About directory service authentication

You can configure HPE OneView to use an external enterprise directory service for user authentication. HPE OneView supports the following enterprise directory services:
  • Active Directory

  • OpenLDAP

When you use a directory service, directory users are granted HPE OneView permissions using their group membership in the directory. After defining a directory service, use the User and Groups screen to define permissions for directory groups.

Directory groups are assigned one or more HPE OneView permissions. A directory user receives the union of the permissions of all directory groups of which the user is a member. Directory users can authenticate to the appliance only after permissions have been defined for their directory groups.

Any user in the group can log into the appliance using the following steps:

  1. Select the enterprise directory service in the login page.

  2. Enter a user name. The format for the user name depends on the directory type. Consult your HPE OneView administrator and directory administrator for the proper user name format. Valid formats include:
    • Email address. For example: jane.larry@example.com.

    • The down-level logon name, in the form domain name\user logon name. For example: example\janel, where example.com is the directory domain.

    • The common name of the user (the CN attribute in the directory). For example: janeL

      NOTE:

      A best practice is to set the HPE OneView display name for the directory service to match the leading part of the directory's fully qualified domain name (for example, example for the example.com directory).

  3. Enter the password.

Enterprise directory user in the appliance

There is no explicit user created in the appliance corresponding to the directory user. However, when a directory user is logged into the appliance, the user is identified by the user name preceded by the enterprise directory name.

In the Session control, the user is identified by the user name preceded by the enterprise directory service name. For example:

CorpDir\pat

IMPORTANT:

Unlike local users, if a user is deleted from an authentication directory, their active sessions remain active until that user logs out. Similarly if there is any modification of the user group in the authentication directory, that does not reflect in the currently active session for the user.

If there is a change in the group-to-role assignment (including a deletion) for an authentication directory group while a user from that group is logged in, their current active session is not affected until they log out. Local user sessions are ended when such modifications are made.

Directory server

When a directory is configured on the appliance, you can specify one or more directory servers that can be accessed for the directory service. If more than one directory server is added for a directory, they are assumed to be replicated servers for high availability or disaster tolerance. If one directory server is not reachable, the other configured servers are accessed for authenticating the user.
NOTE:
  • If you use a cluster for your directory server configuration, the cluster hostname can be specified as the directory server. Hewlett Packard Enterprise recommends using a cluster for your directory server configuration instead of configuring replicated directory servers in the appliance.

  • Directory search operations can be time consuming depending on your directory configuration and network latency affecting login time. When using Active Directory with many domains, for optimal login performance, configure a global catalog for your directory server.

Binding to the directory server

The appliance must bind to the directory server for performing search and authentication operations. You can choose to bind using any one of the following options:
  • Service Account: A directory service account that has read-access permission to your directory server can be configured in the appliance. The service account takes user name and password as inputs. HPE OneView stores the credentials you provide for future use. The Service Account option is mandatory when two-factor authentication is enabled in HPE OneView.

  • User Account: The user account uses the credentials supplied by the user while connecting HPE OneView to the directory service. The user account helps in querying the directory during the authentication process. User Account is the default option for directory binding. The user credentials for the directory service are not stored in HPE OneView.

User login formats used for authentication

To support user login with only the user name specified, the following formats are tried to authenticate with the directory service:

If the user name is not an email address (denoted by the presence of an @ character) or a \ character (to denote the domain\user name format), logins are attempted in the following order:

  1. The user name is treated as the logon name, and the directory name is prepended, as directory-name\user-name. For example: example\jane.

  2. The user name is treated as a UID.

  3. The user name is treated as Common Name (CN).

NOTE: If the Active Directory server configured in HPE OneView has a user lock-out policy (defined, for example, as n successive failed login attempts), Hewlett Packard Enterprise recommends that you use the email or the domain\user name format to log into HPE OneView. If the email or domain\user name format is not used (that is, just the user name is used), HPE OneView internally tries the different login formats described previously. This may result in the user being locked out of the GUI after a single failed login attempt (wrong password). To minimize login attempts, configure the directory display name to be the same as the first component of the directory's fully qualified domain name. For example, assign the HPE OneView name example to the directory example.com.
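
To make the attempt ordering and its interaction with a lockout policy concrete, here is an added Python model of the rules in this section (example code, not HPE OneView's own implementation). The uid= and cn= labels for attempts 2 and 3, and the assumption that each format produces one failed bind against the same account, are mine.

```python
# Added example: models the login-format fallback described on this page.
# It is not HPE OneView code; the "uid=" and "cn=" labels for attempts 2 and 3
# are illustrative, and it assumes every attempt that reaches the directory
# counts as one failed bind against the same account.

def candidate_logins(user_name, directory_name):
    """Return the identities tried, in order, for a typed user name.

    An '@' marks an email/UPN and a '\\' marks domain\\user, so those are
    used as typed. A bare name is tried as directory\\name, then as a UID,
    then as a Common Name.
    """
    if "@" in user_name or "\\" in user_name:
        return [user_name]
    return [
        "%s\\%s" % (directory_name, user_name),  # 1. down-level logon name
        "uid=%s" % user_name,                    # 2. treated as UID
        "cn=%s" % user_name,                     # 3. treated as Common Name
    ]


def lockout_risk(user_name, directory_name, lockout_threshold):
    """Failed binds one wrong password can generate, and whether that
    alone reaches the directory's lockout threshold."""
    attempts = len(candidate_logins(user_name, directory_name))
    return attempts, attempts >= lockout_threshold


def display_name_matches_domain(directory_name, domain_fqdn):
    """The page's mitigation: the HPE OneView display name should equal the
    first label of the directory's FQDN so attempt 1 targets the right domain."""
    return directory_name.lower() == domain_fqdn.split(".")[0].lower()


if __name__ == "__main__":
    for typed in ("jane.larry@example.com", "example\\janel", "janel"):
        attempts, locks = lockout_risk(typed, "example", 3)
        print(typed, candidate_logins(typed, "example"), attempts, locks)
```

With a lockout threshold of 3, the bare-name form alone reaches the threshold on one wrong password, while the email and domain\user forms generate a single bind.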

Trusting the directory server

Hewlett Packard Enterprise recommends that you use CA-signed certificates on your directory servers. The entire certificate chain (including the CA root and any intermediate certificates) for the directory certificate must be placed in the HPE OneView trust store before configuring the directory service. This action ensures that the appliance automatically trusts the directory server when it is configured on the appliance.

After adding an enterprise directory service and server

You can:
  • Designate it as the default directory service to be used at login time.

  • Optionally, disable local logins so that only users whose accounts are authenticated by the directory service can log in. Local accounts are prevented from logging in.

Configuring an enterprise directory server in HPE OneView

Consider the following points when configuring an enterprise directory server in HPE OneView:
  • When HPE OneView tries to connect to a directory server, trust verification is performed using the certificates that are trusted by the appliance. Hence, import the root certificate of the directory server certificate chain into the appliance before adding the directory server.

    Otherwise, you will be prompted to either add the issuing certificate or trust the self-signed certificate of the directory server.

  • It is possible that the directory server might present a certificate chain that includes the server certificate, one or more Issuers, and optionally a root certificate.

    If the server does not present the root certificate in the certificate chain, obtain the root certificate from the directory server administrator and import it into the appliance before adding the directory.

  • If there are multiple directory servers configured under the same directory service, import all the issuer certificates (roots and intermediate CA certificates of each directory server) into the appliance before adding the directory.

  • If the directory service in HPE OneView is configured with a domain name and there are multiple domain controllers in the domain that are load balanced in a round-robin fashion, import all the issuer certificates (roots and intermediate CA certificates of each domain controller) into the appliance before adding the directory.

Hostname verification when configuring and communicating to an enterprise directory server

If the directory server is set up with a CA signed certificate, HPE OneView performs hostname verification while establishing a connection. This hostname verification succeeds only when one of the following is specified in the Subject CN or the SAN field of the directory server certificate:
  • A wildcard domain name. For example, *.example.com.

  • Fully Qualified Domain Name (FQDN) of the directory server. For example, ad01.americas.example.com.

    NOTE: If FQDN is used in the Subject CN or the SAN field, set up the DNS name resolution to resolve the FQDN to the IP address of the directory server.
  • IP address of the directory server.

If none of these values is specified correctly, an error is displayed along with the steps to resolve it.

When one of these values is present, HPE OneView verifies that the identity of the directory server to which the connection is being established matches the value specified in the Subject Common Name (Subject CN) field or the Subject Alternative Name (SAN) field of the certificate presented by the server.

HPE OneView does not perform hostname verification while establishing a connection if the directory server is trusted in HPE OneView using any one of the following:
  • A self-signed certificate

  • The Force trust leaf certificate option. This option can be accessed using Settings > Security > Managed Certificates > Add Certificate.

    NOTE:

    Force trusting a leaf certificate is not recommended. If you use the Force trust leaf certificate option, only the leaf-level certificate is trusted in the appliance. The leaf certificate is not subject to revocation checks or hostname verification. Also, every time the directory server certificate is regenerated, you are required to import the new certificate into the appliance for successful communication with the directory server.

In an environment where multiple domain controllers are load balanced in a round-robin fashion, it is possible that the certificates of different domain controllers may have been signed by different intermediate CA certificates. In this case, either force trust the leaf certificates of all the domain controllers or trust all the root and intermediate CA certificates in the appliance using the Settings > Security > Managed Certificates > Add Certificate option.
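
The matching rules in this section, and the cases in which verification is skipped, as an added Python example that is not part of HPE OneView. The certificate identities are constructed sample values, and the single-label wildcard rule is the common X.509 convention, which the page does not spell out.

```python
import ipaddress

# Added example, not HPE OneView code: applies the hostname-verification
# rules this page describes to a constructed set of certificate identities.

def cert_identities(subject_cn, dns_sans=(), ip_sans=()):
    """Constructed stand-in for the Subject CN and SAN entries of a cert."""
    return {"cn": subject_cn, "dns": list(dns_sans), "ip": list(ip_sans)}


def _dns_match(pattern, host):
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Assumed convention: the wildcard covers exactly one leading label,
        # so *.example.com matches ad02.example.com but not
        # dc.americas.example.com or example.com itself.
        suffix = pattern[1:]
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return pattern == host


def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def hostname_verified(server, cert, trust_mode="ca-signed"):
    """True if the configured directory server identity matches the cert.

    trust_mode "self-signed" or "force-leaf" models the page's statement
    that no hostname verification happens in those cases: any name passes,
    which is why the page discourages Force trust leaf certificate.
    """
    if trust_mode in ("self-signed", "force-leaf"):
        return True
    addr = _as_ip(server)
    if addr is not None:
        # IP form: must appear as an IP SAN or as the literal Subject CN.
        return addr in [_as_ip(i) for i in cert["ip"] + [cert["cn"]]]
    # FQDN or wildcard form: the page accepts either the Subject CN or a SAN.
    return any(_dns_match(n, server) for n in [cert["cn"]] + cert["dns"])
```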

Considerations for configuring a Microsoft Active Directory service

  • For the strongest security, Hewlett Packard Enterprise recommends configuring your directory server to use the TLS 1.2 protocol only.

  • The following maps each LDAP property to the corresponding Active Directory attribute:

    LDAP property         Active Directory attribute
    cn                    Common-Name
    uid                   UID
    userPrincipalName     User-Principal-Name
    sAMAccountName        SAM-Account-Name

  • If a user object is created in the Active Directory Users and Computers Microsoft Management Console, the names default as follows.

    Specify the following components of the user name, displayed here with the corresponding attribute:

    User name component    Attribute
    First Name             givenName
    Initials               initial
    Last Name              sn

    The field labeled Full Name defaults to this format. This string is assigned to the cn attribute (Common Name).

    givenName.initials.givenName.initial.sn

    In the New Object – user dialog box, you are also required to specify a User logon name. User logon name, in combination with the DNS domain name, becomes the userPrincipalName. The userPrincipalName is an alternative name that the user can use for logging in. It is in the form:

    LogonName@DNSDomain

    For example:

    joeuser@example.com

  • Finally, as you enter the User logon name, the first 20 characters are automatically filled in the pre-Windows 2000 logon name field, which becomes the sAMAccountName attribute.

  • CN-logins for built-in Active Directory user accounts, like Administrator, are not accepted. Other login formats are acceptable if their respective attributes (sAMAccountName, userPrincipalName, and UID) are set properly.
