Add an authentication directory service

You can use an external authentication directory service (also called an enterprise directory or authentication login domain) to authenticate users logging in to the appliance instead of maintaining individual local login accounts.

Two types of directory services are supported—Microsoft Active Directory and OpenLDAP.

Prerequisites
  • Minimum required privileges: Infrastructure administrator.
  • The authentication directory service must be configured with certificates to support secure LDAP communications (LDAPS).
  • Root certificate authority (CA) or intermediate CA certificates that were used to sign the directory server certificate must be added to the HPE OneView trust store.
    NOTE:
    • For better security, most directory servers use CA-signed certificates as opposed to self-signed certificates.

    • Consult with your Active Directory or OpenLDAP administrator, or public key infrastructure (PKI) administrator to obtain your CA-root public certificate. To extract the entire CA chain for an Active Directory server certificate, follow these steps.

    • Use Settings > Security > Manage Certificates to import the CA-root certificate into the HPE OneView trust store. Enter each unique CA-root in the HPE OneView trust store if the individual directory servers making up the domain have certificates from different CA-roots.

  • DNS must be configured on the HPE OneView appliance before you supply the DNS fully qualified domain name for directory servers.
  • The forward lookups of the names and IP addresses of directory servers must be working properly in DNS.
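
The DNS, LDAPS and certificate prerequisites above can be checked from an administrator workstation before starting the procedure. The following is an added example, not HPE code: it tests the forward lookup, the LDAPS port (using the defaults this page gives, 636 for domain scope and 3269 for the Global Catalog), and whether the server certificate chains to the CA file you intend to import. The server name `dc01.example.com` and the file `ca-root.pem` are hypothetical.

```python
import socket
import ssl

# Default LDAPS ports named on this page.
PORTS = {"domain": 636, "forest": 3269}  # forest = Global Catalog over SSL

def check_directory_server(fqdn, scope="domain", ca_file=None, port=None, timeout=5):
    """Return a dict whose 'stage' names the first failing prerequisite, or 'ok'."""
    port = port or PORTS[scope]
    result = {"server": fqdn, "port": port, "stage": "ok", "detail": ""}
    # Trust only the CA bundle you plan to import (ca_file=None: system store).
    # Hostname checking and CERT_REQUIRED are on by default in this context.
    ctx = ssl.create_default_context(cafile=ca_file)

    # 1. The forward DNS lookup of the directory server name must work.
    try:
        infos = socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)
        result["addresses"] = sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        return {**result, "stage": "dns", "detail": str(exc)}

    # 2. The LDAPS port must be reachable.
    try:
        raw = socket.create_connection((fqdn, port), timeout=timeout)
    except OSError as exc:
        return {**result, "stage": "connect", "detail": str(exc)}

    # 3. The certificate must chain to the CA bundle and match the name used.
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {**result, "stage": "trust", "detail": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {**result, "stage": "tls", "detail": str(exc)}

    result["subject"] = dict(rdn[0] for rdn in cert["subject"])
    result["issuer"] = dict(rdn[0] for rdn in cert["issuer"])
    result["not_after"] = cert["notAfter"]
    return result

if __name__ == "__main__":
    # Hypothetical server name and CA bundle path; replace with your own.
    print(check_directory_server("dc01.example.com", "forest", "ca-root.pem"))
```

A `trust` result means the CA file does not contain the chain that signed the server certificate, or the certificate does not match the name you entered. The workstation may use different DNS servers than the appliance, so a passing lookup here does not replace checking the appliance's own DNS configuration.
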
Procedure
  1. From the main menu, select Settings.
  2. Either click the Edit icon in the Security panel or select Actions > Edit.
  3. On the Edit Security screen, under Directories, click Add Directory.
  4. Enter the data requested on the Add/Edit Directory screen.
  5. Click Add directory server.
    IMPORTANT:

    The decision whether to search the Global Catalog or the domain is based on the scope of the search:

    • When the scope of a search is the domain or an organizational unit, use the SSL port. The default is 636.

    • When the scope of a search is the Active Directory forest, use the SSL Global Catalog port. The default is 3269.

      In larger Active Directory environments, when the search for user authentication must span the Active Directory forest, Hewlett Packard Enterprise recommends using the global catalog port, 3269, for Active Directory authentication queries.

  6. Enter the data requested on the Add Directory Server screen.
    NOTE:

    For OpenLDAP:

    • Use the Add button to add Organizational unit fields as needed.
      IMPORTANT:

      The appliance and the authentication directory service communicate with each other over the LDAPS (LDAP over SSL) port, which is entered as a numeric value.

    • To delete an Organizational unit field and its entry, click the corresponding icon.

  7. Click Add to add a server, and return to the Add Directory screen.
    NOTE:

    The appliance fetches the server certificate chain, allows you to verify it, and then trusts it. You must add the entire certificate chain to be trusted, including the top-most root CA that signed the directory server certificate. If the root CA is missing from the chain, the appliance prompts you to trust the root CA certificate using the Manage certificates screen.

    While you can use Add+ to add more servers, Hewlett Packard Enterprise recommends using a cluster for your directory server configuration instead of configuring replicated directory servers in the appliance. If you use a cluster for your directory server configuration, the cluster hostname can be specified as the directory server.
  8. Click Add to add the authentication directory service or click Add+ to add more directory services.
    NOTE:

    Directory search operations can be time consuming, depending on your directory configuration and network latency, and this affects login time. When using Active Directory with many domains, for optimal login performance, configure a Global Catalog for your directory server. By default, the Global Catalog is configured on port 3269.

  9. After adding the authentication directory service:
    1. Verify the configuration on the Security screen under Directories.
    2. Validate the directory server configuration.
  10. Add a group with directory-based authentication.