About directory service authentication

You can configure HPE OneView to use an external enterprise directory service for user authentication. HPE OneView supports the following enterprise directory services:
  • Active Directory

  • OpenLDAP

The display name of the directory service used in the HPE OneView login page appears on the Add/Edit Directory configuration details page. This name indicates the enterprise directory that it is associated with.

NOTE:
  • When users authenticate using their directory account name (for example, with Active Directory the value of the sAMAccountName field) instead of their email address, Hewlett Packard Enterprise recommends that the display name match the domain component of the directory.
  • HPE OneView prepends the username with the directory display name.
    Example:

    For a directory domain corp.example.com, a display name of corp allows the users to log in using only their directory account name. A user specifying a login name of admin gets authenticated to the directory as corp\admin.

  • If an Active Directory is set up to use a pre-Windows 2000 domain name, when setting up a directory in HPE OneView, the administrator must ensure that the directory name matches with the pre-Windows 2000 domain name. Subsequently, if required, the administrator can also choose to set the pre-Windows 2000 directory domain as the default for users to log into HPE OneView.
    Example:

    If the Active Directory domain is example.com on an Active Directory, and the pre-Windows 2000 domain name is myDomain, having the display name as myDomain allows users to log in using only their directory account name. A user specifying a login name of admin gets authenticated to the directory as myDomain\admin.

When you use a directory service, directory users are granted HPE OneView permissions using their group membership in the directory. After defining a directory service, use the User and Groups screen to define permissions for directory groups.

Directory groups are assigned one or more HPE OneView permissions. A directory user is assigned the HPE OneView permissions that represent the union of the permissions for all the directory groups that the user is a member of. Directory users can authenticate to the appliance only after permissions have been defined for their directory groups.

Any user in the group can log into the appliance using the following steps:

  1. Select the enterprise directory service in the login page.

  2. Enter a user name. The format for the user name depends on the Directory type. Consult your HPE OneView administrator and directory administrator for the proper user name format. Valid formats include:
    • Email address. For example: jane.larry@example.com.

    • The down-level logon name or domain name\user logon name. For example: example\janel, where example.com is the directory domain.

    • The common name of the user (CN attribute in the directory). For example: janeL
      NOTE:

      A best practice is to set the HPE OneView display name for the directory service to match the leading component of the directory's fully qualified domain name (for example, example for the example.com directory).

  3. Enter the password.

Enterprise directory user in the appliance

There is no explicit user created in the appliance corresponding to the directory user. However, when a directory user is logged into the appliance, the user is identified by the user name preceded by the enterprise directory name.

In the Session control, the user is identified by their name preceded by the enterprise directory service. For example:

CorpDir\pat

IMPORTANT:

Unlike local users, if a user is deleted from an authentication directory, their active sessions remain active until that user logs out. Similarly, if the user's group membership is modified in the authentication directory, the change is not reflected in the currently active session for the user.

If there is a change in the group-to-role assignment (including a deletion) for an authentication directory group while a user from that group is logged in, their current active session is not affected until they log out. Local user sessions are ended when such modifications are made.

Directory server

When a directory is configured on the appliance, you can specify one or more directory servers, by host name (or IP address) and port, that host the authentication directory service. If more than one directory server is added for a directory, they are assumed to be replicated servers for high availability or disaster tolerance. If one directory server is not reachable, the other configured servers are tried in turn to authenticate the user.
NOTE:
  • If you use a cluster for your directory server configuration, the cluster hostname can be specified as the directory server. Hewlett Packard Enterprise recommends using a cluster for your directory server configuration instead of configuring replicated directory servers in the appliance.

  • Directory search operations can be time consuming depending on your directory configuration and network latency, which affects login time. When using Active Directory with many domains, for optimal login performance, configure a global catalog for your directory server.

  • To ensure high availability, typically a directory domain contains multiple directory servers. HPE OneView allows multiple directory servers to be configured. When you configure multiple directory servers, HPE OneView attempts to reach each one of the directory servers in the specified order until it can authenticate the user. For example, a Microsoft Active Directory environment typically has multiple domain controllers.

    For the best availability, work with your Active Directory administrator to determine which domain controllers must be added to HPE OneView.

Binding to the directory server

The appliance must bind to the directory server for performing search and authentication operations. You can choose to bind using any one of the following options:
  • Service Account: A directory service account that has read-access permission to your directory server can be configured in the appliance. The service account takes user name and password as inputs. HPE OneView stores the credentials you provide for future use. The Service Account option is mandatory when two-factor authentication is enabled in HPE OneView.

    Depending on your configuration, in some directory environments, directory users require service accounts as they are not allowed to query certain parts of the directory tree. Consult your directory administrator for more information.
    NOTE:
    • Use the service account option when two-factor authentication is enabled in HPE OneView.

    • Ensure that the service account has read access to the directory tree so that HPE OneView can use this account when performing searches across the directory on behalf of HPE OneView users. For example, during login when HPE OneView queries the directory to determine the groups that the user is a member of, the service account is used to perform that query.

  • User Account: The user account uses the credentials supplied by the user while connecting HPE OneView to the directory service. The user account helps in querying the directory during the authentication process. User Account is the default option for directory binding. The user credentials for the directory service are not stored in HPE OneView.

User login formats used for authentication

To support user login with only the user name specified, the following formats are tried to authenticate with the directory service:

If the user name does not contain an @ character (which denotes an email address) or a \ character (which denotes the domain\user name format), logins are attempted in the following order:

  1. The user name is treated as the logon name, and directory-name gets prefixed as directory-name\user-name, for example: example\jane.

  2. The user name is treated as a UID.

  3. The user name is treated as Common Name (CN).

NOTE: If the Active Directory server configured in HPE OneView has a user lock-out policy (for example, after n successive failed login attempts), Hewlett Packard Enterprise recommends that you use the email (UPN) or the domain\user name (down-level logon name) format to log into HPE OneView. If only the bare user name is used, HPE OneView internally tries the different login formats described previously, which may lock the user out of the GUI after a single failed login attempt (wrong password). To minimize login attempts, configure the directory display name to be the same as the first component of the directory's fully qualified domain name. For example, assign the HPE OneView name example for the directory example.com. The most commonly used UPN is username@domain.com, and the down-level logon name is domain\username.
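The following added example (not HPE code) models the attempt order described above so that an administrator can see how many failed binds one mistyped password can produce against a directory lock-out threshold; the display name, user names and threshold are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BindAttempt:
    form: str      # "upn", "down-level", "uid" or "cn"
    identity: str  # the value presented to the directory service


def bind_attempts(login: str, directory_display_name: str) -> list:
    """Ordered identities tried against the directory for one login.

    A name containing '@' (email/UPN) or '\\' (domain\\user, the down-level
    logon name) is used exactly as typed, so it costs one bind attempt.
    A bare user name is expanded in the order the page describes:
    directory-name\\user, then the value as a UID, then as a Common Name.
    """
    if "@" in login:
        return [BindAttempt("upn", login)]
    if "\\" in login:
        return [BindAttempt("down-level", login)]
    return [
        BindAttempt("down-level", f"{directory_display_name}\\{login}"),
        BindAttempt("uid", login),
        BindAttempt("cn", login),
    ]


def wrong_password_cost(login: str, directory_display_name: str) -> int:
    """Failed binds one mistyped password can generate, which is what a
    directory lock-out threshold counts (worst case: every format fails)."""
    return len(bind_attempts(login, directory_display_name))


def can_lock_out_on_one_mistake(login: str, directory_display_name: str,
                                lockout_threshold: int) -> bool:
    """True if a single wrong password could reach the lock-out threshold."""
    return wrong_password_cost(login, directory_display_name) >= lockout_threshold


# Constructed sample values (not from the page): directory example.com with
# display name "example", and a lock-out policy of 3 failed attempts.
DISPLAY_NAME = "example"
LOCKOUT_THRESHOLD = 3

if __name__ == "__main__":
    for name in ("jane@example.com", "example\\jane", "jane"):
        attempts = [a.identity for a in bind_attempts(name, DISPLAY_NAME)]
        risky = can_lock_out_on_one_mistake(name, DISPLAY_NAME, LOCKOUT_THRESHOLD)
        print(f"{name!r}: tries {attempts}; lock-out on one mistake: {risky}")
```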

Trusting the directory server

Hewlett Packard Enterprise recommends that you use CA-signed certificates on your directory servers. The entire certificate chain (including the CA root and any intermediate certificates) for the directory certificate must be placed in the HPE OneView trust store before configuring the directory service. This action ensures that the appliance automatically trusts the directory server when it is configured on the appliance.

After adding an enterprise directory service and server

You can:
  • Designate it as the default directory service to be used at login time.

  • Optionally, disable local logins so that only users whose accounts are authenticated by the directory service can log in. Local accounts are prevented from logging in.

Configuring an enterprise directory server in HPE OneView

Consider the following points when configuring an enterprise directory server in HPE OneView:
  • When HPE OneView tries to connect to a directory server, trust verification is performed using the certificates that are trusted by the appliance. Hence, import the root certificate of the directory server certificate chain into the appliance before adding the directory server.

    Otherwise, you will be prompted to either add the issuing certificate or trust the self-signed certificate of the directory server.

  • It is possible that the directory server might present a certificate chain that includes the server certificate, one or more Issuers, and optionally a root certificate.

    If the server does not present the root certificate in the certificate chain, obtain the root certificate from the directory server administrator and import it into the appliance before adding the directory.

  • If there are multiple directory servers configured under the same directory service, import all the issuer certificates (roots and intermediate CA certificates of each directory server) into the appliance before adding the directory.

  • If the directory service in HPE OneView is configured with a domain name and there are multiple domain controllers in the domain that are load balanced in a round-robin fashion, import all the issuer certificates (roots and intermediate CA certificates of each domain controller) into the appliance before adding the directory.

Hostname verification when configuring and communicating to an enterprise directory server

If the directory server is set up with a CA-signed certificate, HPE OneView performs hostname verification while establishing a connection. This hostname verification succeeds only when one of the following is specified in the Subject CN or the SAN field of the directory server certificate:
  • A wildcard domain name. For example, *.example.com.

  • Fully Qualified Domain Name (FQDN) of the directory server. For example, ad01.americas.example.com.

    NOTE: If an FQDN is used in the Subject CN or the SAN field, set up DNS name resolution so that the FQDN resolves to the IP address of the directory server.
  • IP address of the directory server.

If these details are not specified correctly, an error is displayed along with the resolution.

When any of these details are specified, HPE OneView verifies that the directory server to which the connection is being established matches the name or address specified in the Subject Common Name (Subject CN) field or the Subject Alternative Name (SAN) field of the certificate presented by the server.
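The following added example (not HPE code) applies the three acceptable name forms to a constructed domain-controller certificate, which is useful when checking a certificate before adding a server; it assumes the usual TLS rule that a wildcard covers exactly one leading label.

```python
import ipaddress


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match a DNS-type certificate name against the configured host.

    Assumes the usual TLS rule that a wildcard covers exactly one leading
    label: *.example.com matches ad01.example.com but not
    ad01.americas.example.com. Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def server_matches_certificate(server: str, subject_cn: str, san: list) -> bool:
    """True if the directory server address (host name or IP) matches the
    certificate's Subject CN or one of its SAN entries, as the page requires."""
    names = [subject_cn] + list(san)
    if _is_ip(server):
        want = ipaddress.ip_address(server)
        return any(_is_ip(n) and ipaddress.ip_address(n) == want for n in names)
    return any(not _is_ip(n) and _dns_name_matches(n, server) for n in names)


# Constructed sample (not from the page): a domain controller certificate
# carrying its FQDN and IP address in the SAN.
SAMPLE_CN = "ad01.americas.example.com"
SAMPLE_SAN = ["ad01.americas.example.com", "10.1.2.3"]

if __name__ == "__main__":
    for server in ("ad01.americas.example.com", "10.1.2.3", "ad01",
                   "AD01.americas.example.com."):
        print(server, "->", server_matches_certificate(server, SAMPLE_CN, SAMPLE_SAN))
```

The short name "ad01" fails because hostname verification compares the address exactly as configured, which is why the page asks for the FQDN, a wildcard, or the IP address.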

HPE OneView does not perform hostname verification while establishing a connection if the directory server is trusted in HPE OneView using any one of the following:
  • A self-signed certificate

  • The Force trust leaf certificate option. This option can be accessed using Settings > Security > Managed Certificates > Add Certificate.

    The Force trust leaf certificate option on the Add certificates screen allows you to enable or disable trusting of a CA-signed leaf certificate in the appliance trust store. If enabled, the appliance ignores the root and intermediate certificates in the specified certificate chain. The certificate is treated like a self-signed certificate if the signing CA certificate is not present in the appliance.

    NOTE:

    Force trusting a leaf certificate is not recommended. If you use the Force trust leaf certificate option, only the leaf level certificate is trusted in the appliance. The leaf certificate is not subjected to revocation checks or hostname verification. Also, every time the directory server certificate is regenerated, you are required to import the new certificate into the appliance for successful communication with the directory server.

    In an environment where multiple domain controllers are load balanced in a round-robin fashion, it is possible that the certificates of different domain controllers may have been signed by different intermediate CA certificates. In this case, either force trust the leaf certificates of all the domain controllers or trust all the root and intermediate CA certificates in the appliance using the Settings > Security > Managed Certificates > Add Certificate option.

More information

Configuring a Microsoft Active Directory service

Configuring an OpenLDAP Directory service