UCS Manager supports LDAP authentication, along with a specific setting for Microsoft’s LDAP implementation, Active Directory. After configuring this a few times for multi-domain support, I’ve found a few things that can become troublesome if you don’t watch out.


Concept

The concept is pretty simple: open your browser and browse to the management IP of UCS Manager, then choose your flavor of management interface, Web Browser or Java. After that, you’ll be presented with a screen prompting for your logon credentials. Of course, we can always manually create local users within UCS Manager and manage their permissions and yet another set of passwords. This gets tiresome in an enterprise! Let’s use our central Active Directory for authentication instead. When a new person starts or leaves, we just enable or disable their account in one location, AD!

Architecture

At the 10,000-foot view, we can look at the following components for implementing AD authentication for UCS.

  1. A “bind” user account – Basically an AD service account (domain user) in the domain you’re authenticating to
  2. A list of LDAP Providers – Your AD servers for each domain to send authentication requests to
  3. A list of LDAP Group Maps – AD groups mapped to the following UCS roles (only create what you need; I recommend a group for at least admins and read-only)
    1. aaa
    2. admin
    3. facility-manager
    4. network
    5. operations
    6. read-only
    7. server-compute
    8. server-equipment
    9. server-profile
    10. server-security
    11. storage
  4. Create some UCS LDAP Provider Groups – This is usually named after your domain and contains the list of AD servers (LDAP Providers) you defined earlier
  5. Create UCS Authentication Domains – This is where you define the name that shows up in the drop-down box when UCS wants to authenticate you
  6. Optional – Certificates for use with AD over SSL

If you’ve worked with AD for any length of time, all the components I’ve listed above in the architecture section should make sense. At the end of the day, the AD changes we need to make are:

  1. Create an AD service account (domain user, with “User cannot change password” and “Password never expires” set)
  2. Create several AD groups for granting UCS rights
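As an added example (not from the original post), here are those two AD changes done with the ActiveDirectory PowerShell module. The OU path, the account name and the group naming convention are assumed placeholders; adjust them for your domain.

```powershell
# Added example: create the UCS bind service account and the role groups in AD.
# Assumptions (placeholders, not from the post): OU path, account and group names.
Import-Module ActiveDirectory

$OuPath      = "OU=UCS,OU=Service Objects,DC=example,DC=local"   # assumed OU
$BindSam     = "svc-ucs-ldap"                                    # assumed account name
$GroupPrefix = "UCS-"                                            # assumed naming convention

# Bind account: a plain domain user with no extra group memberships, password never
# expires, user cannot change password (the two options the post calls out). Prompt
# for the secret so it never lands in the script file or the shell history.
$BindPassword = Read-Host -AsSecureString -Prompt "Password for $BindSam"
New-ADUser -Name $BindSam -SamAccountName $BindSam -Path $OuPath `
    -Description "UCS Manager LDAP bind account (directory lookups only)" `
    -AccountPassword $BindPassword -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true

# One AD security group per UCS role you intend to map. Create only the ones you
# need; admin and read-only are the minimum the post recommends.
$UcsRoles = @("admin", "read-only")   # extend with e.g. "network", "storage" as required
foreach ($role in $UcsRoles) {
    $groupName = "$GroupPrefix$role"
    New-ADGroup -Name $groupName -SamAccountName $groupName -Path $OuPath `
        -GroupScope Global -GroupCategory Security `
        -Description "Members receive the UCS Manager '$role' role via LDAP group map"
}

# Print the values you will paste into UCS Manager: the bind DN for the LDAP
# Provider and the group DNs for the LDAP Group Maps.
"Bind DN: " + (Get-ADUser $BindSam).DistinguishedName
foreach ($role in $UcsRoles) {
    "Group map DN ($role): " + (Get-ADGroup "$GroupPrefix$role").DistinguishedName
}
```

Mapping each printed group DN to its UCS role is done on the UCS side (the LDAP Group Maps in the architecture list), so the script stops at producing the DNs.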

In the next blog post we’ll look at setting this up and troubleshooting techniques.

Until next time,

Allan