HP CloudSystem Foundation User's Guide

HP CloudSystem Enterprise and Foundation Software
Configuring Directory Services in HP CloudSystem
Technical white paper 5900-3794, September 2014

CloudSystem identity management includes support for Microsoft Active Directory and OpenLDAP. This white paper details, step by step, how to set up directory services in CloudSystem Foundation and Enterprise.

Directory Tree Samples

Two directory tree samples are employed in this white paper. Directory Tree 1 represents a Microsoft Active Directory tree, while Directory Tree 2 exemplifies an OpenLDAP tree. Both appear in the side column of the original layout and are reproduced below.

Directory Tree 1 (Active Directory sample)

Below is an Active Directory tree sample that contains hierarchical organizational units. The North America organizational unit contains the Admins Group and Sales Group groups as well as the smith and johnson user accounts. Let's consider that the smith user account belongs to the Admins Group while johnson is a member of Sales Group.

    DC=example,DC=com
      OU=Users
        OU=North America
          CN=Admins Group
          CN=Sales Group
          CN=smith
          CN=johnson

Directory Tree 2 (OpenLDAP sample)

Below is an OpenLDAP tree sample that contains three organizational units. The south america organizational unit contains the garcia and silva user accounts. On the other side, the groups organizational unit holds admins group and sales group. Let's consider that the garcia user account belongs to the admins group while silva is a member of sales group.

    DC=example,DC=com
      OU=people
        OU=south america
          CN=garcia
          CN=silva
      OU=groups
        CN=admins group
        CN=sales group

CloudSystem Foundation

Use the CloudSystem Console to manage directory services in CloudSystem Foundation. Infrastructure administrators can configure directories and associate directory groups to administrative roles. Create a directory entry using the CloudSystem Console > Settings > Security > Edit > Directories > Add directory screen.

The CloudSystem Portal and its underlying OpenStack Keystone service are automatically configured based on the default directory set in the CloudSystem Console. Cloud administrators can then manage directory users within the directory service itself, without any other configuration in CloudSystem.

The following sections depict how to set up Microsoft Active Directory and OpenLDAP.

Microsoft Active Directory

Step 1: Add the directory
Name the directory entry and select the Active Directory type. Enter the search context, which consists of the user identifier, the user search base and the base DN suffix, as shown below.

Important: Be sure to enter the search context correctly and identically in Foundation (CloudSystem Console) and Enterprise (Cloud Service Management Console).

[Figure 1: Creating the North America directory. Add Directory dialog: Directory = North America; Directory type = Active Directory; Search context combining CN, OU=North America,OU=Users and DC=example,DC=com; Username = smith; Password.]

The search context is interpreted as follows:
- User name ID: CN
- User search base: OU=North America,OU=Users
- Base DN: DC=example,DC=com

Step 2: Configure the server
Enter an IP address or host name, the directory server port and the directory server certificate.

[Figure 2: Configuring a server for the North America directory. Add Directory Server dialog: IP address or host name = ad-server.example.com; Directory server port = 636; Directory server certificate = PEM-encoded certificate text (BEGIN CERTIFICATE ... END CERTIFICATE).]

Step 3: Check and save the settings
On the Add directory dialog, enter valid user credentials in the username and password textboxes. Make sure the user account is located under the user search base. Then check the connectivity and save the configuration.

Step 4: Set the default directory
On the Edit Security dialog, choose a directory as the default directory. For example:

[Figure 3: Setting North America as the default directory. Edit Security dialog, Authentication section: Allow local login (to disable local login you must log in using another authentication service); Default directory = North America.]

Step 5: Add a directory group
Go to CloudSystem Console > Users and Groups > Add Directory User or Group. Connect to a pre-defined directory using a user account. Then select a group from the list and assign a role to it. For example:

[Figure 4: Assigning the Admins Group to the Full Infrastructure administrator role. Add Directory User or Group dialog: Directory = North America; Credentials = smith and password; Connect (credentials are used to retrieve directory groups and will not be saved). After you are successfully connected, enter a group name to see matching groups: Group name = Admins Group. Role = Full Infrastructure administrator (choices: Specialized, Full, Read only); this role grants full administrative privileges to all items and actions, including the ability to configure the appliance.]

Active Directory constraints
Below are listed the main constraints in CloudSystem Foundation for Microsoft Active Directory:
- Directory tree: groups must be located under the user search base.
- Directory schema: Users supports the user objectClass only; Groups supports the group and groupOfNames objectClasses only.

OpenLDAP

Step 1: Add the directory
Give a name to the directory entry and select the OpenLDAP type. Then enter the search context, which consists of the user identifier, the user search base and the base DN suffix, as shown below.

[Figure 5: Creating the South America directory. Add Directory dialog: Directory = South America; Directory type = OpenLDAP; Search context combining CN, OU=south america,OU=people and DC=example,DC=com; Username = garcia; Password.]

The search context is interpreted as follows:
- User name ID: CN
- User search base: OU=south america,OU=people
- Base DN: DC=example,DC=com

Step 2: Configure the server
Enter an IP address or host name, the directory server port and the directory server certificate, as follows:

[Figure 6: Configuring a server for the South America directory. Add Directory Server dialog: IP address or host name = ldap-server.example.com; Directory server port = 636; Directory server certificate = PEM-encoded certificate text (BEGIN CERTIFICATE ... END CERTIFICATE).]

Step 3: Check and save the settings
On the Add directory dialog, enter valid user credentials in the username and password textboxes. Make sure the user account is located under the user search base. Then check the connectivity and save the configuration.

Step 4: Set the default directory
On the Edit Security dialog, choose a directory as the default directory. For example:

[Figure 7: Setting South America as the default directory. Edit Security dialog, Authentication section: Allow local login (to disable local login you must log in using another authentication service); Default directory = South America.]

Step 5: Create a directory group
Go to CloudSystem Console > Users and Groups > Add Directory User or Group. Connect to a pre-defined directory using a user account. Then select a group from the list and assign a role to it. For instance:

[Figure 8: Assigning the admins group to the Full Infrastructure administrator role. Add Directory User or Group dialog: Directory = South America; Credentials = garcia and password; Connect (credentials are used to retrieve directory groups and will not be saved). After you are successfully connected, enter a group name to see matching groups: Group name = admins group. Role = Full Infrastructure administrator (choices: Specialized, Full, Read only); this role grants full administrative privileges to all items and actions, including the ability to configure the appliance.]

OpenLDAP constraints
Below are listed the main constraints in CloudSystem Foundation for OpenLDAP:
- Directory tree: groups must be located under the OU=groups from the Base DN.
- Directory schema: Users supports the inetOrgPerson objectClass only; Groups supports the groupOfNames objectClass only.

Summary about User Authorization
In a nutshell, the Foundation user permissions are:
- User accounts from a directory group can log into the CloudSystem Console. Currently only the Full Infrastructure administrator and Read only roles are supported.
- User accounts from the default directory that are assigned to an OpenStack project can log into the CloudSystem Portal. By default, Full Infrastructure administrators are assigned to the administrator project.

General Constraints
- CloudSystem Portal: it is automatically configured based on the default directory and the first server from the server list. In other words, the CloudSystem Portal supports neither multiple directories nor load-balanced servers.
- FQDN: although the CloudSystem Console accepts an IP address for the directory server, HP strongly recommends the usage of an FQDN.
- Strong certificate validation: by default, CloudSystem Foundation does not validate the directory server certificate in a strict manner. To enable strong SSL/TLS validation for the CloudSystem Portal, you must export the CA certificate from the directory server and import it to the Foundation appliance through the appliance console. For more information, see the "Enabling strong certificate validation in the CloudSystem Portal" appendix in the HP CloudSystem Administrator Guide at www.hp.com/go/cloudsystem/docs.

CloudSystem Enterprise

CloudSystem Enterprise supports the multi-tenancy features in Cloud Service Automation (CSA). With CSA you can bind Organizations to directory services and then assign user groups from that directory to be part of the Organization. The next sections describe how to configure Microsoft Active Directory and OpenLDAP in HP CSA. Both assume the Sales consumer organization was created previously.

Microsoft Active Directory

Step 1: Configure base AD settings
In the Cloud Service Automation Console, open a consumer organization and click on the LDAP panel. Enter the hostname and port, and optionally check the SSL option for a secure connection. Then set the Base DN, User ID and password. For instance:

[Figure 9: Configuring LDAP server information for the Sales Organization on AD. Sales Consumer Organization > LDAP > LDAP Server Information (configure the LDAP server used for authorization): Hostname = ad-server.example.com (e.g. myLDAPserver.hp.com); Port = 636 (e.g. 389 for LDAP or 636 for LDAPS); Connection Security = SSL; Base DN = DC=example,DC=com (e.g. dc=users,dc=example,dc=com); User ID (Full DN) = CN=johnson,OU=North America,OU=Users,DC=example,DC=com.]

Step 2: Configure the user login
Enter the user name attribute and the user search base, and optionally check the Search Subtree option for a recursive lookup. For example:

[Figure 10: Configuring user login for the Sales Organization on AD. User Login Information: User Name Attribute = CN; User Search Base = OU=North America,OU=Users; User Search Filter = CN={0}; Search Option = Search Subtree; Look Up User button.]

Notice that the search context is identical to CloudSystem Foundation:
- User name: CN
- User search base: OU=North America,OU=Users
- Base DN: DC=example,DC=com

Step 3: Save and check the settings
Save the settings and then click on the Look Up User button to search for a regular user.

Step 4: Configure the access control
Click on the Access Control panel. Enter a name and DN for a group or organizational unit. For example:

[Figure 11: Assigning the Sales Group to the Service Consumer role. Add DN for Service Consumer: select or add a DN for a group or organizational unit from the fields below, or add a new named DN (must be relative to Base DN). Name for the group or organizational unit DN = Sales Group; Group or organizational unit DN = CN=Sales Group,OU=North America,OU=Users.]

OpenLDAP

Step 1: Configure base LDAP settings
In the Cloud Service Automation Console, open a consumer organization and click on the LDAP panel. Enter the hostname and port, and optionally check the SSL option for a secure connection. Then set the Base DN, User ID and password. For instance:

[Figure 12: Configuring LDAP server information for the Sales Organization on OpenLDAP. Sales Consumer Organization > LDAP > LDAP Server Information (configure the LDAP server used for authorization): Hostname = ldap-server.example.com (e.g. myLDAPserver.hp.com); Port = 636 (e.g. 389 for LDAP or 636 for LDAPS); Connection Security = SSL; Base DN = DC=example,DC=com (e.g. dc=users,dc=example,dc=com); User ID (Full DN) = CN=silva,OU=south america,OU=people,DC=example,DC=com.]

Step 2: Configure the user login
Enter the user name attribute and the user search base, and optionally check the Search Subtree option for a recursive lookup. For example:

[Figure 13: Configuring user login for the Sales Organization on OpenLDAP. User Login Information: User Name Attribute = CN; User Search Base = OU=south america,OU=people; User Search Filter = CN={0}; Search Option = Search Subtree; Look Up User button.]

Make sure that the search context is identical to CloudSystem Foundation:
- User name: CN
- User search base: OU=south america,OU=people
- Base DN: DC=example,DC=com

Step 3: Save and check the settings
Save the settings and then click on the Look Up User button to search for a regular user.

Step 4: Configure the access control
Click on the Access Control panel. Enter a name and DN for the group or organizational unit. For instance:

[Figure 14: Assigning the Sales Group to the Service Consumer role. Add DN for Service Consumer: add a new named DN (must be relative to Base DN). Name for the group or organizational unit DN = Sales Group; Group or organizational unit DN = CN=sales group,OU=groups.]

Summary about User Authorization
Essentially, user accounts from the groups or organizational units that are set in the Organization's access control can access the respective Marketplace Portal.

General Constraints
- Secure connection: the LDAP certificate must be imported to the HP CSA keystore. For more information, see the "Supported operations on the CloudSystem appliances" appendix in the HP CloudSystem Administrator Guide at www.hp.com/go/cloudsystem/docs.
- Access control: the group or organizational unit DN must be relative to the Base DN.

Learn more about HP CloudSystem at http://www.hp.com/go/CloudSystem and http://www.hp.com/go/CloudSystem/docs

Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

5900-3794, September 2014
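The paper states several placement and schema rules that the Add Directory dialog only reports as a failed connectivity check: the bind account must sit under the user search base, AD groups must sit under that same base while OpenLDAP groups must sit under OU=groups below the Base DN, only certain objectClass values are accepted, and on the CSA side the user search filter is a template such as CN={0} and access-control DNs must be relative to the Base DN. The following Python script, an added example that is not HP's code, checks those rules offline against an in-memory model of Directory Tree 1 and Directory Tree 2 (the DIRECTORY table is constructed from the paper's two sample trees; no LDAP server is contacted). It also renders the CN={0} filter with RFC 4515 escaping of the substituted login name and shows what the Search Subtree option changes about a lookup. The function names, the RULES table and the in-memory tree format are this example's own assumptions, not a CloudSystem or CSA API.

```python
# Added example (not HP's code): offline checker for the directory-search
# settings in the white paper. DIRECTORY is a constructed in-memory model of
# Directory Tree 1 (Active Directory) and Directory Tree 2 (OpenLDAP), mapping
# each DN to its objectClass values; nothing here talks to a real server.

DIRECTORY = {
    "CN=smith,OU=North America,OU=Users,DC=example,DC=com": {"user"},
    "CN=johnson,OU=North America,OU=Users,DC=example,DC=com": {"user"},
    "CN=Admins Group,OU=North America,OU=Users,DC=example,DC=com": {"group"},
    "CN=Sales Group,OU=North America,OU=Users,DC=example,DC=com": {"group"},
    "CN=garcia,OU=south america,OU=people,DC=example,DC=com": {"inetOrgPerson"},
    "CN=silva,OU=south america,OU=people,DC=example,DC=com": {"inetOrgPerson"},
    "CN=admins group,OU=groups,DC=example,DC=com": {"groupOfNames"},
    "CN=sales group,OU=groups,DC=example,DC=com": {"groupOfNames"},
}

# Schema constraints the paper lists for CloudSystem Foundation, per directory type
# (objectClass names compared case-insensitively).
RULES = {
    "Active Directory": {"user": {"user"}, "group": {"group", "groupofnames"}},
    "OpenLDAP": {"user": {"inetorgperson"}, "group": {"groupofnames"}},
}


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, lower-cased for comparison."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def is_under(dn, base):
    """True if dn equals base or lies somewhere below it in the tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def rdn_value(dn, attr):
    """Value of the leftmost RDN when its attribute is attr (e.g. CN), else None."""
    first_attr, first_value = parse_dn(dn)[0]
    return first_value if first_attr == attr.lower() else None


def escape_filter_value(value):
    """RFC 4515 escaping for a login name substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def render_user_filter(template, login):
    """Render a CSA-style user search filter template such as 'CN={0}'."""
    return "(" + template.replace("{0}", escape_filter_value(login)) + ")"


def find_user(entries, user_attr, search_base, login, subtree):
    """DNs under search_base whose leftmost RDN is user_attr=login.
    subtree=False mirrors an unchecked 'Search Subtree': one level below the base only."""
    one_level = len(parse_dn(search_base)) + 1
    return [dn for dn in entries
            if is_under(dn, search_base)
            and rdn_value(dn, user_attr) == login.lower()
            and (subtree or len(parse_dn(dn)) == one_level)]


def relative_dn(dn, base_dn):
    """dn with base_dn stripped (the form CSA access control expects); None if not under base_dn."""
    if not is_under(dn, base_dn):
        return None
    keep = len(dn.split(",")) - len(base_dn.split(","))
    return ",".join(part.strip() for part in dn.split(",")[:keep])


def check_foundation(dir_type, entries, user_attr, user_search_base, base_dn, bind_dn, group_dn):
    """List the paper's Foundation constraints violated by one directory entry (empty = OK)."""
    rules, problems = RULES[dir_type], []
    users_base = f"{user_search_base},{base_dn}"
    if not is_under(bind_dn, users_base):
        problems.append("bind account is not located under the user search base")
    if rdn_value(bind_dn, user_attr) is None:
        problems.append(f"bind account DN does not start with {user_attr}=")
    user_classes = {c.lower() for c in entries.get(bind_dn, ())}
    if not user_classes & rules["user"]:
        problems.append(f"user objectClass {sorted(user_classes)} not supported for {dir_type}")
    group_classes = {c.lower() for c in entries.get(group_dn, ())}
    if not group_classes & rules["group"]:
        problems.append(f"group objectClass {sorted(group_classes)} not supported for {dir_type}")
    # Placement differs: AD groups sit under the user search base,
    # OpenLDAP groups under OU=groups directly below the base DN.
    groups_base = users_base if dir_type == "Active Directory" else f"OU=groups,{base_dn}"
    if not is_under(group_dn, groups_base):
        problems.append(f"group is not located under {groups_base}")
    return problems


if __name__ == "__main__":
    print(check_foundation("Active Directory", DIRECTORY, "CN", "OU=North America,OU=Users",
                           "DC=example,DC=com",
                           "CN=smith,OU=North America,OU=Users,DC=example,DC=com",
                           "CN=Admins Group,OU=North America,OU=Users,DC=example,DC=com"))
    print(render_user_filter("CN={0}", "johnson"))
    print(find_user(DIRECTORY, "CN", "OU=Users,DC=example,DC=com", "johnson", subtree=False))
    print(relative_dn("CN=sales group,OU=groups,DC=example,DC=com", "DC=example,DC=com"))
```

Running the script with the paper's own values returns an empty problem list for both sample directories; pointing the OpenLDAP entry at the AD Admins Group instead reports both a schema violation and a placement violation, which is the kind of mismatch the Add Directory dialog's connectivity check would otherwise surface only as a failure. The find_user call with subtree=False returns nothing for johnson because the account lies two levels below OU=Users, which is why the paper pairs a search base of OU=North America,OU=Users with the Search Subtree option.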