Configuring Active Directory groups
Before Active Directory users can log into the SMU, you must configure one or more Active Directory groups. After a group has been added and saved, members of that group can log into the SMU using their Active Directory name and password. Active Directory users belonging to the subgroups of the configured group also have SMU access. In Global Catalog configuration, all the groups must be of scope Universal. CLI access via Active Directory primary group is not supported for Global Catalog configurations.
Before you begin
Note that the administrator is only able to configure groups after Active Directory servers have been added on the Active Directory Servers page.
Procedure
Navigate to the to display the Active Directory Groups page.
This page shows all Active Directory groups that have been added. Note that Active Directory groups are given a group access level. A group can be constrained by this access level such that it can only reconfigure settings related to the server or the storage or for read-only access.If an Active Directory user is member of more than one configured groups in the SMU, then their access level will be derived by combining the access level for all configured Active Directory groups. For example, if a user is a member of one group defined with storage level, but is also a member of a group with server level, then that user will have server+storage access to the SMU.
The following table describes the fields on this page:
Field/Item Description Group Name Group Name is the user-friendly name of an Active Directory group existing on the Active Directory server.
The full Distinguished Name for a group can be viewed by hovering the mouse over the group name. The sort order of the table can be changed by clicking over a column heading.
Group Access Level Shows the group access level. This defines the access level given to Active Directory users who are members of the group when they log onto the SMU. On an external or virtual SMU, if the Group Access Level is Global, then group members are given SMU CLI access. SMU CLI access is not available on an embedded SMU or a NAS module SMU. This column also displays those Active Directory groups assigned the read-only attribute. A read-only group has permission to view most pages of the NAS Manager, but they are not allowed to perform any actions that would trigger a system or configuration change.
NoteRead-only users can not access the CLI, and a user with CLI access may not be read-only. If either of these options is checked, the other one is disabled.details Click the details button in the right-hand column to view details of the associated group. Check All Checks all boxes under Group Name. Clear All Clears all checked boxes under Group Name. add Click to add a group. Takes you to the Add Active Directory Group page. delete Existing groups can be deleted by checking the box in left-hand column and clicking the delete button. The user is asked for confirmation before deleting. If all groups are being deleted, the user is warned that no Active Directory users will be authenticated. Active Directory Servers Takes you to the Active Directory Servers page. Click add and use the Add Active Directory Group page to add groups.
The following table describes the fields on this page:
Field/Item Description Base Distinguished Name The root of an Active Directory subtree of entries from where the SMU searches for groups. Base Distinguished Names are defined on the Active Directory Servers page. Group Distinguished Name The LDAP Distinguished Name of a group to add. Groups can be added one at a time, by entering each Distinguished Name and then pressing the OK button. A maximum of 100 groups can be added. Alternatively, groups can be added by using the find group button. find group Queries the Active Directory to show the list of available groups. The list can be filtered by entering a partial group name and/or a partial domain DNS name. A maximum of 1000 group names is displayed. User Level for Group Members The user levels that can be assigned to group members are the same as those that can be assigned to local or RADIUS users and have the same meanings. The default is Global, but the level can be modified by selecting one of the other radio buttons. Read-Only Access Users in a read-only group may log into the SMU and have permission to view most pages of the NAS Manager; however, they are not allowed to change anything. The Active Directory Group Details page will not allow the read-only attribute to be modified. The group would need to be deleted and re-added to change this attribute. NoteUsers in a group with the read-only attribute can not access the CLI, and a user with CLI access may not be read-only. For complete details on read-only access, please see the section, Read-only users, in the NAS Storage System User Administration Guide.OK Click to save the group details. The SMU checks that the group exists in Active Directory. If the group does not exist (or if the SMU failed to access any AD server) the user is asked for confirmation that they still wish to save it. After saving the group, the updated group list page is displayed. cancel Cancels input. There are two ways to add groups:
- Enter the full Distinguished Name for the group (for example "CN=Mygroup,CN=users,DC=example,DC=com") and click the add button. Special characters: comma, semi-colon, backslash, and leading/trailing spaces within the group name have to be escaped with a “\” backslash character.
- Click the
find group button.
- Groups that exist under the configured Base Distinguished Names are displayed in a window. The full Distinguished Name for a group can be viewed by hovering the mouse over the group name. The order of the groups matches the order of the Base Distinguished Names. The list can be filtered by entering a partial group name and/or partial domain DNS name. The "*" wildcard character is supported anywhere in the filter string. The filter is case insensitive. The left-hand box of the filter will be matched anywhere in the group name. The right-hand box, if it does not start with "*", will be matched at the beginning of the domain DNS name. A maximum of 1000 group names is displayed. Select a group from the list. Only one group can be added at a time.
- Click add to add the group's Distinguished Name to this page.
- Click close to return to the Active Directory Groups page without selecting a group from the list.
Select a User Level to be assigned to members of the group.
CLI access is given to members of all groups configured with the Global level. Active directory users are given the same access level to all managed HNAS servers.Click OK to save the group.
NAS Manager will warn if the group is not found in Active Directory, giving the user the opportunity to modify the group.
Any information, warnings and errors related to Active Directory configuration or authentication are logged to /var/opt/smu/log/mgr/mgr.log and /var/opt/smu/log/mgr/security.log
On returning to Active Directory Groups page, the current list of configured groups is displayed.
Click the details button in the right-hand column to view details of a previously configured group.
When displaying the group details, the SMU checks that the group exists in Active Directory and displays a warning if it does not exist or if the SMU could not access an Active Directory server. The user level cannot be modified once the group has been added. In order to modify the user level, the group would have to be deleted, then added again. Click the cancel button to return to the Active Directory Groups page.
The following table describes the fields on this page:
Field/Item Description Group Name The LDAP Common Name attribute of the group. Group Distinguished Name The LDAP Distinguished Name attribute of the group. User Level for Group Members The user levels that can be assigned to group members are the same as those that can be assigned to local or RADIUS users and have the same meanings. The default is Global , but the level can be modified by selecting one of the other radio buttons. OK No details can be modified for a group, so the OK button is disabled. cancel Returns to the Active Directory Groups page.