
User authentication and authorization with Device Manager - Storage Navigator

An authentication server enables users to log in to Device Manager - Storage Navigator with the same password as the password they use for other applications. In addition, an authentication server can be configured to work with an authorization server so that user groups registered in the authorization server can be assigned to Device Manager - Storage Navigator users.

Setting up authentication and authorization with Device Manager - Storage Navigator

The following figures show the Device Manager - Storage Navigator login workflow without and with an authentication server. The authentication server must be configured for each user.

[Figure: Logging in without an authentication server]
[Figure: Logging in with an authentication server]

The following figure shows the login workflow when an authentication server and an authorization server are used in combination. In this case, the user groups that are registered in the authorization server can be assigned to Device Manager - Storage Navigator users.

[Figure: Logging in with an authentication server and an authorization server]

If you register the authentication server information as an SRV record in the DNS server, you can use the authentication server without knowing its host names and port numbers. If you register multiple authentication servers in the SRV record, the authentication server to be used is determined by the priority that has been set in advance.

Caution
  • If the affiliated user group registered in the external authentication server and the user group registered locally in the storage system are different, the user group in the storage system has higher priority.
  • You cannot create a load balancer between the SVP and the external authentication server.
  • If you use external authentication of the SVP, you need to disable external authentication of the maintenance utility.

External authentication requirements using authentication server

Authentication servers support the following protocols:

  • LDAPv3 simple bind authentication (Note that Bind DN is used for authentication.)
  • RFC 2865-compliant RADIUS with PAP and CHAP authentication
  • Kerberos v5
Note: The authentication server must support TLS 1.2 as the transport protocol.

The following root certificate file formats to be set on Device Manager - Storage Navigator are available for LDAP server settings:

  • X509 DER format
  • X509 PEM format
    Note: For the preceding file formats, you cannot use a field in the extended profile of the X509 certificate.

One of the following encryption types must be used for the Kerberos server:

  • Windows

    • AES128-CTS-HMAC-SHA1-96
    • RC4-HMAC
    • DES3-CBC-SHA1
    • DES-CBC-CRC
    • DES-CBC-MD5
  • Solaris or Linux

    • DES-CBC-MD5
Caution
  • Two authentication servers (one primary and one secondary) can be connected to a storage system. In this case, the server configurations must be the same except for the address (host name or IP address) and the port number: configure the secondary server with the same settings as the primary server, changing only the host name and the port number.
  • If you search for a server using information registered in the SRV records in the DNS server, confirm that the following conditions are satisfied. For RADIUS servers, you cannot use the SRV records.

    LDAP server conditions:

    • The environmental setting for the DNS server is completed at the LDAP server.
    • The host name, the port number, and the domain name of the LDAP server are registered in the DNS server.

    Kerberos server conditions:

    • The host name, the port number, and the domain name of the Kerberos server are registered in the DNS server.
  • Because UDP/IP is used to access the RADIUS server, encrypted communications, including negotiation between processes, are not used. To access the RADIUS server in a secure environment, encryption at the packet level, such as IPsec, is required.

External authorization requirements using authorization server

The authorization server must satisfy the following requirements to work together with the authentication server:

Note: Use an operating system that continues to be supported by a vendor. Operations performed using firmware for which vendor support has expired cannot be guaranteed.
  • Prerequisite OS

    • Windows Server 2008
    • Windows Server 2008 R2
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
  • Prerequisite software

    • Active Directory
  • Authentication protocol for the user for searching

    • LDAP v3 simple bind (Note that Bind DN is used for authentication.)
  • TLS Security Settings

    • The TLS Security Settings made in Setting SSL communications using Device Manager - Storage Navigator must be supported.
  • Root certificate file format for Device Manager - Storage Navigator

    • X509 DER format
    • X509 PEM format
  • Requirements for root certificate format for Device Manager - Storage Navigator

    • If the public key of the certificate to be uploaded is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
    • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
      • ECDSA_P256 (secp256r1)
      • ECDSA_P384 (secp384r1)
      • ECDSA_P521 (secp521r1)
    • The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
  • Requirements for certificate for the connected server

    • If the public key of the certificate is RSA, the key length must be 2048 bits or more.
    • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
      • ECDSA_P256 (secp256r1)
      • ECDSA_P384 (secp384r1)
      • ECDSA_P521 (secp521r1)
    • The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
    • The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
      • subjectAltName
      • CRLDistributionPoint
      • AuthorityInfoAccess
      • BasicConstraints
      • KeyUsage
      • SubjectKeyIdentifier

      When setting a host name for Primary Host Name or Secondary Host Name in the Setup Server window (Settings > Environmental Settings > View External Authentication Server Properties > Setup Server), enter the host name of the server in subjectAltName or CommonName of the server certificate.

    • When setting an IP address for Primary Host Name or Secondary Host Name in the Setup Server window (Settings > Environmental Settings > View External Authentication Server Properties > Setup Server), enter the IP address of the server in subjectAltName or CommonName of the server certificate.
    • When using DNS Lookup to connect to an external authentication server, enter the host name of the server in subjectAltName or CommonName of the server certificate.
    • When you perform a certificate revocation check by using CRL, set the URI of the CRL repository for cRLDistributionPoint (CRL distribution point) of the intermediate certificate and server certificate set on the connected server. The CRL repository must be on the network that can be accessed by the SVP so that the SVP can communicate with the CRL repository. If the SVP cannot communicate with the CRL repository, communication with the authorization server fails.
    • When you perform a certificate revocation check by using OCSP, correctly set the URI of the OCSP responder for authorityInfoAccess (Authority Information Access) of the intermediate certificate and server certificate set on the connected server. The OCSP responder must be on the network that can be accessed by the SVP so that the SVP can communicate with the OCSP responder. If the SVP cannot communicate with the OCSP responder, communication with the authorization server fails.
    • The number of tiers of the certificate chain for the certificate to be uploaded must be 20 tiers or less including the root CA certificate.
    • If no DNS server is used, the IP address of the authorization server must be specified for the common name of the certificate.
Note
  • Acquire the root certificate for the authentication server from the authentication server administrator.
  • Certificates have an expiration date. If the certificate expires, you will not be able to connect to the authentication server. Check the expiration date carefully when you prepare the certificate.
  • For more information about the certificate management, consult with the authentication server administrator and manage it appropriately.
Note: When using an LDAP server or a Kerberos server as an authentication server, and combining it with an authorization server, use the same host for the authentication and authorization servers.

When a RADIUS server is used as an authentication server, two authentication servers (one primary and one secondary) can be specified, but only one authorization server can be specified.

If you use Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 as an authorization server, SSL communications might fail when DHE is used with the default settings. When you use any of these servers as the authorization server, configure the SSL communication settings in Device Manager - Storage Navigator to disable the cipher suites that use DHE for key exchange.

Connecting two authentication servers

Two authentication servers can be connected to a storage system. When the servers are connected, the server configurations must be the same, except for the IP address and the port.

If you search for a server using information registered in the SRV records in the DNS server, confirm that the following conditions are satisfied:

Note: For RADIUS servers, you cannot use the SRV records.
  • LDAP server conditions:

    • The environmental setting for the DNS server is completed at the LDAP server.
    • The host name, the port number, and the domain name of the LDAP server are registered in the DNS server.
  • Kerberos server conditions:

    • The host name, the port number, and the domain name of the Kerberos server are registered in the DNS server.

Because UDP/IP is used to access the RADIUS server, communications are not encrypted, including the negotiations between processes. To access the RADIUS server in a secure environment, encryption at the packet level, such as IPsec, is required.

If an LDAP server or Kerberos server is used as an authentication server and works with an authorization server, the authentication server and the authorization server must use the same host.

If you use RADIUS servers as authentication servers, you can connect two authentication servers (primary server and secondary server) and one authorization server.

If you use RADIUS servers as authentication servers with both a primary and a secondary server specified, and, prior to SVP microcode version 70-02-5x/00, you specified different authorization server domains for the primary and the secondary servers, then a server configuration operation in the Setup Server window on SVP microcode version 70-02-5x/00 or later enables only the authorization server with the domain specified for the primary server.

Connecting authentication and authorization servers

Before you can connect an authentication server and an authorization server, you must configure your network.

Before you begin

  • If you have not already done so, obtain a security administrator account with the View & Modify role.
  • Contact your server administrator for information about the values to be written in the LDAP, RADIUS, or Kerberos configuration file. If you use LDAP servers, the files of the LDAP servers must be certified; obtain certification.
  • Contact your network administrator for information about the network settings.
  • Give your service representative the IP address of the DNS server and ask that representative to configure the SVP.

Procedure

  1. Click Settings > Environmental Settings > View External Authentication Server Properties.

  2. Click Setup Server to open the Setup Server window.

  3. Select the type of the authentication server.

  4. Specify options to connect to the authentication server. If you use more than one authentication server or an authorization server, specify an option for each server.

  5. To test the connection, in the Server Configuration Test field, click Check.

  6. Click Finish.

  7. Enter a task name, and then click Apply.

  8. After you finish setting up the authentication and authorization servers and confirm that you can use the servers, save a copy of the configuration files for connecting the authentication server.

    Note: When the SVP High Reliability Kit is used, the settings are automatically linked to the standby SVP.

Naming a user group in Device Manager - Storage Navigator

When you create a user group in Device Manager - Storage Navigator, you name the group with the user's memberOf attribute value which is found in the Active Directory. Device Manager - Storage Navigator supports Active Directory nested groups.

After entering the user group name, verify that the user group name that you entered is registered in the authorization server.

Note: The domain name (DN) of the user group to be set in Active Directory must be between 1 and 250 characters. At most 20 user groups can be registered at one time.
Caution: If a user needs to use different user groups for different purposes, create local user accounts on Device Manager - Storage Navigator. Do not use the authorization server.
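The nested-group lookup and the limits in the note above, as an added Python example that is not part of the Hitachi documentation or product; the directory snapshot, the user and group DNs, and the function names are constructed for illustration:

```python
# Added example, not Hitachi's code: resolve a user's Active Directory groups
# through memberOf (nested groups included) and check the group names that will
# be entered in Device Manager - Storage Navigator against the limits above.

# Constructed directory snapshot: DN -> memberOf values. In a deployment these
# would come from LDAP searches against the authorization server.
DIRECTORY = {
    "CN=alice,CN=Users,DC=domain,DC=local": [
        "CN=StorageOperators,OU=Groups,DC=domain,DC=local",
    ],
    "CN=StorageOperators,OU=Groups,DC=domain,DC=local": [
        "CN=StorageAdmins,OU=Groups,DC=domain,DC=local",
    ],
    "CN=StorageAdmins,OU=Groups,DC=domain,DC=local": [
        # Nested back into StorageOperators: AD allows such cycles, so the walk must stop.
        "CN=StorageOperators,OU=Groups,DC=domain,DC=local",
    ],
    "CN=Auditors,OU=Groups,DC=domain,DC=local": [],
}

MAX_GROUP_DN_LENGTH = 250      # DN of a user group: 1 to 250 characters
MAX_GROUPS_PER_BATCH = 20      # groups that can be registered at one time


def _index(directory):
    """Lower-case DNs so comparisons are case-insensitive, as they are in AD."""
    return {dn.lower(): [m.lower() for m in members] for dn, members in directory.items()}


def effective_groups(user_dn, directory=DIRECTORY):
    """All group DNs (lower-cased) the user belongs to, directly or through nesting.
    Breadth-first walk over memberOf; the visited set makes cycles terminate."""
    index = _index(directory)
    seen, queue = set(), list(index.get(user_dn.lower(), []))
    while queue:
        group = queue.pop(0)
        if group in seen:
            continue
        seen.add(group)
        queue.extend(index.get(group, []))
    return seen


def validate_group_names(group_dns):
    """Problems with a batch of group names about to be created in Storage Navigator."""
    errors = []
    if len(group_dns) > MAX_GROUPS_PER_BATCH:
        errors.append(f"at most {MAX_GROUPS_PER_BATCH} user groups can be registered at one time")
    for dn in group_dns:
        if not 1 <= len(dn) <= MAX_GROUP_DN_LENGTH:
            errors.append(f"group DN must be 1 to {MAX_GROUP_DN_LENGTH} characters: {dn[:40]!r}")
    return errors


def unregistered_groups(group_dns, directory=DIRECTORY):
    """Group names entered in Storage Navigator that the authorization server does not know."""
    index = _index(directory)
    return [dn for dn in group_dns if dn.lower() not in index]
```

Run unregistered_groups over the names you plan to enter before creating the groups; an empty result is the verification the paragraph above asks for.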

Creating configuration files

Authentication servers and authorization servers must be configured using configuration files.

Configuration files can be created for LDAP, RADIUS, and Kerberos authentication protocols.

Creating an LDAP configuration file

You can use an LDAP server for authentication on your storage system.

To use an LDAP server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension are allowed.

auth.server.type=ldap
auth.server.name=<server_name>
auth.group.mapping=<value>
auth.ldap.<server_name>.<attribute>=<value>

A full example is shown here:

auth.server.type=ldap
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.ldap.PrimaryServer.protocol=ldaps
auth.ldap.PrimaryServer.host=ldaphost.domain.local
auth.ldap.PrimaryServer.port=636
auth.ldap.PrimaryServer.timeout=3
auth.ldap.PrimaryServer.attr=sAMAccountName
auth.ldap.PrimaryServer.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.searchpw=password
auth.ldap.PrimaryServer.basedn=CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.retry.interval=1
auth.ldap.PrimaryServer.retry.times=3
auth.ldap.PrimaryServer.domain.name=EXAMPLE.COM

The LDAP attributes are defined in the following table.

auth.server.type
    Description: Type of authentication server. Specify ldap.
    Required / Optional: Required
    Default value: None

auth.server.name
    Description: Name of the authentication server (referred to as <server_name>). When registering a primary and a secondary server, use a comma to separate the names. The name of the server, including the primary name, the secondary name, and the comma (1 byte), must be 64 bytes or less. The name can use all ASCII characters except for the following: \ / : , ; * ? " < > | $ % & ' ~
    Required / Optional: Required
    Default value: None

auth.group.mapping
    Description: Whether to work together with an authorization server:
      • true: Works together.
      • false: Does not work together.
    Required / Optional: Optional
    Default value: false

auth.ldap.<server_name>.protocol
    Description: LDAP protocol to use. Specify ldaps (LDAP over SSL/TLS). Do not specify starttls (StartTLS).
    Required / Optional: Required
    Default value: None

auth.ldap.<server_name>.host
    Description: Host name, IPv4 address, or IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets. To use StartTLS as the protocol, specify a host name. If this value is specified, auth.ldap.<server_name>.dns_lookup is ignored.
    Required / Optional: Optional [1]
    Default value: None

auth.ldap.<server_name>.port
    Description: Port number of the LDAP server. Must be between 1 and 65,535. [2]
    Required / Optional: Optional
    Default value: 389

auth.ldap.<server_name>.timeout
    Description: Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30. [2]
    Required / Optional: Required
    Default value: 10

auth.ldap.<server_name>.attr
    Description: Attribute name that identifies a user (such as a user ID).
      • Hierarchical model: An attribute name where the value that identifies a user is stored.
      • Flat model: An attribute name for a user entry's RDN.
    sAMAccountName is used for Active Directory.
    Required / Optional: Required
    Default value: None

auth.ldap.<server_name>.searchdn
    Description: DN of the user for searching. If omitted, [value_of_attr]=[Login_ID],[value_of_basedn] is used for bind authentication. [3]
    Required / Optional: Optional
    Default value: None

auth.ldap.<server_name>.searchpw
    Description: Password of the user for searching. Specify the same password that is registered in the LDAP server.
    Required / Optional: Required
    Default value: None

auth.ldap.<server_name>.basedn
    Description: BaseDN for searching for users to authenticate. [3]
      • Hierarchical model: DN of the hierarchy that includes all the targeted users for searching.
      • Flat model: DN of the hierarchy that is one level up from the targeted user for searching.
    Required / Optional: Required
    Default value: None

auth.ldap.<server_name>.retry.interval
    Description: Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. [2]
    Required / Optional: Optional
    Default value: 1

auth.ldap.<server_name>.retry.times
    Description: Number of retries when the connection to the LDAP server fails. Must be between 0 and 3. Zero means no retry. [2]
    Required / Optional: Optional
    Default value: 3

auth.ldap.<server_name>.domain.name
    Description: Domain name that the LDAP server manages.
    Required / Optional: Required
    Default value: None

auth.ldap.<server_name>.dns_lookup
    Description: Whether to search for the LDAP server with the information registered in the SRV records in the DNS server. Specify false (searches with the host name and port number). Do not specify true (searches with the information registered in the SRV records in the DNS server).
    Required / Optional: Optional
    Default value: false

Notes:

  1. This item can be omitted if true is specified for auth.ldap.<server_name>.dns_lookup.
  2. If the specified value is not valid, the default value is used.
  3. To use symbols such as + ; , < = and >, type a backslash (\) before each symbol. When using multiple symbols, each symbol must have a backslash before it. For example, to enter abc++ in the basedn or searchdn field, type abc\+\+.

    To enter \ , /, or ", type a backslash (\) followed by the ASCII code in hex for the character:

    • To enter a backslash (\), type \5c.
    • To enter a forward slash (/), type \2f.
    • To enter a quotation mark ("), type \22.
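A checker for the LDAP configuration file format and the notes above, added here as an example (not Hitachi's tooling). It parses the page's own full example (search password replaced by a placeholder), reports violations of the table's rules, applies the default-on-invalid behaviour of note 2 to the numeric attributes, and escapes DN values as note 3 describes; the function names are assumptions:

```python
# Added example, not Hitachi's code: check an LDAP configuration file against the table and notes above.
FORBIDDEN_NAME_CHARS = set('\\/:,;*?"<>|$%&\'~')   # not allowed in auth.server.name

# suffix -> (minimum, maximum, default); note 2: an invalid value means the default is used
NUMERIC_RULES = {
    "port": (1, 65535, 389),
    "timeout": (1, 30, 10),
    "retry.interval": (1, 5, 1),
    "retry.times": (0, 3, 3),
}
REQUIRED_PER_SERVER = ("protocol", "timeout", "attr", "searchpw", "basedn", "domain.name")

# The page's full example, with the search password replaced by a placeholder.
SAMPLE_CONFIG = """\
auth.server.type=ldap
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.ldap.PrimaryServer.protocol=ldaps
auth.ldap.PrimaryServer.host=ldaphost.domain.local
auth.ldap.PrimaryServer.port=636
auth.ldap.PrimaryServer.timeout=3
auth.ldap.PrimaryServer.attr=sAMAccountName
auth.ldap.PrimaryServer.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.searchpw=<search-user-password>
auth.ldap.PrimaryServer.basedn=CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.retry.interval=1
auth.ldap.PrimaryServer.retry.times=3
auth.ldap.PrimaryServer.domain.name=EXAMPLE.COM
"""


def parse_config(text):
    """Parse key=value lines into a dict. Only the first '=' splits key from
    value, so DN values such as CN=sample1,CN=Users,... stay intact."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        config[key.strip()] = value.strip()
    return config


def validate_ldap_config(config):
    """Return (errors, effective): rule violations found, and the numeric values
    the SVP would actually use after falling back to defaults (note 2)."""
    errors, effective = [], {}
    if config.get("auth.server.type") != "ldap":
        errors.append("auth.server.type must be ldap")
    names = config.get("auth.server.name", "")
    if not names:
        errors.append("auth.server.name is required")
    elif len(names.encode("utf-8")) > 64:   # primary,secondary including the comma
        errors.append("auth.server.name must be 64 bytes or less")
    bad = sorted(set(names.replace(",", "")) & FORBIDDEN_NAME_CHARS)
    if bad:
        errors.append(f"auth.server.name contains forbidden characters: {bad}")
    for name in filter(None, names.split(",")):
        prefix = f"auth.ldap.{name}."
        if config.get(prefix + "protocol") != "ldaps":
            errors.append(f"{prefix}protocol must be ldaps")
        dns_lookup = config.get(prefix + "dns_lookup", "false")
        if dns_lookup != "false":
            errors.append(f"{prefix}dns_lookup: only false is supported")
        host = config.get(prefix + "host", "")
        if not host and dns_lookup != "true":   # note 1
            errors.append(f"{prefix}host is required unless dns_lookup is true")
        if host.count(":") > 1 and not (host.startswith("[") and host.endswith("]")):
            errors.append(f"{prefix}host: an IPv6 address must be in square brackets")
        for suffix in REQUIRED_PER_SERVER:
            if not config.get(prefix + suffix):
                errors.append(f"{prefix}{suffix} is required")
        for suffix, (lo, hi, default) in NUMERIC_RULES.items():
            raw = config.get(prefix + suffix)
            in_range = raw is not None and raw.isdigit() and lo <= int(raw) <= hi
            effective[prefix + suffix] = int(raw) if in_range else default
    return errors, effective


def escape_dn_value(value):
    """Escape an RDN value for searchdn/basedn as note 3 requires: + ; , < = >
    get a backslash prefix; backslash, slash and double quote become \\5c, \\2f, \\22."""
    out = []
    for ch in value:
        if ch in "+;,<=>":
            out.append("\\" + ch)
        elif ch in '\\/"':
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)
```

Note that the silent fallback of note 2 means a typo such as timeout=99 does not fail the upload; the returned effective dict shows the value that will actually apply.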

Creating a RADIUS configuration file

You can use a RADIUS server for authentication on your storage system.

To use a RADIUS server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension is allowed. If an authorization server is not used, you do not need to define the items for it.

auth.server.type=radius
auth.server.name=server-name
auth.group.mapping=value
auth.radius.server-name.attribute=value
auth.group.domain-name.attribute=value

A full example is shown below:

auth.server.type=radius
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.radius.PrimaryServer.protocol=pap
auth.radius.PrimaryServer.host=xxx.xxx.xxx.xxx
auth.radius.PrimaryServer.port=1812
auth.radius.PrimaryServer.timeout=3
auth.radius.PrimaryServer.secret=secretword
auth.radius.PrimaryServer.retry.times=3
auth.radius.PrimaryServer.attr.NAS-Identifier=xxxxxxxx
auth.group.auth.radius.PrimaryServer.domain.name=radius.example.com
auth.group.auth.radius.PrimaryServer.domain.name.protocol=ldap
auth.group.auth.radius.PrimaryServer.domain.name.host=xxx.xxx.xxx.xxx
auth.group.auth.radius.PrimaryServer.domain.name.port=386
auth.group.auth.radius.PrimaryServer.domain.name.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.auth.radius.PrimaryServer.domain.name.searchpw=password
auth.ldap.PrimaryServer.basedn=CN=Users,DC=domain,DC=local

The attributes are defined in the following tables.

RADIUS definition (for authentication server)

auth.server.type
    Description: Type of authentication server. Specify radius.
    Required / Optional: Required
    Default value: None

auth.server.name
    Description: Name of the authentication server (referred to as server-name). When registering a primary and a secondary server, use a comma to separate the names. The name of the server, including the primary name, the secondary name, and the comma (1 byte), must be 64 bytes or less. The names can use all ASCII characters except for the following: \ / : , ; * ? " < > | $ % & ' ~
    Required / Optional: Required
    Default value: None

auth.group.mapping
    Description: Whether to work together with an authorization server:
      • true: Works together.
      • false: Does not work together.
    Required / Optional: Optional
    Default value: false

auth.radius.server-name.protocol
    Description: RADIUS protocol to use.
      • PAP: Password Authentication Protocol, which transmits the user ID and password in plaintext.
      • CHAP: Challenge-Handshake Authentication Protocol, which transmits the password in encrypted form.
    Required / Optional: Required
    Default value: None

auth.radius.server-name.host
    Description: Host name, IPv4 address, or IPv6 address of the RADIUS server. An IPv6 address must be enclosed in square brackets.
    Required / Optional: Required
    Default value: None

auth.radius.server-name.port
    Description: Port number of the RADIUS server. Must be between 1 and 65,535. [1]
    Required / Optional: Optional
    Default value: 1,812

auth.radius.server-name.timeout
    Description: Number of seconds before the connection to the RADIUS server times out. Must be between 1 and 30. [2]
    Required / Optional: Optional
    Default value: 10

auth.radius.server-name.secret
    Description: RADIUS secret key used for PAP or CHAP authentication.
    Required / Optional: Required
    Default value: None

auth.radius.server-name.retry.times
    Description: Number of retries when the connection to the RADIUS server fails. Must be between 0 and 3. 0 means no retry. [1]
    Required / Optional: Optional
    Default value: 3

auth.radius.server-name.attr.NAS-Identifier
    Description: Identifier that the RADIUS server uses to find the SVP. Specify this value if the attr.NAS-Identifier attribute is used in your RADIUS environment. ASCII strings up to 253 bytes long are accepted.
    Required / Optional: Optional [2]
    Default value: None

auth.radius.server-name.attr.NAS-IPv4-Address
    Description: IPv4 address of the SVP. Specify this value if the attr.NAS-Identifier attribute is used in your RADIUS environment. ASCII strings up to 253 bytes long are accepted.
    Required / Optional: Optional [2]
    Default value: None

auth.radius.server-name.attr.NAS-IPv6-Address
    Description: IPv6 address of the SVP. Specify the value of the NAS-IPv6-Address attribute. This value is transmitted to the RADIUS server when authentication is requested.
    Required / Optional: Optional [2]
    Default value: None

Notes:

  1. If the specified value is not applicable, the default value is used.

RADIUS definition (for authorization server)

auth.radius.server-name.domain.name
    Description: Domain name that the LDAP server manages (referred to as domain-name).
    Required / Optional: Required
    Default value: None

auth.radius.server-name.dns_lookup
    Description: Whether to search for the LDAP server with the information registered in the SRV records in the DNS server. Specify false (searches with the host name and port number). Do not specify true (searches with the information registered in the SRV records in the DNS server).
    Required / Optional: Optional
    Default value: false

auth.group.domain-name.protocol
    Description: LDAP protocol to use. Specify ldaps (LDAP over SSL/TLS). Do not specify starttls (StartTLS).
    Required / Optional: Required
    Default value: None

auth.group.domain-name.host
    Description: Host name, IPv4 address, or IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets ([ ]).
    Required / Optional: Optional [1]
    Default value: None

auth.group.domain-name.port
    Description: Port number of the LDAP server. Must be between 1 and 65,535. [2]
    Required / Optional: Optional
    Default value: 389

auth.group.domain-name.searchdn
    Description: DN of the user for searching.
    Required / Optional: Required
    Default value: None

auth.group.domain-name.searchpw
    Description: Password of the user for searching. Specify the same password that is registered in the LDAP server.
    Required / Optional: Required
    Default value: None

auth.group.domain-name.basedn
    Description: Base DN for searching for users to authenticate. Specify the DN of the hierarchy that includes all the users for searching, because the targeted users are in a lower hierarchy than the specified DN. [3]
    Required / Optional: Optional
    Default value: abbr

auth.group.domain-name.timeout
    Description: Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30.
    Required / Optional: Optional
    Default value: 10

auth.group.domain-name.retry.interval
    Description: Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. [2]
    Required / Optional: Optional
    Default value: 1

auth.group.domain-name.retry.times
    Description: Number of retries when the connection to the LDAP server fails. Must be between 0 and 3. 0 means no retry. [2]
    Required / Optional: Optional
    Default value: 3

Notes:

  1. This item can be omitted if true is specified for auth.radius.server-name.dns_lookup.
  2. If the specified value is not valid, the default value is used.
  3. To use symbols such as + ; , < = and >, type a backslash (\) before each symbol. When using multiple symbols, each symbol must have a backslash before it. For example, to enter abc++ in the basedn or searchdn field, type abc\+\+.

    To enter a backslash (\), forward slash (/), or quotation mark ("), type a backslash (\) followed by the ASCII code in hex:

    • To enter a backslash (\), type \5c.
    • To enter a forward slash (/), type \2f.
    • To enter a quotation mark ("), type \22.

Creating a Kerberos configuration file

You can use a Kerberos server for authentication on your storage system.

To use a Kerberos server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension are allowed. If an authorization server is not used, you do not need to define the items for it.

auth.server.type=kerberos
auth.group.mapping=<value>
auth.kerberos.<attribute>=<value>
auth.group.<realm name>.<attribute>=<value>

A full example is shown below:

auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=example.com
auth.kerberos.dns_lookup_kdc=true
auth.kerberos.clockskew=300
auth.kerberos.timeout=10
auth.group.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.example.com.searchpw=password
auth.ldap.PrimaryServer.basedn=CN=Users,DC=domain,DC=local

The Kerberos attributes are defined in the following table.

Kerberos definition (for authentication server)

auth.server.type
    Description: Type of authentication server. Specify kerberos.
    Required / Optional: Required
    Default value: None

auth.group.mapping
    Description: Whether to work together with an authorization server:
      • true: Works together.
      • false: Does not work together.
    Required / Optional: Optional
    Default value: false

auth.kerberos.default_realm
    Description: Default realm name.
    Required / Optional: Required
    Default value: None

auth.kerberos.dns_lookup.kdc
    Description: Whether to search for the Kerberos server with the information registered in the SRV records in the DNS server. Specify false (searches with the host name and port number). Do not specify true (searches with the information registered in the SRV records in the DNS server).
    Required / Optional: Optional
    Default value: false

auth.kerberos.clockskew
    Description: Acceptable difference in time between the SVP and the Kerberos server. Must be between 0 and 300 seconds. [1]
    Required / Optional: Optional
    Default value: 300

auth.kerberos.timeout
    Description: Number of seconds before the connection to the RADIUS server times out. Must be between 1 and 30. When 0 is specified, the connection does not time out until a communication error occurs. [1]
    Required / Optional: Optional
    Default value: 10

auth.kerberos.realm_name
    Description: Realm identifier name (referred to as <realm_name>). Any name that distinguishes the information of the Kerberos server in each realm. Duplicate names cannot be used. If you register multiple names, use a comma to separate the names.
    Required / Optional: Optional [2]
    Default value: None

auth.kerberos.<realm_name>.realm
    Description: Realm name set on the Kerberos server.
    Required / Optional: Optional [2]
    Default value: None

auth.kerberos.<realm_name>.kdc
    Description: Host name or IPv4 address, and port number, of the Kerberos server. Specify these in the format <Host name or IP address>[:Port number].
    Required / Optional: Optional [2]
    Default value: None

Notes:

  1. This item can be omitted if true is specified for auth.ldap.<server_name>.dns_lookup.
  2. If the specified value is not valid, the default value is used.
  3. To use symbols such as + ; , < = and >, type a backslash (\) before each symbol. When using multiple symbols, each symbol must have a backslash before it. For example, to enter abc++ in the basedn or searchdn field, type abc\+\+.

    To enter a backslash (\), forward slash (/), or quotation mark ("), type a backslash followed by the ASCII code in hex:

    • To enter a backslash (\), type \5c.
    • To enter a forward slash (/), type \2f.
    • To enter a quotation mark ("), type \22.
Kerberos definition (for authorization server)

auth.group.<realm_name>.protocol
    Description: LDAP protocol to use. Specify ldaps (LDAP over SSL/TLS). Do not specify starttls (StartTLS).
    Required / Optional: Required
    Default value: None

auth.group.<realm_name>.port
    Description: Port number of the LDAP server. Must be between 1 and 65,535. [1]
    Required / Optional: Optional
    Default value: 389

auth.group.<realm_name>.searchdn
    Description: DN of the user for searching. [2]
    Required / Optional: Required
    Default value: None

auth.group.<realm_name>.searchpw
    Description: Password of the user for searching. Specify the same password that is registered in the LDAP server.
    Required / Optional: Required
    Default value: None

auth.group.<realm_name>.basedn
    Description: BaseDN at which the search for users begins. Specify the DN of the hierarchy that includes all the users, because the targeted user for the search is in a lower hierarchy than the specified DN. [2]
    Required / Optional: Optional
    Default value: abbr

auth.group.<realm_name>.timeout
    Description: Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30 seconds. When 0 is specified, the connection does not time out until a communication error occurs. [1]
    Required / Optional: Optional
    Default value: 10

auth.group.<realm_name>.retry.interval
    Description: Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. [1]
    Required / Optional: Optional
    Default value: 1

auth.group.<realm_name>.retry.times
    Description: Number of retries when the connection to the LDAP server fails. Must be between 0 and 3. 0 means no retry. [1]
    Required / Optional: Optional
    Default value: 3

Notes:

  1. If the specified value is not valid, the default value is used.
  2. To use symbols such as + ; , < = and >, type a backslash (\) before each symbol. When using multiple symbols, each symbol must have a backslash before it. For example, to enter abc++ in the basedn or searchdn field, type abc\+\+.

    To enter a backslash (\), forward slash (/), or quotation mark ("), type a backslash followed by the ASCII code in hex:

    • To enter a backslash (\), type \5c.
    • To enter a forward slash (/), type \2f.
    • To enter a quotation mark ("), type \22.