Authentication Provider:Create Provider


Create Provider

POST /vdc/admin/authnproviders

Creates an authentication provider using the specified attributes. The submitted provider element values are validated. The minimal set of parameters is:

  • mode
  • server_urls
  • manager_dn
  • manager_password
  • domains
  • search_base
  • search_filter
  • group_attribute


Required Roles

  • SYSTEM_ADMIN


Request Payload

All parameters are required unless otherwise stated.

Field (Type) Description, followed by Valid Values where applicable
<authnprovider_create>
<server_urls> Valid LDAP or LDAPS URL strings.
<server_url> (String, 0-* elements)
Valid Values:
  •  Example: LDAP://10.10.10.145
  •  Example: LDAPS://10.10.10.145
</server_urls>
<domains> Active Directory domain names associated with this provider. If the server_url points to an Active Directory forest global catalog server, you may specify all or a subset of the forest's domains that this provider needs to interact with. For non-Active Directory servers, a domain is a logical abstraction for this server and may not correspond to a network name.
<domain> (String, 0-* elements)
Valid Values:
  •  Example: domain.com
</domains>
<group_whitelist_values> Names of the groups to be included when querying Active Directory for group membership information about a user or group. If the white list is set to a value, the provider will only receive group membership information about the groups matched by the value. If the white list is empty, all group membership information will be retrieved (blank == "*").
<group_whitelist_value> (String, 0-* elements)
Valid Values:
  •  The value accepts regular expressions.
  •  When empty, all groups are included implicitly.
  •  Example: *Users*
</group_whitelist_values>
<mode> (String) Type of provider: Active Directory (AD) or generic LDAPv3 (LDAP).
Valid Values:
  •  ad
  •  ldap
<name> (String) Name of the provider.
Valid Values:
  •  Any string.
  •  Provider names must be unique within a virtual data center.
  •  Length: 2..128
<description> (String) Description of the provider.
Valid Values:
  •  Any string.
<disable> (Boolean) Specifies if a provider is disabled or enabled. During provider creation or update, if disable is set to false, a basic connectivity test is performed against the LDAP/AD server. If disable is set to true, no validation is done and the provider is added/updated as long as the parameters are syntactically correct. During the operation of the system, a disabled provider exists but is not considered when authenticating principals.
Valid Values:
  •  true to disable
  •  false to enable
<manager_dn> (String) Distinguished Name for the bind user.
Valid Values:
  •  Example: CN=Administrator,CN=Users,DC=domain,DC=com
  •  Example: domain\Administrator
<manager_password> (String) Password for the manager DN "bind" user.
<search_base> (String) Search base from which the LDAP search starts when authenticating users. See also: search_scope.
Valid Values:
  •  Example: CN=Users,DC=domain,DC=com
<search_filter> (String) Key-value pair representing the search filter criteria.
Valid Values:
  •  %u or %U must be present on the right side of the equal sign (Example: filterKey=%u).
  •  %u stands for the whole username string as typed in by the user.
  •  %U stands for the username portion only of a string that contains the domain.
  •  Example: in user@company.com, %U is user and %u is user@company.com.
<search_scope> (String) In conjunction with the search_base, the search_scope indicates how many levels below the base the search can continue.
Valid Values:
  •  ONELEVEL = the search starts at the search_base location and continues up to one level deep
  •  SUBTREE = the search starts at the search_base location and continues through the entire tree
<group_attribute> (String) Attribute for group search. This is the attribute name used to represent group membership. Once set during creation of the provider, the value of this parameter cannot be changed.
Valid Values:
  •  Example: "CN"
<max_page_size> (Integer) Maximum number of results that the LDAP server will return on a single page.
Valid Values:
  •  If provided, the value must be greater than 0.
  •  The value cannot be higher than the max page size configured on the LDAP server.
<validate_certificates> (Boolean) Whether or not to validate certificates when LDAPS is used.
Valid Values:
  •  true
  •  false
</authnprovider_create>
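As an added example (not ECS product code), the client-side checks a provisioning script could apply to this payload before the POST: the minimal parameter set, the search_filter rule, the %u/%U substitution, and two settings that pass validation but weaken transport security (ldap:// and validate_certificates=false). Field names come from the table above; the function names and the dict representation of the payload are my own.

```python
import xml.etree.ElementTree as ET

# Minimal parameter set documented for POST /vdc/admin/authnproviders
REQUIRED = ("mode", "server_urls", "manager_dn", "manager_password",
            "domains", "search_base", "search_filter", "group_attribute")
# Container elements and the name of their repeated child element
LIST_FIELDS = {"server_urls": "server_url", "domains": "domain",
               "group_whitelist_values": "group_whitelist_value"}

def validate(p):
    """Return violations of the documented rules for payload dict p (empty list == OK)."""
    errs = [f"missing required field: {k}" for k in REQUIRED if not p.get(k)]
    if str(p.get("mode")).lower() not in ("ad", "ldap"):
        errs.append("mode must be 'ad' or 'ldap'")
    for url in p.get("server_urls", []):
        if not url.lower().startswith(("ldap://", "ldaps://")):
            errs.append(f"not an LDAP/LDAPS URL: {url}")
    _, sep, rhs = p.get("search_filter", "").partition("=")
    if not sep or ("%u" not in rhs and "%U" not in rhs):
        errs.append("search_filter needs %u or %U right of '=' (e.g. userPrincipalName=%u)")
    if p.get("search_scope") not in (None, "ONELEVEL", "SUBTREE"):
        errs.append("search_scope must be ONELEVEL or SUBTREE")
    if p.get("max_page_size", 1) <= 0:
        errs.append("max_page_size must be greater than 0")
    return errs

def hardening_warnings(p):
    """Settings that pass validation but expose the bind password or skip server authentication."""
    warns = [f"{u}: ldap:// sends the manager_password in cleartext, prefer ldaps://"
             for u in p.get("server_urls", []) if u.lower().startswith("ldap://")]
    if p.get("validate_certificates") is False:
        warns.append("validate_certificates=false: the LDAPS server certificate is not checked")
    return warns

def expand_filter(search_filter, typed):
    """Apply the documented substitution: %u is the whole typed string, %U the part before '@'."""
    return search_filter.replace("%u", typed).replace("%U", typed.split("@", 1)[0])

def build_payload(p):
    """Serialise the dict to the <authnprovider_create> XML body sent in the POST."""
    root = ET.Element("authnprovider_create")
    for key, value in p.items():
        el = ET.SubElement(root, key)
        if key in LIST_FIELDS:
            for item in value:
                ET.SubElement(el, LIST_FIELDS[key]).text = item
        else:  # booleans must serialise as the lowercase true/false the API documents
            el.text = str(value).lower() if isinstance(value, bool) else str(value)
    return ET.tostring(root, encoding="unicode")
```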

Response Body

Newly created provider details

Field (Type) Description, followed by Valid Values where applicable
<authnprovider>
<description> (String) Description of the provider.
<disable> (Boolean) Specifies if a provider is disabled or enabled. During the operation of the system, a disabled provider exists but is not considered when authenticating principals.
Valid Values:
  •  true = disabled
  •  false = enabled
<domains> Active Directory domain names associated with this provider. If the server_url points to an Active Directory forest global catalog server, each such element may be one of the many domains from the forest. For non-Active Directory servers, a domain is a logical abstraction for this server and may not correspond to a network name.
<domain> (String, 0-* elements)
Valid Values:
  •  Example: domain.com
</domains>
<group_attribute> (String) Attribute for group search. This is the attribute name used to represent group membership.
Valid Values:
  •  Example: "CN"
<group_whitelist_values>
<group_whitelist_value> (String, 0-* elements)
</group_whitelist_values>
<manager_dn> (String) Distinguished Name for the bind user.
Valid Values:
  •  Example: CN=Administrator,CN=Users,DC=domain,DC=com
  •  Example: domain\Administrator
<max_page_size> (Integer) Maximum number of results that the LDAP server will return on a single page.
Valid Values:
  •  The value must be greater than 0.
  •  The value cannot be higher than the max page size configured on the LDAP server.
<mode> (String) Type of provider: Active Directory (AD) or generic LDAPv3 (LDAP).
Valid Values:
  •  AD
  •  LDAP
<search_base> (String) Search base from which the LDAP search starts when authenticating users. See also: search_scope.
Valid Values:
  •  Example: CN=Users,DC=domain,DC=com
<search_filter> (String) Key-value pair representing the search filter criteria.
Valid Values:
  •  %u or %U must be present on the right side of the equal sign.
  •  %u stands for the whole username string as typed in by the user.
  •  %U stands for the username portion only of a string that contains the domain name (for example, in user@company.com, %U is user and %u is user@company.com).
<search_scope> (String) In conjunction with the search_base, the search_scope indicates how many levels below the base the search can continue.
Valid Values:
  •  ONELEVEL = the search starts at the search_base location and continues up to one level deep
  •  SUBTREE = the search starts at the search_base location and continues through the entire tree
<server_urls> Valid LDAP or LDAPS URL strings.
<server_url> (String, 0-* elements)
Valid Values:
  •  Example: ldap://10.10.10.145
  •  Example: ldaps://10.10.10.145
</server_urls>
<name> (String) Name assigned to this resource in ECS. The resource name is set by a user and can be changed at any time. It is not a unique identifier.
<id> (URI) Identifier that is generated by ECS when the resource is created. The resource Id is guaranteed to be unique and immutable across all virtual data centers for all time.
Valid Values:
  •  urn:storageos:resource-type:UUID:
<link> Hyperlink to the details for this resource.
<creation_time> (DateTime) Timestamp that shows when this resource was created in ECS.
Valid Values:
  •  YYYY-MM-DDTHH:mm:ssZ
<tags> Keywords and labels that can be added by a user to a resource to make it easy to find when doing a search.
<tag> (String, 0-* elements)
</tags>
<inactive> (Boolean) Indicates whether the resource is inactive. When a user removes a resource, the resource is put in this state before it is removed from the ECS database.
Valid Values:
  •  true
  •  false
<global> (Boolean) Indicates whether the resource is global.
Valid Values:
  •  true
  •  false
<remote> (Boolean) Indicates whether the resource is remote.
Valid Values:
  •  true
  •  false
<vdc>
<id> (URI) Id of the related object.
<link> Hyperlink to the related object.
</vdc>
<internal> (Boolean) Indicates whether the resource is an internal resource.
Valid Values:
  •  true
  •  false
</authnprovider>

Examples

Request
POST https://192.168.0.0:4443/vdc/admin/authnproviders HTTP/1.1

Content-Type: application/xml
X-SDS-AUTH-TOKEN: <AUTH_TOKEN>

<authnprovider_create>
  <name>ad configuration</name>
  <mode>ad</mode>
  <server_urls>
    <server_url>ldap://192.168.0.10</server_url>
  </server_urls>
  <domains>
    <domain>mycompany.com</domain>
  </domains>
  <group_whitelist_values>
    <group_whitelist_value>*Admin*</group_whitelist_value>
  </group_whitelist_values>
  <search_filter>userPrincipalName=%u</search_filter>
  <search_attribute_key>userPrincipalName</search_attribute_key>
  <search_base>CN=Users,DC=mycompany,DC=com</search_base>
  <manager_dn>CN=Administrator,CN=Users,DC=mycompany,DC=com</manager_dn>
  <manager_password>password</manager_password>
  <search_scope>SUBTREE</search_scope>
  <group_attribute>CN</group_attribute>
</authnprovider_create>
Response
HTTP/1.1 200 OK
Content-Type: application/xml

<authnprovider>
  <name>ad configuration</name>
  <id>urn:storageos:AuthnProvider:376238bf-dc31-43ee-850b-ef49a15f5c49:</id>
  <link rel="self" href="/vdc/admin/authnproviders/urn:storageos:AuthnProvider:376238bf-dc31-43ee-850b-ef49a15f5c49:"/>
  <inactive>false</inactive>
  <tags/>
  <mode>ad</mode>
  <domains>
    <domain>mycompany.com</domain>
  </domains>
  <disable>false</disable>
  <creation_time>1379087030417</creation_time>
  <search_filter>userPrincipalName=%u</search_filter>
  <search_base>CN=Users,DC=mycompany,DC=com</search_base>
  <search_attribute_key>userPrincipalName</search_attribute_key>
  <manager_dn>CN=Administrator,CN=Users,DC=mycompany,DC=com</manager_dn>
  <group_attribute>CN</group_attribute>
  <server_urls>
    <server_url>ldap://192.168.0.10</server_url>
  </server_urls>
  <group_whitelist_values>
    <group_whitelist_value>*Admin*</group_whitelist_value>
  </group_whitelist_values>
  <search_scope>SUBTREE</search_scope>
</authnprovider>