Add an authentication provider to EMC ViPR

Authentication providers

User authentication is done through an authentication provider added to ViPR.

This article applies to EMC ViPR 2.0.

A ViPR user must be found through an authentication provider added to ViPR before the user can log in, and be assigned roles or ACLs. The only local users in ViPR are the special built-in administrative users (root, sysmonitor, svcuser, and proxyuser).

Adding an authentication provider

You need to add at least one authentication provider to ViPR in order to perform operations using accounts other than the built-in administrative accounts.

Before you begin

This operation requires the Security Administrator role in ViPR. (The root user has this role.)

You need access to the authentication provider information listed in . Note especially the requirements for the Manager DN user.

Procedure

  1. In Administration mode select Security > Authentication Providers.
  2. Add.
  3. Enter values for the attributes. Refer to .
  4. Save.
  5. To verify the configuration, add a user from the authentication provider at Security > Role Assignments, then try to log in as the new user.

Authentication provider settings

You need to provide certain information when adding or editing an authentication provider.

Considerations when adding authentication providers

When you configure ViPR to work with Active Directory, you must decide whether to manage several domains in a single authentication provider, or to add separate authentication providers for each domain.

Whether to add one authentication provider or several depends on the number of domains in the environment and on the location in the tree from which the manager user is able to search. Each authentication provider has a single search_base from which searches are conducted, and a single manager account that must have read access at the search_base level and below.

Use one authentication provider for multiple domains if you are managing an Active Directory forest and these conditions are present: the manager account has privileges to search high enough in the tree to access all user entries, and the search will be conducted throughout the whole forest from a single search base, and not just the domains listed in the provider. Otherwise, configure an authentication provider for each domain.

Note that even if you are dealing with a forest and you have the correct privileges, you might not want to manage all the domains with a single authentication provider. You would still use one authentication provider per domain when you need granularity and tight control on each domain, especially to set the search base starting point for the search. Since there is only one search base per configuration, it needs to include everything that is scoped in the configuration in order for the search to work.

The search base needs to be high enough in the directory structure of the forest for the search to correctly find all the users in the targeted domains.

Example of one authentication provider per domain

In environments where the whole ViPR virtual data center integrates with a single domain, or with several individually-managed domains, use one domain per authentication provider.

The following example creates an authentication provider for security.local.

Example of one authentication provider managing multiple domains in a single forest

In this example, the environment includes a forest with one top domain and two subdomains. A single authentication provider manages all the domains.

In this example:
  • The port for the Global Catalog (central repository of domain information for the forest) in the server URL is 3268.
  • The domains to be managed are the top domain, security.vipr.local, and the subdomains east.security.vipr.local and west.security.vipr.local.
  • The manager user on the Global Catalog has read access on the search base.
  • The search base is high enough in the hierarchy that it encompasses the subpaths for the east and west subdomains. In this case, the common path between users.security.vipr.local, users.east.security.vipr.local, and users.west.security.vipr.local is security.vipr.local.
  • The search scope parameter is set to Subtree.
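
The "common path" reasoning in the list above can be checked before filling in the provider form. The following Python sketch is an added example, not EMC code: it derives the narrowest search base that still covers every targeted user container, and reports when no single base exists. The distinguished names are constructed from the domain names on this page, and the function names are hypothetical.

```python
# Added example (not EMC code). DNs are constructed from the page's domain names.

def split_dn(dn):
    """Split a DN into RDNs, leaf first, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
        escaped = (ch == "\\") and not escaped
    rdns.append(cur.strip())
    return [r for r in rdns if r]


def _key(rdn):
    """Case-insensitive comparison key (attribute, value) for one RDN."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()


def common_search_base(container_dns):
    """Deepest DN at or above every container, or None if the trees are disjoint."""
    paths = [split_dn(dn)[::-1] for dn in container_dns]  # root component first
    common = []
    for level in zip(*paths):
        if len({_key(r) for r in level}) != 1:
            break  # containers diverge below this point
        common.append(level[0])
    return ",".join(reversed(common)) or None


def domain_of(dn):
    """Dotted DNS name built from the DC components of a DN."""
    return ".".join(v for a, v in map(_key, split_dn(dn)) if a == "dc")


def recommend(container_dns):
    """One provider is only possible when a single search base covers all containers.
    The manager account must still have read access at that base and below."""
    base = common_search_base(container_dns)
    if base is None:
        return "one provider per domain", None
    return "single provider, search scope Subtree", base


if __name__ == "__main__":
    forest = ["CN=Users,DC=security,DC=vipr,DC=local",
              "CN=Users,DC=east,DC=security,DC=vipr,DC=local",
              "CN=Users,DC=west,DC=security,DC=vipr,DC=local"]
    print(recommend(forest), domain_of(common_search_base(forest)))
```

Choosing the deepest common base rather than the forest root keeps the manager account's required read access as narrow as the configuration allows.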