ViPR 2.1 - Add an authentication provider to EMC ViPR
A ViPR user must be found through an authentication provider added to ViPR before the user can log in and be assigned roles or ACLs. The only local users in ViPR are the special built-in administrative users (root, sysmonitor, svcuser, and proxyuser).
Before you begin
This operation requires the Security Administrator role in ViPR. (The root user has this role.)
You need access to the authentication provider information listed in Authentication provider settings. Note especially the requirements for the Manager DN user.
- Select .
- Enter values for the attributes. Refer to Authentication provider settings.
- To verify the configuration, add a user or group from the authentication provider at , then try to log in as the new user or as a member of the new group.
- Select and add the required domain group to the Authentication User Mapping of the Provider Tenant. This is required in order to prevent all domain users from being able to log in to ViPR using the Provider Tenant.
The decision to add a single authentication provider or multiple providers depends on the number of domains in the environment and on the location in the tree from which the manager user is able to search. An authentication provider has a single search_base from which searches are conducted, and a single manager account, which must have read access at the search_base level and below.
Use the one-authentication-provider-for-multiple-domains configuration if you are managing an Active Directory forest and both of these conditions are present: the manager account has privileges to search high enough in the tree to access all user entries, and the search is to be conducted throughout the whole forest from a single search base, not just across the domains listed in the provider. Otherwise, configure an authentication provider for each domain.
Note that even if you are dealing with a forest and you have the correct privileges, you might not want to manage all the domains with a single authentication provider. You would still use one authentication provider per domain when you need granularity and tight control on each domain, especially to set the search base starting point for the search. Since there is only one search base per configuration, it needs to include everything that is scoped in the configuration in order for the search to work.
The search base needs to be high enough in the directory structure of the forest for the search to correctly find all the users in the targeted domains.
- If the forest in the configuration contains ten domains but you target only three, do not use a single provider configuration, because the search will unnecessarily span the whole forest, and this may adversely affect performance. In this case, use three individual configurations.
- If the forest in the configuration contains ten domains and you want to target ten domains, a global configuration is a good choice, because there is less overhead to set up.
The following example creates an authentication provider for security.local.
- The port for the Global Catalog (central repository of domain information for the forest) in the server URL is 3268.
- The domains to be managed are the top domain, security.vipr.local, and the subdomains east.security.vipr.local, and west.security.vipr.local.
- The manager user on the Global Catalog has read access on the search base.
- The search base is high enough in the hierarchy that it encompasses the east and west subdomains. In this case, the common path between users.security.vipr.local, users.east.security.vipr.local, and users.west.security.vipr.local is security.vipr.local.
- The search scope parameter is set to Subtree.
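The search-base reasoning above (one provider when the common search base covers exactly the targeted domains, one provider per domain when it would also sweep in untargeted domains) can be checked before the provider is saved. The helper below is an added example, not EMC ViPR code; the domain names come from the page, and the function names and the Subtree-coverage rule are assumptions made for illustration.

```python
"""Derive and sanity-check the search base for a ViPR authentication provider."""

GLOBAL_CATALOG_PORT = 3268  # Global Catalog port named on the page


def domain_to_dn(domain: str) -> str:
    """'east.security.vipr.local' -> 'DC=east,DC=security,DC=vipr,DC=local'."""
    labels = domain.lower().strip(".").split(".")
    return ",".join(f"DC={label}" for label in labels)


def common_search_base(domains) -> str:
    """Lowest DN that is an ancestor of every target domain (the 'common path')."""
    # Compare label lists from the root (local, vipr, security, ...) downwards.
    reversed_labels = [d.lower().strip(".").split(".")[::-1] for d in domains]
    shared = []
    for level in zip(*reversed_labels):
        if len(set(level)) != 1:
            break
        shared.append(level[0])
    if not shared:
        raise ValueError("domains share no common suffix; use separate providers")
    return ",".join(f"DC={label}" for label in reversed(shared))


def base_covers(search_base: str, domain: str) -> bool:
    """True if the domain's DN is at or below search_base (Subtree scope)."""
    base = search_base.replace(" ", "").lower()
    dn = domain_to_dn(domain).lower()
    return dn == base or dn.endswith("," + base)


def plan_providers(forest_domains, target_domains):
    """Apply the page's guidance: ('single', base) when the common base of the
    targets pulls in no untargeted forest domains, else ('per-domain', bases)."""
    base = common_search_base(target_domains)
    in_scope = [d for d in forest_domains if base_covers(base, d)]
    untargeted = sorted(set(in_scope) - set(target_domains))
    if untargeted:  # the search would span domains you never meant to manage
        return "per-domain", [domain_to_dn(d) for d in target_domains]
    return "single", base


if __name__ == "__main__":
    forest = ["security.vipr.local", "east.security.vipr.local",
              "west.security.vipr.local"]
    print(plan_providers(forest, forest))
```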