FlashArray and FlashBlade: Configuration LDAP Integration for Array Management

[ NOTE: machine translation with the help of DeepL translator without additional proofreading and spell checking ]


FlashArray and FlashBlade can be managed entirely by Active Directory users. Via the LDAP interface (port 389), Active Directory can be connected to the Pure Storage flash systems (FlashArray and FlashBlade).

It is also possible to work with LDAPS (LDAP over SSL/TLS on port 636). Keep in mind that a simple bind over plain LDAP on port 389 sends the bind user's password to the domain controller unencrypted, and that domain controllers configured to require LDAP signing reject such binds; LDAPS on 636 is therefore preferable wherever the array trusts the domain controller's certificate.


What advantages does this offer me? Simple administration of storage access rights, and user-specific logging of logins and system changes - keyword: auditing.

ATTENTION: the flash system's management VIP (virtual IP address) must be able to reach the domain controllers. Check the networks involved and add routes if necessary. Communication on port 389 or 636 must also be permitted by any firewalls in between!


This blog and its screenshots were created on a Windows Server 2016 German and a FlashBlade with Purity 2.2.10.

Step 1: Preparing the ActiveDirectory


To keep the administration effort for later system adjustments low and to rule out problems in advance, it is worth investing a little time up front. The use of shared, generic administration/user accounts is not recommended!


Create LDAP function user


For the LDAP integration, a domain user with read permission on Active Directory is required.


For this purpose, we create a dedicated LDAP user named "ldap.lookup FunctionUser". By default, every new user is automatically a member of the "Domain Users" group, which is sufficient; do not add this account to any privileged group. To avoid the integration breaking on a password change, tick "User cannot change password" and "Password never expires" on the "Account" tab. Because the password never expires and is stored on the array, choose a long random one.



I went one step further and, for the purposes of this blog series, created a separate organizational unit "FunctionUsers". The LDAP function user is placed in this OU.



Note the created user's distinguished name (DN) and password for later.


Create AD user groups for role linking


To link the user roles predefined in Purity (static, i.e. currently not customizable), a total of four AD user groups are now created, one per role.


This was done with the following naming convention:

PureStorage-*HostnameFlashSystem*_*Purity-User-Role*

A name that is unique per flash system helps keep administrative rights separated between arrays.



Here too I went one step further and, for the purposes of this blog series, created a separate organizational unit "Groups". All four AD user groups are placed in this OU.
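The whole of Step 1 as a script, added here as an example and not part of the original post: it creates the two OUs, the bind user with the account options described above, and the four role groups with the PowerShell ActiveDirectory (RSAT) module. The array hostname "pfblog-fb01", the sAMAccountName "ldap.lookup" and the domain taken from Get-ADDomain are assumptions; the blog only gives the display name of the function user.

```powershell
# Added example (not from the original post): prepares the AD objects of Step 1.
# Assumptions: array hostname 'pfblog-fb01', sAMAccountName 'ldap.lookup',
# domain DN/DNS root read from the current domain.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName          # e.g. DC=PUREFLASH,DC=blog
$arrayName = 'pfblog-fb01'                      # assumed hostname of the FlashBlade

# OUs for the function user and the role groups
New-ADOrganizationalUnit -Name 'FunctionUsers' -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Groups'        -Path $domainDN -ProtectedFromAccidentalDeletion $true

# Bind user: plain "Domain Users" member, cannot change its password, password never expires.
# The password is stored on the array and never typed interactively again, so make it long and random.
$bindPassword = Read-Host -AsSecureString -Prompt 'Bind password for ldap.lookup FunctionUser'
New-ADUser -Name 'ldap.lookup FunctionUser' `
           -SamAccountName 'ldap.lookup' `
           -UserPrincipalName "ldap.lookup@$($domain.DNSRoot)" `
           -Path "OU=FunctionUsers,$domainDN" `
           -AccountPassword $bindPassword `
           -Enabled $true `
           -PasswordNeverExpires $true `
           -CannotChangePassword $true `
           -Description 'LDAP bind account for Pure Storage array management (read-only lookups)'

# One security group per Purity role: PureStorage-<hostname>_<role>
foreach ($role in 'readonly', 'storage_admin', 'array_admin', 'ops_admin') {
    New-ADGroup -Name "PureStorage-${arrayName}_$role" `
                -GroupScope Global -GroupCategory Security `
                -Path "OU=Groups,$domainDN" `
                -Description "Purity role '$role' on $arrayName"
}

# Sanity check: the bind user must only be in 'Domain Users', never in a privileged group
(Get-ADPrincipalGroupMembership -Identity 'ldap.lookup').Name

# Print the DN needed later for the "Bind User" field in Purity
(Get-ADUser -Identity 'ldap.lookup').DistinguishedName
```

Run this once on a domain controller or a management host with RSAT as a user allowed to create objects in the domain root. The last two lines give you the membership check and the exact DN to paste into Step 3.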


NOTE: the following step 2 can be skipped if the flash system has already been configured with the correct DNS settings. Verify that name resolution of the domain controllers works before continuing!


Step 2: Setup DNS settings


For the domain integration to work, the DNS settings must be correct.


In Purity, go to Settings > Network and adjust the settings if necessary.

ATTENTION: Take effects into account when making system adjustments in productive operation! If necessary, contact Pure Storage Support!


(as the test system is not property of PUREFLASH.blog and contains confidential data, the above screenshot had to be pixelated).


Step 3: Configure LDAP integration


In Purity, go to Settings > Users > tab: Array Management - select "Configuration".


"Service Name" - is an immutable/predefined field.


"Enabled" slider - with this slider the LDAP connection can simply be paused/disconnected. Of course, the associated functions (directory logins) are then no longer available, at least temporarily!

TIP: if you are unsure about the next entries, you can use the ADSI editor for help. This can be found on every domain controller or with installed Windows RSAT tools. The 3rd-party "ADExplorer" from Sysinternals is also a good alternative.


"URIs" - the LDAP URI of the domain controller is required for the connection. If it is not known, it can be found via the ADSI editor: open ADSI Edit > "Connect ..." > copy the path.

In our example "ldap://pfblog-dc01.pureflash.blog" (for LDAPS on port 636 use "ldaps://pfblog-dc01.pureflash.blog" instead).



"Base DN" - the starting point for the directory searches; in our example it is the organizational unit in which our PureStorage groups reside.

In our example "OU=Groups,DC=PUREFLASH,DC=blog".



"Bind User" - the full DN of the configured "ldap.lookup FunctionUser", which performs the AD lookups.

In our example "CN=ldap.lookup FunctionUser,OU=FunctionUsers,DC=PUREFLASH,DC=blog".



"Bind Password" - enter the password assigned to the bind user in Step 1.



Step 4: Link Purity Roles to AD Groups


Last but not least, the roles specified by Purity must now be linked to the AD groups created.


It is also possible to specify sub-organizational units that differ from the defined "Base DN", which allows even more granular setups with multiple flash systems. Here we keep the "Base DN" as defined before.


We enter the group name created for each function/role.



After entering the groups, clicking on "Save" automatically validates the connection.
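Before saving the values from Steps 3 and 4, it is worth verifying them from a Windows host with the same bind account and the same transport the array will use, so a failed "Save" can be traced to the directory rather than to the array. The following script is an added example and not part of the original post: it binds with the bind DN, confirms that the Base DN contains the four role groups, and reports which Purity role a given login user would receive. The array hostname "pfblog-fb01", the test user "jdoe" and the domain DN are assumptions; server, bind DN and Base DN are the blog's example values.

```powershell
# Added example (not from the original post): checks the LDAP values of Steps 3/4 from Windows.
# Assumptions: groups named for 'pfblog-fb01', a test login user 'jdoe', domain DN DC=PUREFLASH,DC=blog.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server   = 'pfblog-dc01.pureflash.blog'
$useTls   = $true                        # $true: LDAPS on 636 (recommended); $false: plain LDAP on 389
$bindDN   = 'CN=ldap.lookup FunctionUser,OU=FunctionUsers,DC=PUREFLASH,DC=blog'
$baseDN   = 'OU=Groups,DC=PUREFLASH,DC=blog'
$domainDN = 'DC=PUREFLASH,DC=blog'
$testUser = 'jdoe'                       # assumed sAMAccountName of a user to be mapped
$roles    = 'readonly', 'storage_admin', 'array_admin', 'ops_admin'

$cred = Get-Credential -UserName $bindDN -Message 'Password of the bind user'
$port = if ($useTls) { 636 } else { 389 }
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential(), 'Basic')
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.SecureSocketLayer = $useTls   # certificate must chain to a CA this host trusts
$conn.Bind()   # throws an LdapException with the DC's error text if DN or password is wrong
"Bind as $bindDN on port $port: OK"

# 1) Does the Base DN contain the four role groups?
$req   = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDN, '(objectClass=group)', 'Subtree', @('cn', 'member'))
$res   = $conn.SendRequest($req)
$found = @{}
foreach ($e in $res.Entries) { $found[$e.Attributes['cn'][0]] = @($e.Attributes['member'] | ForEach-Object { $_ }) }
foreach ($r in $roles) {
    $g = "PureStorage-pfblog-fb01_$r"
    if ($found.ContainsKey($g)) { "OK      $g ($($found[$g].Count) members)" } else { "MISSING $g under $baseDN" }
}

# 2) Which role would the test user get? Resolve the user DN, then check direct membership.
$ureq = New-Object System.DirectoryServices.Protocols.SearchRequest($domainDN, "(&(objectClass=user)(sAMAccountName=$testUser))", 'Subtree', @('distinguishedName'))
$ures = $conn.SendRequest($ureq)
if ($ures.Entries.Count -eq 0) {
    "User $testUser not found under $domainDN"
} else {
    $userDN = $ures.Entries[0].DistinguishedName
    $mapped = $roles | Where-Object { $found["PureStorage-pfblog-fb01_$_"] -contains $userDN }
    if ($mapped) { "$testUser would be mapped to role(s): $($mapped -join ', ')" } else { "$testUser is in none of the role groups" }
}
$conn.Dispose()
```

If the bind fails with the LDAPS setting, fix the certificate trust rather than falling back to port 389 in production. A user listed in more than one role group is worth noticing: keep each administrator in exactly one PureStorage group per array so the effective role is unambiguous.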


Excursus: Which function offers me which role? - In a nutshell


Role "readonly" - read-only permissions, cannot make any changes -> use: e.g. monitoring by a helpdesk employee.


Role "storage_admin" - rights of the "readonly" role plus storage operations such as file systems, snapshots, volumes, object store accounts and access keys. BUT: no global array/system configuration -> use: e.g. file server administrators who create SMB shares and edit share permissions.


Role "array_admin" - the "chief/head/global administrator", can perform all operations on the system.


Role "ops_admin" - no storage or configuration permissions; this role only exists to start and stop remote assistance sessions -> use: e.g. an employee who should enable remote access for Pure Storage in a support case.

INFO: after setting up the LDAP integration, the local Purity account, e.g. "pureuser", remains active. If there are problems with the LDAP integration, it can be used for troubleshooting, so keep its password in a safe place.


Really easy, as you are used to ... simple as always. THAT'S IT!

Step 5: Test login


After the appropriate AD group assignment, we can now log on to Purity directly with the Active Directory user, are assigned the role in the backend, and can perform the operations that role permits.



Troubleshooting


If, contrary to expectations, there are problems, go to Settings > Users and click the "Test" button (top right) to have Purity check the LDAP setup.


(as the test system is not property of PUREFLASH.blog and contains confidential data, the above screenshot had to be pixelated).

HINT+NOTE: changes to the AD group membership of users do NOT necessarily take effect immediately! The resolved permissions are cached. By default, Purity clears this cache automatically EVERY 8 hours.


An immediate cache clear can be forced from the CLI (SSH to the array) with the command "pureadmin refresh".


More info - Links


All officially published setting options, in the GUI as well as the CLI, can be read in the "on-board" user guides of the Pure Storage systems.


Click on "Help" in the Purity main menu.


The User Guide is structured like the main menu and can be expanded downwards. A search function is also integrated, so you can search for keywords there as well.

WEB: Pure Storage (Pure1) support portal - Ticket system and support *(requires registered FlashSystems)

PHONE: Pure Storage phone support: GER - (+49) (0)800 7239467; INTERNATIONAL - (+1) 650 7294088

WEB: Pure Storage community

WEB: Pure Storage OFFICIAL blog

The blog lives from your questions, wishes and suggestions...every comment is welcome. I am very grateful for feedback.
