Veritas Access Solutions Guide for Software-Defined Storage (SDS) Management Platform
Authentication modules
The SDS Management Platform's security concept supports different directory services, and the authentication mechanism is associated with a role concept. This section describes the available authentication modules and gives best practices for their configuration.
An authentication module authenticates users against a specific directory service. The SDS Management Platform supports the following authentication modules:
These modules can be combined into an authentication chain. The SDS Management Platform evaluates the modules in the configured order until one module succeeds or all of them have failed. If one of the modules is not configured properly, it is ignored and the evaluation continues with the next module in the chain.
This authentication module lets you authenticate the local SDS Management Platform users. Within the authConfigOptions parameter, you can specify an optional local.domain value. When this value is set, users must specify it as the domain during authentication. The passwords of local users are hashed by default. The hashUserPasswords configuration setting can be used to change this default behavior.
This module lets you authenticate users against an LDAP server. The location of the server is configured with the authConfigOptions parameter. You can either use the Wizard or compile the configuration string manually.
| Parameter | Description |
| --- | --- |
| ldap.url | Specifies the LDAP server's URL, for example ldap://my.ldap.server:389. You cannot specify the LDAP endpoint using the IP address. You can specify the LDAP endpoint only by a fully qualified domain name. If you want to authenticate against an Active Directory where the users are in the global catalog, use port 3268. |
| ldap.domain (OPTIONAL) | Specifies the LDAP domain. If specified, only users with the exact domain are allowed. |
| ldap.admingroup (OPTIONAL) | Specifies the admin group (defaults to Administrators) within the domain. Can be used to specify other admin groups (for example, if localized names are in place). |
Example configuration string:
authConfigOptions=ldap.url\=ldap\://mt.company.corp\:389, ldap.domain\=my.company.corp, ldap.guestgroup\=LDAPGuests, ldap.admingroup\=LDAPAdmins:LDAPManagement, ldap.sesusergroup\=LDAPExternalUsers
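A pre-deployment check for a manually compiled configuration string, as an added example that is not Veritas code: it flags an ldap.url that uses an IP address instead of a fully qualified domain name, and keys that contain stray whitespace. It assumes the format visible in the example above (comma-separated entries with `\=` and `\:` escapes); the function names and sample strings are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines (hypothetical hosts), in the format of the page's example.
SAMPLE_OK = (r"authConfigOptions=ldap.url\=ldap\://my.ldap.server\:389, "
             r"ldap.domain\=my.company.corp, ldap.admingroup\=LDAPAdmins:LDAPManagement")
SAMPLE_BAD = (r"authConfigOptions=ldap.url\=ldap\://10.0.0.5\:389, "
              r"ldap.domain\ =my.company.corp")

FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_auth_config(line):
    """Split an authConfigOptions line into {key: value} (format is an assumption)."""
    name, _, raw = line.partition("=")
    if name.strip() != "authConfigOptions":
        raise ValueError("not an authConfigOptions line")
    options = {}
    for entry in raw.split(","):
        entry = re.sub(r"\\(.)", r"\1", entry.strip())  # drop properties-style escapes
        if not entry:
            continue
        key, sep, value = entry.partition("=")
        if not sep:
            raise ValueError(f"entry without '=': {entry!r}")
        options[key] = value.strip()  # key kept verbatim so stray spaces stay visible
    return options


def lint_ldap_options(options):
    """Return a list of findings; an empty list means the checks passed."""
    findings = [f"key {k!r} contains stray whitespace" for k in options if k != k.strip()]
    url = options.get("ldap.url")
    if not url:
        return findings + ["ldap.url is missing"]
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        findings.append(f"ldap.url host {host!r} is an IP address; use an FQDN")
    except ValueError:
        if not FQDN.match(host):
            findings.append(f"ldap.url host {host!r} is not a fully qualified domain name")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(lint_ldap_options(parse_auth_config(sample)))
```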
It is possible to customize the rights of user groups using the LDAP module. To use authentication, each LDAP group that is granted access must be mapped to an SDS Management Platform group. This mapping is a prerequisite for you to be able to log on to the system.