Having Active Directory integration certainly helps with organizing users in the various groups to control what actions can be performed on the FlashArray. The most complicated part of setting up Directory Service integration is on the Active Directory side. Once you have the below ingredients it very straight-forward.
Basic ingredients:
- 1 Active Directory (AD) Server
- 1 Organizational Unit (OU)
- 1 Organization Group (Global)
- 3 Security Groups
- 1 Array Admin Group — Full permissions.
- 1 Storage Admin Group — Perform storage tasks (add hosts, wwns/iqns, volumes)
- 1 Read Only Group — View permissions to focus on the Analysis tab use.
- 1 AD user account that has privileges to query (Eg. MSLABPureDSSync).
Each of the Active Directory Groups that need to be created can have any name you choose but obviously make sure that each of the groups can easily be identified as related to Pure Storage for easy management.
Active Directory Integration 101
Once all of the details have been gathered substiture them into the hashtable items of the $oDS PowerShell variable below and run the script. The script will setup the Directory Service configuration and at the end test that the Directory Services works.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
$FlashArray = New-PfaArray -EndPoint 1.1.1.1 -Credentials (Get-Credential) -IgnoreCertificateError $oDS = @{ LdapUri = "ldap://10.21.201.50" BaseDN = "DC=mslab,DC=purestorage,DC=com" GroupBase = "OU=PureStorageDirectoryServices" ArrayAdminGroup = "PureStorage_AdminGroup" StorageAdminGroup = "PureStorage_StorageAdminGroup" ReadOnlyGroup = "PureStorage_ReadOnlyGroup" BindUser = "Administrator" BindPassword = "***********" } # Note: A dialog or encrypted file can be used to capture the BindUser and BindPassword. Get-PfaDirectoryServiceConfiguration -Array $FlashArray Get-PfaDirectoryServiceGroups -Array $FlashArray Set-PfaDirectoryServiceArrayAdminGroup -Array $FlashArray -ArrayAdminGroup $oDS.ArrayAdminGroup Set-PfaDirectoryServiceGroupBase -Array $FlashArray -GroupBase $oDS.GroupBase Set-PfaDirectoryServiceReadOnlyGroup -Array $FlashArray -ReadOnlyGroup $oDS .ReadOnlyGroup Set-PfaDirectoryServiceStorageAdminGroup -Array $FlashArray -StorageAdminGroup $oDS.StorageAdminGroup Set-PfaDirectoryServiceConfiguration -Array $FlashArray -BaseDN $oDS.BaseDN -BindUser $oDS.BindUser -BindPassword $oDS.BindPassword -URI $DirectoryObj.LdapUri Test-PfaDirectoryService -Array $FlashArray | Format-Table -Autosize |
Below shows my environment after setting up the Directory Services.
Cheers,
Barkz
