4 Replies
- gaurav_dong (Level 3)
Hi,
You may want to refer to this article here:
Gaurav D.
- osvaldo_olmedo (Level 4)
Hi Gaurav,
Thanks for your reply. This note mentions how to enable LDAP when the cluster is in secure mode. The question is that my VCS configuration is not in secure mode. How can I enable LDAP in non-secure mode?
Best regards
Osvaldo
- gaurav_dong (Level 3)
Hi Osvaldo,
To use any other authentication methods, the cluster has to be running in secure mode.
One of the benefits of using a secure cluster:
Authentication of users through native OS-based domains, such as nis, nisplus, Active Directory, and so on
I did a little research but unfortunately I couldn't find any document that talks about non-secure and AD authentication.
Rg
Gaurav D
- mikebounds (Level 6)
Non-secure VCS means using VCS authentication, which is insecure as this is just encrypted passwords in the main.cf file. Secure VCS gives the option of using O/S authentication, which is more secure, so to use AD authentication you must use a secure cluster, but you do not need to use LDAP to use AD.
The way you would use AD authentication in a Solaris VCS 5.1 cluster was:
1. Install a Root broker (RB) on an external node
2. Install an authentication broker (AB) on a Windows node specifying RB created in 1 - this could be installed on the same node as RB in step 1
3. Configure Solaris cluster as Secure specifying RB created in step 1
4. Add AD users or groups to main.cf
5. When logging on to VCS using Java GUI or centralised Web GUI (this was SFM and VCSMC which is now replaced by VOM), specify AB specified in step 2, authentication type "nt" and enter the AD domain, AD user and password

I have done the above and it works fine, but it is a bit tricky: if the RB is a UNIX server, then step 2 is difficult, so it is better to have the RB as a Windows server, but a lot of customers ended up having multiple RBs, which didn't work that well as the RBs didn't trust each other without manually adding trusts. In 6.0, this has changed as now every node is an RB and I believe you have to set up trusts, and it looks as though creating trusts has been made easier.
So in 6.0 I THINK you need to:
1. Install an authentication broker (AB) on a Windows node if you don't have an AB already - this could be a Windows VCS cluster node or VOM if you have VOM installed on Windows
2. Configure Solaris cluster as Secure
3. Set up trust between Solaris cluster nodes and AB (looks like you need to run /opt/VRTS/install/installvcs -securitytrust - see VCS install guide)
4. Add AD users or groups to main.cf
5. When logging on to VCS using Java GUI or VOM, specify AB specified in step 2, authentication type "nt" and enter the AD domain, AD user and password.

For step 4 you can add users to VCS by adding names to the UserNames cluster attribute like "mike@ntdomain" (and add the user to the cluster or group Administrators or Operators attribute), but I would recommend using AD user groups (create an AD user group especially for users accessing VCS or use an appropriate existing AD group) and then add the AD user group to the cluster attribute or group attribute AdministratorGroups or OperatorGroups.
Mike
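
An added example, not part of the thread and not Veritas code: a small Python check that reads the cluster block of a main.cf and reports the two things Mike's reply turns on, whether the cluster is in secure mode (and so still keeps password hashes in main.cf) and whether individual domain users are listed where an AD group could be used. The sample main.cf blocks are constructed, and the block layout and the use of `SecureClus = 1` as the secure-mode marker are assumptions about a typical main.cf.

```python
import re

# Constructed main.cf cluster blocks (not from the thread); layout is assumed.
NON_SECURE = '''
cluster demo_clus (
    UserNames = { admin = "cDRpdxPmHpzS." }
    Administrators = { admin }
    )
'''
SECURE = '''
cluster demo_clus (
    SecureClus = 1
    Administrators = { "mike@ntdomain" }
    OperatorGroups = { "vcs_ops@ntdomain" }
    )
'''
ITEM = re.compile(r'"?([\w@.\\-]+)"?(?:\s*=\s*"?([^",}\s]*)"?)?')

def parse_cluster(text):
    """Return the attribute map of the first cluster block (name -> raw value)."""
    m = re.search(r'cluster\s+\S+\s*\((.*?)^\s*\)', text, re.S | re.M)
    if not m:
        raise ValueError("no cluster block found")
    return dict(re.findall(r'^\s*(\w+)\s*=\s*(\{.*?\}|\S+)\s*$', m.group(1), re.M))

def items(raw):
    """Split '{ a = "x", "b@dom" }' into {name: value}; value is '' if absent."""
    return dict(ITEM.findall(raw.strip("{} ")))

def audit(text):
    """Return (secure, findings) for one main.cf text."""
    attrs = parse_cluster(text)
    secure = attrs.get("SecureClus") == "1"
    findings = []
    if not secure:
        findings.append("not in secure mode: OS/AD authentication unavailable")
        hashed = sorted(u for u, pw in items(attrs.get("UserNames", "")).items() if pw)
        if hashed:
            findings.append("password hashes stored in main.cf for: " + ", ".join(hashed))
    for attr in ("Administrators", "Operators"):
        direct = sorted(u for u in items(attrs.get(attr, "")) if "@" in u)
        if direct:
            findings.append(f"{attr} names individual domain users: {', '.join(direct)}; "
                            f"consider {attr[:-1]}Groups")
    return secure, findings

if __name__ == "__main__":
    for label, cfg in (("non-secure", NON_SECURE), ("secure", SECURE)):
        print(label, audit(cfg))
```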