
How to integrate Active Directory users to an already configured VCS two node (non-secure) cluster

Created: 28 Jul 2013 | 4 comments

Hello colleagues,

I have the following situation:

An already configured two node VCS cluster (6.01 version) in Solaris 10 Sparc. We have installed the cluster in non-secure mode. The cluster has been working and the only configured user is the "admin" built-in account.

We have an Active Directory environment and we want to integrate its users to the VCS cluster. Is it possible to do that? Do we have to reconfigure the cluster in secure mode to do that? If yes, how to reconfigure an already configured cluster?

Thanks in advance and best regards

Osvaldo Olmedo



Hi Gaurav,

Thanks for your reply. This note mentions how to enable LDAP when the cluster is in secure mode. The question is that my VCS configuration is not in secure mode. How can I enable LDAP in non-secure mode?

Best regards

Osvaldo


Hi Osvaldo,

To use any other authentication methods the cluster has to be running in secure mode.

One of the benefits of using a secure cluster:

Authentication of users through native OS-based domains, such as nis, nisplus, Active Directory, and so on

I did a little research but unfortunately I couldn't find any document that talks about non-secure and AD authentication.

Rg

Gaurav D


Non-secure VCS means using VCS authentication, which is insecure as this is just encrypted passwords in the main.cf file. Secure VCS gives the option of using O/S authentication, which is more secure, so to use AD authentication you must use a secure cluster, but you do not need to use LDAP to use AD.

The way you would use AD authentication in a Solaris VCS 5.1 cluster was:

  1. Install Root broker (RB) on an external node
  2. Install an authentication broker (AB) on a Windows node specifying RB created in 1 - this could be installed on the same node as RB in step 1
  3. Configure Solaris cluster as Secure specifying RB created in step 1
  4. Add AD users or groups to main.cf
  5. When logging on to VCS using Java GUI or centralised Web GUI (this was SFM and VCSMC which is now replaced by VOM), specify AB specified in step 2, authentication type "nt" and enter the AD domain, AD user and password

I have done the above and it works fine, but it is a bit tricky, as if RB is a UNIX server then step 2 is difficult, so it is better to have RB as a Windows server; but a lot of customers ended up having multiple RBs, which didn't work that well as the RBs didn't trust each other without manually adding trusts. In 6.0 this has changed, as now every node is an RB and I believe you have to set up trusts, and it looks as though creating trusts has been made easier.

So in 6.0 I THINK you need to:

  1. Install an authentication broker (AB) on a Windows node if you don't have an AB already - this could be a Windows VCS cluster node or VOM if you have VOM installed on Windows
  2. Configure Solaris cluster as Secure
  3. Setup trust between Solaris cluster nodes and AB (looks like you need to run /opt/VRTS/install/installvcs -securitytrust - see VCS install guide)
  4. Add AD users or groups to main.cf
  5. When logging on to VCS using Java GUI or VOM, specify AB specified in step 2, authentication type "nt" and enter the AD domain, AD user and password.

For step 4 you can add users to VCS by adding names to the UserNames cluster attribute like "mike@ntdomain" (and add the user to the cluster or group Administrators or Operators attribute), but I would recommend using AD user groups (create an AD user group especially for users accessing VCS or use an appropriate existing AD group) and then add the AD user group to the cluster attribute or group attribute AdministratorGroups or OperatorGroups.

Mike

UK Symantec Consultant in VCS, GCO, SF, VVR, VxAT on Solaris, AIX, HP-ux, Linux & Windows

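One way to check what kind of principals a cluster's main.cf actually contains, as an added example that is not from this thread or from VCS itself: it reads the cluster block and separates VCS-native users whose (encrypted) password sits in main.cf, as in a non-secure cluster, from domain users and AD groups in AdministratorGroups/OperatorGroups. The two main.cf fragments are constructed; SecureClus is assumed to be the cluster attribute that marks secure mode, and every name and password value is made up.

```python
# Constructed main.cf fragments: attribute names as in VCS, all values made up.
NONSECURE_MAIN_CF = """\
cluster vcs_clus (
    UserNames = { admin = gNOgNInKOjOOmWOiNL }
    Administrators = { admin }
    )
"""

SECURE_MAIN_CF = """\
cluster vcs_clus (
    UserNames = { "mike@ntdomain" = "" }
    Administrators = { "mike@ntdomain" }
    AdministratorGroups = { "vcsadmins@ntdomain" }
    OperatorGroups = { "vcsops@ntdomain" }
    SecureClus = 1
    )
"""

def parse_cluster_block(main_cf):
    """Return {attribute: raw value} for the 'cluster <name> ( ... )' block."""
    attrs, inside = {}, False
    for line in main_cf.splitlines():
        s = line.strip()
        if s.startswith("cluster ") and s.endswith("("):
            inside = True
        elif inside and s == ")":
            return attrs
        elif inside and "=" in s:
            key, _, val = s.partition("=")
            attrs[key.strip()] = val.strip()
    raise ValueError("no complete cluster block found")

def entries(raw):
    """Split '{ a = x, "b@dom" = "" }' into {key: value}; bare keys get ''."""
    out = {}
    for part in raw.strip().strip("{}").split(","):
        if part.strip():
            key, _, val = part.partition("=")
            out[key.strip().strip('"')] = val.strip().strip('"')
    return out

def audit_cluster_auth(main_cf):
    """Classify principals and flag credentials that live in main.cf itself."""
    attrs = parse_cluster_block(main_cf)
    users = entries(attrs.get("UserNames", "{}"))
    return {
        "secure_mode": attrs.get("SecureClus") == "1",
        "domain_users": sorted(u for u in users if "@" in u),
        "passwords_in_main_cf": sorted(u for u, pw in users.items() if pw),
        "admin_groups": sorted(entries(attrs.get("AdministratorGroups", "{}"))),
        "operator_groups": sorted(entries(attrs.get("OperatorGroups", "{}"))),
    }
```

Run against a real main.cf, a non-empty `passwords_in_main_cf` list is the sign that the cluster still relies on VCS-native credentials rather than AD.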