NetApp Knowledge Base

What are the prerequisites for Active Directory Remote Authentication with AIQUM?

Category:
active-iq-unified-manager
Specialty:
om
Applies to

Active IQ Unified Manager (AIQUM)

Answer

Prerequisites for enabling Active Directory (AD) remote authentication with AIQUM

  • The firewall must allow the ports listed below
    • These ports need to be open between the Unified Manager server and the AD domain controller that acts as the LDAP server
      • Port 389 (LDAP)
      • Port 636 (LDAPS, LDAP over TLS)
      • Port 445 (SMB)
      • Port 88 (Kerberos)
      • Port 53 (DNS)
      • If using a Global Catalog LDAP server
        • Port 3268 (Global Catalog LDAP)
        • Port 3269 (Global Catalog LDAPS)
      • If using a single FQDN for multiple authentication servers, the Subject Alternative Name (SAN) extension of the X.509 certificate must contain the hostname of each of the authentication servers.
    • The following commands can be run from the Unified Manager server to check that a port is open between it and the LDAP server
      • UM Windows Server
        • Use a PowerShell window; see Microsoft's Test-NetConnection documentation for details.
        • Command --> Test-NetConnection -ComputerName <ldap_server_name> -InformationLevel "Detailed" -Port 389
      • UM Linux Server
        • Use your preferred tool on Linux to test the ports between the two servers, for example nc (netcat)
        • Command from UM server --> nc -zvw10 <ldap_server_name_or_ip> <port>
          • Example --> nc -zvw10 192.168.0.1 389
          • -z scans without sending data, -v reports the result, -w10 gives up after 10 seconds; this checks TCP only, so UDP 53 (DNS) and UDP 88 (Kerberos) are not covered
  • A domain user or domain service account with the "password never expires" attribute should be used as the account Unified Manager binds to AD with, so that remote authentication does not stop working when the password expires
  • Domain groups for the users who need the different access roles in the Unified Manager server
  • The following commands can be run from the Windows CLI by a domain user to gather information about the Active Directory settings:
    • systeminfo <--- shows the logon domain controller and the domain name
    • gpresult /R <--- shows the base distinguished name (DN) of the domain user running the command and the domain groups that user belongs to
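The port checks above, expanded into one script: this is an added example written for this article, not code from the NetApp KB or the AIQUM product. It runs on the Unified Manager Linux server, tests every port in the list over TCP using bash's /dev/tcp (so it works even when nc is not installed), and pulls the certificate from the LDAPS port with openssl so the Subject Alternative Name list can be compared against the authentication server names. The server name ldap.example.com, the yes/no Global Catalog switch and the port labels are placeholders chosen for the example; DNS and Kerberos are exercised on TCP only.

```shell
#!/usr/bin/env bash
# Added example for this KB article, not NetApp/AIQUM code.
# Checks the firewall ports listed above from the Unified Manager Linux host
# and prints the LDAPS certificate SANs. Assumes bash (for /dev/tcp), the
# coreutils `timeout` command and `openssl` are installed; the server name
# used below is a placeholder.

# Port list from the article as "port/label" lines; the two Global Catalog
# ports are appended when the first argument is "yes".
required_ports() {
    use_gc="${1:-no}"
    printf '%s\n' 389/LDAP 636/LDAPS 445/SMB 88/Kerberos 53/DNS
    if [ "$use_gc" = "yes" ]; then
        printf '%s\n' 3268/GC-LDAP 3269/GC-LDAPS
    fi
}

# TCP connect test without nc: open a socket through bash's /dev/tcp and give
# up after $3 seconds (default 5). Returns 0 if the port accepted the
# connection, non-zero if it was refused, filtered or timed out.
# Caveat: TCP only, so UDP 53 (DNS) and UDP 88 (Kerberos) are not exercised.
check_port() {
    timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Test every required port against one server; prints one line per port and
# returns 0 only if all of them accepted a connection.
check_all_ports() {
    host="$1"; rc=0
    for entry in $(required_ports "${2:-no}"); do
        port="${entry%%/*}"; label="${entry#*/}"
        if check_port "$host" "$port"; then
            echo "OPEN     $host:$port ($label)"
        else
            echo "BLOCKED  $host:$port ($label)"
            rc=1
        fi
    done
    return "$rc"
}

# Fetch the certificate presented on the LDAPS port and print its Subject
# Alternative Names, so every DC hostname behind a shared FQDN can be
# confirmed to be present (the -ext option needs OpenSSL 1.1.1 or later).
ldaps_sans() {
    openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName
}

# Run directly as:  ./check_ad_ports.sh ldap.example.com yes
# (second argument "yes" adds the Global Catalog ports). When the script is
# sourced without arguments only the functions are defined.
if [ -n "${1:-}" ]; then
    check_all_ports "$1" "${2:-no}" && ldaps_sans "$1"
fi
```

A BLOCKED line for 636 or 3269 together with an empty output from ldaps_sans usually means the LDAPS ports are filtered rather than a certificate problem; when the ports are open but a hostname is missing from the printed SAN list, that is the certificate condition described in the list above.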
