Prerequisites

Directory Services on FlashArray

Audience
Public
Product
FlashArray > FlashArray Directory Services
FlashArray
FlashArray > Purity//FA
Source Type
Documentation

Requirements

  • The FlashArray must be of a Purity version that supports Directory Services (3.2.0+).
  • The FlashArray must be able to see the Windows domain controller(s).

Constraints

  • "Security Groups" must be used with your Directory Services configuration. Note: "There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources. (For more information, see this TechNet article on Group Types).
  • Groups must have a common name (CN). Don't use an OU as a group. OUs don't set memberOf attributes, which are used to restrict FlashArray access.
  • Making someone's group their "Primary Group" in AD will also remove the memberOf attribute. Therefore the feature will not work if the configured group in Directory Services is a user's Primary Group. (This is not default and can usually be ignored).
  • All designated Pure Groups must exist within the same OU.
  • sAMAccountNames must not be a local linux user of the Pure FlashArray. These include:

    ['root', 'daemon', 'bin', 'sys', 'sync', 'games', 'man', 'lp', 'mail', 'news', 'uucp', 'proxy', 'www-data', 'backup', 'list', 'irc', 'gnats', 'nobody', 'libuuid', 'syslog', 'mysql', 'messagebus', 'avahi', 'postfix', 'sshd', 'snmp', 'ntp', 'os76', 'pureuser', pureeng, pureadmin]

  • All Windows Domain Controller "URIs" (addresses) that you specify in the config must be in the same domain, and be either parent or child domain, not both. Purity currently supports only a single domain, though up to 30 domain controllers can be defined.
  • All Domain Controller URIs must either be ldaps or ldap, no mixing is supported.
  • Bind User account and all intended AD login users must all be under the same exact domain as the domain specified for the BaseDN and URI (see below).
  • The Bind User must not have “Read Member Of” denied.
  • User must NOT be a member of the standard "Protected Users Security Group" (see https://docs.microsoft.com/en-us/win...security-group).