User management and LDAP(S) setup in Prism Element and Prism Central.

30 March 2020

Out of the box, Prism Element (PE) and Prism Central (PC) deploy with a single local user configured, called ‘admin’. This is convenient for initial setup, but for security and auditing it is strongly recommended to configure and use other accounts.

For reference, User Management is covered in the Nutanix Security Guide.

One option is to create individual local accounts in Prism. This is done from Settings – Local User Management. Whether on PE or PC (up to the latest major release at the time of writing, AOS 5.16), the role options for local users are:

  • User Admin – allows the user to view information, perform any administrative task, and create or modify user accounts.
  • Cluster Admin – allows the user to view information and perform any administrative task, but does not allow control of user accounts.
  • Viewer – allows the user to view information only.

The UI shows checkbox options for Cluster Admin and User Admin. If User Admin is checked, Cluster Admin is automatically checked as well. If neither is checked, the user is configured as a Viewer.

Detailed information on user management is located in the Nutanix Security Guide User Management section.

You may prefer to configure LDAP or LDAPS authentication for Prism Element or Prism Central. This setup can be described in two basic steps: authentication configuration and role assignment.

To configure authentication, go to the Authentication page under Settings in Prism Element or Prism Central. For the full documentation see the section “Configuring Authentication” in the Security Guide. 

While additional options exist, such as using an identity provider, in this example I will be focusing on LDAP/LDAPS authentication.

You can add one or more authentication directories, either Active Directory or OpenLDAP. To add an authentication directory click on Directory List and then click the New Directory button. Most of the fields are self-explanatory, but the Directory URL field merits special attention.

Whether the connection uses plain LDAP or LDAPS is determined by the scheme and port you enter in this Directory URL field. For LDAP (without SSL) the URL should look like “ldap://ad_server.mycompany.com:389”; for LDAPS it should look like “ldaps://ad_server.mycompany.com:636”. Note that with a plain ldap:// URL the service account bind and the user lookups cross the network unencrypted, so ldaps:// is the preferred choice wherever the directory supports it. In some cases it is beneficial to use the global catalog port instead: substitute port 3268 for the global catalog via LDAP, or port 3269 for the global catalog via LDAPS. If you are experiencing long lookup times and your selected directory server has the global catalog role enabled, you may see improved lookup times by using the global catalog port.

One more note on configuring LDAPS. Due to enhanced security in later versions of OpenSSL, the LDAPS handshake negotiated by Prism includes SSL endpoint verification. This means that the LDAP server’s SSL certificate must include a Subject Alternative Name (SAN) that matches the host you provided in the Directory URL during the LDAPS setup. By default, this is often limited to the IP address of the LDAP server (Active Directory Domain Controller). Going a step further, if you are using a single URL to load-balance between multiple domain controllers, each of them would need an SSL certificate whose SAN reflects the load-balanced name you enter in the Directory URL field. For more details on this certificate requirement and the errors it produces, see the article ‘"Invalid service account details" error is thrown when configuring LDAP authentication in Prism Central’ (login required).
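To make the two points above concrete (the scheme/port pairing in the Directory URL, and the SAN requirement for LDAPS), here is a small pre-flight check you can run before saving the configuration in Prism. This is example code written for this post, not a Nutanix tool, and it does not talk to the directory at all: the SAN list it checks against is a constructed input, which in practice you would read from the directory server's certificate (for example from the output of `openssl s_client -connect ad_server.mycompany.com:636 -showcerts`).

```python
"""Pre-flight checks for a Prism 'Directory URL' before saving the LDAP(S) configuration.

Added example, not Nutanix code. Validates the scheme/port pairing described
in the post (ldap 389/3268, ldaps 636/3269) and checks that the host named in
the URL is covered by the directory server's certificate SANs. The SAN list is
a constructed input; obtain the real one from the server certificate.
"""
import ipaddress
from urllib.parse import urlsplit

# Port expectations from the post: plain LDAP vs LDAPS, per-domain vs global catalog.
EXPECTED_PORTS = {
    "ldap": {389: "LDAP", 3268: "LDAP global catalog"},
    "ldaps": {636: "LDAPS", 3269: "LDAPS global catalog"},
}


def parse_directory_url(url):
    """Return (scheme, host, port, description) or raise ValueError on a bad URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in EXPECTED_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    port = parts.port  # raises ValueError itself on a non-numeric port
    if port is None:
        # The post's examples always give the port explicitly; fall back to the default.
        port = 389 if scheme == "ldap" else 636
    description = EXPECTED_PORTS[scheme].get(port)
    if description is None:
        # The other scheme's port is the classic mistake (ldap://...:636).
        other = "ldaps" if scheme == "ldap" else "ldap"
        if port in EXPECTED_PORTS[other]:
            raise ValueError(
                f"port {port} is an {EXPECTED_PORTS[other][port]} port but scheme is {scheme}")
        description = f"{scheme.upper()} on non-standard port {port}"
    return scheme, parts.hostname, port, description


def _dns_matches(pattern, host):
    """RFC 6125-style match: case-insensitive, wildcard only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*' covers exactly one label and must not match a bare registrable domain.
    return len(p_labels) == len(h_labels) and len(h_labels) > 2 and p_labels[1:] == h_labels[1:]


def host_covered_by_sans(host, sans):
    """True if the URL host is named by some SAN entry.

    `sans` is a list of (type, value) tuples as printed from a certificate,
    e.g. [("DNS", "dc01.mycompany.com"), ("IP", "10.0.0.5")]. An IP address in
    the URL matches only an IP SAN; a DNS name matches only DNS SANs.
    """
    try:
        url_ip = ipaddress.ip_address(host)
    except ValueError:
        url_ip = None
    for san_type, value in sans:
        if url_ip is not None and san_type == "IP":
            try:
                if ipaddress.ip_address(value) == url_ip:
                    return True
            except ValueError:
                continue
        elif url_ip is None and san_type == "DNS" and _dns_matches(value, host):
            return True
    return False


def preflight(url, sans):
    """Run both checks; returns a list of human-readable problems (empty means OK)."""
    try:
        scheme, host, _port, _desc = parse_directory_url(url)
    except ValueError as exc:
        return [f"bad Directory URL: {exc}"]
    problems = []
    if scheme == "ldaps" and not host_covered_by_sans(host, sans):
        problems.append(
            f"certificate SANs {sans} do not cover {host!r}; Prism's LDAPS handshake "
            "verifies the endpoint name and will reject this directory")
    return problems


if __name__ == "__main__":
    # Constructed SANs for one domain controller: only its own name and IP.
    DC_SANS = [("DNS", "dc01.mycompany.com"), ("IP", "10.0.0.5")]
    for url in ["ldaps://dc01.mycompany.com:636",
                "ldaps://ldap.mycompany.com:3269",   # load-balanced name absent from the cert
                "ldap://dc01.mycompany.com:636"]:    # scheme/port mismatch
        print(url, "->", preflight(url, DC_SANS) or "OK")
```

The load-balanced case is the one that bites most often: the URL names `ldap.mycompany.com`, but each domain controller's certificate only names itself, so the handshake's endpoint check fails even though the service account credentials are correct.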

When entering the service account details you need to provide an account that is allowed to look up users and groups. It can be, but does not have to be, a domain administrator account; an account with read access to users and groups is all that is required. Authentication is tested when you attempt to save the configuration, and the save will fail if that authentication test does not succeed.

After you have configured authentication with a directory, it is time to associate users or groups with their needed roles.

On Prism Element, the role options available are the same as described above. Each role can be configured once for users and once for groups per directory, so for a single directory you would have at most six role configurations, each containing one or more users or groups.

On Prism Central, additional role-based access control (RBAC) options are available. User Admin, Cluster Admin, and Viewer are listed as Super Admin, Prism Admin, and Prism Viewer respectively. Additional built-in roles have been defined, and you can also build custom roles for users. The full detail of the permissions and roles available is beyond the scope of this post. For more detail on RBAC and role assignment in Prism Central, please see the section “Controlling User Access (RBAC)” in the Security Guide.
