Ryan Matthews

Nimble OS 3.1 – Active Directory Integration

Blog Post created by Ryan Matthews Employee on Mar 1, 2016



Nimble is committed to improving security and accountability for Nimble OS. In the summer of 2014, with Nimble OS 2.1, we moved from a single administrative login to multiple administrative logins with role-based access control (Nimble OS 2.1, Part 8: Role-Based Access Control). A year later, in Nimble OS 2.3, we enhanced things again with the introduction of true Audit Logging (Nimble OS 2.3 – Audit Log), which allowed customers to better track which administrators were making which changes. Until today, however, all administrative users needed to be created and managed locally on the array, a challenge that was compounded for customers with multiple arrays. With the release of Nimble OS 3.1 we are announcing the capability to use Microsoft Active Directory (AD) to create and manage administrative users. This enhancement gives customers a single source of truth for administrative control across the entire organization, including Nimble Storage arrays.

 

Using the AD integration is really quite simple:


1. Use the local "admin" login on the array to join the Active Directory domain. The join is done under "Administration->Security->Microsoft Active Directory" and requires an AD user account with privileges to join the domain.


2. Create groups in AD for the user roles that you intend to use on the Nimble array (e.g. Nimble-PowerUser-Group, Nimble-Administrator-Group).

3. On the array, under "Administration->Security->Users and Groups", click "Add->Group" to create local groups that map array management roles (Administrator, PowerUser, Operator, Guest) to the AD groups created in step 2.
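Step 2 can be scripted on the AD side. The following is an added example, not part of the original post or of Nimble's tooling: it creates one security group per array role and then reports effective membership, since anyone in these groups gains array privileges. The OU path, the Global group scope and the Operator and Guest group names are assumptions.

```powershell
# Added example. Run from a host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical OU; replace with the OU that holds your privileged groups.
$GroupOu = 'OU=Storage Admins,DC=example,DC=com'

# Array role -> AD group. The first two names come from the post;
# the Operator and Guest names are assumed, following the same pattern.
$RoleGroups = [ordered]@{
    Administrator = 'Nimble-Administrator-Group'
    PowerUser     = 'Nimble-PowerUser-Group'
    Operator      = 'Nimble-Operator-Group'
    Guest         = 'Nimble-Guest-Group'
}

# Create each group only if it does not already exist (safe to re-run).
foreach ($role in $RoleGroups.Keys) {
    $name = $RoleGroups[$role]
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name `
            -GroupCategory Security -GroupScope Global -Path $GroupOu `
            -Description "Nimble array role: $role"
    }
}

# Effective membership, including members that arrive through nested groups.
$report = foreach ($role in $RoleGroups.Keys) {
    Get-ADGroupMember -Identity $RoleGroups[$role] -Recursive | ForEach-Object {
        [pscustomobject]@{
            Role        = $role
            Group       = $RoleGroups[$role]
            Member      = $_.SamAccountName
            ObjectClass = $_.objectClass
        }
    }
}
$report | Sort-Object Role, Member | Format-Table -AutoSize

# Accounts that sit in more than one role group. The post does not say
# which role applies in that case, so review these by hand.
$report | Group-Object Member | Where-Object Count -gt 1 |
    Select-Object Name, @{ n = 'Roles'; e = { $_.Group.Role -join ', ' } }
```

Re-running the two report sections on a schedule gives a simple record of who can administer the arrays through AD.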


Once configured, the array will check with AD at login time to confirm whether the user attempting to log in has provided a valid password. If the user successfully authenticates, the array checks whether they are a member of one of the mapped groups. If the user is in one of the mapped groups, they will be logged in with the privileges of the role associated with that group. With the exception of "admin", AD will be checked BEFORE any local accounts, ensuring that password and security policies can be enforced. Nimble's Audit Logging facility will track AD logins just the same as it tracks local logins.

This new capability will make it much easier to manage Nimble arrays in environments with lots of administrators and in environments with a large number of Nimble arrays, while simultaneously improving security compliance in the many environments that use AD as a single source of truth for authentication and authorization. We’re excited to ship Nimble OS 3.0 and deliver this new functionality to every customer that has ever bought a Nimble array. Let us know what you think.

 
