To avoid using local admin accounts it is recommended to integrate RecoverPoint for Virtual Machines (RP4VMs) with AD/LDAP. RP4VMs supports Role Based Access Control (RBAC): you can create custom roles and assign them to an AD user or group. To do this you first need to set up LDAP integration. For simplicity this post uses the default passwords for the local RP4VM users; for security reasons the passwords of all local RP users should be changed once the system has been deployed.
- Connect over SSH to a vRPA in the cluster
- Enter username security-admin
- Enter the password for the above user (default password is security-admin)
- To configure LDAP integration enter config_ldap
- To enable Active Directory Support select option 1 and press Enter
- Select either LDAP or LDAPs
- Enter the primary LDAP server (in my example I use the AD domain as this will allow round robin across all DCs)
- Enter the primary LDAP server port
- Enter the secondary LDAP server (in my example I left this blank)
- Enter the secondary LDAP server port
- Enter the base distinguished name
- Enter the search base distinguished name
- Enter the bind distinguished name
- Enter the password for above AD bind account
- Enter a search time limit in seconds. Default is 30. Increase this in larger AD environments
Here is a screenshot of the entire sequence
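Before typing the values into config_ldap it is worth checking them from a workstation, particularly when the AD domain name is used as the LDAP server: round robin means the vRPA can land on any DC, so every DC must answer on the LDAPS port with a certificate that validates for that name. The following pre-flight script is an added example, not RecoverPoint code; the DNs, domain and host names in it are constructed, and it only checks what a certificate-validating client would see, since the post does not say how strictly RP4VMs validates the DC certificate.

```python
"""Pre-flight checks for the config_ldap inputs (added example, not Dell/RP4VMs code).
Assumes the AD domain name is the primary LDAP server and LDAPS (636) is used."""
import re
import socket
import ssl

# One RDN of a DN, e.g. "DC=corp" or "OU=Service Accounts" (escaped commas not handled).
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def validate_dn(dn: str) -> bool:
    """True if every comma-separated part of the DN looks like attr=value."""
    return bool(dn) and all(_RDN.match(p.strip()) for p in dn.split(","))


def search_base_within(search_base: str, base_dn: str) -> bool:
    """The search base must equal the base DN or be a subtree beneath it."""
    s = search_base.lower().replace(" ", "")
    b = base_dn.lower().replace(" ", "")
    return s == b or s.endswith("," + b)


def resolve_dcs(domain: str) -> list[str]:
    """All IPv4 addresses behind the domain name, i.e. every DC in the round robin."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(domain, 636, socket.AF_INET)})


def check_ldaps(ip: str, server_name: str, port: int = 636, timeout: float = 5.0) -> tuple:
    """TLS-connect to one DC and validate its certificate against the local trust
    store for server_name (the name the vRPA will be configured with)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                tls.getpeercert()
        return ip, "ok"
    except (OSError, ssl.SSLError) as exc:
        return ip, f"FAIL: {exc}"


def preflight(domain: str, base_dn: str, search_base: str, bind_dn: str) -> list[str]:
    """Return a list of findings; an empty list means the inputs look usable."""
    findings = []
    for label, dn in (("base", base_dn), ("search base", search_base), ("bind", bind_dn)):
        if not validate_dn(dn):
            findings.append(f"{label} DN malformed: {dn!r}")
    if not search_base_within(search_base, base_dn):
        findings.append("search base is outside the base DN")
    for ip in resolve_dcs(domain):
        _, status = check_ldaps(ip, domain)
        if status != "ok":
            findings.append(f"DC {ip}: {status}")
    return findings
```

A DC whose certificate does not carry the domain name in its subject alternative names will show up as a FAIL here even though LDAPS to the DC's own FQDN works, which is the failure mode to rule out before relying on the domain name for round robin.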
Once LDAP is configured you then need to create a custom role to assign to an AD user/group.
- Connect over SSH to a vRPA in the cluster
- Enter username security-admin
- Enter the password for the above user (default password is security-admin)
- To configure a custom role enter add_role
- Enter a name for the new role (e.g. RP4VM_Admins)
- Select the desired permissions from the available role permissions. Separate selections with a space
- Press Enter when done
Here is a screenshot of the process
Once the role is created you can then assign it to your AD user/group
- Connect over SSH to a vRPA in the cluster
- Enter username security-admin
- Enter the password for the above user (default password is security-admin)
- To add a user or group enter add_user (the same function is used to add users & groups)
- Select option to add either local user, LDAP user or LDAP group
- Enter the username/groupname (sAMAccountName format, e.g. the group I am using in this example is called RP4VM_Admins)
- Enter the role created previously (e.g. RP4VM_Admins)
- For the group name prompt I tried entering the group name in multiple formats, none of which were accepted, so I just hit Enter without an entry and it completed
- The RP4VM documentation is not clear on what the Group Name field is for but I tested to ensure only users from the desired group have access to the vRPA.
Here is a screenshot of the process