Connecting the File Fabric to Active Directory
Storage Made Easy’s File Fabric can support a delegated authentication model in which users’ credentials are validated not by the File Fabric but by an external authentication system such as a SAML identity provider or Active Directory (AD). The File Fabric offers two ways to connect to Active Directory. One way is to communicate directly with the AD server using LDAP (Lightweight Directory Access Protocol). The other is to use a proxy program, Active Directory Proxy (AD Proxy), provided by Storage Made Easy. When the proxy program is used, the File Fabric speaks to the proxy and the proxy speaks to the AD server.
Allowing the File Fabric to connect directly to the AD server using LDAP requires that the AD server be visible to the File Fabric over a network. If both the File Fabric and the AD server are running behind the customer’s firewall, this arrangement doesn’t present any special security challenges. If, however, the File Fabric Appliance is running in a third-party data centre, as is the case for SME’s IaaS customers, then the AD server will have to be accessible to the File Fabric over the public internet. To secure this kind of connection, customers may choose to use either a firewall to filter traffic by IP address or a virtual private network (VPN) to provide a private network tunnel between the File Fabric Appliance and the AD server. Additionally, they will almost certainly want to use either TLS or LDAPS, both of which are supported by the File Fabric, to encrypt the traffic.
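As an added example (not Storage Made Easy code), the following stdlib-only Python probe opens an LDAPS session to an AD server with certificate and hostname verification enforced and performs one simple bind, so the direct-connection path can be checked end to end before the AD server is exposed beyond the firewall. The host name, CA file path and service-account DN passed to `ldaps_bind` are assumed placeholders.

```python
import socket
import ssl

def ldaps_context(ca_file=None):
    """TLS context that rejects unverified or hostname-mismatched AD certificates."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: the customer's CA bundle (assumed path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def _ber(tag, payload):
    """Minimal BER TLV encoder (definite lengths only)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def simple_bind_request(msg_id, dn, password):
    """LDAPv3 BindRequest (RFC 4511 section 4.2) with simple authentication; msg_id < 128."""
    bind = _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + _ber(0x80, password.encode()))
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + bind)

def _tlv(buf, pos):
    """Decode one TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(response):
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _tlv(response, 0)          # LDAPMessage SEQUENCE
    _, _, pos = _tlv(msg, 0)               # messageID
    _, bind_resp, _ = _tlv(msg, pos)       # BindResponse [APPLICATION 1]
    _, code, _ = _tlv(bind_resp, 0)        # ENUMERATED resultCode
    return int.from_bytes(code, "big")

def ldaps_bind(host, dn, password, ca_file=None, port=636, timeout=5):
    """Verified LDAPS session plus one simple bind; raises ssl.SSLError if the cert is untrusted."""
    ctx = ldaps_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(simple_bind_request(1, dn, password))
            return bind_result_code(tls.recv(4096))
```

Run it as `ldaps_bind("dc01.corp.example", "cn=svc-sme,dc=corp,dc=example", "secret", "ad-ca.pem")` with the customer's own values; an `ssl.SSLError` at the handshake means the AD certificate chain or hostname does not verify, which should be fixed rather than bypassed.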
When AD Proxy is used instead of a direct connection there is no need to expose the AD server over a network; only the proxy needs to be exposed. The proxy need not run on the AD host. Traffic between AD Proxy and the File Fabric Appliance is automatically encrypted using symmetric encryption keys.
Although both connectivity options - direct connection with LDAP and AD Proxy - allow SME to use AD for authentication, direct LDAP provides richer functionality than does AD Proxy. When a direct connection with LDAP is used, the mapping between users and their SME roles is updated automatically when the users’ AD group assignments change, and AD users can be auto-provisioned on SME. Neither of these features is available when AD Proxy is used. Also, the configuration for a direct LDAP connection includes provisions for AD high availability; the AD Proxy configuration does not.
Organisations that are implementing AD authentication with the File Fabric should weigh the simplicity of the AD Proxy’s network security model against the functional advantages of the direct LDAP connection when deciding which method of integration to pursue.