Rubrik : Configure AD Authentication


Background

As an IT guy focusing on security for privileged accounts, you want a single source of authentication for user access to resources. Rubrik is a sensitive platform, since anyone with admin access to it can read or steal data from your enterprise. It makes sense to authenticate all access to that platform using LDAP or AD. Rubrik has you covered!

Authentication with Rubrik

Apart from local user accounts, Rubrik can also ask a third-party directory to validate credentials, and you can then manage RBAC.

This can be set up in the Users section of the Gear menu of the CDM, but first we need to create the relevant groups and accounts in AD. As a best practice, create two things prior to the configuration :

- First a service account to connect from Rubrik to your AD to perform the account checking
- Second, a Rubrik Admins group, where you place all your qualified users

Once these are created, we can create the LDAP entry in the Rubrik UI and add the Rubrik Admins group with the Admin role in the cluster. This makes every member of that group a Rubrik admin once logged in.

The Rubrik admin is just a simple AD user, nothing special here :


The same goes for the Rubrik Admins group: just make it a security group, which could be useful if you plan to share files with that group, just in case.



Put all required users in the members section of that group : 


Now we can jump into the Rubrik UI, go directly to the Users section under the gear menu, and click any of the available Add LDAP Server buttons :


This is where the settings always get tricky: you need to enter the right information, and this is always painful. I hope you will find this useful ;)

- So, for the Base DN, you don't need to enter anything. 
- The Bind DN is the username of the service account used to perform the LDAP query. In our case, this is the full path of the Rubrik admin/service account that's been created earlier. Be sure to enter the full path. Something like :  CN=Rubrik Service Account,OU=Users,DC=My,DC=AD,DC=com
- Password is no mystery :)


Next, we need to tell Rubrik which DC to authenticate against. One is the minimum; if you have others, enter them as well, either by IP or by name (as long as it is resolvable!). The port here is 636 (SSL).


On the left-hand side, there are User Settings and Group Setting, be sure to match these parameters : 

For user section : 

Search Filter : (&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
Username Attribute : sAMAccountName
Group Membership Attribute : memberOf

For group section : 

Search Filter : (objectCategory=group)
Group Membership Attribute : member
Max Level of group to query : you can ignore this

The above parameters can be found in the Rubrik documentation.
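
The user search filter above uses Active Directory's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to exclude accounts whose userAccountControl has bit 2 (account disabled) set. The Python snippet below is an added example, not part of the original post or of Rubrik: it evaluates that exact filter against constructed directory entries, with objectCategory simplified to its short name as an assumption.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD's LDAP_MATCHING_RULE_BIT_AND
USER_FILTER = ("(&(objectcategory=person)(objectclass=user)"
               "(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))")

def parse(f, i=0):
    """Parse the parenthesised filter starting at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":                      # boolean operator with sub-filters
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1           # skip the closing ')'
    end = f.index(")", i)                  # simple item: attr[:rule:]=value
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", f[i:end])
    if not m or m.group(2) not in (None, BIT_AND):
        raise ValueError(f"unsupported filter item: {f[i:end]}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND:                    # true when every bit of `value` is set
        return any((int(v) & int(value)) == int(value) for v in values)
    return any(v.lower() == value.lower() for v in values)

USER = ["top", "person", "organizationalPerson", "user"]

def entry(name, category, uac, extra=()):
    """Build one constructed sample entry (not real directory data)."""
    return {"samaccountname": [name], "objectcategory": [category],
            "objectclass": USER + list(extra), "useraccountcontrol": [str(uac)]}

ENTRIES = [entry("alice", "person", 512),               # enabled account
           entry("bob", "person", 514),                 # 512 | 2: disabled
           entry("carol", "person", 66048),             # enabled, no expiry
           entry("WS01$", "computer", 4096, ["computer"])]  # machine account

def allowed_logins(entries, ldap_filter=USER_FILTER):
    """Return the sAMAccountName of every entry the filter would return."""
    tree, _ = parse(ldap_filter)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]
```

The disabled account and the computer account never come back from the search: the first fails the negated bit test, the second fails objectcategory=person even though computer objects carry the user object class.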

The next screen is related to MFA (Multi-Factor Auth). We are not talking about that now. Once the entry has been created (this can take a while), go back to the user screen.

Click on the Assign Role button







Select the newly created AD as Directory (and not local). Start typing the name of the Admin group we created on the AD side; when it appears, select it.


Next, select the role you would like to give to the group, AdministratorRole in our case.


When done, we can see our Rubrik Admins group in the list of users.


At this stage, any member of the Rubrik Admins group on the AD side can log on to the Rubrik cluster with their AD credentials and will be granted the AdministratorRole.

If a member of that group leaves the company, you simply need to change her/his password in AD, disable the user account, or delete the user. Whichever you choose, she/he won't be able to access this cluster anymore. This is the beauty of central authentication.

Going further (API inside)

Ok, that was easy. For one cluster ! Now, imagine you have 2000 clusters to configure this way. Yeah, automation ;) The API will definitely help for such activities. There are two steps: first, create the AD entry; second, grant rights to a group.

There are 2 useful functions in my PHP framework for this : rkAddLDAP and rkAddAdminRoleLDAP. They can be used together in a very simple script of less than 30 active lines ...

<?php

// ====================================================
// Includes section
// ====================================================

// $clusterConnect is assumed to be defined by one of these includes
include_once "rkCredentials.php";
include_once "rkFramework.php";

// ====================================================
// Config section
// ====================================================

// AD group that will receive the admin role on the cluster
$admin="Rubrik Admins";

// My AD
$LDAP=array(
    "bindUserName" => "CN=Rubrik Service Account,OU=Users,DC=My,DC=AD,DC=com",
    "bindUserPassword" => "xxxxxxxxx", // placeholder, keep the real secret out of the script
    "authServer" => "192.168.1.10,192.168.1.11",
    "name" => "My AD"
);

// ====================================================
// Main entry point
// ====================================================

// Initiate timer
$dateFormat='H:i:s';
$startTime=time();

print("Creating LDAP auth source on cluster ...");

$ldapAdd=rkAddLDAP($clusterConnect,$LDAP);
if($ldapAdd=="TRUE")
{
    $endTime=time();
    $duration=$endTime-$startTime;
    // gmdate() keeps the elapsed time free of the local timezone offset
    $duration=gmdate($dateFormat,$duration);
    print("\n");
    print("New AD source (".rkColorOutput($LDAP["name"]).") ");
    print("added successfully on ".rkColorOutput($clusterConnect["ip"])." ");
    print("in ".rkColorOutput($duration)." (HH:MM:SS).\n");
}
else
{
    print(rkColorRed("ERROR! ")."\n");
    print("DEBUG => ".rkColorRed($ldapAdd->message).".\n");
    exit();
}

print("Adding user/group as cluster admin ...");

$return=rkAddAdminRoleLDAP($clusterConnect,$admin);
// Compare with ==, a single = would assign 200 and always report success
if($return==200) print(rkColorOutput($admin)." has been added as local admin.\n\n");
else print("Error!\n\n");

?>


It cannot be more straightforward ;)

I hope this helps !

