Purity version 6.8.7 brings one of most demanded feature - ability to join multiple Active Directories or use multiple LDAP servers to authenticate clients.
File support on FlashArray gets another high demanded feature. With version 6.8.7, purity introduces a concept of Server, which connects exports and directory services and all other necessary objects, which are required for this setup, namely DNS configuration and networking.
From this version onwards, all directory exports are associated with exactly one server.
To recap, server has (associations) to following objects:
- DNS
- Active Directory / Directory Service (LDAP)
- Directory Export
- Local Directory Service
Local Directory Service is another new entity introduced in version 6.8.7 and it represents a container for Local Users and Groups. Each server has it's own Local Directory Service (LDS) assigned to it and LDS also has a domain name, which means "domain" is no longer hardcoded name of a local domain, but it's user-configurable option.
All of these statements do imply lots of changes in user experience. Fortunately, commonly this is about adding a reference or possibility to link a server and our GUI contains newly Server management page, including Server details page, which puts everything together and makes a Server configuration easy to understand, validate and modify.
One question which you might be asking right now is - can I use File services without Servers?
The answer is - no, not really. But don't be alarmed. Significant effort has been made to keep all commands and flows backwards compatible, so unless some script is parsing exact output and needs to be aligned because there is a new "Server" column added, there should be any need for changing those. How did we managed to do that? Special Server called _array_server has been created and if your configuration has anything file related, it will be migrated during upgrade.
Let me also offer a taste of how the configuration could look like once the array is updated to the latest version
List of Servers
# pureserver list
Name Dns Directory Services Local Directory Service Created
_array_server management - domain 2025-06-09 01:00:26 MDT
prod prod - prod 2025-06-09 01:38:14 MDT
staging management stage staging 2025-06-09 01:38:12 MDT
testing management testing testing 2025-06-09 01:38:11 MDTList of Active Directory accounts
Since we can join multiple AD servers, we now can have multiple AD accounts, up to one per server
# puread account list
Name Domain Computer Name TLS Source
ad-array <redacted>.local ad-array required -
prod::ad-prod <redacted>.local ad-prod required -ad-array is a configuration for the _array_server and for backwards compatibility reasons, the prefix of the server name hasn't been added. The prefix is there for account connected to server prod (and to any other server).
List of Directory Services (LDAP)
Directory services got also slightly reworked, since before 6.8.7 there were only two configurations, management and data. Obviously, that's not enough for more than one server (management is reserved for array management access and can't be used for File services).
After 6.8.7 release, it's possible to completely manage Directory Service configurations and linking them to individual servers.
# pureserver list
Name Dns Directory Services Local Directory Service Created
_array_server management - domain 2025-06-09 01:00:26 MDT
prod prod - prod 2025-06-09 01:38:14 MDT
staging management stage staging 2025-06-09 01:38:12 MDT
testing management testing testing 2025-06-09 01:38:11 MDTPlease note that these objects are intentionally not enabled / not configured.
List of Directory exports
# puredir export list
Name Export Name Server Directory Path Policy Type Enabled
prod::smb::accounting accounting prod prodpod::accounting:root / prodpod::smb-simple smb True
prod::smb::engineering engineering prod prodpod::engineering:root / prodpod::smb-simple smb True
prod::smb::sales sales prod prodpod::sales:root / prodpod::smb-simple smb True
prod::smb::shipping shipping prod prodpod::shipping:root / prodpod::smb-simple smb True
staging::smb::accounting accounting staging stagingpod::accounting:root / stagingpod::smb-simple smb True
staging::smb::engineering engineering staging stagingpod::engineering:root / stagingpod::smb-simple smb True
staging::smb::sales sales staging stagingpod::sales:root / stagingpod::smb-simple smb True
staging::smb::shipping shipping staging stagingpod::shipping:root / stagingpod::smb-simple smb True
testing::smb::accounting accounting testing testpod::accounting:root / testpod::smb-simple smb True
testing::smb::engineering engineering testing testpod::engineering:root / testpod::smb-simple smb True
testing::smb::sales sales testing testpod::sales:root / testpod::smb-simple smb True
testing::smb::shipping shipping testing testpod::shipping:root / testpod::smb-simple smb TrueThe notable change here is that the Export Name and Name has slightly different meaning. Pre-6.8.7 version used the Export Name as a unique identifier, since we had single (implicit, now explicit) server, which naturally created a scope. Now, the Export Name can be the same as long as it's unique in scope of a single server, as seen in this example.
The Name is different and provides array-unique export identifier. It is a combination of server name, protocol name and the export name.
List of Network file interfaces
# purenetwork eth list --service file
Name Enabled Type Subnet Address Mask Gateway MTU MAC Speed Services Subinterfaces Servers
array False vif - - - - 1500 56:e0:c2:c6:f2:1a 0.00 b/s file - _array_server
prod False vif - - - - 1500 de:af:0e:80:bc:76 0.00 b/s file - prod
staging False vif - - - - 1500 f2:95:53:3d:0a:0a 0.00 b/s file - staging
testing False vif - - - - 1500 7e:c3:89:94:8d:5d 0.00 b/s file - testingAs seen above, File network VIFs now are referencing specific server. (this list is particularly artificial, since neither of them is properly configured nor enabled, anyway the main message is that File VIF now "points" to a specific server).
Local Directory Services
Local Directory Service (LDS) is a newly introduced container for Local Users and Groups.
# pureds local ds list
Name Domain
domain domain
testing testing
staging staging.mycorp
prod prod.mycorpAs already mentioned, all local users and groups now has to belong to a LDS, which means management of those also contains that information
# pureds local user list
Name Local Directory Service Built In Enabled Primary Group Uid
Administrator domain True True Administrators 0
Guest domain True False Guests 65534
Administrator prod True True Administrators 0
Guest prod True False Guests 65534
Administrator staging True True Administrators 0
Guest staging True False Guests 65534
Administrator testing True True Administrators 0
Guest testing True False Guests 65534
# pureds local group list
Name Local Directory Service Built In Gid
Audit Operators domain True 65536
Administrators domain True 0
Guests domain True 65534
Backup Operators domain True 65535
Audit Operators prod True 65536
Administrators prod True 0
Guests prod True 65534
Backup Operators prod True 65535
Audit Operators staging True 65536
Administrators staging True 0
Guests staging True 65534
Backup Operators staging True 65535
Audit Operators testing True 65536
Administrators testing True 0
Guests testing True 65534
Backup Operators testing True 65535Conclusion
I did show how the FA configuration might look like, without providing much details about the actual way how to configure or test these configs, anyway, this article should provide a good overview about what to expect from 6.8.7 version.
There is plenty of information about this particular aspect of the release in the updated product documentation.
Please let me know if there is any demand to deep-dive into any aspect of this feature.
