Subscribe

Can DFM 3.8 Operations Manager, installed on Linux, Authenticate with Active Directory - not LDAP?

We want to move to an AD Environ. for our Unix / Linux servers, using Winbind. Most servers are cut over but when we stopped our primary LDAP server the DFM server/App stopped working.

Can we configure Active Directory as a substitute?

Re: Can DFM 3.8 Operations Manager, installed on Linux, Authenticate with Active Directory - not LDAP?

This should be possible using PAM and pam_winbind (http://samba.org/samba/docs/man/manpages-3/pam_winbind.8.html). I believe some users have also had success with Vintela (http://www.quest.com/authentication-services/).

Re: Can DFM 3.8 Operations Manager, installed on Linux, Authenticate with Active Directory - not LDAP?

Thanks Hiyer - but we are pretty good with winbind already - We even set up our AIX servers to use winbind and ssh to AUTH against AD - but In DFM, "Setup -->Options -->LDAP " config - can we put in our Windows AD info? Even though the host server for dfm is Linux?

Re: Can DFM 3.8 Operations Manager, installed on Linux, Authenticate with Active Directory - not LDAP?

Yes you can point OM to A/D and use the LDAP extensions in A/D.

Personally I have not run this in production but have tested it extensively in a lab environment with RHEL 5.4, OM 3.8.1 and a A/D domain running a mix of W2K8 and W2K3 Domain Controllers.

Here are the configuration options you would need to set in OM.  Please read to the end of this post and review the caveats:

  1. Define LDAP servers (Domain Controllers) -> dfm ldap add –P <default-port> <address>
  2. Define LDAP options to communicate with A/D:
    1. dfm ldap template netscape
    2. dfm options set ldapBaseDN = dc=mydomain,dc=myforest,dc=myroot (replace with the conanical name of your domain)
    3. dfm options set ldapBindDN = cn=ldaplkup,ou=myou,dc=mydomain,dc=myforest,dc=myroot  (ldaplkup is an account in A/D that OM will use to establish a secure channel with the DC - you can pick your own account name)
    4. dfm options set ldapBindPass = ************** (set this option to the password of your account in the previous step)
    5. dfm options set ldapGID=memberOf
    6. dfm options set ldapMember=member
    7. dfm options set ldapUGID=CN
    8. dfm options set ldapUID=cn
    9. dfm options set ldapVersion=3
    10. dfm options set ldapEnabled=Yes
  3. If you already have an existing version of OM running on Windows your are going to have to update all your user info in OM from the Window SAM account format (domain\ID) to the canonical format to get it to work.  If this is a fresh install the users will automatically be created in the canonical format.
  4. You can test authentication using with the following command:
    1. dfm ldap test <id> <passwd>

Caveats

  1. You are hard coding LDAP server (Domain Controller) addresses into OM.   This means if Domain Controllers change IPs etc in your environment you are going to require a process by which you will need to be informed of this change and update the settings on your OM server.  This is not a problem on Windows because the native O/S supports the calls into A/D to update the list of available DCs ( I forget the name of the API call but you get the idea I hope)

Hope this helps.

Richard

Re: Can DFM 3.8 Operations Manager, installed on Linux, Authenticate with Active Directory - not LDAP?

richard -great detail -THANKS - i am getting some great feedback on this topic. ( I noticed you may have done a little hack to get OM running on RHEL 5.4 -I did the same!! )

I guess I need to know more about the interaction between DFM ( OM ), on a LINUX host, and its internal LDAP settings;

ie.

Why do we configure LDAP communication with in DFM (installed on LINUX)?

If we turn off the LDAP setting in DFM what will happen?

BTW - We have a small ENV of FOUR NetApps ( and some EMC)

Thanks to all - Joe

Re: Can DFM 3.8 Operations Manager, installed on Linux, Authenticate with Active Directory - not LDAP?

From the subject line, I thought you did not want to use the AD LDAP extensions, which is why I suggested pam_winbind. My mistake.

To answer your questions, OM, in general, authenticates the user using whatever the server uses. So, you would use LDAP in DFM where your system is not configured to use LDAP, but you want DFM to use it. If you disabled it, OM would authenticate with whatever your server uses (e.g. whatever NSS specifies on Linux, AD on Windows).

On Linux, a third option that exists is PAM. You can enable this by setting the "authUsePam" option to "yes". And you would need to create a file called "dfm" in /etc/pam.d with whatever configuration you want.

Re: Can DFM 3.8 Operations Manager, installed on Linux, Authenticate with Active Directory - not LDAP?

Thanks to all who responded - We are shutting down LDAP in our ENV and switching to a pure AD and Winbind AD (UNIX/LINUX) Auth structure.

I will simply set LDAP = no for the DFM config to avoid the hang that occurs when LDAP is turned off.