2010-04-21 07:38 PM
We want to move to an AD Environ. for our Unix / Linux servers, using Winbind. Most servers are cut over but when we stopped our primary LDAP server the DFM server/App stopped working.
Can we configure Active Directory as a substitute?
2010-04-21 10:42 PM
This should be possible using PAM and pam_winbind (http://samba.org/samba/docs/man/manpages-3/pam_win
2010-04-22 06:22 AM
Thanks Hiyer - but we are pretty good with winbind already - We even set up our AIX servers to use winbind and ssh to AUTH against AD - but In DFM, "Setup -->Options -->LDAP " config - can we put in our Windows AD info? Even though the host server for dfm is Linux?
2010-04-22 06:55 AM
Yes you can point OM to A/D and use the LDAP extensions in A/D.
Personally I have not run this in production but have tested it extensively in a lab environment with RHEL 5.4, OM 3.8.1 and a A/D domain running a mix of W2K8 and W2K3 Domain Controllers.
Here are the configuration options you would need to set in OM. Please read to the end of this post and review the caveats:
Hope this helps.
2010-04-22 07:30 AM
richard -great detail -THANKS - i am getting some great feedback on this topic. ( I noticed you may have done a little hack to get OM running on RHEL 5.4 -I did the same!! )
I guess I need to know more about the interaction between DFM ( OM ), on a LINUX host, and its internal LDAP settings;
Why do we configure LDAP communication with in DFM (installed on LINUX)?
If we turn off the LDAP setting in DFM what will happen?
BTW - We have a small ENV of FOUR NetApps ( and some EMC)
Thanks to all - Joe
2010-04-22 11:53 PM
From the subject line, I thought you did not want to use the AD LDAP extensions, which is why I suggested pam_winbind. My mistake.
To answer your questions, OM, in general, authenticates the user using whatever the server uses. So, you would use LDAP in DFM where your system is not configured to use LDAP, but you want DFM to use it. If you disabled it, OM would authenticate with whatever your server uses (e.g. whatever NSS specifies on Linux, AD on Windows).
On Linux, a third option that exists is PAM. You can enable this by setting the "authUsePam" option to "yes". And you would need to create a file called "dfm" in /etc/pam.d with whatever configuration you want.
2010-04-23 06:41 AM
Thanks to all who responded - We are shutting down LDAP in our ENV and switching to a pure AD and Winbind AD (UNIX/LINUX) Auth structure.
I will simply set LDAP = no for the DFM config to avoid the hang that occurs when LDAP is turned off.