Accepted Solution

DFM Linux and Active Directory service account

Dear NetApp Community members,

I am looking for a solution to be able to configure DFM 4.02 (Linux version) for service account integration for an Active Directory forest, and web authentication with a Windows account.

I think the DFM 4.02 LDAP should be the solution, however I'm not able to configure it.

Regards,

CGA

DFM Linux and Active Directory service account

Hi Christophe,

To configure LDAP, please configure the following DFM options by using the dfm option set command:

1. dfm option set

ldapBaseDN                            ou=site,dc=local,dc=xxxxx,dc=com

ldapBindDN                            <your-username>

ldapBindPass                          <your-password>

ldapEnabled                           Yes

ldapGID                               (depends on your directory structure)

ldapMember                            (depends on your directory structure)

ldapUGID                              CN (Not required)

ldapUID                               (depends on your directory structure)

ldapVersion                           3

2. Use the dfm ldap add command to add the LDAP server.

SYNOPSIS

    dfm ldap add [-P <default-port>] <address>[:<port>] ...

3. Use dfm user add to add user & check dfm user list to verify if your user is displayed by its DN.

Eg:

# dfm user add abcd

Added administrator abcd.

# dfm user list

Id    Administrator          Email                    Pager                  

----- ---------------------- ------------------------ ------------------------

53139 CN=xyz\, abcd,OU=User,OU=RRT,OU=site,DC=local,DC=xxxxx,DC=com

4. You can add AD groups too as user & assign them sufficient RBAC roles.

Eg:

# dfm user add 'CN=X,OU=X,OU=Group,OU=HQ,OU=Site,DC=local,DC=xxxxx,DC=com'

Thanks & Regards,

Fahad

Re: DFM Linux and Active Directory service account

In my case the ldap configuration:

Dear all,

The solution is here: https://kb.netapp.com/support/index?page=content&id=1011398

  • configuration

dfm options set ldapBaseDN=DC=my_sub_domain,DC=domain,DC=com

dfm options set ldapBindDN=user_1

dfm options set ldapUGID=CN

dfm options set ldapUID=sAMAccountName

dfm options set ldapMember=member

dfm options set ldapBindPass=********

dfm options set ldapEnabled=Yes

  • ldap information check

ldapBaseDN                            DC=my_sub_domain,DC=domain,DC=com

ldapBindDN                            useraccount

ldapBindPass                          ********

ldapEnabled                           Yes

ldapGID                                    memberOf

ldapMember                            member

ldapUGID                                CN

ldapUID                                   sAMAccountName

ldapVersion                           3

  • Find CN for User or Group

dfm ldap find 'user_1_name'

Username     Full Name

------------ ----------------------------------------------------------------

user_1_name     CN=Genevois Christophe,OU=Users,OU=My_OU,DC=My_SubDomain,DC=My_Domain,DC=com

  • add User

dfm user add 'CN=Genevois Christophe,OU=Users,OU=My_OU,DC=My_SubDomain,DC=My_Domain,DC=com'

Added administrator CN=Genevois Christophe,OU=Users,OU=My_OU,DC=My_SubDomain,DC=My_Domain,DC=com.

  • Add role to new user --> check for roles

dfm  role list

Role Id Role Name                 Description

------- ------------------------- -------------------------------------------

2       GlobalRead                View information in DataFabric Manager

3       GlobalQuota               View user quota reports and events

4       GlobalWrite               View and modify information in DataFabri...

5       GlobalDelete              View, modify and delete information in D...

6       GlobalBackup              Create and manage backups

7       GlobalRestore             Perform restore operations from backups

8       GlobalMirror              Manage replication and failover policies

9       GlobalSAN                 Create, expand and destroy LUNs

10      GlobalSRM                 View SRM path walk information

12      GlobalEvent               Manage events

13      GlobalExecute             Execute commands on storage system

14      GlobalConfigManagement    Manage appliance configuration

15      GlobalDataSet             Manage datasets

16      GlobalDataProtection      Manage backup and datasets

17      GlobalFullControl         Manage everything in DataFabric Manager

61304   GlobalPerfManagement      Manage Performance Advisor

61305   GlobalReport              Manage custom reports and report schedules

61306   GlobalSDStorage           Manage storage with SnapDrive

61307   GlobalSDConfig            Manage SnapDrive configurations

61308   GlobalSDSnapshot          Manage snapshots with SnapDrive

61309   GlobalSDDataProtection    Manage backups and datasets with SnapDrive

61310   GlobalSDFullControl       Full use of SnapDrive

61311   GlobalSDDataProtectionAndRestore Perform backup and restore operations wi...

61312   GlobalResourceControl     Active Management of Storage Resources

61313   GlobalProvisioning        Provisioning of Datasets

61314   GlobalFailover            Manage disaster recovery for datasets

65347   STORAGE View & Report     STORAGE View and Report

95790   GlobalAlarm               Manage alarms

144606  GlobalPerfThreshTemplate  Manage performance threshold templates

144607  GlobalStorageService      Manage storage services

  • add role to user

dfm user role add user_ID role_ID role_id

dfm user role add 271962 17 16


Set 2 roles for administrator 271962.

  • add email address

dfm user modify [ -e <email> ] [ -P <pager> ] [ -r <role-name> ( -r <role-name> ... ) ] <administrator-name> ...

dfm user modify -e my@netapp.com.test  271962

Updated adminEmailAddress for 271962.

dfm user list

271962 CN=Genevois Christophe,OU=System Accounts,OU=My_OU,DC=My_SubDomain,DC=My_Domain,DC=com my@netapp.com.test

271967 CN=user_2,OU=System Accounts,OU=My_OU,DC=My_SubDomain,DC=My_Domain,DC=com

271966 CN=user_3,OU=System Accounts,OU=My_OU,DC=My_SubDomain,DC=My_Domain,DC=com

271963 CN=user_4,OU=System Accounts,OU=My_OU,DC=My_SubDomain,DC=My_Domain,DC=com

271965 CN=group_1,OU=Distribution Lists,OU=My_OU,DC=My_SubDomain,DC=My_Domain,DC=com SPFRSANAdmin@.My_Domain.com

If the CN contains any / or \ character, and you do not want to change the CN, it's possible to add an AD group which contains the user account.

It's working fine, for group and user.

Regards
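
The thread shows DNs with an escaped comma (`CN=xyz\, abcd`) and notes that a CN containing `/` or `\` is better handled through an AD group. The following Python check is an added example, not part of the posts and not NetApp code: it splits DNs on unescaped commas and flags CNs that call for the group approach. The function names and the sample rows are constructed for illustration, laid out like the `dfm user list` output above.

```python
import re

# Constructed sample in the layout of the `dfm user list` output shown in the thread.
SAMPLE = r"""
Id    Administrator          Email
----- ---------------------- ------------------------
53139 CN=xyz\, abcd,OU=User,OU=RRT,OU=site,DC=local,DC=example,DC=com
271962 CN=Genevois Christophe,OU=System Accounts,OU=My_OU,DC=sub,DC=example,DC=com my@example.test
271970 CN=ops/night shift,OU=Users,OU=My_OU,DC=sub,DC=example,DC=com
"""

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escapes)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair together
            i += 2
        elif dn[i] == ",":
            rdns.append(cur.strip())
            cur, i = "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return rdns + [cur.strip()]

def unescape(value):
    """Resolve '\\,' style and two-digit hex escapes (single-byte only)."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)

def common_name(dn):
    """Return the unescaped value of the first CN= RDN, or None."""
    return next((unescape(r[3:]) for r in split_dn(dn) if r.upper().startswith("CN=")), None)

def needs_group_workaround(dn):
    """True when the CN itself contains '/' or a literal backslash."""
    cn = common_name(dn)
    return cn is not None and ("/" in cn or "\\" in cn)

def parse_user_list(text):
    """Parse `Id DN [email]` rows; header, ruler and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S.*?)\s*$", line)
        if not m:
            continue
        dn, email = m.group(2), None
        head, _, tail = dn.rpartition(" ")
        if head and "@" in tail and "=" not in tail:   # trailing token is an e-mail
            dn, email = head.rstrip(), tail
        rows.append((int(m.group(1)), dn, email, needs_group_workaround(dn)))
    return rows
```

An escaped comma is not flagged, because the backslash there belongs to the DN syntax and is not part of the CN value.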