HELP - LDAP Authentication Issues

Hello all

I have a customer that is using Operations Manager ( version x.x.x ) and is having issues with getting LDAP configured. This is going to be interesting because my customers do not have ROOT access to the box, so the only way to configure DFM is through the command line using SUDO.

Can you configure LDAP server information into DFM through the command line? If we can do this, then we can bypass the ROOT user.

They are using a version of LDAP called "open ldap" 3 ... Since I do not use LDAP myself, I know for a fact that does not mean a whole lot, and I will need to ask the customer specifics about their LDAP version.

Thanks in advance, emanuel

Re: HELP - LDAP Authentication Issues

OM version 3.8.

Re: HELP - LDAP Authentication Issues

You can configure the ldap options from the command line. You will need to set some of the following options using the "dfm option set" command:

[root@trinity ~]# dfm option list | grep -i ldap
ldapBaseDN                            <base DN for LDAP users>
ldapBindDN                            <bind DN for LDAP server>
ldapBindPass                          <password for the above user>
ldapEnabled                           <Yes>
ldapGID                               <optional - may be required for LDAP groups>
ldapMember                            <optional - may be required for LDAP groups>
ldapUGID                              <optional - may be required for LDAP groups>
ldapUID                               <most likely will be "uid" for OpenLDAP>
ldapVersion                           <3>

You will also need to add LDAP servers using the "dfm ldap add" command.

Re: HELP - LDAP Authentication Issues

Okay, I got some info from my customer's environment and I will attempt to formulate a command sequence to get them online; I may need some help later to clarify my syntax.

I have searched the NOW site for information on how to formulate a sequence; do you add a server first, then apply attributes? Downloading the PDFs.

I also browsed the compatibility matrix for DFM ( http://now.netapp.com/NOW/knowledge/docs/olio/guides/dfm_compatibility/ ) and noticed there are no entries for LDAP; I know there are many flavors of LDAP and was wondering which flavors are supported.

Re: HELP - LDAP Authentication Issues

Here is the sequence I have created, but there are gaps, and the information I received does not have any GID/UID information.

Plus they are trying to create user certificates with our DFM server but are getting errors:

Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to '/x/NTAPdfm/conf/server.key'
-----
problems making Certificate Request
1678:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:147:minsize=1
Error: Failed to initialize the DataFabric Manager SSL server.
[root@den01nasmon01 NTAPdfm]#

Can they use a "user certificate" from the LDAP server and install it on the DFM server instead of using all the options below?

Sequence of commands ( working copy; needs to be verified )

1.  Select your "product line" / "template"
    a.  dfm ldap template umich
2.  Enter the BIND information of the remote LDAP server
    a.  dfm options ldapBaseDN dc=company,dc=com
    b.  dfm options ldapBindDN uid=proxy01,ou=Special Users,dc=company,dc=com
    c.  dfm options ldapBindPass prsp0t1
    d.  dfm options ldapGID ???
    e.  dfm options ldapMember ???
    f.  dfm options ldapUID ???
    g.  dfm options ldapVersion 3
    h.  dfm options ldapEnabled Yes ( when ready )
3.  Enter the server information
    a.  dfm ldap add ldapserver.location.company.com:636 ldapserver.location2.company.com:636 ldapserver.location3.company.com:636
    b.  servers can be added as needed depending on geo/network configuration
    c.  first server listed is priority
4.  Create DFM user
    a.  Select a user name that matches ( letter for letter ) with an LDAP user
    b.  Create the DFM user
        dfm user add -e <emailaddress> -r <rolename> <username>
        rolename global full - GlobalFullControl
        rolename global read - GlobalRead
        add as many DFM users as needed to get started; the rest you can configure inside the GUI more easily
5.  Test LDAP from DFM context
    a.  dfm ldap find <username>
    b.  dfm ldap test <username> <password>
    c.  run these a few times to make sure queries are working
6.  Test LDAP from USER context
    a.  Connect to the DFM host server through your preferred shell / telnet / ssh client
    b.  Log in with an LDAP user
    c.  Execute DFM commands from the command line
        1.  Add a filer
        2.  dfm host add <hostname or ip> -U <fileruser> -P <fileruserpassword>
        3.  verify that works with a GlobalFullControl user
    d.  use a web browser from any client to connect to http://dfmservername:8080 ( or port 80 or https, depending on whether you had made any changes ) ... log in with your LDAP user.

Re: HELP - LDAP Authentication Issues

Oops. Looks like the customer is running a secure LDAP server. This is not supported natively from DFM. Their options are to configure the box itself to use LDAP, or to use PAM in DFM and use the pam_ldap.so library.

As an aside, the SSL options are not used for this. They are used for https access to the DFM web UI.
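A pre-flight check for the planned option set above, written as an added example (not DFM's own tooling and not posted in this thread): it applies the constraints stated in the replies (ldapVersion 3, ldapUID most likely "uid" for OpenLDAP, and that a server on port 636, i.e. secure LDAP, is not supported natively by DFM). The sample option values are constructed from the sequence in the thread; the bind password is a placeholder.

```python
import re

# Constructed sample of the planned "dfm options" set; password is a placeholder.
PLANNED_OPTIONS = {
    "ldapBaseDN": "dc=company,dc=com",
    "ldapBindDN": "uid=proxy01,ou=Special Users,dc=company,dc=com",
    "ldapBindPass": "<bind-password-placeholder>",
    "ldapVersion": "3",
    "ldapEnabled": "Yes",
}
# Constructed sample of the "dfm ldap add" server list (host:port entries).
PLANNED_SERVERS = [
    "ldapserver.location.company.com:636",
    "ldapserver.location2.company.com:636",
]

# Loose DN syntax: comma-separated attr=value pairs (values may contain spaces).
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")
REQUIRED = ("ldapBaseDN", "ldapBindDN", "ldapBindPass", "ldapVersion")


def check_ldap_plan(options, servers):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for key in REQUIRED:
        if not options.get(key):
            findings.append(f"{key} is not set")
    for key in ("ldapBaseDN", "ldapBindDN"):
        value = options.get(key)
        if value and not DN_RE.match(value):
            findings.append(f"{key} does not look like a DN: {value!r}")
    if options.get("ldapVersion") != "3":
        findings.append("ldapVersion should be 3 for OpenLDAP 3")
    if not options.get("ldapUID"):
        findings.append("ldapUID is unset; OpenLDAP most likely needs 'uid'")
    for server in servers:
        host, sep, port = server.rpartition(":")
        if not sep or not port.isdigit():
            findings.append(f"server entry is not host:port: {server!r}")
            continue
        if int(port) == 636:
            # Secure LDAP: per the reply above, use the host OS LDAP client or PAM with pam_ldap.so.
            findings.append(f"{host} uses port 636 (secure LDAP), not supported natively by DFM")
    if options.get("ldapEnabled") == "Yes" and findings:
        findings.append("ldapEnabled is Yes while the plan has gaps; set it last, after 'dfm ldap test' succeeds")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_plan(PLANNED_OPTIONS, PLANNED_SERVERS):
        print("-", finding)
```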

Re: HELP - LDAP Authentication Issues

Oh my ... good thing I am asking this now. It seems configuring the box as an LDAP client is the best way to go, and if I do this, do I still need to enter LDAP parameters in DFM?

Re: HELP - LDAP Authentication Issues

No. In that case you do not need to set the LDAP options in DFM.

Re: HELP - LDAP Authentication Issues

Okay ... let me run with this tomorrow and see what I can come up with their LDAP admins.

BTW ... I have searched through the docs on LDAP configuration and there is not a whole lot of info there, so I am assuming that we expect people to know what these options are in relation to their LDAP server?

Re: HELP - LDAP Authentication Issues

Except for the very specific ones like Bind DN or Bind Password, the LDAP configuration is more or less tied to the type of LDAP server being used - OpenLDAP and Microsoft AD are two common ones that we hear of customers using. There is a KB article (kb58326) explaining the setup for AD, but there is nothing for OpenLDAP AFAIK. Be that as it may, OpenLDAP configuration is easier, and one can find lots of examples with the default values on the web.