Active IQ Unified Manager Discussions

QUESTION - Interaction between OnCommand and a LDAP server with users/groups

emanuel

Hello

I am following up on a previous discussion about establishing authentication; we got that working. But a couple of new issues have appeared and I am hoping for community feedback. We have a Linux host with a package that allows authentication through a Windows W2K8 domain.

Q1: They are authenticating using something other than "PAM" on the Linux host with Windows AD; this seems to be okay for users but not groups; groups are not showing up as container-name objects.

When we enter a group in a full W2K8 domain we enter them as admin users as "DOMAIN/Domain Group" name (I think... it's been a while for me); when we enter the AD group with just the name it seems to accept it but does not enter the group name in container-name style as it does for individual users. Is there a specific way to add groups in this sort of configuration?

Q2: A successful admin user on the GUI (able to make changes to the database) does not have the same privilege on the command line; only root seems to work for them.

We have one of their admin users log into the GUI and change properties on a storage controller (changing the default protocol from global to SSH and committing the change). This works fine, but on the command line the same user is not allowed to run DFM commands (like dfm eventType list); it complains that the user does not have READ privileges. Would this be a caching issue on the host, or something else? Has anyone else experienced this?

Looking for ideas ... thanks!

1 REPLY

dburkland

Hi Emanuel,

I just recently set up OnCommand 5 on a RHEL 5 x86_64 system and ran into some similar issues regarding the AD/LDAP configuration. First, make sure your OnCommand LDAP configuration matches the following screenshot (I got these settings through several other communities.netapp.com posts):

Next, when you add a group to the administrative users page you will need to specify the full LDAP path, for example:

cn=LDAP Group Name,ou=Groups,dc=domain,dc=org

As far as your second question goes, I have not dealt with this, as I have been using the root account when working from the command line.

-Dan
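The reply above says a group must be entered as its full LDAP DN rather than as "DOMAIN\Group" or a bare name. The snag a practitioner hits next is a group whose name contains a comma, plus sign or other DN-special character: pasted unescaped into "cn=...,ou=Groups,..." it splits into extra RDNs and either fails to match or matches the wrong object. The following is an added example, not code from the thread or from OnCommand/Unified Manager; it escapes a group name per RFC 4514, builds the DN, splits a DN back into RDNs while honouring escapes, and tells a full DN apart from the domain-qualified or bare forms the poster tried. The ou=Groups placement and the dc=domain,dc=org base are assumptions taken from the reply's example.

```python
"""Helpers for entering an AD group as a full LDAP DN.

Added example, not OnCommand/Unified Manager code. The DN layout
(cn=<group>,ou=Groups,<base>) mirrors the reply's example and is an assumption.
"""
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN.

    Also escapes a leading '#' and a leading or trailing space, which
    RFC 4514 treats specially. 'Storage, Admins' -> 'Storage\\, Admins'.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def group_dn(group_name: str, base_dn: str, ou: str = "Groups") -> str:
    """Build cn=<group>,ou=<ou>,<base_dn> with the CN and OU escaped."""
    return f"cn={escape_rdn_value(group_name)},ou={escape_rdn_value(ou)},{base_dn}"


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, treating '\\,' as part of a value.

    'cn=Storage\\, Admins,ou=Groups,dc=domain,dc=org'
    -> ['cn=Storage\\, Admins', 'ou=Groups', 'dc=domain', 'dc=org']
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def is_full_dn(s: str) -> bool:
    """True only for a complete DN: every component is attr=value and the
    last one is a naming context (dc=, o= or c=). 'DOMAIN\\Group' and a
    bare 'Domain Admins' both return False."""
    rdns = split_dn(s)
    if not all(_RDN_RE.match(r) for r in rdns):
        return False
    return rdns[-1].lower().startswith(("dc=", "o=", "c="))


def classify(entry: str) -> str:
    """Label how a group was entered: 'dn', 'domain-qualified' or 'bare'."""
    if is_full_dn(entry):
        return "dn"
    if "\\" in entry or "/" in entry:
        return "domain-qualified"
    return "bare"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for entry in ("Domain Admins", "DOMAIN/Domain Group",
                  group_dn("Storage, Admins", "dc=domain,dc=org")):
        print(f"{classify(entry):17} {entry}")
```

Rather than typing the DN by hand, copy it from the directory: an OpenLDAP ldapsearch against the domain controller (host, bind account and base are yours to fill in) such as ldapsearch -x -H ldap://dc.domain.org -D "bind user DN" -W -b dc=domain,dc=org "(&(objectClass=group)(cn=Storage Admins))" dn returns the exact, already-escaped dn: line the administrative users page expects, and confirms the group really sits under the OU you assumed.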
