topic Netapp with Centrify in Network and Storage Protocols

Netapp with Centrify

buim — Wed, 07 Sep 2011 16:04:40 GMT

We are using Centrify DirectControl v4 for Unix authentication and mapping with AD. The Filer, v7.3.1, has with LDAP enabled to map the Unix accounts, via Centrify, with AD. However, some AD accounts does not map with Centrify fromt the Filer. Centrify has multizones and the Unix account are in more than one zones. It 'seems' the problem occurs when the Unix accounts are in multiple Centrify zones and but the Filer only checks in one particular zone. Also, I'm 100% sure if I have ldap configure correctly on the Filer.

Any suggestions/assistance appreciated.

Here the ldap options.

ldap.ADdomain corp.company.net

ldap.base DC=corp,DC=company,DC=net

ldap.base.group

ldap.base.netgroup

ldap.base.passwd CN=Users,OU=Universal,OU=Zones,OU=UNIX,OU=Special Purpose,DC=corp,DC=company,DC=net:ONELEVEL;OU=UNIX,OU=Special Purpose,DC=corp,DC=company,DC=net:ONELEVEL

ldap.enable on

ldap.minimum_bind_level anonymous

ldap.name NetAppQry

ldap.nssmap.attribute.gecos gecos

ldap.nssmap.attribute.gidNumber gidNumber

ldap.nssmap.attribute.groupname cn

ldap.nssmap.attribute.homeDirectory homeDirectory

ldap.nssmap.attribute.loginShell loginShell

ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup

ldap.nssmap.attribute.memberUid memberUid

ldap.nssmap.attribute.netgroupname cn

ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple

ldap.nssmap.attribute.uid uid

ldap.nssmap.attribute.uidNumber uidNumber

ldap.nssmap.attribute.userPassword userPassword

ldap.nssmap.objectClass.nisNetgroup nisNetgroup

ldap.nssmap.objectClass.posixAccount posixAccount

ldap.nssmap.objectClass.posixGroup posixGroup

ldap.passwd ******

ldap.port 389

ldap.servers

ldap.servers.preferred

ldap.ssl.enable off

ldap.timeout 20

ldap.usermap.attribute.unixaccount unixaccount

ldap.usermap.attribute.windowsaccount windowsaccount

ldap.usermap.base

ldap.usermap.enable on

Netapp with Centrify

RSRINIVA66 — Wed, 07 Sep 2011 23:36:52 GMT

Can you please see section 2.2 of this whitepaper or the extract below. Specifically on options.ldap.base where its pointing to Centrify zone location (default location is Program Data) but yours is showing "DC=corp,DC=company,DC=net". If you have trouble accessing this document, please let me know.

http://www.centrify.com/downloads/public/resources/centrify_an005_netapp_filers.pdf

2.2 Mapping with RFC 2307 and DirectControl 3.0

If you wish to use the new RFC 2307 UNIX schema attributes that are included in Windows Server 2003 R2, you will need to use both Centrify DirectControl and Windows Server 2003 R2. First, ensure that the Active Directory forest is set to a Windows Server 2003 functional level. You then need to create an RFC 2307 DirectControl Zone associated with the Active Directory domain that is set up on the Windows Server 2003 R2 domain controller. The NetApp server will be able to access user and group records visible in a specific DirectControl Zone. Once this is done, start a terminal session on your NetApp server and type in the following to view your current LDAP settings:

options ldap

To configure the NetApp server to use the RFC 2307 attributes, make the following

changes using these options ldap commands:

options ldap.ADDomain ADDOMAIN

options ldap.name ldapuser

options ldap.passwd not24get

options ldap.enable on

options ldap.base CN=netappzone,CN=Zones,CN=Centrify,CN=Program Data,DC=addomain,DC=com

In the above example, the Active Directory domain is “ADDOMAIN”, the user name of an Active Directory user with directory read permission for the NetApp server to get Active

Directory data is “ldapuser”, the password for this user is “not24get” and the Zone name visible to the server containing the RFC-2307 user profile information is “netappzone

If the Active Directory user names and UNIX user names are not the same, then you need to make the same changes to the mapping file mentioned previously.

Re: Netapp with Centrify

aborzenkov — Thu, 08 Sep 2011 08:17:11 GMT

I became curious and got a got a look at what Centrify does. Behaviour you describe appears consistent and by design. Reading description for zones:

- A Zone can consist of any mixture of DirectControl-managed UNIX, Linux or Mac computers

...

- A single user or group ... cannot log in to computers in any Zone to which they are not a member

So zone looks like privileges separation boundary and server (which NetApp in this case is) can belong to one zone only. So only users in the same zone can access it.

Netapp with Centrify

buim — Thu, 08 Sep 2011 16:20:18 GMT

Clarification, what I meant above was I'm NOT 100% sure I have ldap setup correctly.

RSRINIVA66,

This is the 'cifs domain info' output. From this info, I input as the Domain in the 'ldap.ADdomain'. So should I use 'corp' or 'corp.company.net' for the 'ldap.ADdomain'?

NetBios Domain: CORP

Windows 2003 Domain Name: corp.company.net

Type: Windows 2003

This one zone, OU=Universal, have all the user/groups accounts. So should I put this zone in the 'ldap.base'? The 'ldap.base' is what I'm not clear about.

cheers, Marcus

Netapp with Centrify

RSRINIVA66 — Fri, 09 Sep 2011 22:26:47 GMT

Hi Marcus

The options ldap.base should be pointing to the Universal zone where you have all the users/groups are located and should be in the format shown below. Substitute the zone name and AD domain name in question. If it still does not work, I will be happy to do a webex with you as I am from Centrify support. This does not seem to be a Netapp issue per se. Thx

CN=netappzone,CN=Zones,CN=Centrify,CN=Program Data,DC=addomain,DC=com

Netapp with Centrify

RSRINIVA66 — Mon, 19 Sep 2011 20:30:06 GMT

We can close this forum posting. This morning, Centrify got on a webex with 'buim' and re-configured NetApps filer to point "ldap.base" to point to the Universal zone (in his case) where all the user accounts were residing and zone-enabled. There was no need for setting "ldap.base.passwd". After this, the query worked fine. On Netapps, we also setup "home directory" to "UnixHomeDirectory" so that we can query home directory properly. Marcus can add anything I missed. Thx

Re: Netapp with Centrify

mrdh — Wed, 22 Jul 2015 23:11:38 GMT

Does anyone know the configuration for Cluster Mode and Centrify

Re: Netapp with Centrify

LeanAlegre — Tue, 24 May 2016 04:03:30 GMT

Hi, have you find how to configure Centrify on Cluster Mode?

Re: Netapp with Centrify

demond_nc — Mon, 28 Nov 2016 18:46:45 GMT

I am trying to configure an SVM in Clustered Data OnTap to use Centrify DirectControl, however I can't find any configuration documentation for this. Has anyone found any?