Thanks Hiyer - but we are pretty good with winbind already - We even set up our AIX servers to use winbind and ssh to AUTH against AD - but In DFM, "Setup -->Options -->LDAP " config - can we put in our Windows AD info? Even though the host server for dfm is Linux?

Yes you can point OM to A/D and use the LDAP extensions in A/D.

Personally I have not run this in production but have tested it extensively in a lab environment with RHEL 5.4, OM 3.8.1 and a A/D domain running a mix of W2K8 and W2K3 Domain Controllers.

Here are the configuration options you would need to set in OM.  Please read to the end of this post and review the caveats:

1. Define LDAP servers (Domain Controllers) -> dfm ldap add –P <default-port> <address>
   
2. Define LDAP options to communicate with A/D:
   
   1. dfm ldap template netscape
      
   2. dfm options set ldapBaseDN = dc=mydomain,dc=myforest,dc=myroot (replace with the conanical name of your domain)
      
   3. dfm options set ldapBindDN = cn=ldaplkup,ou=myou,dc=mydomain,dc=myforest,dc=myroot  (ldaplkup is an account in A/D that OM will use to establish a secure channel with the DC - you can pick your own account name)
      
   4. dfm options set ldapBindPass = ************** (set this option to the password of your account in the previous step)
      
   5. dfm options set ldapGID=memberOf
      
   6. dfm options set ldapMember=member
      
   7. dfm options set ldapUGID=CN
      
   8. dfm options set ldapUID=cn
      
   9. dfm options set ldapVersion=3
      
   10. dfm options set ldapEnabled=Yes
       
3. If you already have an existing version of OM running on Windows your are going to have to update all your user info in OM from the Window SAM account format (domain\ID) to the canonical format to get it to work.  If this is a fresh install the users will automatically be created in the canonical format.
   
4. You can test authentication using with the following command:
   
   1. dfm ldap test <id> <passwd>
      

Caveats

1. You are hard coding LDAP server (Domain Controller) addresses into OM.   This means if Domain Controllers change IPs etc in your environment you are going to require a process by which you will need to be informed of this change and update the settings on your OM server.  This is not a problem on Windows because the native O/S supports the calls into A/D to update the list of available DCs ( I forget the name of the API call but you get the idea I hope)
   

Hope this helps.

Richard

richard -great detail -THANKS - i am getting some great feedback on this topic. ( I noticed you may have done a little hack to get OM running on RHEL 5.4 -I did the same!! )

I guess I need to know more about the interaction between DFM ( OM ), on a LINUX host, and its internal LDAP settings;

ie.

Why do we configure LDAP communication with in DFM (installed on LINUX)?

If we turn off the LDAP setting in DFM what will happen?

BTW - We have a small ENV of FOUR NetApps ( and some EMC)

Thanks to all - Joe

From the subject line, I thought you did not want to use the AD LDAP extensions, which is why I suggested pam_winbind. My mistake.

To answer your questions, OM, in general, authenticates the user using whatever the server uses. So, you would use LDAP in DFM where your system is not configured to use LDAP, but you want DFM to use it. If you disabled it, OM would authenticate with whatever your server uses (e.g. whatever NSS specifies on Linux, AD on Windows).

On Linux, a third option that exists is PAM. You can enable this by setting the "authUsePam" option to "yes". And you would need to create a file called "dfm" in /etc/pam.d with whatever configuration you want.