
LDAP Configuration

General
16,948 Views

Hello All,

 

I'm curious, is the LDAP setup for a Clusterd 9.x environment only done per SVM?

 

I got to believe you can setup LDAP for the login into the storage array somewhere.

 

Meaning, if you want to be able to access the storage array at  "<FQDN>/sysmgr/SysMgr.html" with your AD account, how is that done?

 

I notice when I go into the GUI I find the LDAP section under "Configuration > Services", but it appears that section is only listing what has been set up somewhere else and it is not editable.

 

 

 


General
5,919 Views

Yes, it's this nasty 7-mode crap. 

 

Last question (hopefully) can I do RBAC with one Admin LDAP group and another Read-Only LDAP group?

General
5,903 Views

Actually, for those reading, I believe this link is what I needed - https://library.netapp.com/ecmdocs/ECMP12405921/html/GUID-EC9F41A7-32D8-4A56-979A-8D11E107EBB8.html

General
5,886 Views

Well, I got it configured and running but still can't log in with AD accounts..

 

I think the "options ldap.name" is the problem.

 

Using this article I don't really see the syntax to add Base DN, OU, etc... The command above should work but the example is vague on how to configure it.

 

 

sdpn1nfs005> options ldap
ldap.ADdomain
ldap.base
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable on
ldap.fast_timeout.enable on
ldap.minimum_bind_level anonymous
ldap.name cn=LAxxxxxxx, o=xxxxxxx
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.nssmap.objectClass.posixGroup posixGroup
ldap.passwd ******
ldap.port 636
ldap.retry_delay 120
ldap.servers ldap.xxx.xxxxxx.com
ldap.servers.preferred
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount unixaccount
ldap.usermap.attribute.windowsaccount windowsaccount
ldap.usermap.base
ldap.usermap.enable off
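A quick consistency check over a pasted `options ldap` listing, added here as an example (not NetApp code and not from any post in this thread). The sample values are constructed placeholders in the shape shown above, and the checks encode general LDAP conventions (port 636 is the LDAPS port, searches need a base DN, anonymous binds are weak), not ONTAP's own validation.

```python
import re

# Constructed sample in the shape of a 7-mode `options ldap` listing;
# values are placeholders, not taken from any real controller.
SAMPLE_OPTIONS = """\
sdpn1nfs005> options ldap
ldap.ADdomain
ldap.base
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.name cn=LAxxxxxxx, o=xxxxxxx
ldap.passwd ******
ldap.port 636
ldap.servers ldap.example.com
ldap.ssl.enable off
ldap.timeout 20
"""

# One RDN of a DN: attribute name, '=', non-empty value (leading space tolerated).
DN_RDN = re.compile(r"^\s*[A-Za-z][\w-]*=.+$")


def parse_options(text):
    """Map each 'ldap.key value' line to a dict; keys with no value get ''."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ldap."):
            continue  # prompt line or other noise
        key, _, value = line.partition(" ")
        opts[key] = value.strip()
    return opts


def review_ldap_options(opts):
    """Return findings a reviewer would raise before blaming authentication."""
    findings = []
    ssl_on = opts.get("ldap.ssl.enable") == "on"
    if opts.get("ldap.port") == "636" and not ssl_on:
        findings.append("ldap.port 636 with ldap.ssl.enable off: cleartext LDAP "
                        "sent to the LDAPS port; enable SSL or use port 389")
    elif not ssl_on:
        findings.append("ldap.ssl.enable off: bind password and lookups go in cleartext")
    if not opts.get("ldap.base"):
        findings.append("ldap.base empty: searches have no base DN to start from")
    if opts.get("ldap.minimum_bind_level") == "anonymous":
        findings.append("ldap.minimum_bind_level anonymous: unauthenticated binds allowed")
    name = opts.get("ldap.name", "")
    if name and not all(DN_RDN.match(rdn) for rdn in name.split(",")):
        findings.append("ldap.name is not a well-formed DN (expected cn=...,dc=... form)")
    if opts.get("ldap.enable") == "on" and not opts.get("ldap.servers"):
        findings.append("ldap.enable on but no ldap.servers configured")
    return findings
```

Run `review_ldap_options(parse_options(SAMPLE_OPTIONS))` to get the list of findings for the sample; an empty list means the listing passed every check.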

General
5,841 Views

I appreciate everyone's help.

 

I was trying to avoid opening a ticket with NetApp but it looks like I should do that and work this until resolution.

 

Thank everyone!!

General
5,839 Views

Actually, I just remembered these are probably no longer under warranty. Ugghhh

 

Does anyone just have the down and dirty steps on how to configure LDAP in 7-mode?

 

I have been sent a ton of documents and they all look different. Different steps etc. and none seem to work. I don't want to do anything on my 9.x nodes until I can get at the very least this 7-mode working.

Ontapforrum
5,747 Views

I don't have Data Ontap 7-mode 8.2, hence I cannot really test your environment or even compare it with any existing ldap-based setup.

 

We are trying our best to give you some direction with the help of KBs, and while you are trying your best, we hope some users/experts who know it by heart will chip in:

 

This triage is a very well written step-by-step procedure to identify the shortcomings:

 

How to diagnose problems with Storage Controller LDAP Authentication (7-mode)
https://kb.netapp.com/app/answers/answer_view/a_id/1030198/~/how-to-diagnose-problems-with-storage-controller-ldap-authentication-

 

Question to you: Is it an AD-based LDAP or a non-AD-based LDAP?

Non-Active Directory LDAP services cannot replace Active Directory for CIFS authentication on the Storage Controller. LDAP Service configuration on the Storage Controller is only used for mapping between protocols and for UNIX style service.

 

How to configure LDAP on a filer (7-mode) to connect to Microsoft's Active Directory LDAP implementation
https://kb.netapp.com/app/answers/answer_view/a_id/1029874/~/how-to-configure-ldap-on-a-filer-to-connect-to-microsoft%26apos%3Bs-active

aborzenkov
5,796 Views

In 8.2 you need to designate one of the data SVMs as the authentication tunnel.

 

https://library.netapp.com/ecmdocs/ECMP1610202/html/security/login/domain-tunnel/create.html

 

General
6,040 Views

Hey @bkamil - Making the change won't lock me out of my system, correct? I will always still be able to use the "admin" account like normal to access the storage array?

bkamil
6,037 Views

Correct.

If you don't touch the "admin" account it will still be there.

General
5,042 Views

Thanks.

 

So what about my systems that have NO CIFS, only FC?

 

How can I make this work for those, or do I have to create a data SVM with CIFS?

 

I'm learning more and more that NetApp really only uses LDAP for NFS authentication/access and not really for user access with AD.

bkamil
4,950 Views

AD is Microsoft's implementation of LDAP.

In most cases people use AD for authentication because it's being widely used in the organization anyway. If you don't have AD-connected SVM on a cluster then yes, you need to create one and define it as domain tunnel. It's quick, easy and such an SVM does not even need to have any data volumes or shares defined (empty/dummy SVM, if you will).

Having said that, it seems like there is actually a way to talk to AD as any other LDAP and use it in a way that, as you pointed out correctly, is typically used for NFS. You might want to check this out. I never used it myself like that, though:

https://kb.netapp.com/app/answers/answer_view/a_id/1074006/~/how-to-configure-ldap-authentication-for-cluster-%28admin%29-svm-

General
4,923 Views

Thanks @bkamil, I was able to get much of my AD Authentication working. I simply now just need to create that dummy SVM for some systems that don't have an SVM running CIFS.

 

Thanks everyone else for their helpful info as well!

 

 

RajeshPanda
4,907 Views

@General Thanks for the response! If you think any of the above replies has solved your issue then please consider marking it as the solution so others can leverage it.

 

 

Thanks

Rajesh

Ontapforrum
7,040 Views

Yes, you can simply use Cluster (Admin) SVM, instead of data SVM.

 

Regarding ns-switch, it is simply telling the SVM the order in which it should look up group/host/passwd information.

::*> vserver services name-service ns-switch show -vserver ClusterSVMname
                                Source
Vserver         Database     Order
--------------- ------------ ---------
ClusterSVMname  hosts        files,dns
ClusterSVMname  group        ldap,files
ClusterSVMname  passwd       ldap,files
