NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

Network and Storage Protocols

LDAP and AD on same filer

baijulal
6,635 Views

Can a filer be configured  to have  cifs registered with a windows AD domain and the  filer configured to join another LDAP server?.Do you have a similar config?

Thanks.

5 REPLIES 5

radek_kubka
6,635 Views

Hi,

I am not 100% sure what you are after, but I don't think it is doable - "joining" AD domain is something which always happens in a CIFS service context.

Maybe MultiStore is worth looking at? Each of vFilers can join a separate domain, if it helps.

Regards,
Radek

dearmon
6,635 Views

I believe that the correct way to achieve integration with multiple directory services would be through leveraging a unified/federated login service like Centrify.  That will allow ONE service to control authentication and consult the other service when needed.  One of the problems that I could foresee with joining a filer to an AD domain and also specifying a second LDAP directory service would be conflicts with permissions.  Users with accounts in each of the different directories that have conflicting permissions could cause a security issue (not to mention, there's no mechanism that I'm aware of for the filer to decide which is authoritative).  If a single sign on service isn't an option, then I'd suggest what Radek said above and look at vFilers for this.  You can have one vFiler joined to one domain/LDAP and others joined to different ones and present no issues.  Hope this helps.

Matt

boomer123
6,635 Views

Sorry for the late response, I'm not very often on NOW.

Yes it definitly can.

I have a Metro Cluster and some standalone boxes and all are AD integrated for CIFS and LDAP (openldap on Linux) integrated for NFS. And there is even a facility to map AD users to LDAP users (e.g. [email protected] <=> sysadmin (uid=1234, gid=4321)) for multi-protocol volumes.

Boomer

1jimpross
6,635 Views

Boomer,

I too have a need for having both AD integration for CIFS and LDAP integration for NFS.

Could you share on how you got the netapp to use both or can you point me to documentation you used?

The CIFS part is easy since cifs setup you tell it to joing AD domain.  However, my question comes in how you tell the NFS side to authenticate with openldap.

Thanks Jim

aborzenkov
6,635 Views

See http://media.netapp.com/documents/tr-3458.pdf for detailed description.

Public