ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Start a New Post

About LDAP schema MS-AD-BIS for CIFS and NFS

Tas
‎2019-11-13 12:10 PM

I was reading that the schema MS-AD-BIS allows for nexted grouping.  However, the only place I can find the text 'ms-ad-bis' is on the NetApp site, and only referring to the schema.  There is nothing I can find at Microsoft, or indeed via a general search about how to implement it in Windows, which versions it is supported by and so on.

Has any a clue where to find more information?

Hint:  The ONTAP developers must know something about it, since they have included it in the LDAP client schema list.

TasP

0 Kudos
View By:
1 ACCEPTED SOLUTION

Ontapforrum
‎2019-12-05 01:58 PM

Hi,

 

Got curious to find out what is 'MS-AD-BIS', Looks like it is refering to RFC2307bis.

 

ONTAP 9.0 introduced a new built-in schema template for RFC-2307bis environments, specifically with
Active Directory in mind. This schema is called MS-AD-BIS and should be used with Microsoft Active
Directory LDAP servers whenever possible.

 

Found some some reference below:

This is a new schema (AD-MS-BIS) template available in ONTAP 9 for use with RFC-2307bis schemas, please refer to links below:

 

How to configure RFC 2307bis for Windows: (ldap_schema = rfc2307bis)

https://kb.netapp.com/app/answers/answer_view/a_id/1031211/loc/en_US
https://kb.netapp.com/app/answers/answer_view/a_id/1074006/loc/en_US
https://unofficialaciguide.com/2019/07/31/ldap-schemas-for-aci-administrators-rfc2307-vs-rfc2307bis/
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-nfs%2FGUID-B1CCBCC8-9FF0-4270-A4F4-679BE315C58A.html
https://www.netapp.com/us/media/tr-3458.pdf
https://whyistheinternetbroken.wordpress.com/2018/08/16/securing-nfs-mounts-in-a-docker-container/
https://blogs.msdn.microsoft.com/sfu/2010/06/21/proof-of-concept-nfs-attributes-editor/


Secure Unified Authentication (MS-AD-BIS) : This PDF looks useful.
https://www.netapp.com/us/media/tr-4073.pdf (Page:122)
https://tools.ietf.org/html/draft-howard-rfc2307bis-02


Thanks!

View solution in original post

0 Kudos
5 REPLIES 5

Ontapforrum
‎2019-12-05 01:58 PM

Hi,

 

Got curious to find out what is 'MS-AD-BIS', Looks like it is refering to RFC2307bis.

 

ONTAP 9.0 introduced a new built-in schema template for RFC-2307bis environments, specifically with
Active Directory in mind. This schema is called MS-AD-BIS and should be used with Microsoft Active
Directory LDAP servers whenever possible.

 

Found some some reference below:

This is a new schema (AD-MS-BIS) template available in ONTAP 9 for use with RFC-2307bis schemas, please refer to links below:

 

How to configure RFC 2307bis for Windows: (ldap_schema = rfc2307bis)

https://kb.netapp.com/app/answers/answer_view/a_id/1031211/loc/en_US
https://kb.netapp.com/app/answers/answer_view/a_id/1074006/loc/en_US
https://unofficialaciguide.com/2019/07/31/ldap-schemas-for-aci-administrators-rfc2307-vs-rfc2307bis/
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-nfs%2FGUID-B1CCBCC8-9FF0-4270-A4F4-679BE315C58A.html
https://www.netapp.com/us/media/tr-3458.pdf
https://whyistheinternetbroken.wordpress.com/2018/08/16/securing-nfs-mounts-in-a-docker-container/
https://blogs.msdn.microsoft.com/sfu/2010/06/21/proof-of-concept-nfs-attributes-editor/


Secure Unified Authentication (MS-AD-BIS) : This PDF looks useful.
https://www.netapp.com/us/media/tr-4073.pdf (Page:122)
https://tools.ietf.org/html/draft-howard-rfc2307bis-02


Thanks!

View solution in original post

0 Kudos

Tas
‎2019-12-06 06:47 AM
In response to Ontapforrum

Thank you Ontapforrum:

 

It looks like I have a little reading to do.  We have several flavors of LDS, including, believe it or not, Adam still running;  unfortunately we don't have an ID SME, so I'm trying to figure out how to go forward.

Our aim is to manage permissions from one platform, but have them apply to both SMB and NFS (non-kerb).

 

Justin Parisi recommended using SMB/NTFS as the driving protocol, but I need to document the implementation, management and operation of permissions for all groups involved, i.e. Windows, AD, Help Desk, Storage, ;).  Being able to next groups in LDAP will make things alot easier.

 

I will read, and flag this as an answer in a few days.  Hope you don't mind waiting...

TasP

tahmad
NetApp
‎2020-06-04 02:31 AM
In response to Tas

I hope the link below provides all the information you need:

File sharing between NFS and CIFS 

0 Kudos

abhit
NetApp
‎2020-07-21 05:48 AM
In response to Tas

Hi Tasp:

 

Just wanted to know if you were able to achieve what you wanted.

We have a similar requirement to map every NFS or CIFs access to a user in Active Directory.

The solution proposed seems to be the one, but have not tried it yet.

 

Regards

Abhi

0 Kudos

Tas
‎2020-07-28 06:50 AM
In response to abhit

Abhit:

 

Sorry for the late reply.  I've tried using BIS, and for some reason I lose LDAP access from AD when I use it.  That doesn't mean I have done something wrong, or perhaps it is because of an option in our AD.  Unfortunately we don't have AD Identity Management SME's on site, and I don't have a lab nor the time to play with.  If you do try it and are successful, would you kindly let me know?

 

Tas

0 Kudos
Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

View All
NetApp Insights to Action
I2A Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public