[Freeipa-users] netapp filer AD + ipa: possible?

Sigbjorn Lie sigbjorn at nixtra.com
Thu Sep 6 20:31:30 UTC 2012


On 09/05/2012 08:12 PM, Natxo Asenjo wrote:
> hi,
>
> the subject says it all, I guess.
>
> I know from another thread that with nexanta it is possible using 
> nsswitch.conf, but I was wondering if someone (Siggi :-) ? )  has (had) 
> this setup working.
>
> --
> Groeten,
> natxo
>

Hi,

Yes, I use NetApp filers connected to both AD and IPA at the same time. 
It's easy to get going. These notes are taken from the top of my head; I 
don't have my documentation in front of me just now.

Configure the NetApp's DNS client to point to a set of DNS servers that 
know both your AD and your IPA DNS domain.
Configure the DNS search path to point at both the IPA domain and the 
AD domain (if you have a different DNS domain for your IPA and AD instances).

Join the CIFS server to the AD domain. ("cifs setup")

Set up the LDAP client ("options ldap" to list, "options ldap.option 
value" to configure each value).
I use authenticated simple binds, I have created an account for the 
NetApp filers under cn=sysaccounts,cn=etc,$BASE for this purpose.
The LDAP attribute mapping options can be left alone as far as I can 
remember.
You need to specify the compat tree for group, and netgroup lookups. I 
cannot remember if I pointed users to the compat or accounts tree. I 
specify each user/group/ng lookup path fully (e.g. I do NOT specify the 
base DN and request subtree for lookups).
Configure the "options ldap.enabled" after configuring all the other 
options.
Leave "ldap.ADdomain" blank.

NOTE: I have been unable to get the LDAP SSL client of NetApp to work 
with IPA as of yet. I have opened a support case with NetApp for this 
issue. Not really a big issue, as users' passwords are not being 
transmitted. To make use of SSL, NetApp's documentation says to upload the 
CA certificate in PEM format into /etc on the filer and use the keymgr 
command to import it. After uploading the CA cert, SSL is enabled using 
"options ldap.ssl.enable on".

Grant yourself advanced privileges on the filer ("priv set advanced"), and 
use the "getXXbyYY" command to verify that the LDAP naming service 
works as expected for users, groups and netgroups.

If the previous test was successful: Configure the NetApp's 
nsswitch.conf (using the filer webui is the easiest). Specify files 
before ldap.

You should now have a working AD (CIFS) and IPA (NFS) setup.

If you synchronize IPA with AD, the ntUserDomainId attribute will be set 
to AD's sAMAccountName. If you do not sync, you can script a sync of 
these attributes manually to allow automatic user mapping in the NetApp 
filer when Windows CIFS users connect. The username may be the same, but 
the NetApp's user mapping has been seen to be case sensitive in our 
environment. Syncing the sAMAccountName from AD into IPA's 
ntUserDomainId attribute fixed this issue for us. You also need to 
enable usermap lookup on the NetApp filer (an "options ldap" configuration 
value).

I hope this helps.



Regards,
Siggi
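The manual sync Siggi describes (copying AD's sAMAccountName into the IPA user's ntUserDomainId so the filer's case-sensitive usermap matches) can be planned offline and then applied with ldapmodify. The script below is an added example, not code from the post or from NetApp/FreeIPA. It assumes the standard IPA layout of user entries under cn=users,cn=accounts,$BASE, matches IPA uid against AD sAMAccountName case-insensitively, and emits a modify LDIF only for entries whose stored value does not already equal the AD spelling exactly. The AD and IPA records in it are constructed samples.

```python
"""Plan an AD sAMAccountName -> IPA ntUserDomainId sync and render it as LDIF.

Added example (not from the mailing-list post).  Assumptions:
- IPA user entries live under cn=users,cn=accounts,$BASE (standard IPA layout);
- an IPA user corresponds to the AD account whose sAMAccountName equals the
  IPA uid ignoring case; the AD spelling is what must land in ntUserDomainId,
  because the NetApp usermap compares case-sensitively.
The directory data below is constructed sample input, not real export output.
"""

IPA_BASE = "dc=example,dc=com"  # assumed base DN, replace with your $BASE

# Constructed sample: sAMAccountName values exported from AD.
AD_ACCOUNTS = ["JSmith", "adoe", "Bob.Builder"]

# Constructed sample: IPA users as (uid, current ntUserDomainId or None).
IPA_USERS = [
    ("jsmith", None),                 # AD spelling differs in case -> needs sync
    ("adoe", "adoe"),                 # already correct -> skipped
    ("bob.builder", "Bob.Builder"),   # already carries the exact AD spelling -> skipped
    ("svc-backup", None),             # no AD counterpart -> reported, not modified
]


def user_dn(uid: str) -> str:
    """DN of an IPA user entry in the assumed standard accounts container."""
    return f"uid={uid},cn=users,cn=accounts,{IPA_BASE}"


def plan_sync(ad_accounts, ipa_users):
    """Return (changes, unmatched).

    changes:   list of (uid, sAMAccountName) for IPA users whose ntUserDomainId
               is missing or differs (case-sensitively) from the AD spelling.
    unmatched: IPA uids that have no AD account of the same name (ignoring case).
    Raises ValueError if two AD accounts differ only in case, since the
    case-insensitive match could then pick the wrong one.
    """
    by_lower = {}
    for sam in ad_accounts:
        key = sam.lower()
        if key in by_lower and by_lower[key] != sam:
            raise ValueError(f"ambiguous AD accounts for {key!r}")
        by_lower[key] = sam

    changes, unmatched = [], []
    for uid, current in ipa_users:
        sam = by_lower.get(uid.lower())
        if sam is None:
            unmatched.append(uid)
        elif current != sam:  # exact comparison on purpose: case matters to the filer
            changes.append((uid, sam))
    return changes, unmatched


def to_ldif(changes) -> str:
    """Render the planned changes as LDIF for `ldapmodify` (replace adds the
    attribute when it is absent)."""
    blocks = []
    for uid, sam in changes:
        blocks.append(
            f"dn: {user_dn(uid)}\n"
            "changetype: modify\n"
            "replace: ntUserDomainId\n"
            f"ntUserDomainId: {sam}\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    planned, missing = plan_sync(AD_ACCOUNTS, IPA_USERS)
    print(to_ldif(planned), end="")
    for uid in missing:
        print(f"# no AD account found for IPA user {uid}")
```

The generated LDIF is meant to be reviewed and then fed to ldapmodify against the IPA directory with a bind that may write user entries. The IPA schema defines ntUserDomainId in the ipaNTUserAttrs object class, so the replace only succeeds on entries that already carry that object class; the example assumes they do and does not add it.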




