[Freeipa-users] netapp filer AD + ipa: possible?
Sigbjorn Lie
sigbjorn at nixtra.com
Thu Sep 6 20:31:30 UTC 2012
On 09/05/2012 08:12 PM, Natxo Asenjo wrote:
> hi,
>
> the subject says it all, I guess.
>
> I know from another thread that with nexanta it is possible using
> nsswitch.conf, but I was wondering if somene (Siggi :-) ? ) has (had)
> this setup working.
>
> --
> Groeten,
> natxo
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
Hi,
Yes I use NetApp filers connected to both AD and IPA at the same time.
It's easy to get going. These notes are taken from the top of my head, I
don't have my documentation in front of me just now.
Configure the NetApp's DNS client to point to a set of DNS servers that
knows both your AD and your IPA DNS domain.
Configure the DNS search path to point at both the IPA domain, and the
AD domain (if you have a different DNS domain for your IPA and AD instances)
Join the CIFS server to the AD domain. ("cifs setup")
Setup the LDAP client ("options ldap" to list, "options ldap.option
value" to configure each value).
I use authenticated simple binds, I have created an account for the
NetApp filers under cn=sysaccounts,cn=etc,$BASE for this purpose.
The LDAP attribute mapping options can be left alone as far as I can
remember.
You need to specify the compat tree for group, and netgroup lookups. I
cannot remember if I pointed users to the compat or accounts tree. I
specify each user/group/ng lookup path fully (e.g. I do NOT specify the
base DN and request subtree for lookups).
Configure the "options ldap.enabled" after configuring all the other
options.
Leave "ldap.ADdomain" blank.
NOTE: I have been unable to get the LDAP SSL client of NetApp to work
with IPA as of yet. I have opened a support case with NetApp for this
issue. Not really a big issue as users password are not being
transmitted. To make of of SSL NetApp's documentation is to upload the
CA certificate in PEM format into /etc on the filer and use the keymgr
command to import it. After uploading the CA cert SSL is enabled using
"options ldap.ssl.enable on".
Grant yourself advanced privileges on the filer "priv set advanced", and
use the "getXXbyYY" command to verify that the LDAP naming services
works as expected for users, groups and netgroups.
If the previous test was successful: Configure the NetApp's
nsswitch.conf (using the filer webui is the easiest). Specify files
before ldap.
You should now have a working AD (CIFS) and IPA (NFS) setup.
If you syncronize IPA with AD the ntUserDomainId attribute will be set
to AD's sAMAccountName. If you do not sync you can script a sync of
these attributes manually to allow automatic user mapping in the NetApp
filer when Windows CIFS users connect. The username may be the same, but
the NetApp's user mapping has been seen to be case sensitive in our
environment. Syncing the sAMAccountName from AD into IPA's
ntUserDomainId attribute fixed these issue for us. You also need to
enable usermap lookup on the NetApp filer (a "option ldap" configuration
value).
I hope this helps.
Regards,
Siggi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120906/d0beefd7/attachment.htm>
More information about the Freeipa-users
mailing list