11 April,19 at 11:50 AM
The Problem:
Customers with NetApp filers are looking to provide a consistent level of access across CIFS and NFS shares. To do this, the filers need to obtain Active Directory users and the UNIX identity of those users to provide the unified level of access required. Customers with Centrify deployed can accomplish this very easily.
The Solution:
Centrify Server Suite allows customers to integrate their non-Windows systems with Active Directory and provide a common UNIX namespace to these systems along with access control, privilege management, MFA and other features. Having Windows, UNIX/Linux systems and filers look to AD for identity information provides the consistent level of access to shares that customers require.
Howto:
The NY Centrify team of @erikdove and @Fel along with our NetApp counterparts led by Paul Chilton worked to integrate NetApp ONTAP with Centrify at a customer site recently.
For the benefit of the community, Paul Chilton from NetApp and us at Centrify are sharing a step by step guide to quickly integrate NetApp ONTAP with Centrify. This integration should work for cDOT 8.2.x, 8.3.x and 9.0 and any version of Centrify. To integrate NetApp ONTAP with Centrify, the Centrify LDAP Proxy was used.
1. Install the LDAP Proxy. The system running the LDAP proxy in this example is RHEL 6, therefore, if running the LDAP proxy on a different OS platform, replace the rpm and service commands accordingly. To simplify the integration and to allow for quick testing, LDAP proxy security was turned off. In Production, we recommend turning ON security.
a) Install the LDAP Proxy:
   rpm -ivh centrifydc-ldapproxy-5.3.1-rhel4-x86_64.rpm
b) Allow remote connections (the value written to the file is STARTUP_OPTS="-h ldap://"):
   echo 'STARTUP_OPTS="-h ldap://"' >> /etc/sysconfig/centrify-ldapproxy
c) Turn off security (lab/testing only; see the note above):
   echo "ldapproxy.require.authc: false" >> /etc/centrifydc/centrifydc.conf
d) Restart Centrify:
   service centrifydc restart
e) Start the LDAP Proxy:
   service centrify-ldapproxy start
2. Once you install, configure and start the service, make sure it's running:
$ ps -ef | grep slapd$
root 15598 1 0 18:09 ? 00:00:00 /usr/share/centrifydc/libexec/slapd
3. Test the LDAP proxy to make sure it's working properly and can retrieve the UNIX POSIX account data for a user with the following query, replacing "carmen.santiago" with a valid AD user in your environment. The UNIX data for the user should be returned as shown below.
# /usr/share/centrifydc/bin/ldapsearch -LLL -h engcen6 -x -p 389 "(&(objectclass=posixAccount)(uid=carmen.santiago))" uid uidNumber gidNumber
dn: cn=Carmen Santiago,ou=Other,ou=Staff,dc=centrify,dc=vms
gidNumber: 1040191499
uid: carmen.santiago
uidNumber: 1040191499
sAMAccountName: carmen.santiago
For the following steps, the Active Directory domain is “ad_domain”. There is no need to set up a user name or password, since the connection to the Centrify LDAP Proxy is made using anonymous binding. Optionally, you can use SSL between the filer and the LDAP proxy if you want the transactions to be encrypted.
4. Set up an LDAP Client on the cDOT 9 SVM
ldap client create -client-config LDAP -servers <ldap_proxy_fqdn> -schema RFC-2307 -port 389 -query-timeout 3 -min-bind-level anonymous -base-dn "dc=ad_domain,dc=com" -base-scope subtree -use-start-tls false -session-security none -vserver <vserver> -bind-dn <bind_dn>
(Values in angle brackets are placeholders for your environment. With anonymous binding, as used here, no bind DN or password is required.)
The ldap.base information should be the default naming context of the Active Directory domain (in this example we assume the default naming context is DC=ad_domain,DC=com).
The ldap.servers option is the fully qualified domain name of the LDAP Proxy (you can define more than one for redundancy by separating names by comma or space).
5. Enable the LDAP Client on the cDOT 9 SVM
ldap create -vserver <vserver> -client-config LDAP -client-enabled true
6. Configure nsswitch on the cDOT 9 SVM to use LDAP for user lookups.
name-service ns-switch modify -vserver <vserver> -database passwd -sources ldap,files
name-service ns-switch modify -vserver <vserver> -database group -sources ldap,files
name-service ns-switch modify -vserver <vserver> -database netgroup -sources ldap,files
name-service ns-switch modify -vserver <vserver> -database namemap -sources ldap,files
7. Test user lookups against the LDAP database using cDOT commands
set diag
secd authentication show-creds -node <node> -vserver <vserver> -unix-user-name <unix_user>
secd authentication show-creds -node <node> -vserver <vserver> -win-name <windows_user>

The LDAP client configuration on the SVM used in this example looks like this:

Vserver: <vserver>
Client Configuration Name: LDAP
LDAP Server List: 172.16.xxx.xxx
Active Directory Domain: -
Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
Schema Template: RFC-2307
LDAP Server Port: 389
Query Timeout (sec): 3
Minimum Bind Authentication Level: anonymous
Bind DN (User): -
Base DN: dc=,dc=com
Base Search Scope: subtree
Vserver Owns Configuration: true
Use start-tls Over LDAP Connections: false
Client Session Security: none
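As an added example (not part of the original post, nor Centrify or NetApp code), the following script checks offline what steps 3 and 7 verify by hand: it parses the ldapsearch output into entries, confirms each entry carries the uid/uidNumber/gidNumber attributes the RFC-2307 schema template needs, and flags the lab-only settings (ldapproxy.require.authc false, START TLS off, session security none) that the post says to turn on for production. The sample inputs are constructed from the values shown above.

```python
import re

# Attributes ONTAP's RFC-2307 schema template needs to map a UNIX user (step 3 query)
REQUIRED_POSIX = ("uid", "uidNumber", "gidNumber")

def parse_ldif(text):
    """Parse 'ldapsearch -LLL' output into a list of {attribute: [values]} dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():              # a blank line separates entries
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def check_posix_entry(entry):
    """Return the problems that would make the filer's passwd lookup for this entry fail."""
    problems = [f"missing {a}" for a in REQUIRED_POSIX if a not in entry]
    for attr in ("uidNumber", "gidNumber"):
        problems += [f"{attr} not numeric: {v}" for v in entry.get(attr, []) if not v.isdigit()]
    return problems

def audit_settings(proxy_conf, ontap_show):
    """Flag the testing-only settings from steps 1c and 4 that should not reach production."""
    findings = []
    if re.search(r"^\s*ldapproxy\.require\.authc\s*:\s*false", proxy_conf, re.M | re.I):
        findings.append("LDAP proxy answers unauthenticated queries (ldapproxy.require.authc false)")
    cfg = {k.strip(): v.strip() for k, _, v in
           (l.partition(":") for l in ontap_show.splitlines() if ":" in l)}
    if cfg.get("Use start-tls Over LDAP Connections", "").lower() == "false":
        findings.append("START TLS disabled: filer-to-proxy LDAP traffic is cleartext")
    if cfg.get("Client Session Security", "").lower() == "none":
        findings.append("session security none: LDAP sessions are not signed or sealed")
    return findings

# Constructed sample inputs, modelled on the step 3 output and the settings shown above
SAMPLE_LDIF = """dn: cn=Carmen Santiago,ou=Other,ou=Staff,dc=centrify,dc=vms
gidNumber: 1040191499
uid: carmen.santiago
uidNumber: 1040191499
"""
SAMPLE_CONF = "ldapproxy.require.authc: false\n"
SAMPLE_SHOW = "Use start-tls Over LDAP Connections: false\nClient Session Security: none\n"

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["uid"][0], check_posix_entry(e) or "OK")
    for f in audit_settings(SAMPLE_CONF, SAMPLE_SHOW):
        print("WARN:", f)
```

To run it against a live environment, feed it the real ldapsearch output, /etc/centrifydc/centrifydc.conf and the SVM's LDAP client display instead of the constructed samples.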
There you have it; unified identity management for your NetApp ONTAP filers to deliver consistent access across multi-protocol shares. We hope you find this post useful.
Regards,
Felderi Santiago
Technical Director - NA East/LATAM