
[Howto] - Centrify and NetApp ONTAP Integration

11 April,19 at 11:50 AM

The Problem:


Customers with NetApp filers want to provide a consistent level of access across CIFS and NFS shares. To do this, the filers need to obtain Active Directory users and the UNIX identity of those users in order to provide the unified level of access required. Customers with Centrify deployed can accomplish this very easily.


The Solution:


Centrify Server Suite allows customers to integrate their non-Windows systems with Active Directory and provides a common UNIX namespace to these systems along with access control, privilege management, MFA and other features. Having Windows, UNIX/Linux systems and filers all look to AD for identity information provides the consistent level of access to shares that customers require.




The NY Centrify team of @erikdove and @Fel along with our NetApp counterparts led by Paul Chilton worked to integrate NetApp ONTAP with Centrify at a customer site recently.  


For the benefit of the community, Paul Chilton from NetApp and we at Centrify are sharing a step-by-step guide to quickly integrate NetApp ONTAP with Centrify. This integration should work for cDoT 8.2.x, 8.3.x and 9.0 and any version of Centrify. To integrate NetApp ONTAP with Centrify, the Centrify LDAP Proxy was used.


1. Install the LDAP Proxy. The system running the LDAP proxy in this example is RHEL 6; if you run the LDAP proxy on a different OS platform, replace the rpm and service commands accordingly. To simplify the integration and allow for quick testing, LDAP proxy security was turned off. In production, we recommend turning security back on.


a)    Install the LDAP Proxy   - rpm -ivh centrifydc-ldapproxy-5.3.1-rhel4-x86_64.rpm
b)    Allow Remote Connections - echo 'STARTUP_OPTS="-h ldap://"' >> /etc/sysconfig/centrify-ldapproxy
c)    Turn Off security        - echo "ldapproxy.require.authc: false" >> /etc/centrifydc/centrifydc.conf
d)    Restart Centrify         - service centrifydc restart
e)    Start the LDAP Proxy     - service centrify-ldapproxy start


2. Once you have installed, configured and started the service, make sure it is running:


$ ps -ef | grep slapd$
root      15598      1  0 18:09 ?        00:00:00 /usr/share/centrifydc/libexec/slapd


3. Test the LDAP proxy to make sure it is working properly and can retrieve a UNIX POSIX account (UNIX data) with the following query, replacing "carmen.santiago" with a valid AD user in the environment. The UNIX data for the user should be returned as shown below.



# /usr/share/centrifydc/bin/ldapsearch -LLL -h engcen6 -x -p 389 "(&(objectclass=posixAccount)(uid=carmen.santiago))" uid uidNumber gidNumber
dn: cn=Carmen Santiago,ou=Other,ou=Staff,dc=centrify,dc=vms
gidNumber: 1040191499
uid: carmen.santiago
uidNumber: 1040191499
sAMAccountName: carmen.santiago
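The step above is the one place in the procedure where you can see whether the proxy really returns the attributes the filer will later map through the RFC-2307 schema. The following script is an added example (not Centrify's or NetApp's code) that parses `ldapsearch -LLL` LDIF output and checks that exactly one entry came back and that it carries uid, uidNumber and gidNumber with sane values. The sample LDIF embedded in it is constructed from the output shown above; the ldapsearch path, host and filter are the ones used in step 3, and the `ldap_filter_escape` helper is an assumption added here so that a user name taken from the command line cannot alter the search filter.

```python
"""Validate the LDIF returned by the step-3 ldapsearch test (added example)."""
import base64
import subprocess
import sys

# Constructed sample, modelled on the ldapsearch output shown in step 3.
SAMPLE_LDIF = """\
dn: cn=Carmen Santiago,ou=Other,ou=Staff,dc=centrify,dc=vms
gidNumber: 1040191499
uid: carmen.santiago
uidNumber: 1040191499
sAMAccountName: carmen.santiago
"""

# Attributes the filer needs from every RFC-2307 posixAccount entry.
REQUIRED = ("uid", "uidNumber", "gidNumber")


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values.

    Handles LDIF line folding (continuation lines start with one space),
    '::' base64 values and '#' comments; entries are separated by blank lines.
    """
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line, ignore
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_entry(entry, expected_uid):
    """Return a list of problems; an empty list means the entry is usable."""
    problems = [f"missing {attr}" for attr in REQUIRED if attr not in entry]
    for attr in ("uidNumber", "gidNumber"):
        for v in entry.get(attr, []):
            if not v.isdigit():
                problems.append(f"{attr} not numeric: {v!r}")
    uids = entry.get("uid", [])
    if len(uids) > 1:
        problems.append("multiple uid values on one entry")
    if uids and expected_uid not in uids:
        problems.append(f"uid {uids} does not match requested {expected_uid!r}")
    return problems


def check_ldif(text, expected_uid):
    """Return (ok, problems). ok is True only for exactly one clean entry."""
    entries = parse_ldif(text)
    if not entries:
        return False, ["no entries returned: proxy not answering, wrong base DN, "
                       "or user not UNIX-enabled in the zone"]
    if len(entries) > 1:
        return False, [f"{len(entries)} entries returned for one uid: ambiguous identity"]
    problems = check_entry(entries[0], expected_uid)
    return not problems, problems


if __name__ == "__main__":
    if len(sys.argv) == 3:
        host, user = sys.argv[1], sys.argv[2]
        # Same query as step 3 of the article: anonymous bind on port 389.
        cmd = ["/usr/share/centrifydc/bin/ldapsearch", "-LLL", "-h", host, "-x", "-p", "389",
               f"(&(objectclass=posixAccount)(uid={ldap_filter_escape(user)}))",
               "uid", "uidNumber", "gidNumber"]
        ldif = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    else:
        user, ldif = "carmen.santiago", SAMPLE_LDIF  # offline run on the constructed sample
    ok, problems = check_ldif(ldif, user)
    print("OK" if ok else "PROBLEMS: " + "; ".join(problems))
```

Run it with no arguments to exercise the embedded sample, or as `python3 check_ldif.py engcen6 carmen.santiago` on the proxy host to run the live query; a result of zero or several entries, or an entry without a numeric uidNumber, is exactly the condition that later shows up on the filer as a user who maps to nobody or to the wrong UID.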


For the following steps, the Active Directory domain is "ad_domain". There is no need to set up a user name or password, since the connection to the Centrify LDAP Proxy is made using an anonymous bind. Optionally you can use SSL between the filer and the LDAP proxy if you want the transactions to be secured.


4. Set up an LDAP Client on the cDoT 9 SVM


ldap client create -client-config LDAP -servers  -schema RFC-2307 -port 389 -query-timeout 3 -min-bind-level anonymous -base-dn "dc=,dc=com" -base-scope subtree -use-start-tls false -session-security none -vserver  -bind-dn


The ldap.base information should be the default naming context of the Active Directory domain (in this example we assume the default naming context is DC=ad_domain,DC=com).


The ldap.servers option is the fully qualified domain name of the LDAP Proxy (you can define more than one for redundancy by separating the names with a comma or a space).


5. Enable the LDAP Client on the cDoT 9 SVM


ldap create -vserver  -client-config LDAP -client-enabled true


6. Configure nsswitch on the cDoT 9 SVM to use LDAP for user lookups.


name-service ns-switch modify -vserver  -database passwd -sources ldap,files
name-service ns-switch modify -vserver  -database group -sources ldap,files
name-service ns-switch modify -vserver  -database netgroup -sources ldap,files
name-service ns-switch modify -vserver  -database namemap -sources ldap,files


7. Test user lookups in the LDAP database using cDoT commands


set diag
secd authentication show-creds -node  -vserver  -unix-user-name 
secd authentication show-creds -node  -vserver  -win-name 
Client Configuration Name: LDAP
LDAP Server List:
Active Directory Domain: -
Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
Schema Template: RFC-2307
LDAP Server Port: 389
Query Timeout (sec): 3
Minimum Bind Authentication Level: anonymous
Bind DN (User): -
Base DN: dc=,dc=com
Base Search Scope: subtree
Vserver Owns Configuration: true
Use start-tls Over LDAP Connections: false
Client Session Security: none
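The configuration printed above is the lab version: anonymous binds, no start-tls and no session security, and on the proxy side step 1c disabled `ldapproxy.require.authc`. Step 1 says these should be turned back on in production, so the following added example (not ONTAP's or Centrify's code) audits both pieces of text for the settings that were relaxed for testing. It parses the `Key: value` output shown in step 7 and the `ldapproxy.require.authc` line from /etc/centrifydc/centrifydc.conf; the embedded samples are constructed from what the article shows, and the `production_ready` helper is an assumption of this example.

```python
"""Flag the test-mode LDAP settings this article relaxes for quick testing (added example)."""

# Constructed sample: the LDAP client configuration block shown in step 7.
SAMPLE_ONTAP = """\
Client Configuration Name: LDAP
LDAP Server List:
Active Directory Domain: -
Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
Schema Template: RFC-2307
LDAP Server Port: 389
Query Timeout (sec): 3
Minimum Bind Authentication Level: anonymous
Bind DN (User): -
      Base DN: dc=,dc=com
      Base Search Scope: subtree
      Vserver Owns Configuration: true
      Use start-tls Over LDAP Connections: false
      Client Session Security: none
"""

# Constructed sample: the line step 1c appends to /etc/centrifydc/centrifydc.conf.
SAMPLE_PROXY_CONF = "ldapproxy.require.authc: false\n"

# (setting, predicate that is true for the lab-only value, why it matters)
LAB_ONLY = [
    ("Minimum Bind Authentication Level", lambda v: v == "anonymous",
     "anonymous binds let any host that can reach the proxy read identity data"),
    ("Use start-tls Over LDAP Connections", lambda v: v == "false",
     "LDAP traffic between filer and proxy is cleartext; the article suggests SSL/TLS"),
    ("Client Session Security", lambda v: v == "none",
     "the LDAP session is neither signed nor sealed"),
]


def parse_kv(text):
    """Parse 'Key: value' lines (indentation ignored) into a dict.

    An empty value or '-' (ONTAP's marker for 'not set') becomes None.
    Works for both the ONTAP show output and the centrifydc.conf line.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        settings[key.strip()] = None if value in ("", "-") else value
    return settings


def audit_ontap(text):
    """Return [(setting, current value, reason)] for every lab-only filer setting."""
    s = parse_kv(text)
    return [(key, s.get(key), why) for key, is_lab, why in LAB_ONLY if is_lab(s.get(key))]


def audit_proxy_conf(text):
    """Return a finding if the Centrify LDAP proxy does not require authentication."""
    v = parse_kv(text).get("ldapproxy.require.authc")
    if v is not None and v.lower() == "false":
        return [("ldapproxy.require.authc", v,
                 "proxy answers unauthenticated queries (step 1c turned this off for testing)")]
    return []


def production_ready(ontap_text, proxy_conf_text):
    """True only when neither the filer nor the proxy still carries a lab-only setting."""
    return not (audit_ontap(ontap_text) or audit_proxy_conf(proxy_conf_text))


if __name__ == "__main__":
    for setting, value, why in audit_ontap(SAMPLE_ONTAP) + audit_proxy_conf(SAMPLE_PROXY_CONF):
        print(f"{setting} = {value!r}: {why}")
    print("production ready:", production_ready(SAMPLE_ONTAP, SAMPLE_PROXY_CONF))
```

Paste the real `ldap client show` output and the proxy's conf line in place of the samples before signing off a deployment; when it prints no findings, the filer is binding with credentials over a protected channel and the proxy is back to requiring authentication, which is the production posture step 1 asks for.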



There you have it: unified identity management for your NetApp ONTAP filers, delivering consistent access across multi-protocol shares. We hope you find this post useful.




Felderi Santiago

Technical Director -  NA East/LATAM

