Ldap – How to configure a NetApp Filer to use LDAP for username/password/uid

ldapnetappsamba

We have a NetApp Filer, and want to access it via Samba/CIFS, and have it use the username/password/uid available in our OpenLDAP server. We already do this successfully with Samba 3 against OpenLDAP, so we have all the appropriate posix attributes as well as NT/LanManager password attributes.

The goal is that a user can mount their directory in Windows with the same username/password as their Linux login, and files created there will have the correct uid so it just works when they go back to Linux.

Again, we have all this working with Samba/OpenLDAP/Linux, so the question is not about that configuration. It's about configuring a NetApp against such a system.

Best Answer

I believe this is what you want:

options ldap.base dc=example,dc=com
options ldap.servers ldap.example.com
options ldap.enable on
edit nsswitch.conf

Edit /etc/nsswitch.conf

hosts: files dns
passwd: ldap files
netgroup: ldap files
group: ldap files
shadow: files nis

This now link requires a valid login

As always its worth testing things on the simulator first :)

Related Solutions

active-directory – How to Keep AD Group Synced in OpenLDAP with POSIX Account Augmentation

Ldap Synchronization Connector (LSC) can be used to set up a continuous synchronization from AD to an OpenLDAP server, while adding extra attributes generated however you like.

However, this won't directly allow use of the AD's credentials, unless you set up OpenLDAP to forward BIND requests to the AD servers... but then you depend on the AD infrastructure being available.

Relying on the credentials in AD is tough, because you either need to have the credentials in clear text elsewhere, or depend on using AD for binds, or set up password synchronization. Check out Active Directory password synchronization options.

One option not described on that page is exporting the list of hashed passwords from an AD server, but that is a one-shot operation, not continuous sync.

Ldap – Securing userPassword access with OpenLDAP in RHEL

pam_ldap shouldn't be attempting to read the userPassword value to log you in -- It logs you in by doing an LDAP bind with the DN that it retrieves.

It's possible the search parameters pam_ldap uses are over-broad & it tries to pull userPassword as a result, but if your ACL is set up correctly (looks fine to me) it won't get that value in its results.

Just in case your ACLs aren't fine (I've been known to miss stupidly obvious stuff before), here's the working ACL list from my production LDAP environment :)

# Access and Security Restrictions
# (Most restrictive entries first)
access to attrs=userPassword
    by self write
    by dn.sub="ou=sync,dc=mydomain,dc=com" read
    by anonymous auth
by users none

access to * by * read

The trailing access to * by * read is important, I didn't see it in your examples so I'm not sure if it's missing or just omitted from your snippet.

The sync line is for my LDAP synchronization service and isn't necessary if you're not doing replication...

Best Answer

Related Solutions

active-directory – How to Keep AD Group Synced in OpenLDAP with POSIX Account Augmentation

Ldap – Securing userPassword access with OpenLDAP in RHEL

Related Topic