<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 09/05/2012 08:12 PM, Natxo Asenjo wrote: </div> <blockquote cite="mid:CAHBEJzUtHESLLPHZu99eD=tzRUyhKTb=TMzei35J9zetTKXznw@mail.gmail.com" type="cite">hi, the subject says it all, I guess. I know from another thread that with nexanta it is possible using nsswitch.conf, but I was wondering if somene (Siggi :-) ? ) has (had) this setup working. -- Groeten, natxo <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> Hi, Yes I use NetApp filers connected to both AD and IPA at the same time. It's easy to get going. These notes are taken from the top of my head, I don't have my documentation in front of me just now. Configure the NetApp's DNS client to point to a set of DNS servers that knows both your AD and your IPA DNS domain. Configure the DNS search path to point at both the IPA domain, and the AD domain (if you have a different DNS domain for your IPA and AD instances) Join the CIFS server to the AD domain. ("cifs setup") Setup the LDAP client ("options ldap" to list, "options ldap.option value" to configure each value). I use authenticated simple binds, I have created an account for the NetApp filers under cn=sysaccounts,cn=etc,$BASE for this purpose. The LDAP attribute mapping options can be left alone as far as I can remember. You need to specify the compat tree for group, and netgroup lookups. I cannot remember if I pointed users to the compat or accounts tree. I specify each user/group/ng lookup path fully (e.g. I do NOT specify the base DN and request subtree for lookups). Configure the "options ldap.enabled" after configuring all the other options. Leave "ldap.ADdomain" blank. NOTE: I have been unable to get the LDAP SSL client of NetApp to work with IPA as of yet. I have opened a support case with NetApp for this issue. Not really a big issue as users password are not being transmitted. To make of of SSL NetApp's documentation is to upload the CA certificate in PEM format into /etc on the filer and use the keymgr command to import it. After uploading the CA cert SSL is enabled using "options ldap.ssl.enable on". Grant yourself advanced privileges on the filer "priv set advanced", and use the "getXXbyYY" command to verify that the LDAP naming services works as expected for users, groups and netgroups. If the previous test was successful: Configure the NetApp's nsswitch.conf (using the filer webui is the easiest). Specify files before ldap. You should now have a working AD (CIFS) and IPA (NFS) setup. If you syncronize IPA with AD the ntUserDomainId attribute will be set to AD's sAMAccountName. If you do not sync you can script a sync of these attributes manually to allow automatic user mapping in the NetApp filer when Windows CIFS users connect. The username may be the same, but the NetApp's user mapping has been seen to be case sensitive in our environment. Syncing the sAMAccountName from AD into IPA's ntUserDomainId attribute fixed these issue for us. You also need to enable usermap lookup on the NetApp filer (a "option ldap" configuration value). I hope this helps. Regards, Siggi </body> </html>