<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09/05/2012 08:12 PM, Natxo Asenjo
wrote:<br>
</div>
<blockquote
cite="mid:CAHBEJzUtHESLLPHZu99eD=tzRUyhKTb=TMzei35J9zetTKXznw@mail.gmail.com"
type="cite">hi,<br>
<br>
the subject says it all, I guess.<br>
<br>
I know from another thread that with nexanta it is possible using
nsswitch.conf, but I was wondering if somene (Siggi :-) ? ) has
(had) this setup working.<br>
<br>
--<br>
Groeten,<br>
natxo<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
Hi,<br>
<br>
Yes I use NetApp filers connected to both AD and IPA at the same
time. It's easy to get going. These notes are taken from the top of
my head, I don't have my documentation in front of me just now.<br>
<br>
Configure the NetApp's DNS client to point to a set of DNS servers
that knows both your AD and your IPA DNS domain.<br>
Configure the DNS search path to point at both the IPA domain, and
the AD domain (if you have a different DNS domain for your IPA and
AD instances)<br>
<br>
Join the CIFS server to the AD domain. ("cifs setup")<br>
<br>
Setup the LDAP client ("options ldap" to list, "options ldap.option
value" to configure each value). <br>
I use authenticated simple binds, I have created an account for the
NetApp filers under cn=sysaccounts,cn=etc,$BASE for this purpose. <br>
The LDAP attribute mapping options can be left alone as far as I can
remember.<br>
You need to specify the compat tree for group, and netgroup lookups.
I cannot remember if I pointed users to the compat or accounts tree.
I specify each user/group/ng lookup path fully (e.g. I do NOT
specify the base DN and request subtree for lookups).<br>
Configure the "options ldap.enabled" after configuring all the other
options.<br>
Leave "ldap.ADdomain" blank.<br>
<br>
NOTE: I have been unable to get the LDAP SSL client of NetApp to
work with IPA as of yet. I have opened a support case with NetApp
for this issue. Not really a big issue as users password are not
being transmitted. To make of of SSL NetApp's documentation is to
upload the CA certificate in PEM format into /etc on the filer and
use the keymgr command to import it. After uploading the CA cert SSL
is enabled using "options ldap.ssl.enable on".<br>
<br>
Grant yourself advanced privileges on the filer "priv set advanced",
and use the "getXXbyYY" command to verify that the LDAP naming
services works as expected for users, groups and netgroups. <br>
<br>
If the previous test was successful: Configure the NetApp's
nsswitch.conf (using the filer webui is the easiest). Specify files
before ldap.<br>
<br>
You should now have a working AD (CIFS) and IPA (NFS) setup.<br>
<br>
If you syncronize IPA with AD the ntUserDomainId attribute will be
set to AD's sAMAccountName. If you do not sync you can script a sync
of these attributes manually to allow automatic user mapping in the
NetApp filer when Windows CIFS users connect. The username may be
the same, but the NetApp's user mapping has been seen to be case
sensitive in our environment. Syncing the sAMAccountName from AD
into IPA's ntUserDomainId attribute fixed these issue for us. You
also need to enable usermap lookup on the NetApp filer (a "option
ldap" configuration value).<br>
<br>
I hope this helps.<br>
<br>
<br>
<br>
Regards,<br>
Siggi<br>
<br>
<br>
<br>
</body>
</html>