
[Howto] - Centrify and NetApp ONTAP Integration

By Centrify Guru I 12-19-2016 09:00 AM

The Problem:

 

Customers with NetApp filers want to provide a consistent level of access across CIFS and NFS shares. To do this, the filers need to obtain Active Directory users and the UNIX identity of those users in order to enforce the same access on both protocols. Customers with Centrify deployed can accomplish this very easily.

 

The Solution:

 

Centrify Server Suite allows customers to integrate their non-Windows systems with Active Directory and provide a common UNIX namespace to these systems along with access control, privilege management, MFA and other features. Having Windows, UNIX/Linux systems and filers all look to AD for identity information provides the consistent level of access to shares that customers require.

 

Howto: 

 

The NY Centrify team of @erikdove and @Fel, along with our NetApp counterparts led by Paul Chilton, recently worked to integrate NetApp ONTAP with Centrify at a customer site.

 

For the benefit of the community, Paul Chilton from NetApp and the Centrify team are sharing a step-by-step guide to quickly integrate NetApp ONTAP with Centrify. This integration should work for cDOT 8.2.x, 8.3.x and 9.0 and any version of Centrify. The Centrify LDAP Proxy was used to integrate NetApp ONTAP with Centrify.

 

1. Install the LDAP Proxy. The system running the LDAP proxy in this example is RHEL 6; if you run the LDAP proxy on a different OS platform, replace the rpm and service commands accordingly. To simplify the integration and allow for quick testing, LDAP proxy security was turned off. In production, we recommend turning security ON.

 

a)    Install the LDAP Proxy   - rpm -ivh centrifydc-ldapproxy-5.3.1-rhel4-x86_64.rpm
b)    Allow Remote Connections - echo 'STARTUP_OPTS="-h ldap://"' >> /etc/sysconfig/centrify-ldapproxy
c)    Turn Off security        - echo "ldapproxy.require.authc: false" >> /etc/centrifydc/centrifydc.conf
d)    Restart Centrify         - service centrifydc restart
e)    Start the LDAP Proxy     - service centrify-ldapproxy start

 

2. Once you have installed, configured and started the service, make sure it's running:

 

$ ps -ef | grep slapd$
root      15598      1  0 18:09 ?        00:00:00 /usr/share/centrifydc/libexec/slapd

 

3. Test the LDAP proxy to make sure it's working properly and can retrieve the UNIX POSIX account data with the following query, replacing "carmen.santiago" with a valid AD user in your environment. The UNIX data for the user should be returned as shown below.

 

 

# /usr/share/centrifydc/bin/ldapsearch -LLL -h engcen6 -x -p 389 "(&(objectclass=posixAccount)(uid=carmen.santiago))" uid uidNumber gidNumber
 
dn: cn=Carmen Santiago,ou=Other,ou=Staff,dc=centrify,dc=vms
gidNumber: 1040191499
uid: carmen.santiago
uidNumber: 1040191499
sAMAccountName: carmen.santiago

 

For the following steps, the Active Directory domain is "ad_domain". There is no need to set up a user name or password, since the connection to the Centrify LDAP Proxy uses anonymous binding. Optionally, you can use SSL between the filer and the LDAP proxy if you want secure transactions.

 

4. Set up an LDAP Client on the cDOT 9 SVM

 

ldap client create -client-config LDAP -servers <centrify server> -schema RFC-2307 -port 389 -query-timeout 3 -min-bind-level anonymous -base-dn "dc=<AD Domain>,dc=com" -base-scope subtree -use-start-tls false -session-security none -vserver <svm> -bind-dn

 

The ldap.base information should be the default naming context of the Active Directory domain (in this example we assume the default naming context is DC=ad_domain,DC=com).

 

The ldap.servers option is the fully qualified domain name of the LDAP Proxy (you can define more than one for redundancy by separating the names with a comma or space).

 

5. Enable the LDAP Client on the cDOT 9 SVM

 

ldap create -vserver <svm> -client-config LDAP -client-enabled true

 

6. Configure nsswitch on the cDOT 9 SVM to use LDAP for user lookups.

 

name-service ns-switch modify -vserver <svm> -database passwd -sources ldap,files
name-service ns-switch modify -vserver <svm> -database group -sources ldap,files
name-service ns-switch modify -vserver <svm> -database netgroup -sources ldap,files
name-service ns-switch modify -vserver <svm> -database namemap -sources ldap,files

 

7. Test user lookups in the LDAP database using cDOT commands

 

set diag
secd authentication show-creds -node <node> -vserver <svm> -unix-user-name <unix user>
secd authentication show-creds -node <node> -vserver <svm> -win-name <win user>
 
Vserver: <svm>
Client Configuration Name: LDAP
LDAP Server List: 172.16.xxx.xxx
Active Directory Domain: -
Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
Schema Template: RFC-2307
LDAP Server Port: 389
Query Timeout (sec): 3
Minimum Bind Authentication Level: anonymous
Bind DN (User): -
Base DN: dc=<ad_domain>,dc=com
Base Search Scope: subtree
Vserver Owns Configuration: true
Use start-tls Over LDAP Connections: false
Client Session Security: none
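As an added example (not part of the original howto, and not Centrify or NetApp code), the POSIX shell audit below flags the test-only settings the steps above relax on each side of the integration (cleartext ldap:// listener, anonymous binds on the proxy, no start-tls and no session security on the filer) and checks that a user's ldapsearch LDIF carries uid, uidNumber and gidNumber before you rely on it for share access. The function names are mine and every file it reads is a constructed sample written to a temp directory.

```shell
#!/bin/sh
# Added example: audit the settings the howto relaxes for quick testing and
# confirm ldapsearch output has the POSIX attributes the filer needs.
# Paths mirror the howto; all sample file contents below are constructed.
# audit_proxy_config SYSCONFIG CENTRIFYDC_CONF -> 0 only if nothing insecure is found
audit_proxy_config() {
    rc=0
    # "-h ldap://" with no ldaps:// URL: cleartext LDAP on every interface
    if grep -q 'STARTUP_OPTS=.*ldap://' "$1" && ! grep -q 'ldaps://' "$1"; then
        echo "FINDING: proxy listener is cleartext ldap:// only ($1)"; rc=1
    fi
    # require.authc false: anonymous binds may read identity data
    if grep -Eq '^[[:space:]]*ldapproxy\.require\.authc:[[:space:]]*false' "$2"; then
        echo "FINDING: anonymous binds permitted ($2)"; rc=1
    fi
    return $rc
}

# audit_ontap_client SHOW_OUTPUT -> 1 when 'ldap client show' output reports a
# cleartext filer-to-proxy session (no start-tls and session security none)
audit_ontap_client() {
    if grep -q 'Use start-tls Over LDAP Connections: false' "$1" &&
       grep -q 'Client Session Security: none' "$1"; then
        echo "FINDING: filer-to-proxy LDAP session is cleartext ($1)"; return 1
    fi
    return 0
}

# check_posix_ldif LDIF -> 0 when uid, uidNumber and gidNumber are all present
check_posix_ldif() {
    for attr in uid uidNumber gidNumber; do
        grep -Eq "^${attr}: ." "$1" || { echo "MISSING: $attr in $1"; return 1; }
    done
    return 0
}

# --- constructed samples mirroring the howto's step 1, step 3 and step 7 ---
tmp=$(mktemp -d)
printf 'STARTUP_OPTS="-h ldap://"\n' > "$tmp/centrify-ldapproxy"
printf 'ldapproxy.require.authc: false\n' > "$tmp/centrifydc.conf"
printf 'Use start-tls Over LDAP Connections: false\nClient Session Security: none\n' > "$tmp/client.show"
printf 'dn: cn=Carmen Santiago,ou=Other,ou=Staff,dc=centrify,dc=vms\nuid: carmen.santiago\nuidNumber: 1040191499\ngidNumber: 1040191499\n' > "$tmp/user.ldif"
# hardened counterparts that a production proxy should show instead (constructed)
printf 'STARTUP_OPTS="-h ldaps://"\n' > "$tmp/centrify-ldapproxy.prod"
printf 'ldapproxy.require.authc: true\n' > "$tmp/centrifydc.conf.prod"
audit_proxy_config "$tmp/centrify-ldapproxy" "$tmp/centrifydc.conf" || echo "proxy: test-only settings detected"
audit_ontap_client "$tmp/client.show" || echo "filer: test-only settings detected"
check_posix_ldif "$tmp/user.ldif" && echo "POSIX data present for filer lookups"
```

Point the two audit functions at the real /etc/sysconfig/centrify-ldapproxy, /etc/centrifydc/centrifydc.conf and a saved `ldap client show` output to re-check a deployment before it leaves the test phase.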

 

 

There you have it: unified identity management for your NetApp ONTAP filers, delivering consistent access across multi-protocol shares. We hope you find this post useful.

 

Regards,

 

Felderi Santiago

Technical Director - NA East/LATAM

 

Comments
By Demond_BBT
on ‎12-19-2016 11:19 AM

This is awesome and exactly what I needed! I'll get setup and tested in our test environment!  Thanks.

By Centrify Guru I
on ‎12-19-2016 11:51 AM

Thanks @Demond_BBT!  We're looking forward to your feedback.  We receive this question from several customers and want to make sure we have a solid blog we can reference them to.

 

By Demond_BBT
on ‎12-19-2016 11:59 AM
I'll definitely provide feedback. We are currently in a production year-end freeze that includes our test environment. The freeze will be lifted early next year and then I can test a configuration.

By wchandler
on ‎12-29-2016 12:33 PM

Is it possible to do this without the LDAP proxy?

By Centrify Guru I
on ‎12-29-2016 12:45 PM

It is possible, however you will be losing the flexibilities facilitated by Centrify using Identity Management via zones.

You could have UNIX identity (POSIX/RFC2307 account data with the actual AD object) by using RFC2307 or SFU schema and leverage the native NetApp integration.

However you must have a pristine UNIX namespace (everyone and every group is cleanly defined) across all domains and forests

At that point you lose the ability to have identity overrides or to re-use AD groups as UNIX groups in different contexts.

This topic is covered here:  http://community.centrify.com/t5/TechBlog/Basics-Centrify-Zone-schemas-UNIX-identity-data-sourcing-a...

 

Finally, the LDAP proxy is not only for filer integration.  There are use cases like legacy apps, Hadoop, and others that benefit from presenting a complex AD forest using a single (typically DNS round-robin load-balanced) bank of LDAP proxies.

By wchandler
on ‎12-29-2016 01:25 PM

[quote]"You could have UNIX identity (POSIX/RFC2307 account data with the actual AD object) by using RFC2307 or SFU schema and leverage the native NetApp integration."[/quote]

 

That's kind of my initial approach.  Map certain AD attributes using a custom schema on the NetApp.

 

[quote]"However you must have a pristine UNIX namespace (everyone and every group is cleanly defined) across all domains and forests"[/quote]

 

Should be good on this front.

 

[quote]At that point you lose the ability to have identity overrides or to re-use AD groups as UNIX groups in different contexts.[/quote]

 

Are you primarily thinking of group permissions on files?

 

[quote]Finally, the LDAP proxy is not only for filer integration.  There are use cases like legacy apps, Hadoop, and others that benefit from presenting a complex AD forest using a single (typically DNS round-robin load-balanced) bank of LDAP proxies[/quote]

 

From our org's perspective, the AD team would have to adopt these LDAP proxies and maintain them, which would be an additional, unnecessary expense if the NetApp can be configured to do so (as was pitched by their sales team a year ago).

By Centrify Guru I
on ‎12-29-2016 02:29 PM

Sounds like you can go ahead on your own (using NetApp's approach). 

 

Now you must re-design your zone structure to store PosixAccount info with the AD object rather than with the zone.

 

The article I linked to above contains the info about the different schemas and where data is stored.

 

Good luck!!!

By user50062
on ‎03-29-2017 05:53 PM

Hi Guys, 

 

Was following the doc and found there is a database parameter in the NetApp configuration with netgroup. In my environment we are creating AD groups in place of NIS netgroups. Without netgroup or Centrify NIS maps, is there any way I can configure host-based access control with AD group and computer objects?

 
