
ldapproxy Assistance

Participant II
#1 of 13
Accepted Solution

ldapproxy Assistance

[ Edited ]

I'm attempting to set up the ldapproxy service but it's not working as hoped. The entire problem might be my lack of knowledge with the product. I've read several blog posts, forums, and the ldapproxy section in the UNIX admin guide but I'm still missing something. I've contacted support but was told this was a configuration issue and not a break/fix issue. I don't disagree with that assessment and one person is trying to help.

 

My scenario. First we have an Isilon sharing out multiprotocol mounts to some Linux servers. The Linux servers in this case are all Red Hat Enterprise Linux 7.3. We created a Parent Zone called APP with Child Zones for each environment, Dev, QA, and Prod. Each of the servers has a multiprotocol mount for each environment: Dev mount, QA mount and Prod mount. The mount is connected via NFS in Linux and SMB in Windows. Not all of the users have access to each environment. The Centrify users have been added to their own group and that group has rwx permission to the share. Also, I've done a g+s so every file is created with that gid. The problem is that Centrify users get permission denied in Linux on the multiprotocol mount (NFS), because the Isilon is unable to translate the UID or GID.

 

I've installed the ldapproxy on a Red Hat Enterprise Linux 7.3 server. I can get successful searches using the full account name, Firstname, Lastname, but not using the sAMAccountName. Is this by design, or am I not using the right switch? The Isilon is using the Linux account name, which is the equivalent of the sAMAccountName. At least that's what I'm being told by the Storage Admin. The full name works on the Isilon during our tests, but the Isilon sees the short name. Our Centrify environment was set up using the "Generated UID from SID" option. I have no idea if that makes a difference. I think I read somewhere that was one of the better options besides using the UID in AD. I don't think all of our users have that enabled too. One last thing, we did notice that we got a successful query on the short name if that user was a Centrify user on the ldapproxy server. Am I going to have to add all users to that server? That doesn't make any sense.

 

I'm clueless at this point. I'm probably making this harder than it should be. Any help would be appreciated.

#2 of 13

Re: ldapproxy Assistance

Hi,

 

Thanks for posting.  

 

To get this to work properly, you need to make sure that the Isilon is using the posixAccount object class.  

 

As a test, run the following ldap query and replace the -b option with your dc (i.e. "dc=centrifylab,dc=org"), uid with your test user and -h with your ldap-proxy (i.e. localhost):

 

/usr/share/centrifydc/bin/ldapsearch -LLL -h ldap-proxy -x -b "dc=example,dc=com" "(&(objectclass=posixAccount)(uid=test-username))" | sort

 

This will return something like the following:

 

#  /usr/share/centrifydc/bin/ldapsearch -LLL -h localhost -x -b "dc=centrify,dc=vms" "(&(objectclass=posixAccount)(uid=dwirth))"
dn: cn=Diana Wirth,ou=IT,ou=Staff,ou=Accounts,dc=centrify,dc=vms
description: dwirth@CENTRIFY.VMS
email: dwirth@centrify.vms
gecos: Diana Wirth
gidNumber: 1040188499
homeDirectory: /home/dwirth
loginShell: /bin/bash
uid: dwirth
uidNumber: 1040188499
userPassword:: XXX
accountExpires: 9223372036854775807
cn: Diana Wirth
displayName: Diana Wirth
lockoutTime: 0
mail: dwirth@centrify.vms
mobile: 9145573802
name: Diana Wirth
objectClass: top
objectClass: posixAccount
primaryGroupID: 513
pwdLastSet: 131359661403648897
sAMAccountName: dwirth
title: Systems Architect
uSNChanged: 1042047
userAccountControl: 66048
userPrincipalName: dwirth@centrify.vms

Notice that by querying the posixAccount class, Centrify returns the results in RFC2307 format which the Isilon supports.  This allows the Isilon to map the AD username to a UNIX name and vice versa as required.

 

Please confirm your Isilon is properly calling the LDAP proxy with the posixAccount class filter or is configured to search in an RFC2307 compatible way, and that should get this working for you.  

 

@Frank_PS from our Services team is also willing to assist you which is great news.  Thanks Frank.

 

Hope this helps,

Felderi Santiago
Technical Director - NA East, LATAM
Centrify Corporation
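As an added example (not code from the thread or from Centrify), the following Python helper builds the same posixAccount query shown in the reply above, parses the LDIF that the proxy returns, and reports which RFC2307 attributes each account is missing, so a whole list of short names can be checked before the Isilon is pointed at the proxy; an account with no entry at all is the "no UNIX profile / no listed role" case raised later in the thread. It assumes the ldapsearch path from the post and a reachable proxy host; the sample LDIF is constructed, modelled on the dwirth output above.

```python
import subprocess
from typing import Dict, List

# Attributes an RFC2307 consumer such as the Isilon needs to map a name to a UID/GID.
RFC2307_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the shape of the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def build_ldapsearch(host: str, base_dn: str, uid: str) -> List[str]:
    """The posixAccount query from the post, as an argv list (no shell quoting involved)."""
    flt = f"(&(objectclass=posixAccount)(uid={escape_filter(uid)}))"
    return ["/usr/share/centrifydc/bin/ldapsearch", "-LLL", "-h", host, "-x", "-b", base_dn, flt]

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse -LLL output into entries of {attribute: [values]}; blank lines separate entries."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):         # skip comments such as the echoed command
            attr, _, value = line.partition(":")
            current.setdefault(attr, []).append(value.lstrip(": ").strip())  # "::" = base64
    return entries

def check_users(ldif_by_user: Dict[str, str]) -> Dict[str, List[str]]:
    """Per user: RFC2307 attributes absent from the first entry (empty list = OK); no entry at
    all usually means the account has no UNIX profile or no 'listed' role in the zone."""
    report = {}
    for user, text in ldif_by_user.items():
        entries = parse_ldif(text)
        if not entries:
            report[user] = ["no posixAccount entry"]
        else:
            report[user] = [a for a in RFC2307_REQUIRED if a not in entries[0]]
    return report

def query_users(host: str, base_dn: str, users: List[str]) -> Dict[str, str]:
    """Run the proxy query for each short name and collect the raw LDIF (needs a live proxy)."""
    return {u: subprocess.run(build_ldapsearch(host, base_dn, u), capture_output=True,
                              text=True, check=False).stdout for u in users}

# Constructed sample output (fictitious accounts) in the shape of the post's example.
SAMPLE_OK = ("dn: cn=Jane Doe,ou=Staff,dc=example,dc=com\nuid: jdoe\nuidNumber: 1040100001\n"
             "gidNumber: 1040100001\nhomeDirectory: /home/jdoe\nloginShell: /bin/bash\n"
             "objectClass: posixAccount\nsAMAccountName: jdoe\nuserPassword:: eHh4\n")
SAMPLE_PARTIAL = "dn: cn=Al Smith,ou=Staff,dc=example,dc=com\nuid: asmith\nuidNumber: 1040100002\nloginShell: /bin/bash\n"
```

Against a real proxy, `check_users(query_users("localhost", "dc=example,dc=com", names))` gives the same report for live accounts; any name that comes back as "no posixAccount entry" is one to check for a UNIX profile and the listed role.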
Participant II
#3 of 13

Re: ldapproxy Assistance

Thank you for the response. I did hear back from a support rep. I guess I had 2 tickets open; one closed the case and the other is being helpful. Yea! I'm waiting on my Storage Team availability to test. As soon as I know something I'll respond back.

Participant II
#4 of 13

Re: ldapproxy Assistance

So we can only get successful queries from the Isilon if the user has access to the ldap-proxy server. Does that mean everyone we need to query needs to have access or list access to the ldap-proxy? I've attached the config from the Isilon. Your ldapsearch from the ldap-proxy server gets results when the user has access to the ldap-proxy server.

 

Isilon:

 User Filter: (objectClass=posixAccount)

#5 of 13

Re: ldapproxy Assistance

[ Edited ]

Glad that worked for you.

 

Users need at least the listed Role assigned. This listed role gives them the visibility required from the ldapproxy but it doesn't give them access to the system. That's what the listed role was designed to do.

 

Of course, also make sure the users have a UNIX profile defined as well.  

 

Regards,

 

Felderi Santiago
Technical Director - NA East, LATAM
Centrify Corporation
Participant II
#6 of 13

Re: ldapproxy Assistance

Thank you very much for the help. Is there a way to automate this? We have lots of users that we'll need to pass through this thing. :) 

#7 of 13

Re: ldapproxy Assistance

Yes. Simply assign an AD group (new or existing) the listed role and manage your AD group with the users that need access to your multiprotocol shares.

 

Regards,

 

Felderi Santiago
Technical Director - NA East, LATAM
Centrify Corporation
Participant II
#8 of 13

Re: ldapproxy Assistance

[ Edited ]

I added the group to the role assignments with listed but it's not working. Don't they need a UNIX profile too? The AD group I'm using has auto provisioning set up in a different parent Zone.

#9 of 13

Re: ldapproxy Assistance

Yes. Users need a UNIX profile. Otherwise, Centrify will not present those users as UNIX users.

Felderi Santiago
Technical Director - NA East, LATAM
Centrify Corporation
Participant II
#10 of 13

Re: ldapproxy Assistance

[ Edited ]

Back to the automation part. I have to add the users under UNIX Data manually then. This particular group is provisioned to another parent/child zone. I want it to auto-populate the Users under the ldapproxy automatically. I know I can do a copy and paste from the other zone users but was looking for that last magical piece.