LDAP and NetApp storage security integration approach

Source: Internet
Author: User


Many data centres build advanced file sharing on top of a network file system, which requires validation of user account information. If your clients are Linux systems, you can integrate NetApp storage with LDAP to strengthen that access control.



Most of a storage system's permission control can be integrated with Microsoft Active Directory, but configuring Lightweight Directory Access Protocol (LDAP) integration for Linux systems is less straightforward.



Secure file sharing requires verification of user authorization, just as high-level data sharing and archiving projects do. If Linux users need access to these shares, the storage system must first be able to identify those Linux user accounts. Besides Active Directory, LDAP integration can be used, although configuring LDAP is more involved. The good news is that NetApp storage supports LDAP server authentication integration. Once that is in place, you can set file access permissions on the storage as you would on a local Linux file server.



Begin by configuring LDAP integration on the NetApp storage. Use SSH to log on to the storage controller's command line. Enter the priv set advanced command, which unlocks all the security parameters you need to set. Next, enter options ldap to view the current settings (you can also do this through the browser-based management page):



ams5-fas2240-a*> options ldap
ldap.ADdomain
ldap.base                                dc=example,dc=com
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable                              on
ldap.minimum_bind_level                  anonymous
ldap.name
ldap.nssmap.attribute.gecos              gecos
ldap.nssmap.attribute.gidNumber          gidNumber
ldap.nssmap.attribute.groupname          cn
ldap.nssmap.attribute.homeDirectory      homeDirectory
ldap.nssmap.attribute.loginShell         loginShell
ldap.nssmap.attribute.memberNisNetgroup  memberNisNetgroup
ldap.nssmap.attribute.memberUid          memberUid
ldap.nssmap.attribute.netgroupname       cn
ldap.nssmap.attribute.nisNetgroupTriple  nisNetgroupTriple
ldap.nssmap.attribute.uid                uid
ldap.nssmap.attribute.uidNumber          uidNumber
ldap.nssmap.attribute.userPassword       userPassword
ldap.nssmap.objectClass.nisNetgroup      nisNetgroup
ldap.nssmap.objectClass.posixAccount     posixAccount
ldap.nssmap.objectClass.posixGroup       posixGroup
ldap.passwd                              ******
ldap.port                                389
ldap.servers                             ut01.example.local
ldap.servers.preferred                   ut01.example.local
ldap.ssl.enable                          off
ldap.timeout                             20
ldap.usermap.attribute.unixaccount       unixaccount
ldap.usermap.attribute.windowsaccount    windowsaccount
ldap.usermap.base
ldap.usermap.enable                      off



If any parameter is set incorrectly, use the options ldap.base command to set the correct search base:



ams5-fas2240-a*> options ldap.base dc=commerce-hub,dc=local



After setting the search base, verify that the storage can retrieve user information from the LDAP directory service. The getXXbyYY command shows how the system resolves the account arnaud:



ams5-fas2240-a*> getXXbyYY getpwbyname_r arnaud
pw_name = arnaud
pw_passwd = {{******}}
pw_uid = 1002, pw_gid = 100
pw_gecos =
pw_dir = /home/arnaud
pw_shell = /bin/bash

ams5-fas2240-a*> getXXbyYY getpwbyname_r linda
pw_name = linda
pw_passwd = {{******}}
pw_uid = 1001, pw_gid = 100
pw_gecos =
pw_dir = /home/linda
pw_shell = /bin/bash



The account information stored on the LDAP server is now resolved correctly at every level. Next, modify the name service switch configuration: open the /etc/nsswitch.conf file on the storage (write access to the root volume is required; use wrfile on the console, or an editor on a client that mounts the root volume) and make sure it contains the following lines:



ams5-fas2240-b> wrfile /etc/nsswitch.conf
hosts:    files dns nis
passwd:   ldap files nis
netgroup: ldap files nis
group:    ldap files nis
shadow:   files nis
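The lookup that getXXbyYY exercises above, modelled as an added Python example (not code from the article or from Data ONTAP): the passwd sources are tried in the order nsswitch.conf lists them, and the ldap source translates a posixAccount entry into pw_* fields through the ldap.nssmap.attribute.* mapping. The nsswitch.conf content and the attribute mapping are the article's; the directory entries and the local /etc/passwd lines are constructed, and NIS is modelled as an empty source.

```python
"""Model the filer's passwd lookup: walk the sources named in nsswitch.conf and, for the
ldap source, map a posixAccount entry onto passwd fields via ldap.nssmap.attribute.*.

Added example, not the article's or NetApp's code. Directory entries, the local passwd
file and the empty NIS source are constructed for illustration."""

NSSWITCH_CONF = """\
hosts:    files dns nis
passwd:   ldap files nis
netgroup: ldap files nis
group:    ldap files nis
shadow:   files nis
"""

# passwd field -> LDAP attribute, as set by the ldap.nssmap.attribute.* options.
NSSMAP = {
    "pw_name":   "uid",
    "pw_passwd": "userPassword",
    "pw_uid":    "uidNumber",
    "pw_gid":    "gidNumber",
    "pw_gecos":  "gecos",
    "pw_dir":    "homeDirectory",
    "pw_shell":  "loginShell",
}

# Constructed directory contents under the search base.
LDAP_ENTRIES = [
    {"objectClass": ["posixAccount"], "uid": "arnaud", "uidNumber": "1002", "gidNumber": "100",
     "gecos": "", "homeDirectory": "/home/arnaud", "loginShell": "/bin/bash",
     "userPassword": "{SSHA}constructed"},
    {"objectClass": ["posixAccount"], "uid": "linda", "uidNumber": "1001", "gidNumber": "100",
     "gecos": "", "homeDirectory": "/home/linda", "loginShell": "/bin/bash",
     "userPassword": "{SSHA}constructed"},
    # No posixAccount class: the ldap.nssmap.objectClass.posixAccount filter excludes it.
    {"objectClass": ["inetOrgPerson"], "uid": "svc-backup", "uidNumber": "1003"},
    # posixAccount with a non-numeric uidNumber: cannot become a passwd record.
    {"objectClass": ["posixAccount"], "uid": "broken", "uidNumber": "n/a", "gidNumber": "100"},
]

# Constructed local /etc/passwd on the filer (the "files" source).
FILES_PASSWD = """\
root:*:0:1:Root user:/:/bin/sh
nobody:*:65534:65534::/:/bin/false
"""

def parse_nsswitch(text):
    """Map each database (passwd, group, ...) to its ordered list of sources."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        order[db.strip().lower()] = sources.split()
    return order

def lookup_ldap(name):
    """Return the passwd record for a posixAccount whose mapped pw_name equals name, else None."""
    for entry in LDAP_ENTRIES:
        if "posixAccount" not in entry.get("objectClass", []):
            continue
        if entry.get(NSSMAP["pw_name"]) != name:
            continue
        rec = {field: entry.get(attr, "") for field, attr in NSSMAP.items()}
        try:
            rec["pw_uid"], rec["pw_gid"] = int(rec["pw_uid"]), int(rec["pw_gid"])
        except ValueError:
            return None  # numeric ids are mandatory; treat the entry as unusable
        rec["pw_passwd"] = "{{******}}"  # masked, as the article's getXXbyYY output shows it
        return rec
    return None

def lookup_files(name):
    """Parse the colon-separated local passwd file."""
    for line in FILES_PASSWD.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] == name:
            return {"pw_name": f[0], "pw_passwd": f[1], "pw_uid": int(f[2]), "pw_gid": int(f[3]),
                    "pw_gecos": f[4], "pw_dir": f[5], "pw_shell": f[6]}
    return None

SOURCES = {"ldap": lookup_ldap, "files": lookup_files, "nis": lambda name: None}

def getpwbyname(name, nsswitch=NSSWITCH_CONF):
    """Try each passwd source in nsswitch order; tag the record with the source that answered."""
    for source in parse_nsswitch(nsswitch).get("passwd", ["files"]):
        lookup = SOURCES.get(source)
        if lookup is None:
            continue  # unknown source keyword: skip it rather than fail the whole lookup
        rec = lookup(name)
        if rec is not None:
            rec["source"] = source
            return rec
    return None

if __name__ == "__main__":
    for user in ("arnaud", "linda", "root", "svc-backup", "broken"):
        print(user, "->", getpwbyname(user))
```

Running the block shows arnaud and linda answered by the ldap source with the uid/gid values from the article's listing, root answered by the local file, and the two malformed entries resolving to nothing; changing the passwd line to "passwd: files nis" makes the LDAP users disappear, which is the symptom to expect when nsswitch.conf has not been updated.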



The storage system can now obtain user information through the LDAP server. With NetApp storage and LDAP user authentication integrated, permission settings for Network File System (NFS) shares can be controlled properly. The options nfs.v4.acl.enable command toggles NFSv4 access control lists (ACLs). ACLs applied on the Linux side can then be carried onto the NetApp storage, which makes the storage behave much like a Linux directory tree with the corresponding permissions:



ams5-fas2240-b> options nfs.v4.acl.enable on



A change to the nfs.v4.acl.enable option affects both controllers of a high-availability (HA) pair, including during takeover. Make sure the value is the same on both members of the HA pair so that permission behaviour stays consistent.
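A check for two points made above (the options ldap settings reviewed at the start, and the requirement that option values match across the HA pair), as an added Python example that is not part of the article or of NetApp's tooling. The two option dumps are constructed to mirror the article's listings for ams5-fas2240-a and its partner, with the partner deliberately out of step; the parser assumes only the "name value" layout that options prints, and treating every ldap.* option as one that must match across the pair is this example's assumption.

```python
"""Audit Data ONTAP 7-mode `options` output: flag weak LDAP settings on one controller
and report watched options that differ between the two controllers of an HA pair.

Added example, not the article's or NetApp's code. The dumps are constructed to mirror
the article's listings; only the `name value` line layout is assumed."""

# Constructed dump for the first controller (password masked as the filer prints it).
NODE_A_OPTIONS = """\
ldap.ADdomain
ldap.base                    dc=example,dc=com
ldap.enable                  on
ldap.minimum_bind_level      anonymous
ldap.passwd                  ******
ldap.port                    389
ldap.servers                 ut01.example.local
ldap.servers.preferred       ut01.example.local
ldap.ssl.enable              off
ldap.timeout                 20
nfs.v4.acl.enable            on
"""

# Constructed dump for the HA partner, with two settings deliberately out of step.
NODE_B_OPTIONS = """\
ldap.ADdomain
ldap.base                    dc=commerce-hub,dc=local
ldap.enable                  on
ldap.minimum_bind_level      anonymous
ldap.passwd                  ******
ldap.port                    389
ldap.servers                 ut01.example.local
ldap.servers.preferred       ut01.example.local
ldap.ssl.enable              off
ldap.timeout                 20
nfs.v4.acl.enable            off
"""

def parse_options(text):
    """Turn `name value` lines into a dict; options printed with no value map to ''."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_ldap_options(opts):
    """Return (severity, message) findings for one controller's LDAP options."""
    findings = []
    if opts.get("ldap.enable") != "on":
        findings.append(("info", "ldap.enable is not on; LDAP lookups are inactive"))
    if not opts.get("ldap.base"):
        findings.append(("high", "ldap.base is empty; lookups have no search base"))
    servers = opts.get("ldap.servers", "").split()
    if not servers:
        findings.append(("high", "ldap.servers is empty; no directory server configured"))
    preferred = opts.get("ldap.servers.preferred")
    if preferred and preferred not in servers:
        findings.append(("medium", "ldap.servers.preferred %s is not listed in ldap.servers" % preferred))
    if opts.get("ldap.ssl.enable") != "on":
        findings.append(("high", "ldap.ssl.enable is off; binds and lookups cross the network in clear text"))
    if opts.get("ldap.minimum_bind_level", "").lower() == "anonymous":
        findings.append(("medium", "ldap.minimum_bind_level is anonymous; an unauthenticated bind is accepted"))
    return findings

# Option prefixes that must be identical on both nodes (the article names
# nfs.v4.acl.enable; watching the whole ldap.* family is this example's assumption).
MUST_MATCH_PREFIXES = ("ldap.", "nfs.v4.")

def diff_ha_options(a, b, prefixes=MUST_MATCH_PREFIXES):
    """List (option, value_on_a, value_on_b) for watched options whose values differ."""
    keys = sorted(k for k in set(a) | set(b) if k.startswith(prefixes))
    return [(k, a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)]

if __name__ == "__main__":
    a, b = parse_options(NODE_A_OPTIONS), parse_options(NODE_B_OPTIONS)
    for severity, message in audit_ldap_options(a):
        print("[%s] %s" % (severity, message))
    for option, va, vb in diff_ha_options(a, b):
        print("MISMATCH %s: a=%r b=%r" % (option, va, vb))
```

Against the constructed dumps the audit reports the clear-text LDAP transport and the anonymous bind level, and the pair comparison reports the differing search base and the nfs.v4.acl.enable mismatch; in practice you would paste the real options output of each controller into the two strings.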



NetApp storage is now fully integrated with the Linux environment, and administrators can manage it much like a local Linux file system.

