LDAP and NetApp storage security integration approach

Source: Internet
Author: User
Tags: file system, LDAP

Many data centers build more advanced file sharing on top of a network file system, and that requires validating user account information. If the clients are Linux systems, you can integrate NetApp storage with LDAP to tighten that control.

Most of the storage system's access control can be integrated with Microsoft Active Directory, but configuring Lightweight Directory Access Protocol (LDAP) integration for Linux clients is less straightforward.

Secure file sharing requires verifying who the user is and what they are allowed to do, just as high-level data sharing and archiving projects do. If Linux users need access to these shares, the storage device must first be able to identify those Linux user accounts. Besides Active Directory, LDAP can be used for this, although its configuration is more involved. The good news is that NetApp storage supports looking up user identities in an LDAP server; once that works, file access on the storage can be set up as it would be on a local Linux file server.

Start by configuring the NetApp storage for LDAP integration. Log on to the storage system's command line over SSH and enter priv set advanced, which exposes all the necessary security parameters. Then enter options ldap to view the current settings (the same values can also be viewed in the web interface):

ams5-fas2240-a*> options ldap
ldap.ADdomain
ldap.base                                dc=example,dc=com
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable                              on
ldap.minimum_bind_level                  anonymous
ldap.name
ldap.nssmap.attribute.gecos              gecos
ldap.nssmap.attribute.gidNumber          gidNumber
ldap.nssmap.attribute.groupname          cn
ldap.nssmap.attribute.homeDirectory      homeDirectory
ldap.nssmap.attribute.loginShell         loginShell
ldap.nssmap.attribute.memberNisNetgroup  memberNisNetgroup
ldap.nssmap.attribute.memberUid          memberUid
ldap.nssmap.attribute.netgroupname       cn
ldap.nssmap.attribute.nisNetgroupTriple  nisNetgroupTriple
ldap.nssmap.attribute.uid                uid
ldap.nssmap.attribute.uidNumber          uidNumber
ldap.nssmap.attribute.userPassword       userPassword
ldap.nssmap.objectClass.nisNetgroup      nisNetgroup
ldap.nssmap.objectClass.posixAccount     posixAccount
ldap.nssmap.objectClass.posixGroup       posixGroup
ldap.passwd                              ******
ldap.port                                389
ldap.servers                             ut01.example.local
ldap.servers.preferred                   ut01.example.local
ldap.ssl.enable                          off
ldap.timeout                             20
ldap.usermap.attribute.unixaccount       unixaccount
ldap.usermap.attribute.windowsaccount    windowsaccount
ldap.usermap.base
ldap.usermap.enable                      off

Two values in this dump deserve attention before going further: ldap.ssl.enable is off and ldap.minimum_bind_level is anonymous, so the storage talks to the directory in clear text on port 389 and is willing to bind without credentials. For anything beyond a lab, turn on ldap.ssl.enable and raise ldap.minimum_bind_level. If a parameter is wrong, correct it with the matching options command; for example, options ldap.base sets the search base DN:

ams5-fas2240-a*> options ldap.base dc=commerce-hub,dc=local
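Before trusting these settings it helps to read the dump mechanically. The following Python script is an added example, not NetApp code: it parses the text that options ldap prints and flags the weak choices visible in the dump above (ldap.ssl.enable off, ldap.minimum_bind_level anonymous), plus a few sanity checks on the base DN and server list. SAMPLE_OPTIONS is a constructed copy of the relevant lines, the port-636 check is a convention rather than an ONTAP rule, and the audit can equally be pointed at real output saved from an SSH session.

```python
"""Audit a Data ONTAP 7-Mode 'options ldap' dump for weak settings.

Added example, not NetApp code. SAMPLE_OPTIONS is constructed to mirror the
state shown on this page (plain LDAP on 389, anonymous bind level); the
checks are the ones a reviewer would run before trusting the filer's lookups.
"""
import re

SAMPLE_OPTIONS = """\
ams5-fas2240-a*> options ldap
ldap.ADdomain
ldap.base                    dc=example,dc=com
ldap.base.group
ldap.enable                  on
ldap.minimum_bind_level      anonymous
ldap.name
ldap.nssmap.attribute.uid    uid
ldap.passwd                  ******
ldap.port                    389
ldap.servers                 ut01.example.local
ldap.servers.preferred       ut01.example.local
ldap.ssl.enable              off
ldap.timeout                 20
ldap.usermap.enable          off
"""

# A DN is a comma-separated list of attr=value pairs, e.g. dc=example,dc=com.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def parse_options(text):
    """Map option name -> value; an option printed with no value maps to ''."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ldap."):
            continue  # skips the echoed prompt and blank lines
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return opts


def audit_ldap_options(opts):
    """Return a list of findings (strings); an empty list means nothing to object to."""
    findings = []
    if opts.get("ldap.enable") != "on":
        findings.append("ldap.enable is not on: name lookups will not consult LDAP")
    base = opts.get("ldap.base", "")
    if not base:
        findings.append("ldap.base is empty: searches have no base DN")
    elif not DN_RE.match(base):
        findings.append("ldap.base %r is not a well-formed DN" % base)
    if not opts.get("ldap.servers"):
        findings.append("ldap.servers is empty: no directory server configured")
    ssl_on = opts.get("ldap.ssl.enable") == "on"
    level = opts.get("ldap.minimum_bind_level", "").lower()
    bind_dn = opts.get("ldap.name", "")
    if not ssl_on:
        findings.append("ldap.ssl.enable is off: queries cross the network in clear")
        if bind_dn:
            findings.append("ldap.name is set with ldap.ssl.enable off: the simple-bind "
                            "password in ldap.passwd is sent in clear")
    elif opts.get("ldap.port") == "389":
        # Heuristic: LDAPS conventionally listens on 636; confirm the server's TLS port.
        findings.append("ldap.ssl.enable is on but ldap.port is 389; check the server's "
                        "TLS port (usually 636)")
    if level == "anonymous":
        findings.append("ldap.minimum_bind_level is anonymous: the filer may fall back to an "
                        "unauthenticated bind, and the directory must then allow anonymous reads")
    return findings


def audit_dump(text):
    """Convenience wrapper: parse a raw dump and audit it."""
    return audit_ldap_options(parse_options(text))


if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_OPTIONS):
        print("FINDING:", finding)
```

Run against the dump above it reports exactly the two clear-text and anonymous-bind findings; with ldap.ssl.enable on, ldap.port 636, a bind DN in ldap.name and ldap.minimum_bind_level simple, the list comes back empty.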

After setting the search base, verify that the storage can actually resolve accounts from the LDAP directory service. The getxxbyyy command shows how the system resolves the accounts arnaud and linda:

ams5-fas2240-a*> getxxbyyy getpwbyname_r arnaud
pw_name = arnaud
pw_passwd = {{******}}
pw_uid = 1002, pw_gid = 100
pw_gecos =
pw_dir = /home/arnaud
pw_shell = /bin/bash

ams5-fas2240-a*> getxxbyyy getpwbyname_r linda
pw_name = linda
pw_passwd = {{******}}
pw_uid = 1001, pw_gid = 100
pw_gecos =
pw_dir = /home/linda
pw_shell = /bin/bash

The account information held on the LDAP server now resolves correctly, so the next step is to tell the name service switch to use it. Edit /etc/nsswitch.conf on the storage system: wrfile rewrites the whole file from what you type, so check the current contents with rdfile first. The file should contain the following lines:

ams5-fas2240-b> wrfile /etc/nsswitch.conf
hosts: files dns nis
passwd: ldap files nis
netgroup: ldap files nis
group: ldap files nis
shadow: files nis
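To make the getxxbyyy output and the nsswitch.conf ordering above concrete, here is an added Python example (not NetApp code) that emulates the two steps: mapping a posixAccount entry onto the passwd fields through the nssmap attribute names from the options ldap dump, and walking the sources in the order the passwd: line names them. The LDIF entries, the local passwd table, the nsswitch lines and the deliberate duplicate uidNumber on the constructed backup account are all assumptions made for the example.

```python
"""Emulate the filer's passwd lookup: nsswitch source order plus the nssmap table.

Added example, not NetApp code. NSSMAP uses the attribute names from the
'options ldap' dump on this page; LDIF, LOCAL and the duplicate uidNumber
on 'backup' are constructed for the example.
"""

# passwd field -> LDAP attribute, as set by the ldap.nssmap.attribute.* options
NSSMAP = {"pw_name": "uid", "pw_uid": "uidNumber", "pw_gid": "gidNumber",
          "pw_gecos": "gecos", "pw_dir": "homeDirectory", "pw_shell": "loginShell"}

LDIF = """\
dn: uid=arnaud,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: arnaud
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/arnaud
loginShell: /bin/bash

dn: uid=linda,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: linda
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/linda
loginShell: /bin/bash

dn: uid=backup,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: backup
uidNumber: 1002
gidNumber: 100
"""

# Local /etc/passwd on the filer, already parsed; 'linda' exists here too, with a different uid.
LOCAL = {"root": {"pw_name": "root", "pw_uid": 0, "pw_gid": 0, "pw_gecos": "",
                  "pw_dir": "/", "pw_shell": "/bin/sh"},
         "linda": {"pw_name": "linda", "pw_uid": 2001, "pw_gid": 100, "pw_gecos": "",
                   "pw_dir": "/home/linda", "pw_shell": "/bin/sh"}}


def parse_ldif(text):
    """Split simple LDIF (one 'attr: value' per line, no base64, no folding) into entries."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def ldap_to_passwd(entry, nssmap=NSSMAP):
    """Build a passwd record through the nssmap; None if the entry is not a posixAccount."""
    if "posixAccount" not in entry.get("objectClass", []):
        return None  # ldap.nssmap.objectClass.posixAccount filters everything else out
    rec = {}
    for field, attr in nssmap.items():
        values = entry.get(attr, [])
        if field in ("pw_uid", "pw_gid"):
            if not values:
                raise ValueError("%s has no %s" % (entry["dn"][0], attr))
            rec[field] = int(values[0])
        else:
            rec[field] = values[0] if values else ""  # missing text attributes come back empty
    return rec


def build_sources():
    """The tables nsswitch.conf can name: ldap, files and nis (nis left empty here)."""
    ldap = {}
    for entry in parse_ldif(LDIF):
        rec = ldap_to_passwd(entry)
        if rec:
            ldap[rec["pw_name"]] = rec
    return {"ldap": ldap, "files": dict(LOCAL), "nis": {}}


def getpwbyname(name, passwd_line, sources):
    """Walk the sources in the order the 'passwd:' line lists them; the first hit wins."""
    for src in passwd_line.split(":", 1)[1].split():
        if name in sources.get(src, {}):
            return dict(sources[src][name], source=src)
    return None


def duplicate_uids(sources):
    """uidNumbers shared by different names: NFS identifies a user by the number alone."""
    seen = {}
    for src, table in sources.items():
        for rec in table.values():
            seen.setdefault(rec["pw_uid"], set()).add("%s@%s" % (rec["pw_name"], src))
    return {uid: names for uid, names in seen.items() if len(names) > 1}
```

With passwd: ldap files nis the directory's linda (uid 1001) shadows the local linda (uid 2001); swapping the order flips the result, and duplicate_uids shows why a shared uidNumber matters on an NFS export: arnaud and backup would own each other's files.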

Sources are consulted in the order listed, so with passwd: ldap files nis a name found in LDAP takes precedence over a local entry of the same name. The storage device can now look up user information through the LDAP server, which is what it needs to control permissions on Network File System (NFS) shares properly. The options nfs.v4.acl.enable command toggles NFSv4 access control lists; with them on, ACLs set from a Linux client are stored on the NetApp storage, which then behaves much like a local Linux directory tree with the corresponding permissions:

ams5-fas2240-b> options nfs.v4.acl.enable on

A change to nfs.v4.acl.enable affects both members of a high-availability pair, so make sure the option is set identically on both partners.
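NFSv4 ACLs are ordered lists, and the order changes the answer, which is easy to miss when copying ACLs from a Linux client with nfs4_setfacl. The Python below is an added example, not NetApp or nfs4-acl-tools code: it parses ACEs in nfs4_setfacl text form and decides access the way an NFSv4 server does, walking the ACEs in order until every requested bit has been granted or a DENY covers one that is still undecided. SAMPLE_ACL, the principals and the permission-letter subset are assumptions constructed for the example; the user@domain principals are the same names the storage resolves through the LDAP lookup configured above.

```python
"""Evaluate an NFSv4 ACL the way an NFSv4 server decides access (RFC 3530 ACL semantics).

Added example, not NetApp or nfs4-acl-tools code. ACEs are in the
nfs4_setfacl text form 'type:flags:principal:perms' with a subset of the
permission letters; SAMPLE_ACL and the principals below are constructed.
"""

# Subset of nfs4_setfacl permission letters -> NFSv4 ACE mask bits.
PERM_BITS = {"r": 1 << 0, "w": 1 << 1, "a": 1 << 2, "x": 1 << 3, "d": 1 << 4,
             "D": 1 << 5, "t": 1 << 6, "T": 1 << 7, "c": 1 << 8, "C": 1 << 9,
             "o": 1 << 10, "y": 1 << 11}

# Constructed ACL: deny linda write/append first, then grant owner, project group, everyone.
SAMPLE_ACL = """\
D::linda@example.com:wa
A::OWNER@:rwaxdtTcCy
A:g:project@example.com:rwaxy
A::EVERYONE@:rtcy
"""


def parse_ace(text):
    """'A:g:project@example.com:rwax' -> dict; only ALLOW and DENY ACEs are evaluated."""
    kind, flags, who, perms = text.split(":", 3)
    if kind not in ("A", "D"):
        raise ValueError("audit ACEs (U/L) do not affect access: %r" % text)
    mask = 0
    for ch in perms:
        mask |= PERM_BITS[ch]  # KeyError on an unknown letter beats a silent no-op
    return {"allow": kind == "A", "group": "g" in flags, "who": who, "mask": mask}


def matches(ace, user, groups, owner, owning_group):
    """Does this ACE apply to the caller? Special principals first, then named user/group."""
    who = ace["who"]
    if who == "EVERYONE@":
        return True
    if who == "OWNER@":
        return user == owner
    if who == "GROUP@":
        return owning_group in groups
    return who in groups if ace["group"] else who == user


def nfs4_access(acl_text, user, groups, owner, owning_group, requested):
    """True only if every requested bit is granted before a DENY ACE covers one still undecided."""
    remaining = 0
    for ch in requested:
        remaining |= PERM_BITS[ch]
    for line in acl_text.splitlines():
        if not line.strip():
            continue
        ace = parse_ace(line)
        if not matches(ace, user, groups, owner, owning_group):
            continue
        if ace["allow"]:
            remaining &= ~ace["mask"]   # these bits are now decided: granted
            if remaining == 0:
                return True
        elif remaining & ace["mask"]:
            return False                # a DENY on an undecided bit ends the walk
    return remaining == 0               # anything nobody granted is denied


def effective_perms(acl_text, user, groups, owner, owning_group):
    """Letters the caller can use, decided one bit at a time (compare with nfs4_getfacl)."""
    return "".join(ch for ch in PERM_BITS
                   if nfs4_access(acl_text, user, groups, owner, owning_group, ch))
```

With the ACL as written, linda (a member of project) can read but not write, because the DENY is reached before the group ALLOW; reverse the four lines and the same group ALLOW grants her write access, which is the behaviour to keep in mind when ACEs are added to an existing ACL from a client.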

NetApp storage is now integrated with the Linux environment, and administrators can manage it much as they would a local Linux file system.


The content of this page was sourced from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on it have no relationship with Alibaba Cloud.
