Linux System Management: security integration between LDAP and NetApp Storage

Source: Internet
Author: User

Many data centers create more advanced file sharing on network file systems. This process requires user account information verification. If you are using a Linux system, you can integrate NetApp storage with LDAP to enhance security.

Most of the stored permission control can be integrated with Microsoft's Active Directory authorization, but it is not easy to configure Lightweight Directory Access Protocol (LDAP) Integration for the Linux system.

Secure File Sharing requires user authorization and verification, as required by High-level data sharing and archiving projects. If a Linux user needs to access these shares, the storage device must first identify these Linux user accounts. In addition to the Active Directory, you can also use LDAP integration, but the configuration of LDAP is complicated. The good news is that NetAPP's storage supports LDAP server verification integration. Next, you can set file access permissions on the storage, just as you do on the local Linux File Server.

Start to configure NetAPP storage and LDAP integration. Use SSH to log on to the command line mode stored in NetAPP. Enter the priv set advanced command, which allows you to set all required security parameters. Then, enter options ldap to view the current settings (you can also perform these operations on the browser webpage ):

 
 
  1. ams5-fas2240-A*> options ldap 
  2. ldap.ADdomain 
  3. ldap.base dc=example,dc=com 
  4. ldap.base.group 
  5. ldap.base.netgroup 
  6. ldap.base.passwd 
  7. ldap.enable on 
  8. ldap.minimum_bind_level anonymous 
  9. ldap.name 
  10. ldap.nssmap.attribute.gecos gecos 
  11. ldap.nssmap.attribute.gidNumber gidNumber 
  12. ldap.nssmap.attribute.groupname cn 
  13. ldap.nssmap.attribute.homeDirectory homeDirectory 
  14. ldap.nssmap.attribute.loginShell loginShell 
  15. ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup 
  16. ldap.nssmap.attribute.memberUid memberUid 
  17. ldap.nssmap.attribute.netgroupname cn 
  18. ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple 
  19. ldap.nssmap.attribute.uid uid 
  20. ldap.nssmap.attribute.uidNumber uidNumber 
  21. ldap.nssmap.attribute.userPassword userPassword 
  22. ldap.nssmap.objectClass.nisNetgroup nisNetgroup 
  23. ldap.nssmap.objectClass.posixAccount posixAccount 
  24. ldap.nssmap.objectClass.posixGroup posixGroup 
  25. ldap.passwd ****** 
  26. ldap.port 389 
  27. ldap.servers ut01.example.local 
  28. ldap.servers.preferred ut01.example.local 
  29. ldap.ssl.enable off 
  30. ldap.timeout 20 
  31. ldap.usermap.attribute.unixaccount unixaccount 
  32. ldap.usermap.attribute.windowsaccount windowsaccount 
  33. ldap.usermap.base 
  34. ldap.usermap.enable off 

If any parameter settings are incorrect, you can use the options ldap. base Command to set the correct search domain:

 
 
  1. ams5-fas2240-A*> options ldap.base dc=commerce-hub,dc=local 

After setting the search domain through the command, you need to obtain information from the LDAP directory service. The getXXbyYY command shows how the system verifies the arnaud account:

 
 
  1. ams5-fas2240-A*> getXXbyYY getpwbyname_r arnaud 
  2. pw_name = arnaud 
  3. pw_passwd = {{******}} 
  4. pw_uid = 1002, pw_gid = 100 
  5. pw_gecos = 
  6. pw_dir = /home/arnaud 
  7. pw_shell = /bin/bash 
  8. ams5-fas2240-A*> getXXbyYY getpwbyname_r linda 
  9. pw_name = linda 
  10. pw_passwd = {{******}} 
  11. pw_uid = 1001, pw_gid = 100 
  12. pw_gecos = 
  13. pw_dir = /home/linda 
  14. pw_shell = /bin/bash 

After the user account information sent from the LDAP server is verified, it will ensure that it works properly at all levels. To modify the configuration information of the nsswitch. conf file, you must have the read and write permissions. Use the file editor to open the/etc/nsswitch. conf file. The file should contain the following lines:

 
 
  1. ams5-fas2240-B> wrfile /etc/nsswitch.conf 
  2. hosts: files dns nis 
  3. passwd: ldap files nis 
  4. netgroup: ldap files nis 
  5. group: ldap files nis 
  6. shadow: files nis 

Now, the storage device can obtain user information through the LDAP server. In this way, after NetApp storage is integrated with the LDAP server user verification, the permission settings shared by the Network File System (NFS) can be normally controlled. You can use the options nfs. v4.acl. enable command to switch the NFSv4 access control list. You can also apply the Linux system acl to the NetApp storage, so that the storage can be more like the Linux File directory, with the corresponding permissions:

 
 
  1. ams5-fas2240-B> options nfs.v4.acl.enable on 

Changes to the nfs. v4.acl. enable option affect all the members in the high availability configuration in occupied mode. Make sure that the modification parameters are consistent with the member permissions in the high-availability pairing.

NetApp storage is now fully integrated with the Linux environment, and administrators can use it as a local Linux File System.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.