Linux admins: Securely integrate a NetApp filer with LDAP

Linux administrators can share files in a storage network with a NetApp filer, thanks to LDAP integration. But it can be tricky.

Many data centers are creating advanced file shares on network file systems, a process that requires user account information. If you're using Linux, you'll need your NetApp filer and some LDAP integration to make it all work.

Most storage filers work well with Microsoft Active Directory for authentication, but configuring Lightweight Directory Access Protocol (LDAP) integration for Linux systems isn't as easy.

User authentication is required for secure file shares, like those that occur in high-volume data-sharing and archiving projects. If Linux users will need access to these shares, the filer must recognize Linux user accounts. Without Active Directory, rely on LDAP integration, despite the difficult configuration process. A good approach is to have a NetApp Inc. filer authenticate on an LDAP server. Then, you can apply permissions to files on the filer as you would on a local Linux file system.

Start with console access to integrate a NetApp filer with LDAP. Log in to the SSH command line on the NetApp filer. Type the priv set advanced command, which allows you to set all the necessary security parameters. Next, enter options ldap for an overview of current settings (you can set these from the browser-based interface):

ams5-fas2240-A*> options ldap
ldap.base dc=example,dc=com
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.nssmap.objectClass.posixGroup posixGroup
ldap.passwd ******
ldap.port 389
ldap.servers ut01.example.local
ldap.servers.preferred ut01.example.local
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount unixaccount
ldap.usermap.attribute.windowsaccount windowsaccount
ldap.usermap.enable off
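The listing above is worth reading with the title in mind: ldap.ssl.enable is off and ldap.minimum_bind_level is anonymous, so the filer talks cleartext LDAP on port 389 and is permitted to fall back to an anonymous bind. The following script is an added example (not NetApp's code and not from the article) that parses an `options ldap` listing and flags those settings; the sample listing embedded in it is constructed to match the article's output, and the check for ldap.servers.preferred assumes the server list is space- or comma-separated.

```python
"""Audit a Data ONTAP 7-Mode `options ldap` listing for weak settings.

Added example, not NetApp code. The listing below is constructed to match
the article's output; it was not captured from a real filer.
"""
import re

# Constructed sample: `options ldap` output as the filer prints it, prompt included.
SAMPLE_OPTIONS = """\
ams5-fas2240-A*> options ldap
ldap.base dc=example,dc=com
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.passwd ******
ldap.port 389
ldap.servers ut01.example.local
ldap.servers.preferred ut01.example.local
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.enable off
"""

# One option per line: "ldap.<name> <value>"; the prompt line does not match.
_OPTION_LINE = re.compile(r"^\s*(ldap\.[\w.]+)\s+(\S.*?)\s*$")


def parse_options(text):
    """Return {option: value} from `options ldap` output; the prompt line is skipped."""
    opts = {}
    for line in text.splitlines():
        match = _OPTION_LINE.match(line)
        if match:
            opts[match.group(1)] = match.group(2)
    return opts


def audit_ldap_options(opts):
    """Return (option, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    ssl_on = opts.get("ldap.ssl.enable") == "on"
    if opts.get("ldap.enable") != "on":
        findings.append(("ldap.enable", "LDAP name service is disabled"))
    if not ssl_on:
        findings.append(("ldap.ssl.enable",
                         "LDAP traffic is cleartext: the bind password and account data "
                         "cross the network unencrypted"))
    # Default is anonymous; the filer may then fall back to an unauthenticated bind.
    if opts.get("ldap.minimum_bind_level", "anonymous") == "anonymous":
        findings.append(("ldap.minimum_bind_level",
                         "anonymous bind is allowed; require simple (only over SSL) or sasl"))
    if opts.get("ldap.port") == "636" and not ssl_on:
        findings.append(("ldap.port", "636 is the LDAPS port but ldap.ssl.enable is off"))
    # Assumption: ldap.servers is a space- or comma-separated host list.
    servers = [s for s in re.split(r"[\s,]+", opts.get("ldap.servers", "")) if s]
    if not servers:
        findings.append(("ldap.servers", "no LDAP server configured"))
    preferred = opts.get("ldap.servers.preferred", "")
    if preferred and preferred not in servers:
        findings.append(("ldap.servers.preferred", "preferred server is not in ldap.servers"))
    try:
        timeout = int(opts.get("ldap.timeout", "0"))
    except ValueError:
        timeout = 0
    if timeout <= 0:
        findings.append(("ldap.timeout", "timeout is not a positive number of seconds"))
    return findings


if __name__ == "__main__":
    for option, finding in audit_ldap_options(parse_options(SAMPLE_OPTIONS)):
        print("%-28s %s" % (option, finding))
```

Run against the article's own values it reports exactly two findings, ldap.ssl.enable and ldap.minimum_bind_level; paste a listing from your own filer into SAMPLE_OPTIONS (or feed it on stdin in a wrapper) to check a live configuration.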

If any parameter is wrong, set it with options followed by the option name and the new value. For example, options ldap.base sets the search base:

ams5-fas2240-A*> options ldap.base dc=commerce-hub,dc=local

With the search base set up, test a lookup against the LDAP directory service. The getXXbyYY command resolves an entry through the filer's name service; here getpwbyname_r fetches the passwd properties of the user accounts arnaud and linda:

ams5-fas2240-A*> getXXbyYY getpwbyname_r arnaud
pw_name = arnaud
pw_passwd = {{******}}
pw_uid = 1002, pw_gid = 100
pw_gecos =
pw_dir = /home/arnaud
pw_shell = /bin/bash
ams5-fas2240-A*> getXXbyYY getpwbyname_r linda
pw_name = linda
pw_passwd = {{******}}
pw_uid = 1001, pw_gid = 100
pw_gecos =
pw_dir = /home/linda
pw_shell = /bin/bash
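NFS authorises access by numeric uid and gid, so what matters in the output above is not only that the lookup succeeds but that the numbers it returns are unique and outside the range local system accounts use. The script below is an added example (not NetApp's code and not from the article) that parses getpwbyname_r output into records and checks them; the sample embeds the article's two lookups plus a third, constructed account (bob) that collides with arnaud's uid, and the min_uid=1000 threshold is an assumption matching the article's users (1001, 1002).

```python
"""Parse getXXbyYY getpwbyname_r output and sanity-check the resolved accounts.

Added example, not NetApp code. Two accounts resolving to the same uidNumber,
or a uid inside the local system-account range, silently give one user the
other's files over NFS, because NFS checks the number, not the name.
"""
import re

# Constructed sample: the article's two lookups plus a made-up account (bob)
# whose uidNumber collides with arnaud's.
SAMPLE_LOOKUPS = """\
ams5-fas2240-A*> getXXbyYY getpwbyname_r arnaud
pw_name = arnaud
pw_passwd = {{******}}
pw_uid = 1002, pw_gid = 100
pw_gecos =
pw_dir = /home/arnaud
pw_shell = /bin/bash
ams5-fas2240-A*> getXXbyYY getpwbyname_r linda
pw_name = linda
pw_passwd = {{******}}
pw_uid = 1001, pw_gid = 100
pw_gecos =
pw_dir = /home/linda
pw_shell = /bin/bash
ams5-fas2240-A*> getXXbyYY getpwbyname_r bob
pw_name = bob
pw_passwd = {{******}}
pw_uid = 1002, pw_gid = 100
pw_gecos =
pw_dir = /home/bob
pw_shell = /bin/bash
"""

# The prompt line that starts each lookup; captures the requested account name.
_PROMPT = re.compile(r">\s*getXXbyYY\s+getpwbyname_r\s+(\S+)")


def parse_lookups(text):
    """Return one dict per lookup with the pw_* fields as strings."""
    records = []
    current = None
    for line in text.splitlines():
        match = _PROMPT.search(line)
        if match:
            current = {"requested": match.group(1)}
            records.append(current)
            continue
        if current is None:
            continue
        # pw_uid and pw_gid share one comma-separated line; gecos may contain commas,
        # so only that line is split.
        fields = line.split(",") if line.startswith("pw_uid") else [line]
        for field in fields:
            key, sep, value = field.partition("=")
            if sep and key.strip().startswith("pw_"):
                current[key.strip()] = value.strip()
    return records


def check_accounts(records, min_uid=1000):
    """Return (account, finding) tuples for records that would misbehave as NFS identities."""
    findings = []
    seen_uid = {}
    for rec in records:
        name = rec.get("pw_name", rec["requested"])
        if "pw_name" not in rec:
            findings.append((name, "lookup returned no entry"))
            continue
        if name != rec["requested"]:
            findings.append((name, "resolved a different account than requested (%s)" % rec["requested"]))
        try:
            uid = int(rec["pw_uid"])
        except (KeyError, ValueError):
            findings.append((name, "uidNumber missing or not numeric"))
            continue
        if uid < min_uid:  # assumption: directory accounts start at min_uid
            findings.append((name, "uid %d is in the local system-account range" % uid))
        if uid in seen_uid:
            findings.append((name, "uid %d also belongs to %s" % (uid, seen_uid[uid])))
        else:
            seen_uid[uid] = name
        if not rec.get("pw_dir", "").startswith("/"):
            findings.append((name, "home directory is not an absolute path"))
        if not rec.get("pw_shell"):
            findings.append((name, "no login shell"))
    return findings


if __name__ == "__main__":
    for account, finding in check_accounts(parse_lookups(SAMPLE_LOOKUPS)):
        print("%-10s %s" % (account, finding))
```

On the article's two accounts alone the check is clean; the constructed bob entry is reported as sharing uid 1002 with arnaud. Running a batch of getpwbyname_r lookups for every account that will touch the export, and feeding the transcript through parse_lookups, catches such collisions before permissions are applied.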

Your filer has verified access to user account information from the LDAP server; now ensure that it works at all levels. Change the contents of the nsswitch.conf file by writing /etc/nsswitch.conf with the wrfile command. It should contain these lines:

ams5-fas2240-B> wrfile /etc/nsswitch.conf
hosts: files dns nis
passwd: ldap files nis
netgroup: ldap files nis
group: ldap files nis
shadow: files nis

At this point, your filer can retrieve user information from the LDAP server. Therefore, it can handle permissions for network file system (NFS) shares on the NetApp filer for the LDAP server's users. Switch on NFSv4 access control list (ACL) support with the nfs.v4.acl.enable option. You can then apply NFSv4 ACLs from a Linux client to files on the NetApp filer, which behaves like any Linux directory with regard to permissions:

ams5-fas2240-B> options nfs.v4.acl.enable on

Setting nfs.v4.acl.enable affects both members of a high-availability configuration when one has taken over the other. Make sure that the value is the same on both members of the high-availability pair.

Your NetApp filer is now completely integrated with the Linux environment. Administer it as you would a local Linux file system.

About the author:

Sander van Vugt is an independent trainer and consultant based in the Netherlands. He is an expert in Linux high availability, virtualization and performance. He has authored many books on Linux topics, including Beginning the Linux Command Line, Beginning Ubuntu LTS Server Administration and Pro Ubuntu Server Administration.
