I had a recent opportunity to work on the configuration mentioned in the title. The OCUM version was 5.2.1P1 and the OS was RHEL. This is well documented in the NetApp OCUM guide (NetApp_OnCommand_Unified_Manager_Online_Help) and on the NetApp Community Forum.
There were a few places where I was caught off guard. I will first detail the configuration changes that were made, which contain some changes or additions relative to the original documentation.
An example of a working configuration:
[host ~]# dfm options list | grep ldap
ldapBaseDN OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC
ldapBindDN CN=svcNetApp,OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC
ldapBindPass ********
ldapEnabled Yes
ldapGID memberof
ldapMember member
ldapUGID CN
ldapUID samaccountname
ldapVersion 3
I tried adding user names instead of the complete path as detailed in AD. In this case, the user name provided earlier was svcNetApp for the ldapBindDN option, from a domain with the path group.zeta.plc. The authentication kept failing and we were not able to proceed with the configuration. Once the full distinguished name was provided for the BindDN, things started to look much better. The other area where we faced issues was ldapUID. The earlier configuration was as below.
[host ~]# dfm options list | grep ldap
ldapBaseDN OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC
ldapBindDN svcNetapp
ldapBindPass ********
ldapEnabled Yes
ldapGID memberOf
ldapMember member
ldapUGID CN
ldapUID sAMAcountName (note the case sensitivity)
ldapVersion 3
This was the pattern followed from the documentation. Whilst there is no right and wrong about it, we had issues, and the two changes highlighted above (the full distinguished name for ldapBindDN and the lowercase value for ldapUID) saved the day. Imagine working in an environment running Wireshark for each AD authentication and then realizing that case sensitivity would have been a show stopper!!!
The following is the syntax for configuring DFM for LDAP using the dfm CLI.
LDAP authentication can be configured on the DataFabric Manager server that is installed on a Linux server using the command-line interface. Operations Manager supports authentication of users to an LDAP server without the use of a pluggable authentication module (PAM).
Steps
1. From the command-line interface, add the domain controllers:
   dfm ldap add <domain-controller-ip>
   It is recommended that the LDAP server and the DataFabric Manager server are in the same site or location.
2. Set the LDAP server type:
   dfm ldap template <template_type>
   When integrating with AD, the template to select is netscape, which is the default option.
3. Enable LDAP authentication:
   dfm options set ldapEnabled=Yes
4. Enter the base DN, the directory on the LDAP server that the DataFabric Manager server will search:
   dfm options set ldapBaseDN=<ldap base DN>
   Example value: OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC (quote the value in the shell, since it contains a space)
5. Enter the bind DN that the DataFabric Manager server uses to identify itself to the LDAP server:
   dfm options set ldapBindDN=<ldap bind DN>
   Example value: CN=svcNetApp,OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC
   Use the full distinguished name here; a bare account name such as svcNetApp failed to bind in our case, as described above.
6. Set the bind password that is used to gain access to the bind distinguished name:
   dfm options set ldapBindPass=<password>
   The bind password authorizes the DataFabric Manager server to access and query the LDAP directory.
7. Specify the attribute in the LDAP user objects whose value determines the DataFabric Manager server group membership of LDAP users:
   dfm options set ldapGID=memberOf
8. Specify the attribute name that your LDAP server uses to store the individual members of a group:
   dfm options set ldapMember=member
   Note: DFM generates a unique identifier for member. This can be changed and will not cause any issues.
9. If the LDAP users are included as members of a GroupOfUniqueNames object in the LDAP directory, assign the DataFabric Manager server group membership to them based on a specified attribute in that GroupOfUniqueNames object:
   dfm options set ldapUGID=<attribute>
   Example: dfm options set ldapUGID=CN
10. Specify the name of the attribute in the LDAP directory that contains the user login names to be authenticated by the DataFabric Manager server:
    dfm options set ldapUID=<attribute>
    Example: dfm options set ldapUID=samaccountname
11. Specify the LDAP protocol version used by the LDAP server:
    dfm options set ldapVersion=<version>
    Example: dfm options set ldapVersion=3
12. Verify the configuration changes:
    dfm ldap list (lists the LDAP servers configured)
    If a domain controller is missing, add it with: dfm ldap add <domain controller ipaddress>
13. Verify LDAP user authentication by querying for an AD user:
    dfm ldap test <username> <password>
14. Verify the LDAP user search:
    dfm ldap find svcNetApp
15. Optional: add the users:
    dfm user add <username>
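Before running dfm ldap test, it helps to check the option listing for the two pitfalls described above. The following POSIX shell script is an added example, not code from the original post or from NetApp; it assumes the listing has the "option value" layout shown earlier and that the working value for ldapUID is the lowercase samaccountname the post ended up with.

```shell
#!/bin/sh
# Added example, not from the original post or from NetApp: sanity-check the
# output of "dfm options list | grep ldap" for the two pitfalls described
# above before running "dfm ldap test". Reads the listing on stdin, prints
# one line per problem and returns the number of problems (0 = nothing found).
check_dfm_ldap() {
    listing=$(cat)
    problems=0
    # value of one option: everything after the option name on its line
    opt() {
        printf '%s\n' "$listing" |
            awk -v k="$1" '$1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
    }
    # Pitfall 1: ldapBindDN must be the full DN, not a bare name like svcNetapp.
    bind_dn=$(opt ldapBindDN)
    case "$bind_dn" in
        *=*,*=*) ;;
        *) echo "ldapBindDN '$bind_dn': use the full DN (CN=...,OU=...,DC=...)"
           problems=$((problems + 1)) ;;
    esac
    # Pitfall 2: the value that worked in the post is lowercase "samaccountname";
    # a differently cased value was what broke authentication.
    uid=$(opt ldapUID)
    if [ "$uid" != "samaccountname" ]; then
        echo "ldapUID '$uid': expected lowercase 'samaccountname'"
        problems=$((problems + 1))
    fi
    # Basic expectations taken from the working listing.
    [ "$(opt ldapEnabled)" = "Yes" ] || { echo "ldapEnabled is not Yes"; problems=$((problems + 1)); }
    [ "$(opt ldapVersion)" = "3" ] || { echo "ldapVersion is not 3"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample listings, modelled on the two shown in the post.
GOOD_LISTING='ldapBaseDN OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC
ldapBindDN CN=svcNetApp,OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC
ldapEnabled Yes
ldapUID samaccountname
ldapVersion 3'
BAD_LISTING='ldapBaseDN OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC
ldapBindDN svcNetapp
ldapEnabled Yes
ldapUID sAMAccountName
ldapVersion 3'

# On a live system: dfm options list | grep ldap | check_dfm_ldap
```

Run against the constructed BAD_LISTING it reports both the bare bind name and the mixed-case ldapUID value; against GOOD_LISTING it reports nothing and returns 0.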
Useful links
How to configure OnCommand Unified Manager (Operations Manager) on Linux for authentication with Microsoft Active Directory
OCUM Core Documentation