LDAP Authentication for OnCommand Unified Manager running on Linux

I had a recent opportunity to work on the configuration mentioned in the title. The OCUM version was 5.2.1P1 and the OS was RHEL. This is well documented in the NetApp OCUM guide (NetApp_OnCommand_Unified_Manager_Online_Help) and on the NetApp Community Forum.

There were a few places where I was caught off guard. I will first detail the working configuration, which contains some changes and additions compared with the original documentation.

An example of a working configuration:

[host ~]# dfm options list | grep ldap
ldapBaseDN      OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC
ldapBindDN      CN=svcNetApp,OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC
ldapBindPass    ********
ldapEnabled     Yes
ldapGID         memberof
ldapMember      member
ldapUGID        CN
ldapUID         samaccountname
ldapVersion     3

I first tried using the bare user name instead of the full distinguished name as it appears in AD: the value given for ldapBindDN was svcNetApp, an account in the domain group.zeta.plc. Authentication kept failing and we could not proceed with the configuration. Once the full distinguished name was supplied for the bind DN, things started to look much better. The other area where we had issues was ldapUID. The earlier configuration was as below:

[host ~]# dfm options list | grep ldap
ldapBaseDN      OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC
ldapBindDN      svcNetapp
ldapBindPass    ********
ldapEnabled     Yes
ldapGID         memberOf
ldapMember      member
ldapUGID        CN
ldapUID         sAMAcountName   (note the case)
ldapVersion     3

This was the pattern followed from the documentation. Whilst there is no right or wrong about it, we had issues, and two changes saved the day: the fully qualified DN for ldapBindDN, and samaccountname (all lower case) for ldapUID. Imagine running Wireshark for each AD authentication and then realizing that case sensitivity would have been a show stopper! One caveat worth adding: the failing value, sAMAcountName, is also missing a "c". The AD attribute is sAMAccountName, and LDAP servers match attribute names case-insensitively, so the misspelling is at least as likely a cause as the case. Either way, use the exact attribute name and confirm it with an LDAP search against the domain controller before blaming the rest of the configuration.

The following is the syntax for configuring DFM for LDAP using the dfm CLI, with the values from the working configuration above filled in as examples.

LDAP authentication can be configured on a DataFabric Manager server installed on Linux using the command-line interface. Operations Manager supports authentication of users against an LDAP server without the use of a pluggable authentication module (PAM).

Steps

From the command-line interface, add the domain controllers by entering the following command:
dfm ldap add domain-controller-ip
It is recommended that the LDAP server and the DataFabric Manager server are in the same site or location.

Set the LDAP server type:
dfm ldap template template_type

When integrating with AD, the template to select is netscape, which is the default option.

Enable LDAP authentication:
dfm options set ldapEnabled=Yes

Enter the base DN that specifies the directory subtree on the LDAP server that the DataFabric Manager server will search. Quote the value, since an AD DN contains spaces and commas:
dfm options set ldapBaseDN="ldap base DN"

Example: dfm options set ldapBaseDN="OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC"

Enter the bind DN that the DataFabric Manager server uses to identify itself to the LDAP server. This must be the full distinguished name of the service account, not its bare user name:
dfm options set ldapBindDN="ldap bind DN"

Example: dfm options set ldapBindDN="CN=svcNetApp,OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC"

Set the bind password that is used to authenticate as the bind distinguished name:
dfm options set ldapBindPass=password
The bind password authorizes the DataFabric Manager server to access and query the LDAP directory. Note that the password typed here ends up in the shell history, so clear it afterwards, and use a dedicated service account that has read-only access to the directory and nothing else.

Specify a value that assigns the DataFabric Manager server group membership to LDAP users based on an attribute and value specified in their LDAP user objects:
dfm options set ldapGID=memberOf

Specify the attribute name that your LDAP server uses to store the individual members of a group:
dfm options set ldapMember=member

Note: DFM generates its own unique identifier for the member attribute; changing this value does not cause any issues.

If the LDAP users are included as members of a GroupOfUniqueNames object in the LDAP directory, assign the DataFabric Manager server group membership to them based on a specified attribute in that GroupOfUniqueNames object:
dfm options set ldapUGID=attribute

Example (as in the working configuration): dfm options set ldapUGID=CN

Specify the name of the attribute in the LDAP directory that contains the user login names to be authenticated by the DataFabric Manager server. For AD this is sAMAccountName; spell it exactly:
dfm options set ldapUID=attribute

Example: dfm options set ldapUID=samaccountname

Specify the LDAP protocol version used by the LDAP server (AD uses version 3):
dfm options set ldapVersion=3

Verify the configuration changes:
dfm ldap list (lists the LDAP servers configured)

dfm ldap add <domain controller ip address> (adds a further LDAP server to DFM if one is missing from the list)

Verify LDAP user authentication by testing an AD user's credentials (the password is passed on the command line, so use a test account and clear the shell history afterwards):
dfm ldap test username password

Verify the LDAP user search:
dfm ldap find svcNetApp

Optional: add the users:
dfm user add username
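The steps above as one runnable sequence, added here as an example (not code from NetApp or from the original post). It validates the two values that caused the trouble described earlier, ldapBindDN and ldapUID, before anything is pushed to dfm, and by default it only prints the dfm commands with the bind password masked, so it runs without an OCUM install. The dfm command syntax is taken from the steps above; the sq, is_dn, is_known_attr, run, dfm_ldap_configure and ldap_preflight function names, the DRY_RUN and LDAP_BIND_PASS environment variables and the domain-controller-ip placeholder are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not NetApp's code or the original post's: pre-flight checks
# for the two gotchas above (bare account name as ldapBindDN, misspelled
# ldapUID attribute), then a dry run of the dfm commands from the steps.
# Assumptions: the OCUM 5.x "dfm" CLI syntax shown on this page, and that
# the bind password arrives in the LDAP_BIND_PASS environment variable
# instead of being typed on the command line, where it would land in the
# shell history.

# Single-quote a value for display when it contains spaces or shell
# metacharacters (AD DNs contain spaces and commas).
sq() {
    case "$1" in
        *[!A-Za-z0-9_=,.:/-]*) printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")" ;;
        *) printf '%s' "$1" ;;
    esac
}

# 0 if the value is a full distinguished name (RDN=value,...,DC=...).
# dfm needs ldapBindDN as a DN; a bare account name such as "svcNetapp"
# fails the bind, which was the first problem described above.
is_dn() {
    printf '%s\n' "$1" | grep -Eiq '^[a-z]+=[^,]+(,[a-z]+=[^,]+)*,dc=[^,]+$'
}

# 0 if the attribute name is one AD actually has. The server matches
# attribute names case-insensitively, so "samaccountname" and
# "sAMAccountName" both pass, while the misspelled "sAMAcountName"
# (one "c") from the failing configuration is rejected.
is_known_attr() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        samaccountname|memberof|member|cn) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a command, or with DRY_RUN=1 (the default) print it instead, with
# the bind password masked so the dry run is safe to paste into a ticket.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        line=""
        for a in "$@"; do
            case "$a" in ldapBindPass=*) a='ldapBindPass=********' ;; esac
            line="$line $(sq "$a")"
        done
        printf '%s\n' "${line# }"
    else
        "$@"
    fi
}

# The configuration sequence from the steps above, inputs validated first.
# Args: dc_ip base_dn bind_dn uid_attr
dfm_ldap_configure() {
    dc_ip=$1; base_dn=$2; bind_dn=$3; uid_attr=$4
    is_dn "$base_dn" || { echo "ldapBaseDN is not a DN: $base_dn" >&2; return 1; }
    is_dn "$bind_dn" || { echo "ldapBindDN is not a DN: $bind_dn" >&2; return 1; }
    is_known_attr "$uid_attr" || { echo "unknown ldapUID attribute: $uid_attr" >&2; return 1; }
    [ -n "${LDAP_BIND_PASS:-}" ] || { echo "LDAP_BIND_PASS is not set" >&2; return 1; }

    run dfm ldap add "$dc_ip"
    run dfm ldap template netscape
    run dfm options set ldapEnabled=Yes
    run dfm options set "ldapBaseDN=$base_dn"
    run dfm options set "ldapBindDN=$bind_dn"
    run dfm options set "ldapBindPass=$LDAP_BIND_PASS"
    run dfm options set ldapGID=memberOf
    run dfm options set ldapMember=member
    run dfm options set ldapUGID=CN
    run dfm options set "ldapUID=$uid_attr"
    run dfm options set ldapVersion=3
    run dfm ldap list
}

# Independent check with OpenLDAP's ldapsearch before touching dfm: a simple
# bind as the service account and a lookup of one user by the ldapUID
# attribute. If this fails, dfm will fail the same way, and you find out
# without Wireshark. Not called in the dry run. Args: dc_ip base_dn bind_dn uid_attr user
ldap_preflight() {
    ldapsearch -x -H "ldap://$1" -D "$3" -w "$LDAP_BIND_PASS" -b "$2" \
        "($4=$5)" dn "$4" memberOf
}

# Dry run with the working values from this page; domain-controller-ip is a
# placeholder for the real address.
if [ "${DRY_RUN:-1}" = 1 ] && [ -z "${LDAP_BIND_PASS:-}" ]; then
    LDAP_BIND_PASS='dry-run-placeholder'
fi
dfm_ldap_configure domain-controller-ip \
    'OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC' \
    'CN=svcNetApp,OU=Service Accounts,DC=Group,DC=ZETA,DC=PLC' \
    samaccountname
```

On the OCUM host, run it with DRY_RUN=0 and LDAP_BIND_PASS set in the environment to apply the settings for real, then finish with dfm ldap test and dfm ldap find as in the steps above. Simple bind over ldap:// sends the service account password in clear text, and the option list on this page shows no TLS setting, so treat the network path between the OCUM host and the domain controller accordingly.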


Useful links
How to configure OnCommand Unified Manager (Operations Manager) on Linux for authentication with Microsoft Active Directory
OCUM Core Documentation
