Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-12-17 Thread Sigbjorn Lie



On Fri, September 7, 2012 16:50, Dmitri Pal wrote:
> On 09/07/2012 07:33 AM, Ondrej Valousek wrote:
>
>> That is actually the main benefit of the 'ldap.ADdomain' parameter. It
>> will allow you to simplify configuration and allows easy load 
>> balancing/failover functionality. We
>> are paying for NetApp support, too so if anyone is going to bug NetApp about 
>> this, I am happy to
>> join you.
>>
>> Ondrej
>>
>>
>> On 09/07/2012 10:07 AM, Sigbjorn Lie wrote:
>>
>>> Yes it would be great if NetApp would do that. The ldap.ADdomain option is 
>>> used to configure
>>> the NetApp LDAP client from AD SRV DNS records. It would be great (and 
>>> should be easy for
>>> NetApp) to
>>> have an option for ldap.IPAdomain. I don't remember exactly why I did not 
>>> use this for IPA, as
>>> far as I remember most things worked, but I stumbled across some issue.
>>
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
> I will.
>
>
> Siggi I will also send you a private email to give you access to the wiki.
>
>


I don't think I ever posted the wiki link for my details around NetApp 
configuration in a mixed
environment... See below.

http://www.freeipa.org/page/NetApp_integration_in_a_mixed_environment





Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-07 Thread Natxo Asenjo
On Fri, Sep 7, 2012 at 1:33 PM, Ondrej Valousek  wrote:

>  That is actually the main benefit of the 'ldap.ADdomain' parameter. It
> will allow you to simplify configuration and allows easy load
> balancing/failover functionality.
> We are paying for NetApp support, too so if anyone is going to bug NetApp
> about this, I am happy to join you.
>

I will open a case in the next weeks, when I am back at the office and get
all the netapp support info (very new customer). We are now migrating the
storage so it is a bit busy, but as soon as I file the case I will post the
number here for you guys to support it.

-- 
natxo

Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-07 Thread Dmitri Pal
On 09/07/2012 07:33 AM, Ondrej Valousek wrote:
> That is actually the main benefit of the 'ldap.ADdomain' parameter. It
> will allow you to simplify configuration and allows easy load
> balancing/failover functionality.
> We are paying for NetApp support, too so if anyone is going to bug
> NetApp about this, I am happy to join you.
>
> Ondrej
>
> On 09/07/2012 10:07 AM, Sigbjorn Lie wrote:
>> Yes it would be great if NetApp would do that. The ldap.ADdomain option is 
>> used to configure the
>> NetApp LDAP client from AD SRV DNS records. It would be great (and should be 
>> easy for NetApp) to
>> have an option for ldap.IPAdomain. I don't remember exactly why I did not 
>> use this for IPA, as far
>> as I remember most things worked, but I stumbled across some issue.
>
>
I will.

Siggi I will also send you a private email to give you access to the wiki.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-07 Thread Ondrej Valousek
That is actually the main benefit of the 'ldap.ADdomain' parameter. It will allow you to simplify configuration and allows easy load 
balancing/failover functionality.

We are paying for NetApp support, too so if anyone is going to bug NetApp about 
this, I am happy to join you.

Ondrej

On 09/07/2012 10:07 AM, Sigbjorn Lie wrote:

Yes it would be great if NetApp would do that. The ldap.ADdomain option is 
used to configure the
NetApp LDAP client from AD SRV DNS records. It would be great (and should be 
easy for NetApp) to
have an option for ldap.IPAdomain. I don't remember exactly why I did not use 
this for IPA, as far
as I remember most things worked, but I stumbled across some issue.

Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-07 Thread Sigbjorn Lie



On Fri, September 7, 2012 09:36, Petr Spacek wrote:
> On 09/07/2012 12:10 AM, Natxo Asenjo wrote:
>
>> On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie wrote:
>>
>>
>> On 09/05/2012 08:12 PM, Natxo Asenjo wrote:
>>
>>> hi,
>>>
>>> the subject says it all, I guess.
>>>
>>> I know from another thread that with nexanta it is possible using
>>> nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) this 
>>> setup working.
>>>
>>
>> Hi,
>>
>>
>> Yes I use NetApp filers connected to both AD and IPA at the same time.
>> It's easy to get going. These notes are taken from the top of my head, I
>> don't have my documentation in front of me just now.
>>
>>
>> Awesome :-)
>>
>>
>> This stuff really should be documented in the wiki somewhere. This is the
>> stuff businesses need. I know I need it :-). I had already seen your post 
>> with
> Hello,
>
>
> we can create a wiki account at freeipa.org for you, if you are implementing 
> it right now. Best
> articles come from real users! :-)
>

Sure, do that. I'll do my best to write down my integration experiences. :)

I hope they end up in the RHEL documentation on docs.redhat.com. I suppose this 
is where most
businesses will look for IPA integration documentation.



Rgds,
Siggi





Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-07 Thread Sigbjorn Lie



On Fri, September 7, 2012 00:10, Natxo Asenjo wrote:
> On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie  wrote:
>
>
>> On 09/05/2012 08:12 PM, Natxo Asenjo wrote:
>>
>>
>> hi,
>>
>> the subject says it all, I guess.
>>
>> I know from another thread that with nexanta it is possible using
>> nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) this 
>> setup working.
>>
>> --
>> Groeten,
>> natxo
>>
>>
>>
>>
>>
>> Hi,
>>
>>
>> Yes I use NetApp filers connected to both AD and IPA at the same time.
>> It's easy to get going. These notes are taken from the top of my head, I
>> don't have my documentation in front of me just now.
>>
>
> Awesome :-)
>
>
> This stuff really should be documented in the wiki somewhere. This is the
> stuff businesses need. I know I need it :-). I had already seen your post 
> with the info about ipa
> and netapp in 2011 I think, but nowhere could I get the confirmation that 
> both directories could
> be used at the same time. Perhaps we need to bug netapp more to be more 
> explicit on this.
>

Yes it would be great if NetApp would do that. The ldap.ADdomain option is 
used to configure the
NetApp LDAP client from AD SRV DNS records. It would be great (and should be 
easy for NetApp) to
have an option for ldap.IPAdomain. I don't remember exactly why I did not use 
this for IPA, as far
as I remember most things worked, but I stumbled across some issue.



>
> Thanks, you made my day.
>

Glad to be able to help. :)


Rgds,
Siggi




Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-07 Thread Petr Spacek

On 09/07/2012 12:10 AM, Natxo Asenjo wrote:

On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie wrote:

On 09/05/2012 08:12 PM, Natxo Asenjo wrote:

hi,

the subject says it all, I guess.

I know from another thread that with nexanta it is possible using
nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had)
this setup working.



Hi,

Yes I use NetApp filers connected to both AD and IPA at the same time.
It's easy to get going. These notes are taken from the top of my head, I
don't have my documentation in front of me just now.


Awesome :-)

This stuff really should be documented in the wiki somewhere. This is the
stuff businesses need. I know I need it :-). I had already seen your post with

Hello,

we can create a wiki account at freeipa.org for you, if you are implementing 
it right now. Best articles come from real users! :-)


Petr^2 Spacek


the info about ipa and netapp in 2011 I think, but nowhere could I get the
confirmation that both directories could be used at the same time. Perhaps we
need to bug netapp more to be more explicit on this.

Thanks, you made my day.





Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-06 Thread Natxo Asenjo
On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie  wrote:

>  On 09/05/2012 08:12 PM, Natxo Asenjo wrote:
>
> hi,
>
> the subject says it all, I guess.
>
> I know from another thread that with nexanta it is possible using
> nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) this
> setup working.
>
> --
> Groeten,
> natxo
>
>
>
>
> Hi,
>
> Yes I use NetApp filers connected to both AD and IPA at the same time.
> It's easy to get going. These notes are taken from the top of my head, I
> don't have my documentation in front of me just now.
>

Awesome :-)

This stuff really should be documented in the wiki somewhere. This is the
stuff businesses need. I know I need it :-). I had already seen your post
with the info about ipa and netapp in 2011 I think, but nowhere could I get
the confirmation that both directories could be used at the same time.
Perhaps we need to bug netapp more to be more explicit on this.

Thanks, you made my day.

-- 
natxo

Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-06 Thread Sigbjorn Lie

On 09/05/2012 08:12 PM, Natxo Asenjo wrote:

hi,

the subject says it all, I guess.

I know from another thread that with nexanta it is possible using 
nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) 
this setup working.


--
Groeten,
natxo




Hi,

Yes I use NetApp filers connected to both AD and IPA at the same time. 
It's easy to get going. These notes are taken from the top of my head, I 
don't have my documentation in front of me just now.


Configure the NetApp's DNS client to point to a set of DNS servers that 
know both your AD and your IPA DNS domain.
Configure the DNS search path to point at both the IPA domain, and the 
AD domain (if you have a different DNS domain for your IPA and AD instances)


Join the CIFS server to the AD domain. ("cifs setup")

Set up the LDAP client ("options ldap" to list, "options ldap.option 
value" to configure each value).
I use authenticated simple binds, I have created an account for the 
NetApp filers under cn=sysaccounts,cn=etc,$BASE for this purpose.
The LDAP attribute mapping options can be left alone as far as I can 
remember.
You need to specify the compat tree for group, and netgroup lookups. I 
cannot remember if I pointed users to the compat or accounts tree. I 
specify each user/group/ng lookup path fully (e.g. I do NOT specify the 
base DN and request subtree for lookups).
Configure the "options ldap.enabled" after configuring all the other 
options.

Leave "ldap.ADdomain" blank.

NOTE: I have been unable to get the LDAP SSL client of NetApp to work 
with IPA as of yet. I have opened a support case with NetApp for this 
issue. Not really a big issue as users' passwords are not being 
transmitted. To make use of SSL, NetApp's documentation is to upload the 
CA certificate in PEM format into /etc on the filer and use the keymgr 
command to import it. After uploading the CA cert, SSL is enabled using 
"options ldap.ssl.enable on".


Grant yourself advanced privileges on the filer "priv set advanced", and 
use the "getXXbyYY" command to verify that the LDAP naming services 
works as expected for users, groups and netgroups.


If the previous test was successful: Configure the NetApp's 
nsswitch.conf (using the filer webui is the easiest). Specify files 
before ldap.


You should now have a working AD (CIFS) and IPA (NFS) setup.

If you synchronize IPA with AD the ntUserDomainId attribute will be set 
to AD's sAMAccountName. If you do not sync you can script a sync of 
these attributes manually to allow automatic user mapping in the NetApp 
filer when Windows CIFS users connect. The username may be the same, but 
the NetApp's user mapping has been seen to be case sensitive in our 
environment. Syncing the sAMAccountName from AD into IPA's 
ntUserDomainId attribute fixed this issue for us. You also need to 
enable usermap lookup on the NetApp filer (an "option ldap" configuration 
value).


I hope this helps.



Regards,
Siggi



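The manual attribute sync Siggi describes above (copying AD's sAMAccountName into the matching IPA user's ntUserDomainId so the filer's user mapping matches, including letter case), as an added Python example that is not part of the thread and not the author's own script. The AD and IPA data are constructed stand-ins for LDAP search results; the base DNs and user names are hypothetical, and the script emits LDIF for ldapmodify rather than talking to a directory server.

```python
"""Plan the sAMAccountName -> ntUserDomainId sync described in the thread.

Added example, not the thread author's script. The AD and IPA data below are
constructed stand-ins for LDAP search results; base DNs and names are
hypothetical. Matching is case-insensitive (uid vs sAMAccountName) but the
value written is AD's exact spelling, because the NetApp user mapping was
observed to be case sensitive.
"""

# Hypothetical suffixes for the two directories.
AD_USERS_BASE = "CN=Users,DC=ad,DC=example,DC=com"
IPA_USERS_BASE = "cn=users,cn=accounts,dc=ipa,dc=example,dc=com"

# Constructed AD entries, keyed by DN, with sAMAccountName as AD stores it.
AD_ENTRIES = {
    "CN=John Doe," + AD_USERS_BASE: {"sAMAccountName": "JDoe"},
    "CN=Alice Smith," + AD_USERS_BASE: {"sAMAccountName": "asmith"},
    "CN=Backup Service," + AD_USERS_BASE: {"sAMAccountName": "svc-backup"},
}

# Constructed IPA entries: one with a stale lower-case value (the case
# mismatch the thread warns about), one already correct, one never set,
# and one with no AD counterpart.
IPA_ENTRIES = {
    "uid=jdoe," + IPA_USERS_BASE: {"uid": "jdoe", "ntUserDomainId": "jdoe"},
    "uid=asmith," + IPA_USERS_BASE: {"uid": "asmith", "ntUserDomainId": "asmith"},
    "uid=svc-backup," + IPA_USERS_BASE: {"uid": "svc-backup", "ntUserDomainId": None},
    "uid=bob," + IPA_USERS_BASE: {"uid": "bob", "ntUserDomainId": None},
}


def index_ad_by_login(ad_entries):
    """Map lower-cased sAMAccountName -> exact sAMAccountName.

    Refuses ambiguous data: two AD accounts differing only in case would make
    the mapping nondeterministic, so that is reported instead of guessed.
    """
    index = {}
    for attrs in ad_entries.values():
        sam = attrs["sAMAccountName"]
        key = sam.lower()
        if key in index and index[key] != sam:
            raise ValueError(f"ambiguous sAMAccountName ignoring case: {sam!r} vs {index[key]!r}")
        index[key] = sam
    return index


def plan_usermap_sync(ad_entries, ipa_entries):
    """Return (modifications, unmatched_uids).

    modifications: list of (ipa_dn, op, value) with op 'add' when the
    attribute is absent and 'replace' when it is present but differs
    (including a difference in case only). Entries already carrying the
    exact AD value produce no modification.
    """
    ad_index = index_ad_by_login(ad_entries)
    mods, unmatched = [], []
    for dn, attrs in ipa_entries.items():
        sam = ad_index.get(attrs["uid"].lower())
        if sam is None:
            unmatched.append(attrs["uid"])
            continue
        current = attrs.get("ntUserDomainId")
        if current == sam:  # exact (case-sensitive) match, nothing to do
            continue
        mods.append((dn, "add" if current is None else "replace", sam))
    return mods, unmatched


def to_ldif(mods):
    """Render the plan as LDIF 'changetype: modify' records for ldapmodify.

    Assumption: the IPA entries already carry an object class that permits
    ntUserDomainId (the thread does not say which); no object class is added here.
    """
    records = []
    for dn, op, value in mods:
        records.append(
            f"dn: {dn}\nchangetype: modify\n{op}: ntUserDomainId\nntUserDomainId: {value}\n-\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    plan, skipped = plan_usermap_sync(AD_ENTRIES, IPA_ENTRIES)
    print(to_ldif(plan))
    for uid in skipped:
        print(f"# no AD account for IPA user {uid}; left untouched")
```

The plan step is kept separate from any write so it can be reviewed (and diffed against a previous run) before the LDIF is fed to ldapmodify; in particular it makes a case-only difference visible as an explicit replace rather than silently treating "jdoe" and "JDoe" as the same value.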

[Freeipa-users] netapp filer AD + ipa: possible?

2012-09-05 Thread Natxo Asenjo
hi,

the subject says it all, I guess.

I know from another thread that with nexanta it is possible using
nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) this
setup working.

--
Groeten,
natxo