Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1399906.1
Update Date: 2017-12-06

Solution Type: Technical Instruction

Solution 1399906.1: Sun Storage 7000 Unified Storage System: How To Configure Secure LDAP Over SSL


Related Items
  • Sun ZFS Storage 7420
  • Sun Storage 7110 Unified Storage System
  • Sun Storage 7210 Unified Storage System
  • Sun Storage 7410 Unified Storage System
  • Sun ZFS Storage 7120
  • Sun Storage 7310 Unified Storage System
  • Sun ZFS Storage 7320
Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: 7xxx NAS
  • _Old GCS Categories>Sun Microsystems>Storage - Disk>Unified Storage




In this Document
Goal
Solution
 Introduction
 Configuration on the LDAP Server
 Configuration on the Appliance Side
 1. Set the following properties for the LDAP service.
 2. Create the LDAPS host server details.
 3. Enable the service.
 4. Check the status.
References


Created from <SR 3-5147000131>

Applies to:

Sun ZFS Storage 7120 - Version All Versions and later
Sun ZFS Storage 7420 - Version All Versions and later
Sun Storage 7110 Unified Storage System - Version All Versions and later
Sun Storage 7210 Unified Storage System - Version All Versions and later
Sun Storage 7310 Unified Storage System - Version All Versions and later
7000 Appliance OS (Fishworks)

Goal

This document describes how to configure unified storage to use secure LDAP over SSL.

Solution

Introduction

The ZFS Unified Storage appliance can use LDAP for user directory lookups for NFS and CIFS. It can also provide authentication for the ftp, http and webdav services.
Follow the steps below to configure the appliance to communicate with the LDAP server over SSL, so that directory lookups and the proxy credentials are protected on the wire.

Configuration on the LDAP Server

1. Make sure the LDAP server is listening for LDAPS on port 636.
2. Since the appliance uses a self-signed certificate, the LDAP server must be configured to trust the appliance CA by importing the appliance certificate /etc/svc/ssl/akd.pem as a trusted CA.

The appliance certificate can be extracted with the openssl command from any host that can reach the appliance management port (215). openssl must be installed on that host; refer to the openssl documentation for the syntax.

The following example retrieves the certificate with openssl s_client and writes it to the file appliance.pem, which can be imported on the LDAP server as a trusted CA. Note that the s_client -cert option names a client certificate to present, not an output file, so the certificate is taken from the s_client output with openssl x509. Because s_client fetches the certificate over the network, verify its fingerprint through a trusted channel before importing it. Contact the LDAP server administrator for additional information on how to trust this certificate and set up the server.

openssl s_client -connect appliance-host:215 -showcerts </dev/null | openssl x509 -outform PEM > appliance.pem

Refer to the appropriate LDAP server documentation on how to configure SSL on the server side.
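The following script is an added example for this note, not Oracle's code or part of the appliance: it performs the certificate extraction above from an admin host with openssl installed, prints the SHA-256 fingerprint so it can be compared out of band before the LDAP server is told to trust the file, confirms the certificate is self-signed, and checks that the LDAP server answers TLS on 636 with a chain the admin host can verify. The host names (appliance-host, server1), file names (appliance.pem, ldap-ca.pem) and the argument layout are assumptions for illustration.

```sh
#!/bin/sh
# Added example for this note (not Oracle's code): pull the appliance's
# self-signed certificate from its management port, record its SHA-256
# fingerprint for out-of-band comparison, and confirm the LDAP server
# answers TLS on 636. Assumes an admin host with openssl installed;
# host names and file names below are placeholders.
set -eu

# fetch_cert HOST PORT OUTFILE
# s_client's -cert option names a CLIENT certificate to present, not an
# output file, so the certificate is carved out of s_client's output with
# `openssl x509`, which keeps only the first (leaf) certificate it sees.
fetch_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$out"
    [ -s "$out" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
}

# cert_fingerprint PEMFILE
# Prints the SHA-256 fingerprint (colon-separated hex). Verify this value
# through a trusted channel before the LDAP server is told to trust the file,
# since s_client fetched it over an unauthenticated connection.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_subject PEMFILE: prints the certificate's subject DN.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# is_self_signed PEMFILE
# Succeeds when issuer and subject match, which is the case for the
# appliance's akd.pem and the reason it must be imported as a trusted CA
# rather than chained to an existing one.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[a-z]*= *//')
    [ "$subj" = "$iss" ]
}

# check_ldaps HOST CAFILE
# Confirms the LDAP server completes a TLS handshake on 636 and that its
# certificate chains to CAFILE (the CA that signed the LDAP server's cert).
check_ldaps() {
    host=$1; ca=$2
    openssl s_client -connect "$host:636" -CAfile "$ca" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage: ./appliance-cert.sh appliance-host [server1 ldap-ca.pem]
if [ $# -ge 1 ]; then
    fetch_cert "$1" 215 appliance.pem
    cert_subject appliance.pem
    echo "SHA256 fingerprint: $(cert_fingerprint appliance.pem)"
    if is_self_signed appliance.pem; then
        echo "appliance.pem is self-signed; import it on the LDAP server as a trusted CA"
    fi
    if [ $# -ge 3 ]; then
        check_ldaps "$2" "$3" && echo "$2:636 answers LDAPS with a verifiable chain"
    fi
fi
```

Run it with the appliance host name as the first argument; the LDAP server host and its CA file are optional and only drive the final check. The fingerprint line is the value to compare against what the appliance itself reports before the LDAP administrator imports appliance.pem.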

Configuration on the Appliance Side

Assume a proxy_dn is used to authenticate to the LDAP service for directory lookups. With auth_method=simple the proxy password is sent to the server as-is, so use_tls=true is what protects it on the wire.
The following is an example of how to configure the appliance; substitute the values for base_dn, proxy_dn, proxy_password and the LDAP server host that apply to your configuration.

1. Set the following properties for the LDAP service.

CLI
system:> configuration services ldap
system:configuration services ldap> set base_dn=dc=oracle,dc=com
system:configuration services ldap> set search_scope=sub
system:configuration services ldap> set cred_level=proxy
system:configuration services ldap> set auth_method=simple
system:configuration services ldap> set use_tls=true
system:configuration services ldap> set proxy_dn=uid=<proxy_user>,dc=oracle,dc=com
system:configuration services ldap> set proxy_password=<passwd>

2. Create the LDAPS host server details.

CLI
system:configuration services ldap> create
system:configuration services ldap server (uncommitted)> set host=server1
system:configuration services ldap server (uncommitted)> set port=636
system:configuration services ldap server (uncommitted)> set source=server
system:configuration services ldap server (uncommitted)> commit

3. Enable the service.

CLI
system:configuration services ldap> enable

4. Check the status.

CLI
system:configuration services ldap> show



Note: Known bugs
6939638 DSEE 6.3 refuses self-signed client SSL certs

BUG 24450729 - AKD restart required for ldap user authentication for BUI / admin user

For additional information refer to the appropriate ZFS Unified Storage Administration Guide.

References

<NOTE:1540106.1> - Sun Storage 7000 Unified Storage System: LDAP configuration for Active Directory not working

  Copyright © 2018 Oracle, Inc.  All rights reserved.