Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1579345.1
Update Date: 2018-05-10
Solution Type: Technical Instruction
Solution 1579345.1: Oracle ZFS Storage Appliance: How to configure the LDAP service to authenticate users via an Active Directory server with the IDMU extensions installed


Related Items
  • Sun ZFS Storage 7320
  • Sun Storage 7210 Unified Storage System
  • Oracle ZFS Storage ZS3-BA
  • Oracle ZFS Storage ZS5-4
  • Oracle ZFS Storage ZS3-2
  • Sun Storage 7410 Unified Storage System
  • Oracle ZFS Storage ZS3-4
  • Sun ZFS Storage 7420
  • Oracle ZFS Storage ZS5-2
  • Oracle ZFS Storage ZS4-4
  • Sun Storage 7310 Unified Storage System
  • Sun Storage 7110 Unified Storage System
  • Sun ZFS Storage 7120
Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: ZS


Using an Active Directory Server for LDAP authentication.


Applies to:

Sun Storage 7310 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Sun Storage 7210 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Sun Storage 7110 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Sun Storage 7410 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7420 - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)

Goal

Authenticate users via LDAP against an Active Directory server.

To discuss this information further with Oracle experts and industry peers, we encourage you to review, join or start a discussion in the My Oracle Support Community - Disk Storage ZFS Storage Appliance

Solution

This document describes the minimum requirements for configuring the LDAP service on the ZFSSA to authenticate users via an Active Directory server using IDMU.

The IDMU (Identity Management for UNIX) extensions provide the RFC 2307bis attributes that the appliance requires; they were originally added to Active Directory to support authentication via the Windows NIS service.

Authentication will work only for Active Directory users whose UNIX attributes are populated in Active Directory.

The following article covers installing the extensions on the Active Directory Server:

http://technet.microsoft.com/en-us/library/cc737796(v=ws.10).aspx


The following output shows the information required to configure the LDAP service on the appliance:

nas:configuration services ldap show
Properties:
                      <status> = online
               default_servers = 192.168.1.11:389
                      proxy_dn = cn=joe.jones,cn=users,dc=example,dc=com
                proxy_password = *********
                       base_dn = dc=example,dc=com
                  search_scope = sub
                    cred_level = proxy
                   auth_method = simple
                       use_tls = false
                  user_mapattr = homeDirectory=UnixHomeDirectory
              user_mapobjclass = posixAccount=user,shadowAccount=person
                   user_search = cn=Users,dc=example,dc=com
                 group_mapattr =
             group_mapobjclass = posixGroup=group
                  group_search = cn=Users,dc=example,dc=com

  1.  proxy_dn = the distinguished name of a user that can bind to the Active Directory server.
  2.  proxy_password = the proxy user's password.
  3.  base_dn = the top level of the domain.
  4.  search_scope = sub - recurses through the directory structure below base_dn.
  5.  cred_level = proxy
  6.  auth_method = simple
  7.  use_tls = false
  8.  user_mapattr = homeDirectory=UnixHomeDirectory - required if homeDirectory isn't populated; the appliance reads the IDMU UnixHomeDirectory attribute in place of homeDirectory.
  9.  user_mapobjclass = posixAccount=user,shadowAccount=person - both mappings are required.
 10.  user_search = cn=Users,dc=example,dc=com - must be above all OUs that may contain user entries.
 11.  group_mapattr = (empty)
 12.  group_mapobjclass = posixGroup=group
 13.  group_search = cn=Users,dc=example,dc=com

Select a server and specify a connection on the standard LDAP port, 389.

To enter user_mapobjclass from the CLI, quote both object mappings:  set user_mapobjclass="posixAccount=user","shadowAccount=person"

This satisfies the requirements of the simplest form of Active Directory schema; modifications will be required to match most installations.

Additional mappings can be added as well.

Example:

To get the given name from Active Directory to replace gecos, add another user_mapattr mapping: user_mapattr=gecos=displayName

The effect of this mapping can be seen in the Name field for ZFSSA directory-type admin users under Configuration > Users:

nas:configuration users> show 
Users: 
 
NAME                     USERNAME                 UID        TYPE 
George Washington        george.washington        172912     Dir 
Jerry L. Lewis           jlewis                   172910     Dir 
John Adams               john.adams               172911     Dir 
Oracle Agent             oracle_agent             2000000001 Loc 

Without the gecos mapping, the Name field contains the value of the gecos attribute, which is blank by default.
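As an added example (not from this article and not the appliance's own code), the following Python models how the user_mapattr and user_mapobjclass settings above, together with the gecos=displayName mapping, translate an IDMU-populated Active Directory entry into the posixAccount view the appliance expects. The CLI output and the user entry are constructed samples; the parser, the mapping logic and the cleartext-bind check are assumptions of this model, not appliance internals.

```python
import re

# Constructed sample of the appliance's 'configuration services ldap show'
# output, with the gecos=displayName mapping the article suggests added.
LDAP_SHOW = """\
                default_servers = 192.168.1.11:389
                       proxy_dn = cn=joe.jones,cn=users,dc=example,dc=com
                    auth_method = simple
                        use_tls = false
                   user_mapattr = homeDirectory=unixHomeDirectory,gecos=displayName
               user_mapobjclass = posixAccount=user,shadowAccount=person
"""

# Constructed AD user entry with the IDMU UNIX attributes populated.
SAMPLE_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "uid": "george.washington", "displayName": "George Washington",
    "uidNumber": "172912", "gidNumber": "10000",
    "unixHomeDirectory": "/home/george.washington", "loginShell": "/bin/bash",
}

def parse_show(text):
    """Turn the 'key = value' lines of the CLI output into a dict."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(.*?)\s*$", text, re.M))

def parse_map(spec):
    """'posix=ad,...' -> {'posix': 'ad'}: left is the RFC 2307 name, right the AD name."""
    return dict(p.split("=", 1) for p in spec.split(",") if "=" in p)

def map_user(props, entry):
    """Modelled appliance view of one AD entry, or None if a mapped AD objectClass is missing."""
    lower = {k.lower(): v for k, v in entry.items()}  # AD attribute names are case-insensitive
    classes = {c.lower() for c in lower.get("objectclass", [])}
    for ad_class in parse_map(props.get("user_mapobjclass", "")).values():
        if ad_class.lower() not in classes:  # posixAccount=user and shadowAccount=person both required
            return None
    attr_map = parse_map(props.get("user_mapattr", ""))
    posix = {}
    for rfc in ("uid", "uidNumber", "gidNumber", "homeDirectory", "gecos", "loginShell"):
        src = attr_map.get(rfc, rfc).lower()  # unmapped names are read from AD under the same name
        if src in lower:
            posix[rfc] = lower[src]
    return posix

def bind_warnings(props):
    """The article's settings bind with simple auth on port 389 without TLS."""
    if props.get("use_tls") == "false" and props.get("auth_method") == "simple":
        return ["proxy_dn and proxy_password are sent in cleartext to " + props.get("default_servers", "?")]
    return []
```

Running map_user without the gecos mapping yields no gecos value at all, which is why the Name field shows blank in that case.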

Check for relevancy - 10-May-2018


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.