The Nasuni Edge Appliance supports Directory Services using either Active Directory or LDAP (Lightweight Directory Access Protocol) with Kerberos for authentication. You can specify the LDAP servers and the Kerberos Key Distribution Center (KDC) servers for the Nasuni Edge Appliance to connect to.
This document outlines the general procedure for adding a Nasuni Edge Appliance to an LDAP domain.
Note: There are several utilities and services for performing some of these steps. The ones that we present are only examples. Your utilities and services are similar to the ones that we present.
Specifying multiple protocol access
For single-protocol access, Nasuni supports Kerberos and NTLMv2 over the SMB protocol for appliances bound to Microsoft Windows Active Directory. Nasuni also supports Kerberos over NFSv4 for appliances bound to a supported LDAP directory, including FreeIPA, Oracle Directory Services, and Apple Open Directory.
For multiple-protocol access, where both NFSv4 and the SMB protocol are used to access the same data, the SMB protocol is authenticated using Kerberos or NTLMv2 by Active Directory; however, Nasuni multiprotocol access with NFSv4 supports only NFS basic authentication (AUTH_SYS). AUTH_SYS does not use tokens or passwords for authentication or access control; it relies on the client to provide an ID, which is validated on the server side to limit and control access.
In multiprotocol use cases, Nasuni recommends using network segmentation, and using the Allowed Hosts list to specify NFS client IP addresses, in order to restrict the endpoints that can access NFS exports.
Preliminary Step
Before performing configuration on the Nasuni Edge Appliance, ensure that LDAP Support is enabled on your account license.
Procedures for Oracle Enterprise Directory Server (Oracle DS)
This section describes the procedures for adding the Nasuni Edge Appliance information on the Oracle Enterprise Directory Server (Oracle DS) LDAP server.
Note: These procedures assume that you are running Oracle DS with MIT Kerberos and BIND (named). Neither of these is strictly required for Oracle DS, but both are used to complete the configuration of the Nasuni Edge Appliance.
Important: If the name of the Nasuni Edge Appliance has a period (“.”) in it, the hostname to add to the Nasuni Edge Appliance is whatever is to the left of the first period (“.”). For example, a Nasuni Edge Appliance with the name “gpr-8.0.3” looks for “gpr-8” as the hostname in the keytab file.
Configuring for Kerberos
This section describes the procedure for configuring for Kerberos.
Using the kadmin.local interactive prompt, establish the Kerberos service principals that the Nasuni Edge Appliance uses, by performing the following steps:
Enter kadmin.local.
At the kadmin.local prompt, enter the following commands to create four service principals for the Nasuni Edge Appliance with hostname <edgeapp-fqdn>:
addprinc -randkey host/<edgeapp-fqdn>
addprinc -randkey cifs/<edgeapp-fqdn>
addprinc -randkey nfs/<edgeapp-fqdn>
addprinc -randkey HTTP/<edgeapp-fqdn>
where <edgeapp-fqdn> is the Fully Qualified Domain Name of the Nasuni Edge Appliance, using lower-case letters.
Export this information to a keytab file, by entering the following commands at the kadmin.local prompt:
ktadd -k /tmp/myedgeapp.keytab host/<edgeapp-fqdn>
ktadd -k /tmp/myedgeapp.keytab cifs/<edgeapp-fqdn>
ktadd -k /tmp/myedgeapp.keytab nfs/<edgeapp-fqdn>
ktadd -k /tmp/myedgeapp.keytab HTTP/<edgeapp-fqdn>
where <edgeapp-fqdn> is the Fully Qualified Domain Name of the Nasuni Edge Appliance, using lower-case letters.
(Optional.) Confirm the contents of the keytab file by entering ktutil and then entering these commands at the ktutil: prompt:
read_kt /tmp/myedgeapp.keytab
list
Make the keytab file available to the person or system that is to configure the Nasuni Edge Appliance.
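As an added example (not Nasuni's code), the following Python checks a saved ktutil "list" dump against the principals that this procedure creates: every required service must be present for the lower-case FQDN, host names must be lower case, and the appliance-name rule from the Important note above is applied. The keytab listing, host names and realm are constructed; the check accepts several FQDNs at once, which also covers the hostname-change procedure later on this page, where one keytab must include both the current and the new name.

```python
from __future__ import annotations
import re

# Service principals that the kadmin.local procedure creates for the appliance.
REQUIRED_SERVICES = ("host", "cifs", "nfs", "HTTP")

# One principal line of "ktutil list" output: "slot KVNO Principal".
_KTUTIL_LINE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<svc>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)\s*$"
)

# Constructed sample dump: HTTP/ is missing and nfs/ was created with an upper-case host.
SAMPLE_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/odsedgeapp1.oracleds1.engdom.nasuni.net@ORACLEDS1.ENGDOM.NASUNI.NET
   2    2 cifs/odsedgeapp1.oracleds1.engdom.nasuni.net@ORACLEDS1.ENGDOM.NASUNI.NET
   3    2 nfs/ODSEDGEAPP1.oracleds1.engdom.nasuni.net@ORACLEDS1.ENGDOM.NASUNI.NET
"""


def short_hostname(appliance_name: str) -> str:
    """Hostname the appliance looks for in the keytab: everything left of the first period."""
    return appliance_name.split(".", 1)[0]


def parse_ktutil_list(listing: str) -> list[tuple[str, str, str]]:
    """Return (service, host, realm) for every principal line in a ktutil 'list' dump."""
    entries = []
    for line in listing.splitlines():
        m = _KTUTIL_LINE.match(line)
        if m:
            entries.append((m["svc"], m["host"], m["realm"]))
    return entries


def check_keytab(listing: str, fqdns, services=REQUIRED_SERVICES) -> dict:
    """Report principals missing for each FQDN, hosts not in lower case, and realms seen.

    A principal whose host is not spelled exactly like the lower-case FQDN
    counts as missing, because that is the name the appliance will look up.
    """
    entries = parse_ktutil_list(listing)
    present = {(svc, host) for svc, host, _ in entries}
    missing = [f"{svc}/{fqdn}" for fqdn in fqdns for svc in services
               if (svc, fqdn) not in present]
    wrong_case = sorted({host for _, host, _ in entries if host != host.lower()})
    realms = sorted({realm for _, _, realm in entries})
    return {"missing": missing, "wrong_case": wrong_case, "realms": realms}


if __name__ == "__main__":
    report = check_keytab(SAMPLE_LISTING, ["odsedgeapp1.oracleds1.engdom.nasuni.net"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Paste the output of ktutil's list command into a file and pass its contents to check_keytab; an empty "missing" list and an empty "wrong_case" list mean the keytab matches what the wizard's Keytab step expects.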
Configuring for DNS
Because you are generally accessing the Nasuni Edge Appliance using the fully-qualified domain name (FQDN), it is often convenient to actually make the Nasuni Edge Appliance accessible by that name in DNS. The alternative is to modify the /etc/hosts file on all the clients that you plan on using with the Nasuni Edge Appliance.
To configure for DNS, follow these steps:
Edit the zone file /var/named/<domain-name>, where <domain-name> is the name of the LDAP domain that the Nasuni Edge Appliance is going to join, using a command such as:
vi /var/named/<domain-name>
In this zone file, add a new "A" record for your Nasuni Edge Appliance. For example, if the name of the Nasuni Edge Appliance were “odsedgeapp1” and its IP address was “10.1.3.79”, then add a line to the zone file like this:
odsedgeapp1 IN A 10.1.3.79
Save the zone file.
After the zone file is saved, reload the bind configuration, using this command:
service named reload
Exporting certificates with Oracle DS
To export certificates with Oracle DS, follow these steps:
For Oracle DS, run a command like this:
/var/oracle/dsee7/bin/dsadm export-cert -o /tmp/temp.cert /var/oracle/instance/dsInst/ defaultCert
This command prompts you for a password that is applied to the output file.
Run a command like this:
openssl pkcs12 -in /tmp/temp.cert -out /tmp/oracle.pem -nokeys -clcerts
This command prompts you for the password that you entered for the previous command.
You can now provide the file named "oracle.pem" to a user who can upload it to the Nasuni Edge Appliance.
Procedures for Apple Open Directory
This section describes the procedures for adding the Nasuni Edge Appliance information on the Apple Open Directory LDAP server.
Adding Edge Appliances
To make Edge Appliances connected to Apple Open Directory available to clients, each Edge Appliance needs a keytab that is generated by the Open Directory server. To acquire the keytab, you need to make the directory service aware of the Edge Appliance and then export a keytab file:
Create entries within the directory service for the Edge Appliance by running a command such as:
dscl -u <diradmin> -p /LDAPv3/127.0.0.1 -create /Computers/<edgeapp-fqdn> IPAddress <edgeapp-ip>
where <diradmin> is the name of the directory service administrator for the directory;
<edgeapp-fqdn> is the Fully Qualified Domain Name of the Nasuni Edge Appliance, using lower-case letters;
<edgeapp-ip> is the IP address of the Nasuni Edge Appliance.
This creates entries within the directory service for the Edge Appliance.
Delete any existing temporary keytabs by running a command such as:
rm -f /tmp/out.kt
Run a command such as:
sudo kadmin -l
At the prompt, type:
ext_keytab -k /tmp/out.kt host/<edgeapp-fqdn> cifs/<edgeapp-fqdn> ftp/<edgeapp-fqdn> nfs/<edgeapp-fqdn>
where <edgeapp-fqdn> is the Fully Qualified Domain Name of the Nasuni Edge Appliance, using lower-case letters.
(Optional.) Confirm the contents of the keytab file by entering ktutil and then entering these commands at the ktutil: prompt:
read_kt /tmp/out.kt
list
Make the out.kt keytab file available to the person or system that is to configure the Nasuni Edge Appliance.
Exporting certificates
To safely connect to LDAP services, the Edge Appliance uses SSL/TLS certificates to secure the connection. The Edge Appliance must have a local copy of the self-signed certificate or CA certificate used by the LDAP servers.
To export the CA certificate from an Apple Open Directory server, follow these steps:
Use Spotlight to start "Keychain Access".
Under Keychains, select "System".
Under category, select "Certificates".
From the list, select the "<name> Certificate Authority" certificate, where <name> is the name given to the Open Directory system when it was first set up.
Select File > Export Items. Alternatively, right-click the certificate and select Export.
Name the certificate, choose an output location, and leave the default .p12 format.
Provide a password for the exported file.
Provide the username and password of the directory administrator.
Run a command such as:
openssl pkcs12 -in <old_cert_name>.p12 -out <new_cert_name>.pem -clcerts -nokeys
where <old_cert_name> is the name of the original .p12 certificate;
and <new_cert_name> is the name of a new .pem certificate.
This generates a new .pem formatted certificate that can be uploaded to the Edge Appliance.
Procedures for FreeIPA
FreeIPA is an identity management system used for LDAP authentication. FreeIPA can be used as an alternative to the Oracle DS procedure above.
Important: You must have an LDAP domain to use FreeIPA.
To use FreeIPA for LDAP authentication, follow these steps:
In a Web browser, visit the Web site:
http://<LDAP-fqdn>
where <LDAP-fqdn> is the fully-qualified domain name of the LDAP domain controller.
The FreeIPA Identity Management site appears.
If the Nasuni Edge Appliance is not yet listed as a host, click Identity, then select Hosts, then click +Add. The Add Host dialog box appears. Enter the following information:
- Host Name: the host name of the Nasuni Edge Appliance.
- IP Address: the IP address of the Nasuni Edge Appliance.
- DNS Zone: from the drop-down list, select the DNS Zone.
Click Add. The Nasuni Edge Appliance is added to the list of Hosts.
If the CIFS service of the Nasuni Edge Appliance is not yet listed as a service, click Identity, then select Services, then click +Add. The Add Service dialog box appears. Enter the following information:
- Service: from the drop-down list, select cifs.
- Host Name: from the drop-down list, select the host name of the Nasuni Edge Appliance. You can search for the host name by typing part of the host name in the Search text box and pressing Enter.
Click Add. The CIFS service of the Nasuni Edge Appliance is added to the list of Services.
Download the SSL certificate from the FreeIPA server. Save the certificate file in a location that the Nasuni Edge Appliance can access.
Upload the SSL certificate to the Nasuni Edge Appliance.
At this point, you can continue joining an LDAP domain, using FreeIPA.
Exporting certificates with FreeIPA
To safely connect to LDAP services, the Edge Appliance uses SSL/TLS certificates to secure the connection. The Edge Appliance must have a local copy of the self-signed certificate or CA certificate used by the LDAP servers.
To export the CA certificate from FreeIPA, use curl to download from a URL on the Directory Server:
Run a command like this:
curl -v -O http://<LDAP-fqdn>/ipa/config/ca.crt
where <LDAP-fqdn> is the fully-qualified domain name of the LDAP domain controller.
You can now provide the file named "ca.crt" to a user who can upload it to the Nasuni Edge Appliance.
Configuring the Nasuni Edge Appliance
This section describes configuring the Nasuni Edge Appliance with the LDAP information.
Uploading the certificate
To upload the certificate from the LDAP server to the Nasuni Edge Appliance, follow these steps:
On the Nasuni Edge Appliance, click Configuration, then select SSL Certificates from the list. The SSL Certificates page appears.
Click Upload Client Certificate. The Add Client Certificate Files page appears.
In the Certificate Name text box, enter the name that you use to refer to this certificate.
Click Choose File next to Certificate File, then navigate to the SSL certificate file that was created above.
Caution: The maximum length of a file name is 255 bytes.
In addition, the length of a path, including the file name, must be less than 4,000 bytes.
Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.
If a particular client has other limits, the smaller of the two limits applies.
Select Default Authentication certificate, which selects this certificate as the default for authenticating with the primary LDAP server.
Click Save Certificate. The certificate is installed and becomes available in the list of certificates on the SSL Certificates page.
Joining the LDAP domain
This section describes the procedure for joining the Nasuni Edge Appliance to the LDAP domain.
Important: You cannot enable both Active Directory and LDAP Directory Services for a Nasuni Edge Appliance.
Tip: LDAP Directory Services must be enabled in the client license before joining an LDAP domain.
To configure the Nasuni Edge Appliance to join the LDAP domain, follow these steps:
On the Nasuni Edge Appliance, click Configuration, then select Directory Services from the list. The Directory Services page appears.
In the Domain text box, enter the fully qualified LDAP Directory Services domain name (such as oracleds1.engdom.nasuni.net) that you want the Nasuni Edge Appliance to join. The Nasuni Edge Appliance joins this domain to authenticate users from the LDAP Directory Services server.
Turn Auto Detect off.
From the Directory Service Type drop-down list, select LDAP Directory Services.
From the Directory Services Provider drop-down list, select Generic LDAP/Kerberos, or the provider that matches your LDAP and Kerberos servers.
Note: Some of the following fields are optional, depending on the choice of Directory Services Provider.
In the LDAP Servers text box, enter a list of the domain names (or IP addresses) of the LDAP servers for the Nasuni Edge Appliance to connect to, separated by commas.
In the Kerberos KDC Servers text box, enter a list of the IP addresses or hostnames of the Kerberos Key Distribution Center (KDC) servers for the Nasuni Edge Appliance to connect to, separated by commas.
(Optional.) From the LDAP ID Schema drop-down list, select RFC2307, or whichever LDAP ID schema your LDAP infrastructure uses.
(Optional.) In the LDAP User Search Base text box, enter an LDAP DN (distinguished name) that indicates a subtree that contains users. For example, for oracleds1.engdom.nasuni.net you might use (dc=oracleds1,dc=engdom,dc=nasuni,dc=net).
(Optional.) In the LDAP Group Search Base text box, enter an LDAP DN (distinguished name) that indicates a subtree that contains groups. For example, for oracleds1.engdom.nasuni.net you might use (dc=oracleds1,dc=engdom,dc=nasuni,dc=net).
(Optional.) Leave the LDAP User Name Attribute text box blank, or enter the LDAP user name attribute.
(Optional.) Leave the LDAP Group Name Attribute text box blank, or enter the LDAP group name attribute.
(Optional.) Leave the LDAP Netgroup Search Base text box blank, or enter an LDAP DN (distinguished name) that indicates a subtree that contains netgroups.
(Optional.) In the LDAP Bind DN text box, enter an LDAP DN (distinguished name) to use instead of an anonymous bind. For example, you might use (cn=Directory Manager).
(Optional.) In the LDAP Bind Password text box, enter a password to use to bind with the LDAP Bind DN.
(Optional.) In the Minimum Supported ID text box, enter 1000, or the minimum user or group ID to map to the Nasuni Edge Appliance. This is needed for the case where you want the Nasuni Edge Appliance to use IDs outside of the ranges that are allowed to be automatically chosen by the Nasuni Edge Appliance.
(Optional.) In the Maximum Supported ID text box, enter 4294967294, or the maximum user or group ID to map to the Nasuni Edge Appliance. This is needed for the case where you want the Nasuni Edge Appliance to use IDs outside of the ranges that are allowed to be automatically chosen by the Nasuni Edge Appliance.
Click Continue.
If the Confirm/Authenticate Directory Service dialog box appears, and if necessary, enter the user name and password of a directory user who is authorized to join this Nasuni Edge Appliance to the specified domain. Click Submit.
The wizard checks the provided information before proceeding to the Keytab step. If the wizard is successful in checking the LDAP domain and other information, the wizard highlights the Keytab step.
From the Keytab Source drop-down list, select the source of the Kerberos keytab for the Nasuni Edge Appliance from the following choices:
FreeIPA Server (only available on a FreeIPA system): If you select a FreeIPA server, enter the Username, Password, and Repeat Password, then click Continue.
Keytab file upload: If you select to upload a keytab file, click Browse to navigate to the file, then click Continue.
Caution: The maximum length of a file name is 255 bytes.
In addition, the length of a path, including the file name, must be less than 4,000 bytes.
Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.
If a particular client has other limits, the smaller of the two limits applies.
The wizard checks the provided keytab information before proceeding to the Volume Selection step. If the wizard is successful in obtaining the Kerberos keytab information, and if volumes have been created, the wizard highlights the Volume Selection step.
For each volume in the list, select Enable Domain-Based Authentication to specify using authentication that is based on LDAP Directory Services for that volume, then click Continue.
The wizard attempts to establish the specified authentication for the specified volumes. If successful, the Domain Configuration tab is selected.
If any other Nasuni Edge Appliances on your account are already configured for access to the specified domain, they appear in a list. Select one of those Nasuni Edge Appliances from the Configuration Source drop-down list to duplicate its user and group mappings. This helps to ensure consistent user authentication and ID mapping across Nasuni Edge Appliances accessing the same volumes.
Alternatively, if there are no other Nasuni Edge Appliances already configured for access to the specified domain, or if you prefer to configure domains and trusts manually, select Local Settings from the Configuration Source drop-down list.
If Local Settings is selected, also select Allow Unique Settings to allow this Nasuni Edge Appliance to have domain settings unique to this appliance and not common across your account.
Click Continue.
The wizard attempts to configure for the specified domain. If successful, the Enable Domains tab is selected.
A list of available domains appears. From this list, select the domains that you want the Nasuni Edge Appliance to access.
Click Continue.
The wizard attempts to enable the selected domains. If successful, the "Complete the Configuration" tab is selected.
Verify the configuration values, then click Finish.
The wizard attempts to complete the configuration. If successful, the Directory Services page appears.
The newly joined domain appears in the Domain Settings list.
Changing hostname of a Nasuni Edge Appliance connected to LDAP
If you must change the hostname of a Nasuni Edge Appliance that is connected to LDAP, you must ensure that the LDAP Connection Status stays in a Healthy state.
To change the hostname of a Nasuni Edge Appliance that is connected to LDAP, follow these steps:
Using the procedure in the “Configuring for Kerberos” section above, create a new keytab file. This new keytab file should include both the current hostname of the Nasuni Edge Appliance and the new hostname of the Nasuni Edge Appliance.
The hostname is 15 characters or less, and can include ASCII lowercase letters a through z, digits 0 (zero) through 9, and hyphens.
On the Nasuni Edge Appliance, click Configuration, then select Directory Services from the list. The Directory Services page appears.
From the Keytab Source drop-down list, select “Keytab file upload”.
For Keytab File, click “Choose File”, then navigate to the new keytab file and click OK.
Caution: The maximum length of a file name is 255 bytes.
In addition, the length of a path, including the file name, must be less than 4,000 bytes.
Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary.
If a particular client has other limits, the smaller of the two limits applies.
On the Nasuni Edge Appliance, click Configuration, then select Network Configuration from the list. The Network Configuration page appears.
Enter the new hostname, then click Save Network Configuration. The Confirm Network Changes page appears.
Enter a Username (case-sensitive) and Password (case-sensitive) that has permission to perform this operation, then click Submit. Your changes are saved.
Any clients must have their share connections changed to use the new hostname.
Contacting Technical Support
Online self-help resources and Technical Support are available at www.nasuni.com/support.