Aravindh Sampathkumar via FreeIPA-users wrote:
Hello all.
I'm a new user having recently deployed a FreeIPA server to supply
authentication for a small scale cluster. One of the first things I did
was to make our storage system (Isilon cluster running OneFS) use
FreeIPA as an authentication provider via LDAP.
Though straightforward, I wish this information was available directly
on the wiki and showed up on Google search for "How to configure
Isilon/OneFS to use FreeIPA".
I'd be happy to add this information into a wiki entry if someone could
give me access to it.
I just need your Fedora Account System (FAS) account name. If you don't
have one you can create one at
https://admin.fedoraproject.org/accounts/user/new
I need that to grant write access to the wiki (we had terrible spam
problems). Feel free to send it privately.
I'm not sure I'd recommend using the admin user though. It might be
better to create a specific account and grant just those needed
permissions (I'm not sure what Isilon/OneFS needs).
Also, if you use the IP address in the ldaps address it _should_ fail
because IPA does not provide IPAddr SAN so SSL subject validation should
not work.
rob
>
> Login to FreeIPA server over SSH, and run the command:
>
> [root@freeipa1 ~]# ldapsearch -x uid=admin | grep dn:
> dn: uid=admin,cn=users,cn=compat,dc=nghpc,dc=dk
> dn: uid=admin,cn=users,cn=accounts,dc=nghpc,dc=dk
>
> Note down uid=admin, cn=accounts,dc=nghpc,dc=dk
> and head to Isilon OneFS, where you may configure LDAP using one of the
> two methods:
>
> (1) Using the web UI:
> Access --> Authentication Providers --> LDAP
> + Add an LDAP provider
> Enter an LDAP provider name of choice that is easy to understand.
> Server URI: ldaps://<ip address or fqdn of FreeIPA server>
> Note: If you are using the fqdn, make sure the DNS settings
> resolve the fqdn from the command line using nslookup <fqdn>
> Base Distinguished Name: dc=nghpc,dc=dk (Enter the details as
> obtained from the search command earlier)
> Bind to: uid=admin,cn=users,cn=accounts,dc=nghpc,dc=dk (Enter
> the details as obtained from the search command earlier)
> Enter the password for Admin user and you would have successfully
> connected Isilon to FreeIPA via LDAP.
>
> (2) Using the commandline:
> Get the status of auth providers before beginning the configuration:
> isi auth status
> Create a new LDAP provider using the command,
> isi auth ldap create test-ldap \
> --base-dn="dc=nghpc,dc=dk" \
> --bind-dn="uid=admin,cn=users,cn=accounts,dc=nghpc,dc=dk" \
> --bind-password="mypasswd" \
> --server-uris="ldaps://<ip address or fqdn of FreeIPA server>" \
> --groupnet=<groupnet name>
>
> Run the ldap search from the Isilon node to test whether the LDAP
> connection works fine:
> ldapsearch -x uid=admin
>
> You can use the troubleshooting guide from EMC:
> https://www.emc.com/collateral/TechnicalDocument/docu63147.pdf
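A pre-flight script for the procedure quoted above, covering the two caveats Rob raises (a dedicated bind account rather than admin, and an FQDN rather than an IP address in the ldaps:// URI, since the IPA certificate carries no IPAddr SAN). This is an added example for the thread, not code from the posts, from FreeIPA or from OneFS. The suffix dc=nghpc,dc=dk and the two DNs returned by ldapsearch come from the thread; the server name ipa1.nghpc.dk, the account name isilon-bind and the use of a cn=sysaccounts,cn=etc entry as the bind account (the place FreeIPA's own LDAP how-to uses for service binds) are assumptions made here.

```shell
#!/bin/sh
# Pre-flight helper for pointing an LDAP client such as Isilon OneFS at FreeIPA.
# Added example for this thread; not code from the original posts, FreeIPA or
# OneFS. Suffix dc=nghpc,dc=dk is taken from the thread; the bind account name
# "isilon-bind" and the server name ipa1.nghpc.dk are assumed for illustration.

# Accept only an ldaps:// URI whose host is a fully qualified name.
# FreeIPA's LDAP server certificate has a DNS SAN for the server FQDN and no
# IPAddr SAN, so TLS hostname validation of an IP literal (v4 or v6) fails.
check_ldap_uri() {
    uri=$1
    case $uri in
        ldaps://*) ;;
        ldap://*)  echo "reject $uri: ldap:// would send the bind password in clear" >&2; return 1 ;;
        *)         echo "reject $uri: not an LDAP URI" >&2; return 1 ;;
    esac
    host=${uri#ldaps://}
    host=${host%%/*}                       # drop any /basedn suffix
    case $host in
        \[*) echo "reject $uri: IPv6 literal, no IPAddr SAN in the IPA cert" >&2; return 1 ;;
    esac
    host=${host%%:*}                       # drop :port
    case $host in
        '')        echo "reject $uri: empty host" >&2; return 1 ;;
        *[!0-9.]*) ;;                      # has letters: a hostname, fine
        *)         echo "reject $uri: IPv4 literal, no IPAddr SAN in the IPA cert" >&2; return 1 ;;
    esac
    case $host in
        *.*) ;;
        *)   echo "reject $uri: use the FQDN that appears in the certificate SAN" >&2; return 1 ;;
    esac
    return 0
}

# Given "ldapsearch -x uid=..." output on stdin, print the real entry DN under
# cn=accounts and skip the slapi-nis compatibility view under cn=compat.
pick_accounts_dn() {
    while IFS= read -r line; do
        case $line in
            "dn: "*",cn=accounts,"*) printf '%s\n' "${line#"dn: "}"; return 0 ;;
        esac
    done
    return 1
}

# LDIF for a bind-only account under cn=sysaccounts,cn=etc (assumed layout,
# following FreeIPA's LDAP how-to): not a POSIX user, no admin rights, and a
# far-future passwordExpirationTime so the bind does not start failing later.
# Load it as Directory Manager: ldapmodify -x -D "cn=Directory Manager" -W -f file.ldif
sysaccount_ldif() {
    uid=$1 basedn=$2 password=$3
    cat <<EOF
dn: uid=$uid,cn=sysaccounts,cn=etc,$basedn
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: $uid
userPassword: $password
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Live checks (need network): show which names the IPA certificate is valid
# for, then do an authenticated bind as the dedicated account. -W prompts for
# the password instead of putting it on the command line and in shell history.
live_bind_test() {
    uri=$1 binddn=$2 basedn=$3
    check_ldap_uri "$uri" || return 1
    host=${uri#ldaps://}; host=${host%%/*}; host=${host%%:*}
    openssl s_client -connect "$host:636" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName
    ldapsearch -H "$uri" -D "$binddn" -W -b "$basedn" -s base 1.1
}

# Usage (only runs when invoked with "run"):
#   sh preflight.sh run ldaps://ipa1.nghpc.dk \
#       uid=isilon-bind,cn=sysaccounts,cn=etc,dc=nghpc,dc=dk dc=nghpc,dc=dk
if [ "${1:-}" = "run" ]; then
    live_bind_test "$2" "$3" "$4"
fi
```

Once the bind works from the command line, the OneFS provider is created as in the quoted post but with the FQDN in --server-uris and the sysaccount DN in --bind-dn. Note that --bind-password on the isi command line ends up in the shell history of the node; the web UI form avoids that.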