
EMC VNX Series
Configuring VNX Naming Services
P/N 300-011-855 REV A01
EMC Corporation, Corporate Headquarters: Hopkinton, MA 01748-9103, 1-508-435-1000, www.emc.com

2 of 80

Contents

Introduction ... 5
  System requirements ... 5
  Restrictions ... 6
  User interface choices ... 6
  Terminology ... 7
  Related information ... 9
Concepts ... 10
  Local files ... 10
  NIS ... 11
  DNS ... 11
  LDAP-based directory services ... 12
  Active Directory ... 18
  WINS ... 18
  nsswitch.conf file ... 19
  Protocol user authentication ... 19
Configuring local files ... 20
  Prerequisites ... 20
  Configure local files on a Data Mover ... 22
Configuring NIS ... 23
  Prerequisites ... 23
  Configure a Data Mover as an NIS client ... 23
Configuring DNS ... 24
  Prerequisites ... 24
  Configure a Data Mover as a DNS client ... 24
Configuring a Data Mover as an LDAP-based directory service client ... 25
  Prerequisites ... 25
  Configure an LDAP-based directory client by using a domain name ... 26
  Configure an LDAP-based directory client by using a base distinguished name ... 27
Configuring additional LDAP-based directory options ... 28
  Specify the use of simple (password) authentication ... 28
  Specify the use of Kerberos authentication ... 29
  Enable SSL for LDAP-based directories ... 31
  Specify the SSL persona ... 32
  Specify the SSL cipher suite ... 33
  Specify an iplanet client configuration profile ... 34
  Copy the ldap.conf file ... 35
  Specify an NIS domain ... 37
Configuring the nsswitch.conf file ... 38
  Prerequisites ... 38
  Edit the nsswitch.conf file ... 38
Managing local files ... 40
Managing NIS ... 41
  Display the NIS configuration ... 41
  Verify the status of the NIS configuration ... 42
  Delete the NIS configuration ... 42
Managing DNS ... 43
  Verify the DNS configuration ... 43
  Delete the DNS configuration ... 43
  Set or change the DNS server protocol ... 44
  Clear the DNS cache ... 44
  Disable access to the DNS server ... 45
  Enable access to the DNS server ... 45
Managing an LDAP-based directory ... 46
  Verify the status of the LDAP-based directory service ... 46
  Delete the LDAP-based directory configuration ... 47
  Display information about the LDAP-based directory configuration ... 47
  Temporarily disable the LDAP-based directory service ... 48
  Enable the LDAP-based directory service ... 49
  Disable SSL for LDAP-based directories ... 50
  Looking up information in the LDAP-based directory server ... 51
Troubleshooting ... 55
  Where to get help ... 55
  E-Lab Interoperability Navigator ... 55
  Check network connectivity by using server_ping ... 55
  Access naming services from the Control Station ... 55
  Check communication with DNS ... 56
  Check LDAP-based directory operation ... 57
  Verify the download of the iplanet client profile ... 58
  Edit OpenLDAP schema for Linux ... 59
  Using group membership with distinguished name syntax ... 59
  CIFS user mapping in a multiprotocol environment ... 60
  Error messages ... 61
  LDAP error messages ... 61
  Training and Professional Services ... 63
Appendix A: iplanet client profile attributes ... 64
Appendix B: OpenLDAP configuration file ... 67
Appendix C: IdMU configuration file template ... 68
Appendix D: SFU 3.5 configuration file template ... 69
Appendix E: Examples of configuring a Data Mover as an LDAP-based directory service client ... 70
  Connecting to iplanet using anonymous authentication ... 70
  Connecting to OpenLDAP using simple password authentication ... 71
  Connecting to Active Directory with SFU using simple password authentication ... 72
  Connecting to Active Directory with IdMU using Kerberos authentication ... 73
  Connecting to Active Directory with IdMU using SSL authentication ... 76
Index ... 77

Introduction

This document provides information about naming services, which provide a Data Mover with a mechanism for looking up user and system information, including usernames, passwords, home directories, groups, hostnames, IP addresses, and netgroup definitions. Configuring each Data Mover with access to one or more naming services is a basic task that you must perform to ensure correct operation of EMC VNX.

The Control Station is configured to use naming services, specifically DNS, during system initialization. Configuring and Managing VNX Networking and the Unisphere Control Stations online help topic provide more information.

User mapping, the mapping of the security identifiers (SIDs) used by Windows users to the UNIX-style user identifiers (UIDs) and group identifiers (GIDs) used by VNX, can be provided by several of the naming services described in this document, specifically local files, NIS, LDAP-based directory servers including Active Directory with SFU/IdMU, and Active Directory using VNX CIFS Microsoft Management Console snap-ins. Configuring VNX User Mapping describes how VNX uses these methods to map users.

This document is part of the VNX documentation set and is intended for the system administrators responsible for configuring and maintaining file storage and network retrieval infrastructure.

System requirements

Table 1 on page 5 describes the VNX software, hardware, network, and storage configurations.

Table 1 Naming services system requirements
  Software: VNX version 7.0.
  Hardware: No specific hardware requirements.
  Network: To use NIS, DNS, LDAP-based directories, or WINS with VNX, there must be at least one NIS, DNS, LDAP-based directory, or WINS server, respectively, on the network accessible to the file server.
  Storage: No specific storage requirements.

Restrictions

These restrictions apply:
  NIS+, which uses a different protocol than standard NIS, is not supported on the VNX.
  LDAP over SSL does not support start_tls mode, which starts a TLS connection on an existing non-SSL LDAP connection (for example, over port 389).

User interface choices

VNX offers flexibility in managing networked storage based on your support environment and interface preferences. This document describes how to configure naming services by using the command line interface (CLI). You can also perform many of these tasks by using one of the VNX management applications:
  EMC Unisphere software
  Microsoft Management Console (MMC) snap-ins
  Active Directory Users and Computers (ADUC) extensions

The Unisphere online help contains additional information about managing your VNX. The VNX Release Notes contain additional, late-breaking information about VNX management applications.

Using Unisphere to configure naming services

Unisphere can be used to configure a Data Mover to use the naming services listed in Table 2 on page 6.

Table 2 Naming services configured using Unisphere
  NIS: To configure the Data Mover as an NIS client, select System > Network (Network tasks) > Manage NIS Settings.
  DNS: To configure the Data Mover as a DNS client, select System > Network > DNS or select Sharing > CIFS > DNS. Note: You cannot use Unisphere to change the DNS server protocol or clear the DNS cache.
  WINS: To configure the Data Mover as a WINS client, select Sharing > CIFS (CIFS tasks) > Configure CIFS.

You cannot use Unisphere to manage local files, including the nsswitch.conf file, or configure a Data Mover as an LDAP-based directory client. Unisphere online help provides more information about configuring naming services.

Note: You can also use the Unisphere configuration wizards to set up the use of NIS, DNS, and WINS.

Terminology

The VNX Glossary provides a complete list of VNX terminology.

Active Directory: Advanced directory service included with Windows operating systems. It stores information about objects on a network and makes this information available to users and network administrators through a protocol such as LDAP.

Certificate Authority (CA): Trusted third party that creates and digitally signs public key certificates.

Certificate Authority Certificate: Digitally signed association between an identity (a Certificate Authority) and a public key to be used by the host to verify digital signatures on Public Key Certificates.

Common Internet File System (CIFS): File-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets.

directory server: Server that stores and organizes information about a computer network's users and network resources, and that allows network administrators to manage users' access to the resources. X.500 is the best-known open directory service. Proprietary directory services include Microsoft's Active Directory.

domain: Logical grouping of Microsoft Windows servers and other computers that share common security and user account information. All resources such as computers and users are domain members and have an account in the domain that uniquely identifies them. The domain administrator creates one user account for each user in the domain, and the users log in to the domain once. Users do not log in to each individual server.

Domain Name System (DNS): Name resolution software that allows users to locate computers on a UNIX network or TCP/IP network by domain name. The DNS server maintains a database of domain names, hostnames and their corresponding IP addresses, and services provided by these hosts.

File Transfer Protocol (FTP): High-level protocol for transferring files from one machine to another. Implemented as an application-level program (based on the OSI model), FTP uses Telnet and TCP protocols.

Identity Management for UNIX (IdMU): Microsoft software that provides a UNIX environment on Windows, specifically UNIX identity and security services.

Kerberos: Authentication, data integrity, and data privacy encryption mechanism used to encode authentication information. Kerberos coexists with NTLM (Netlogon services) and, using secret-key cryptography, provides authentication for client/server applications.

Kerberos Key Distribution Center (KDC): Stores and retrieves information about security principals in the Active Directory database. Each domain controller in Windows 2000 or later is a Kerberos KDC that acts as a trusted intermediary between a client and a server.

LDAP-based directory: Directory servers that support LDAP, including Active Directory with IdMU or SFU, OpenLDAP, or iplanet (also known as Sun Java System Directory Server and Sun ONE Directory Server).

Lightweight Directory Access Protocol (LDAP): Industry-standard information access protocol that runs directly over TCP/IP. It is the primary access protocol for Active Directory and LDAP-based directory servers. LDAP version 3 is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF) RFC 2251.

Microsoft Windows Services for UNIX (SFU): Microsoft software that provides a UNIX environment on Windows.

netgroup: Group of computers on a network administered using a single name. Netgroups can be defined using a local text file that provides the list of hosts in a netgroup or using NIS or an LDAP-based directory server.

Network File System (NFS): Distributed file system that provides transparent access to remote file systems. NFS allows all network systems to share a single copy of a directory.

Network Information Service (NIS): Distributed data lookup service that shares user and system information across a network, including usernames, passwords, home directories, groups, hostnames, IP addresses, and netgroup definitions.

OpenLDAP: Open source implementation of an LDAP-based directory service.

persona: Means of providing an identity for a Data Mover as either a server or a client through a private key and associated public key certificate. Each persona can maintain up to two sets of keys (current and next), to allow for the generation of new keys and certificates prior to the expiration of the current certificate.

public key infrastructure (PKI): Means of managing private keys and associated public key certificates for use in Public Key Cryptography. It is a framework which allows the creation of a certificate which is used by SSL.

Secure Sockets Layer (SSL): Security protocol that provides encryption and authentication. It encrypts data and provides message and server authentication. It also supports client authentication if required by the server.

SFU: see Microsoft Windows Services for UNIX.

Sun Java System Directory Server: (Also known as Sun ONE Directory Server and iplanet.) A distributed directory service accessible using LDAP.

Transport Layer Security (TLS): Successor protocol to SSL for general communication authentication and encryption over TCP/IP networks. TLS version 1 is nearly identical with SSL version 3.

Windows domain: Microsoft Windows domain controlled and managed by a Microsoft Windows Server using the Active Directory to manage all system resources and using the DNS for name resolution.

Windows Internet Naming Service (WINS): Microsoft name resolution system that determines the IP address associated with a particular network node. WINS provides the mapping between the machine name and the Internet address, allowing Microsoft networking to function over TCP/IP networks.

Windows NT domain: Microsoft Windows domain controlled and managed by a Microsoft Windows NT server using a SAM database to manage user and group accounts and a NetBIOS namespace. In a Windows NT domain, there is one primary domain controller (PDC) with a read/write copy of the SAM, and possibly several backup domain controllers (BDCs) with read-only copies of the SAM.

Related information

Specific information related to the features and functionality described in this document is included in:
  VNX Command Reference Manual
  Online VNX for file man pages
  VNX Parameters Guide
  VNX Glossary
  Configuring and Managing VNX Networking
  Configuring VNX User Mapping
  VNX Security Configuration Guide
  Managing VNX for a Multiprotocol Environment
  Configuring and Managing CIFS on VNX
  RFCs: RFC 2307, An Approach for Using LDAP as a Network Information Service; RFC draft (Joslin), A Configuration Profile Schema for LDAP-based Agents

EMC VNX documentation on the EMC Online Support website

The complete set of EMC VNX series customer publications is available on the EMC Online Support website. To search for technical documentation, go to http://support.emc.com. After logging in to the website, click the VNX Support by product page to locate information for the specific feature required.

VNX for File wizards

Unisphere software provides wizards for performing setup and configuration tasks. The Unisphere online help provides more details on the wizards.

Concepts

Each Data Mover on a VNX for File system needs a mechanism for looking up user and system information, including usernames, passwords, home directories, groups, hostnames, IP addresses, and netgroup definitions. The Data Mover obtains this information by making queries to naming services. Naming services are used by several of the protocols supported by VNX for File. You can configure one or more of the following naming services for each Data Mover in your system:
  Local files (passwd, group, hosts, and netgroup)
  Network Information Service (NIS)
  Domain Name System (DNS)
  Active Directory with Microsoft Windows Services for UNIX (SFU) or Identity Management for UNIX (IdMU)
  OpenLDAP
  Sun Java System Directory Server (iplanet)
  Active Directory (using VNX CIFS Microsoft Management Console [MMC] snap-ins)
  Windows Internet Naming Service (WINS)

Note: The Sun Java System Directory Server was formerly known as Sun ONE Directory Server and iplanet. Because this product continues to be known as iplanet by many users, the name iplanet is used in this discussion.

When naming services are required, the Data Mover first checks its local cache. It then queries all the configured naming services in a predetermined order until the requested entity is found or until all naming services are queried. The search order is determined by the name service switch (nsswitch), which is configured by using the nsswitch.conf file.

Local files

Local files are text files that reside on a Data Mover. Depending on the type of information these files contain, they are identified as passwd, group, hosts, or netgroup files:
  The passwd file contains the users who can access the Data Mover.
  The group file defines the groups to which users belong.
  The hosts file contains a list of IP addresses with their corresponding hostnames.
  The netgroup file contains a list of network group names with the list of hostnames for hosts belonging to the group. In addition to mapping hosts to network groups, it also maps users to network groups.

Note: When deploying CIFS in a Windows environment, DNS is required.

Local files are the most efficient way of looking up entities because they do not require getting information from another server on the network. However, when you use local files, you must manually update entity information on each Data Mover as the entities on your network change.

Local files are not provided on a Data Mover by default. To use local files, you must create and copy these files to the Data Mover. To update the information in an existing file, you must retrieve the file from the Data Mover, modify it, and then copy it back to the Data Mover. These tasks can only be accomplished by using the CLI. "Configuring local files" on page 20 describes how to configure a Data Mover to use local files for naming services.

NIS

NIS is a distributed data lookup service that shares user and system information across a network, including usernames, passwords, home directories, groups, hostnames, IP addresses, and netgroup definitions. Unlike local files that must be maintained on each Data Mover individually, NIS allows you to organize information in a domain structure stored in a central repository and maintained on dedicated NIS servers. When configured, NIS domain information is available on the network.

To configure a Data Mover as a client of an NIS server, you must know the NIS domain name and the IP addresses for the NIS servers. If possible, configure multiple NIS servers; the Data Mover tries the alternate servers if the first one is unavailable. You can configure up to 10 NIS servers in a single NIS domain on a Data Mover.

Note: If you are accessing NIS servers that support both IPv4 and IPv6, you should configure at least one interface for each address type on each Data Mover in that domain.

Note: A Data Mover supports only one NIS domain. Each time you configure an NIS domain and specify the servers, it overwrites the previous configuration.

"Configuring NIS" on page 23 describes how to configure a Data Mover to use NIS for naming services.

DNS

DNS is a name resolution system that allows users to locate computers and services on a UNIX or TCP/IP network by name. The DNS server maintains a database of domain names, hostnames and their corresponding IP addresses, and services provided by these hosts.

To configure a Data Mover as a client of a DNS server, you must know the DNS domain name and the IP addresses for the DNS servers. If possible, configure multiple DNS servers; the Data Mover tries the alternate servers if the first one is unavailable. You can configure up to three DNS servers in a single DNS domain on a Data Mover. Furthermore, you can configure multiple DNS domains for the same Data Mover, each with its own set of DNS servers.

Note: DNS is required for Windows 2000 and later domains. The DNS server should support dynamic updates (DDNS). If DDNS is unsupported, you must manually update the DNS server. Also, if you are accessing DNS servers that support both IPv4 and IPv6, you should configure at least one interface for each address type on all CIFS servers on each Data Mover in that domain. Configuring and Managing CIFS on VNX provides more information on DNS and Windows domains.

"Configuring DNS" on page 24 describes how to configure a Data Mover to use DNS for naming services.

LDAP-based directory services

VNX for File supports three LDAP-based directory services:
  Active Directory with Microsoft Windows Services for UNIX (SFU) or Identity Management for UNIX (IdMU)
  OpenLDAP
  iplanet

Active Directory with SFU or IdMU, OpenLDAP, and iplanet (also known as Sun Java System Directory Server and Sun ONE Directory Server), hereafter collectively referred to as LDAP-based directories, are distributed directory servers that provide a central repository for storing and managing identity profiles, access privileges, and application and network resource information. In a VNX environment, LDAP-based directories may be used to provide user account information, group information, hosts, and netgroups. While LDAP-based directories provide a repository for the same information as that stored by NIS, unlike NIS where you have to edit database tables and explicitly propagate updated information, LDAP-based directories provide centralized management in real time.

To configure a Data Mover as a client of an LDAP-based directory server, you must know the LDAP-based directory domain name or base distinguished name and the IP addresses for the configuration or service servers. If possible, configure multiple LDAP-based directory servers; the Data Mover tries the additional servers if the first one is unavailable. A Data Mover supports only one LDAP-based directory domain.

Note: EMC recommends continuing to use DNS to get information about hostnames and their IP addresses.

"Configuring a Data Mover as an LDAP-based directory service client" on page 25 describes how to configure a Data Mover to use an LDAP-based directory server for naming services. If you are using OpenLDAP and plan to export NFS file systems, "Edit OpenLDAP schema for Linux" on page 59 provides additional information.

LDAP-based directory structure

An LDAP-based directory server organizes information in a hierarchical directory structure unique to a particular organization's needs. Each object stored in the directory is represented by a directory entry. An entry is formed by one or more attributes. Entries are stored in a hierarchical form in the directory tree. Each entry is uniquely defined by its distinguished name (DN), which enumerates the position of this entry in the tree. For example, the distinguished name for the admin group is "cn=admin,ou=group,dc=mycompany,dc=com". Using LDAP, one may query an entry and request all the entries and their attributes below the requested entry.

An example of an LDAP-based directory structure is as follows:

  dc=mycompany,dc=com
    ou=people
    ou=group
    ou=hosts
    ou=netgroup

dc= indicates domain components and ou= indicates organizational units consisting of people, groups, hosts, and netgroups. Typically, the cn attribute is used to indicate the name by which a particular entry is commonly known.

The directory structure can be changed. You inform the Data Mover about your organization's directory structure by uploading a custom client configuration profile or configuration file. For example, your organization's user information might be stored in a container called users rather than people, and hosts in a container called computers rather than hosts. You can also define several containers for the same object class. The containers that make up the LDAP-based directory structure use the following object types:

  iplanet/openldap container   iplanet/openldap object class   IdMU container   IdMU object class
  ou=people                    posixaccount                    cn=users         User
  ou=group                     posixgroup                      cn=group         Group
  ou=hosts                     iphost                          cn=computers     Computer
  ou=netgroup                  nisnetgroup                     cn=netgroup      nisnetgroup

Directory server differences

The primary difference between LDAP-based directory servers is how the directory services are configured. You configure and manage them by using the server_ldap command:

iplanet makes use of an optional, downloadable client configuration profile containing additional configuration attributes beyond those supplied during the basic configuration. "Appendix A: iplanet client profile attributes" on page 64 provides a description of the LDAP configuration attributes. When provided, the profile supersedes server_ldap configuration settings when connecting to the iplanet service. Specifying a valid client configuration profile immediately impacts the iplanet service; that is, the client configuration profile is retrieved and read.

Active Directory with SFU or IdMU and OpenLDAP use a file-based configuration located in the Data Mover's /.etc directory:

For OpenLDAP, you can copy the ASCII configuration file, ldap.conf, from any available UNIX/Linux client. The Data Mover ignores the keywords that it does not support. This is the quickest way to set up file-based configuration. The PADL Software website provides additional information. "Appendix B: OpenLDAP configuration file" on page 67 provides an example of the relevant LDAP configuration attributes.

For Active Directory with SFU or IdMU, VNX for File provides two different configuration file templates, ldap.conf.idmu_template_v1 and ldap.conf.sfu35_template_v1. These templates provide the relevant LDAP configuration attributes for each schema (the SFU 3.5 LDAP schema requires more remapping directives than the IdMU LDAP schema). Rename the selected template file to ldap.conf. "Appendix C: IdMU configuration file template" on page 68 and "Appendix D: SFU 3.5 configuration file template" on page 69 provide examples of these template files. The IdMU template file provides the correct LDAP settings if the directory server was not configured with a special container for netgroups. Typically, the NIS Data Migration Wizard that is part of the IdMU software creates a default container for netgroups. Netgroups are not supported by the SFU 3.5 schema.

If the LDAP-based directory service was previously configured with an ldap.conf file, substituting a different ldap.conf file does not immediately impact the service. If the service is restarted, the ldap.conf file is read and any applicable settings are applied.
If the service is not restarted, the configuration is automatically refreshed every 20 minutes, and the ldap.conf file is read at that point. Similarly, if the LDAP-based directory service is configured by using an ldap.conf file, removing the file does not immediately impact the service unless the service is restarted or the configuration is refreshed (every 20 minutes). If the LDAP-based directory service was not previously configured with an ldap.conf file, adding an ldap.conf file requires that you clear the previous configuration and reconfigure the Data Mover in order for the new ldap.conf file to be read and applied.

ldap.conf file

The ldap.conf file contains the following fields:

    nss_base_passwd
    nss_base_group
    nss_base_hosts
    nss_base_netgroup (OpenLDAP and IdMU only)
    nss_map_objectclass
    nss_map_attribute

The first four fields define the containers for users, groups, hosts, and netgroups. Containers are identified by their distinguished name:

    nss_base_passwd ou=users,dc=mycompany,dc=com
    nss_base_hosts ou=computers,dc=mycompany,dc=com

Containers can point to any directory in the tree. It is also possible to define several containers for the same object class. For example, if your organization's users are divided into several groups such as sales, engineering, and manufacturing, you can define three user containers:

    nss_base_passwd ou=sales,dc=mycompany,dc=com
    nss_base_passwd ou=engineering,dc=mycompany,dc=com
    nss_base_passwd ou=manufacturing,dc=mycompany,dc=com

The default search scope is one (that is, a single level). EMC recommends using the default value, as this type of search optimizes a lookup request:

    nss_base_passwd ou=sales,dc=mycompany,dc=com?one

You can change the search scope using the following syntax:

    nss_base_xxx base?scope?filter

where scope is {base,one,sub}. VNX for File does not support the filter field.

A scope value of sub (for example, nss_base_passwd ou=sales,dc=mycompany,dc=com?sub) results in a search of the entire subtree for posixaccount objects with the requested uid or username. This type of search can be lengthy when tens of thousands of objects have to be scanned.

The field

    nss_map_objectclass <rfc 2307 class> <class used in the ldap tree>

tells the Data Mover to query the customer-specific class instead of the default class defined by RFC 2307. The following definition is required for IdMU:

    nss_map_objectclass posixaccount User

The field

    nss_map_attribute <rfc 2307 attribute> <attribute used in the ldap object>

tells the Data Mover to query the customer-specific attribute instead of the default attribute defined by RFC 2307. For example:

    nss_map_attribute homedirectory unixhomedirectory

Configuration sequence

If you specify a client configuration profile when you start an LDAP-based directory service, the Data Mover tries to download the profile. If the profile downloads, iplanet directory services run. If the specified profile does not exist, the configuration fails. If no configuration profile is specified, the Data Mover checks for the /.etc/ldap.conf file. If it exists, it is used to complete the setup. If neither a client configuration profile is specified nor a configuration file exists, the directory service runs by using default parameters.

When using SSL, SSL configuration settings specified in the client configuration profile and in the file-based configuration override SSL settings configured with the server_ldap command.
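As an added example (not code from the EMC document or the VNX software), the following Python parser applies the ldap.conf rules above to a constructed file: repeated nss_base lines for one map, the ?scope suffix with its default of one, the unsupported filter field, keywords the Data Mover ignores, and the IdMU remapping directives.

```python
# Parser for the nss_base_* and nss_map_* directives of a VNX-style ldap.conf.
# Added example, not part of the EMC document or the VNX software. It applies
# the rules given in the text: repeated nss_base_<map> lines define several
# containers for one map, an optional "?scope" suffix selects base, one or sub
# (default one), the third "?filter" field is not supported, and
# nss_map_objectclass / nss_map_attribute remap RFC 2307 names to site names.
from dataclasses import dataclass, field

MAPS = ("passwd", "group", "hosts", "netgroup")
SCOPES = ("base", "one", "sub")


@dataclass
class SearchBase:
    dn: str
    scope: str = "one"      # the default scope; "sub" scans the whole subtree


@dataclass
class LdapConf:
    bases: dict = field(default_factory=lambda: {m: [] for m in MAPS})
    objectclass_map: dict = field(default_factory=dict)   # rfc2307 class -> site class
    attribute_map: dict = field(default_factory=dict)     # rfc2307 attr  -> site attr
    ignored: list = field(default_factory=list)           # unsupported keywords, skipped
    warnings: list = field(default_factory=list)


def parse_search_base(value):
    """Split 'base?scope?filter'; the Data Mover accepts no filter field."""
    parts = [p.strip() for p in value.split("?")]
    dn = parts[0]
    if not dn:
        raise ValueError(f"missing base DN in {value!r}")
    scope = parts[1].lower() if len(parts) > 1 and parts[1] else "one"
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}, got {scope!r}")
    if len(parts) > 2 and parts[2]:
        raise ValueError(f"filter field is not supported: {value!r}")
    return SearchBase(dn, scope)


def parse_ldap_conf(text):
    conf = LdapConf()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        keyword = fields[0].lower()
        if keyword.startswith("nss_base_"):
            name = keyword[len("nss_base_"):]
            if name not in MAPS or len(fields) < 2:
                raise ValueError(f"line {lineno}: bad directive {line!r}")
            base = parse_search_base(" ".join(fields[1:]))
            if base.scope == "sub":
                conf.warnings.append(
                    f"line {lineno}: sub scope on {base.dn} scans the whole subtree")
            conf.bases[name].append(base)
        elif keyword in ("nss_map_objectclass", "nss_map_attribute"):
            if len(fields) != 3:
                raise ValueError(f"line {lineno}: {keyword} needs two names")
            target = conf.objectclass_map if keyword == "nss_map_objectclass" else conf.attribute_map
            target[fields[1].lower()] = fields[2]
        else:
            conf.ignored.append(keyword)   # not supported on the Data Mover: ignored
    return conf


def site_objectclass(conf, rfc_class):
    """Class to query for an RFC 2307 class after remapping (e.g. posixaccount -> User)."""
    return conf.objectclass_map.get(rfc_class.lower(), rfc_class)


def site_attribute(conf, rfc_attr):
    return conf.attribute_map.get(rfc_attr.lower(), rfc_attr)


# Constructed sample file for a site that split users by department and uses
# the IdMU schema; "uri" and "ssl" stand in for keywords the Data Mover ignores.
SAMPLE_CONF = """\
# constructed sample, not a real site configuration
uri ldap://ldap.example.test
ssl start_tls
nss_base_passwd ou=sales,dc=mycompany,dc=com
nss_base_passwd ou=engineering,dc=mycompany,dc=com?one
nss_base_passwd ou=manufacturing,dc=mycompany,dc=com?sub
nss_base_group  cn=group,dc=mycompany,dc=com
nss_base_hosts  cn=computers,dc=mycompany,dc=com
nss_base_netgroup cn=netgroup,dc=mycompany,dc=com
nss_map_objectclass posixaccount User
nss_map_objectclass posixgroup Group
nss_map_attribute homedirectory unixhomedirectory
"""

if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_CONF)
    for m in MAPS:
        for b in conf.bases[m]:
            print(f"{m:9} {b.scope:4} {b.dn}")
    print("query", site_objectclass(conf, "posixAccount"), "for users;",
          "home directory attribute", site_attribute(conf, "homeDirectory"))
    print("ignored:", conf.ignored, "warnings:", conf.warnings)
```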

Authentication methods

The Data Mover's directory client supports several different authentication methods. The options you choose when configuring LDAP determine which authentication method is used:

    Anonymous
    Simple (password)
    Kerberos
    SSL:
        Anonymous
        Simple (password)
        SSL-based client authentication (if the LDAP-based directory server is configured to require client certificates)

Note: Active Directory with SFU or IdMU requires an authentication method that uses a password, Kerberos, or SSL. Anonymous authentication is not allowed.

Anonymous authentication

Anonymous authentication means no authentication occurs and the Data Mover uses an anonymous login to access the LDAP-based directory server.

Note: Anonymous authentication is only available when using OpenLDAP or iplanet.

Simple authentication

Simple or proxy authentication means the Data Mover must provide a bind distinguished name and password to access the LDAP-based directory server. The bind DN is the distinguished name of the identity used to bind to the service. Usually, the identity used to bind to the service is the domain manager.

Typically, Active Directory assumes a bind distinguished name format of cn=<acctname>,cn=users,dc=<domain component>,dc=<domain component>. However, the Active Directory administrator can create users in other locations within Active Directory, in which case the bind distinguished name path may be different.

An OpenLDAP directory server accepts different bind distinguished name formats. Typically, the domain manager is a user located in the default container for users: cn=administrator,ou=people,dc=<domain component>,dc=<domain component>.

Kerberos authentication

Kerberos authentication means the Data Mover, configured as a CIFS server, uses a KDC to confirm the Data Mover's identity when accessing the Active Directory. After you join a CIFS server to a domain, Kerberos generates a set of encryption and decryption keys that it shares with the domain controller. When the KDC receives an authentication request from a CIFS server, it performs authentication by decrypting the preauthentication data sent by the Data Mover with the decryption keys. If the decryption succeeds and the preauthentication data is accurate, the CIFS server is authenticated. After a CIFS server is authenticated, the KDC generates an initial ticket called the Ticket-granting Ticket (TGT). The TGT is a special ticket that enables the CIFS server to request services from the KDC.

Note: If a Data Mover is using Kerberos authentication, the VNX for File administrator must not delete the associated CIFS server while it is being used for LDAP service.

SSL authentication

SSL authentication means the Data Mover directory client, using the underlying SSL client, verifies the certificate received from the LDAP-based directory server. The CA certificate (for the CA that signed the directory server's certificate) must have been imported into the Data Mover for the certificate verification to succeed.

If SSL-based client authentication is required by the LDAP-based directory server, a private key and a valid certificate must be associated with the specified persona in the Data Mover to authenticate the client. The Data Mover certificate subject must match the distinguished name for an existing user (account) at the directory server for authentication to succeed. (Some directory servers support mapping between the expected client certificate subject and the desired user account.)

When negotiating a secure connection with an LDAP-based directory server that requires SSL-based client authentication, the persona provides the private key and certificate to the Data Mover (client). The certificate provides a means for the server to identify and authenticate the client. Because there may be multiple services, each with its own key and certificate, and possibly one or more client connections running on a single Data Mover, the Data Mover application must indicate the persona to use to identify the private key and associated public key certificate. The VNX Security Configuration Guide provides information about SSL and PKI.

Authentication configuration rules

The following rules determine which authentication method is used:

    If you do not specify the bind DN option or enable SSL, the anonymous bind is used.
    If you specify the bind DN and password options, but do not enable SSL, a password-based bind is used.
    If you specify the bind DN and password options and enable SSL, a password-based bind is used, whether or not the sslpersona is configured.
    If you do not specify the bind DN option and do not configure the sslpersona, but enable SSL, an anonymous bind is used after the SSL connection is established.
    If you do not specify the bind DN option, but configure the sslpersona and enable SSL, an anonymous bind without SSL is used, unless the LDAP-based directory server is configured to require client certificates.

Note: When the sslpersona is configured (whether it is used or not), there must be a key and valid public key certificate associated with the specified persona or the SSL connection attempt fails. You must specify the sslpersona whenever the LDAP-based directory server is configured to require the client certificate, or the SSL connection fails because it is rejected by the LDAP-based directory server.

Cipher suites

A cipher suite defines a set of technologies to secure your LDAP communications:

    Key exchange algorithm (how the secret key used to encrypt the data is communicated from the client to the server). Examples: RSA key or Diffie-Hellman (DH)
    Authentication method (how hosts can ensure that the identity of remote hosts is correct). Examples: RSA certificate, DSS certificate, or no authentication
    Encryption cipher (how to encrypt data). Examples: AES (256 or 128 bits), RC4 (128 bits or 56 bits), 3DES (168 bits), DES (56 or 40 bits), or null encryption
    Hash algorithm (assuring data cannot be altered by unauthorized parties). Examples: SHA-1 or MD5

The supported cipher suites combine all of these items. The VNX Security Configuration Guide provides a list of cipher suites supported by VNX for File. "Configuring additional LDAP-based directory options" on page 28 provides information on how to configure a Data Mover to use secure LDAP-based directory communications.

Active Directory

Before the introduction of Microsoft software that provides a UNIX environment on Windows (Active Directory with SFU or IdMU), Active Directory was primarily used in Windows 2000 and Windows Server 2003 environments to provide authentication and authorization for Windows users. However, if the Active Directory schema was extended with an EMC proprietary schema to include UNIX attributes for Windows users and groups, you could configure a Data Mover to query the Active Directory to determine if a user and the group of which the user is a member have UNIX attributes assigned. If so, information stored in these attributes could be used for file access authorization.

To configure a Data Mover to query the Active Directory for UNIX attributes, you must install the UNIX user management component of the VNX CIFS management MMC snap-ins. You must also set the cifs useadmap parameter. Installing VNX Management Applications, Configuring VNX User Mapping, and the VNX UNIX User Management and VNX UNIX Attribute Migration online help systems provide more information.

Note: EMC recommends that you use Active Directory with SFU or IdMU instead of Active Directory with VNX CIFS MMC snap-ins. "LDAP-based directory services" on page 12 provides more information on using Active Directory with SFU or IdMU.

WINS

WINS is a Microsoft NetBIOS-based name resolution system that determines the IP address associated with a particular network node. WINS is typically used only in Windows NT environments. Starting with Windows 2000, WINS is superseded by DNS.

To configure a Data Mover as a WINS client, you must define one or more WINS servers that all CIFS servers on a Data Mover can access. Configuring and Managing CIFS on VNX provides more information on configuring WINS for CIFS servers in Windows NT environments.

nsswitch.conf file

The nsswitch.conf file determines which naming services are queried for each entity type and the order in which the naming services are checked. The nsswitch.conf file is a text file that can be edited to arrange the search order that best fits your environment. A template for the file, nsswitch.conf.tmpl, is provided in the Control Station's /nas/sys directory.

If you do not provide a nsswitch.conf file, the Data Mover queries naming services for each entity in the following order:

    For passwd, group, and netgroup entities, the Data Mover queries its local files first, followed by NIS.
    For hosts entities, the Data Mover queries its local files first, followed by NIS, and then DNS.

If an entity is not defined in the nsswitch.conf file, the Data Mover uses the default search. The LDAP-based directory server is only queried if it is added to the nsswitch.conf file as a naming service. For example, to configure the Data Mover to query users from the /.etc/passwd file first, and, if the user is not found there, to then query the LDAP server, specify passwd: files ldap. If no nsswitch.conf file is provided, the Data Mover uses the default search order, which does not include the LDAP-based directory server. "Configuring the nsswitch.conf file" on page 38 provides more information about the nsswitch.conf file.

Protocol user authentication

Certain protocols, such as FTP, can use LDAP-based directories, NIS, or local files to authenticate user account information for distributed applications. For example, each time you log in to VNX for File's FTP server, FTP binds to the directory server, which then validates the presented credentials and allows you to authenticate with the server you are accessing.

VNX for File authenticates the FTP user by reading the hashed password from a directory, hashing the password supplied by the FTP user, and comparing the two. Passwords are hashed using the UNIX CRYPT, MD5, or MD5_CRYPT hashing algorithms.

Note: MD5_CRYPT may be required when the directory server is an Active Directory.

"Specify the use of simple (password) authentication" on page 28 describes how the LDAP-based directory must be configured if it is used to provide user password authentication for a Data Mover's FTP or PC-NFS services. The FTP man page and FTP on VNX provide information about FTP.

Configuring local files

To configure the use of local files by a Data Mover, you must either:

    Create the appropriate text file on the Control Station, and then copy it to the Data Mover, or
    Retrieve the existing file from the Data Mover, modify it, and then copy it back to the Data Mover

"Local files" on page 10 provides information about local files.

Prerequisites

To create a new local file for a Data Mover, you can copy a passwd, group, hosts, or netgroup file from another UNIX or Linux system to use as a template. When creating or editing local files, these rules apply:

    All entries (Windows names, usernames, domain names, global group names) must be typed in lowercase ASCII only.
    Any spaces in Windows domain or group names should be replaced with =20 to become legal in a UNIX-style file.
    Any non-ASCII character (such as vowels with French accents) must be replaced by =xx or ==xxyy, where xx and xxyy are the hexadecimal codes in UTF-8 of the character.
    If using UNIX user authentication, run the server_user command to generate an encrypted password in the password field, but do not include the domain as part of the username.

The passwd, group, hosts, and netgroup files are standard UNIX-based files. You can view the standard description of these files and their format by using the man command.

Create or edit a passwd file

Each line of the passwd file defines a user and has the format:

    username:password:uid:gid:gcos

username is the user's login name. When querying for Windows users, by default, the system checks for CIFS usernames in the form username.domain (domain being the Windows domain name). Setting the cifs resolver parameter to 1 enables the system to retrieve user and group entries without domain extensions. Configuring VNX User Mapping provides more information.

password is an empty field. The encrypted password for the user is in the corresponding entry in the shadow file.

uid is the user's unique numerical ID for the system.

gid is the unique numerical ID of the group to which the user belongs.
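Added example, not from the EMC document or the VNX software: a small Python helper that applies the local-file rules above (lowercase, =20 for spaces, =xx or ==xxyy for the UTF-8 bytes of a non-ASCII character) and writes passwd lines in the username.domain form, with a decoder to check the round trip. The text does not describe characters whose UTF-8 encoding is longer than two bytes, or the ':' and '=' characters, so the helper rejects them rather than guessing.

```python
# Helpers for writing Data Mover local files from Windows names, following the
# rules in the text: entries are lowercase ASCII, spaces become =20, and a
# non-ASCII character becomes =xx or ==xxyy, the hex of its UTF-8 bytes.
# Added example, not part of the EMC document or the VNX software. Characters
# whose UTF-8 encoding is longer than two bytes, and ':' / '=' themselves, are
# not covered by the text, so they are rejected instead of guessed at.


def encode_token(name):
    """Return the local-file spelling of a Windows user, group or domain name."""
    out = []
    for ch in name.lower():
        if ch == " ":
            out.append("=20")
        elif ch in ":=":
            # ':' separates passwd fields and '=' starts an escape; the text
            # gives no encoding for them, so refuse rather than corrupt the file
            raise ValueError(f"character {ch!r} in {name!r} cannot be written")
        elif ord(ch) < 0x80:
            out.append(ch)
        else:
            raw = ch.encode("utf-8")
            if len(raw) > 2:
                raise ValueError(f"{ch!r}: only the =xx and ==xxyy forms are documented")
            out.append("=" * len(raw) + raw.hex())   # e.g. 'é' -> ==c3a9
    return "".join(out)


def decode_token(token):
    """Reverse encode_token: each run of n '=' is followed by 2n hex digits."""
    out, i = [], 0
    while i < len(token):
        if token[i] != "=":
            out.append(token[i])
            i += 1
            continue
        n = 0
        while i < len(token) and token[i] == "=":
            n, i = n + 1, i + 1
        hexpart = token[i:i + 2 * n]
        if len(hexpart) != 2 * n:
            raise ValueError(f"truncated escape in {token!r}")
        out.append(bytes.fromhex(hexpart).decode("utf-8"))
        i += 2 * n
    return "".join(out)


def local_username(user, domain, with_domain=True):
    """username.domain is the default lookup form; with_domain=False gives the
    plain username used when the cifs resolver parameter is set to 1."""
    name = encode_token(user)
    return f"{name}.{encode_token(domain)}" if with_domain else name


def passwd_line(user, domain, uid, gid, gcos="", with_domain=True):
    """One passwd line, username:password:uid:gid:gcos, with the password field
    left empty because the encrypted password lives in the shadow file."""
    if uid < 0 or gid < 0:
        raise ValueError("uid and gid must be non-negative")
    return f"{local_username(user, domain, with_domain)}::{uid}:{gid}:{encode_token(gcos)}"


if __name__ == "__main__":
    # constructed sample names, not from a real domain
    print(passwd_line("Jean Élodie", "EMC CORP", 1001, 100))
    print(passwd_line("bob", "EMC CORP", 1002, 100, with_domain=False))
    print(encode_token("Domain Users"), "->", decode_token(encode_token("Domain Users")))
```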

Note: You can use the server_user <movername> -add command to create a new user account on the Data Mover. This command must be executed from the /nas/sbin directory; you must be root user to execute it.

Create or edit a group file

The group file defines the groups to which users belong. Each line of the group file defines a group and has the format:

    groupname:gid:user_list

groupname is the name of the group. When querying for Windows groups, by default, the system checks for CIFS group names in the form groupname.domain (domain being the Windows domain name). Setting the cifs resolver parameter to 1 enables the system to retrieve user and group entries without domain extensions. Configuring VNX User Mapping provides more information.

gid is the numerical group ID.

user_list is all the group member usernames, separated by commas.

Create or edit a hosts file

Each line of the hosts file defines a host and has the format:

    IP_address hostname aliases

IP_address is the host's IP address.

hostname is the official name of the host.

aliases provides for name changes, alternate spellings, shorter hostnames, or generic hostnames (for example, localhost).

Fields are separated by any number of blanks or tab characters or both.

Create or edit a netgroup file

Each line of the netgroup file defines a group and has the format:

    groupname member1 member2...

Each member is either the name of another group or indicates specific hosts, users, and domains, referred to as a triple, as follows:

    (hostname,username,domainname)

Any of the triple's three fields can be blank, meaning all the values in that field are included. A dash (-) in any of the fields means there are no valid values. For example, the following line defines a group called ouruniverse that consists of all hosts and users in the NIS domain ourdomain:

    ouruniverse (,,ourdomain)

The following lines define a group called ourhosts that includes all of the hosts but none of the users in the domain, and a group called ourusers that includes all users but no hosts:

    ourhosts (,-,ourdomain)
    ourusers (-,,ourdomain)

The following line defines a group called ouruniverse that consists of two hosts, hostatlanta and hostboston:

    ouruniverse (hostatlanta,,),(hostboston,,)

Note: IP addresses are not allowed.

A netgroup file can include as many lines as required; however, each line must be less than 1 KB in length. If necessary, a line can be continued on another line by using the backslash (\) as a continuation character. A triple, however, cannot be split across two lines.

Note: If you use a backslash (\) as a continuation character, it must be the last character on the line. It cannot be followed by spaces.

Configure local files on a Data Mover

1. Copy the local file (passwd, group, hosts, or netgroup) from the Data Mover to the Control Station by using this command syntax:

    $ server_file <movername> -get <src_file> <dst_file>

    <movername> = name of the Data Mover
    <src_file> = source file on the Data Mover
    <dst_file> = destination file on the Control Station

2. By using a text editor, edit the file on the Control Station to add, delete, or modify entries.

3. Copy the file from the Control Station back to the Data Mover by using this command syntax:

    $ server_file <movername> -put <src_file> <dst_file>

    <movername> = name of the Data Mover
    <src_file> = source file on the Control Station
    <dst_file> = destination file on the Data Mover
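The netgroup file rules above, as an added example (not code from the EMC document or the VNX software): a Python parser that enforces the line-length, continuation and triple rules, resolves nested group names, and answers whether a host or user is a member, using a constructed sample file built from the forms shown in the text.

```python
# Parser and membership check for a Data Mover netgroup file. Added example,
# not part of the EMC document or the VNX software. It applies the rules in the
# text: members are group names or (host,user,domain) triples, a blank field
# means all values, "-" means no valid values, IP addresses are not allowed, a
# line must be shorter than 1 KB, "\" continues a line only as its last
# character, and a triple cannot be split across two lines.
import re
from dataclasses import dataclass

NOVALUE = "-"                                   # dash: no valid values in this field
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def field_value(text):
    """'' -> None (all values), '-' -> NOVALUE, otherwise the literal name."""
    if text == "":
        return None
    if _IPV4.match(text):
        raise ValueError(f"IP addresses are not allowed in a netgroup: {text}")
    return text


@dataclass(frozen=True)
class Triple:
    host: object
    user: object
    domain: object

    def matches(self, host=None, user=None, domain=None):
        """A query field given as None is not constrained by the caller."""
        for want, have in ((host, self.host), (user, self.user), (domain, self.domain)):
            if want is None:
                continue
            if have == NOVALUE or (have is not None and have != want):
                return False
        return True


def logical_lines(text):
    """Join continuation lines after checking the physical-line rules."""
    lines, pending = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw.encode("utf-8")) >= 1024:
            raise ValueError(f"line {lineno}: each line must be less than 1 KB")
        if raw != raw.rstrip() and raw.rstrip().endswith("\\"):
            raise ValueError(f"line {lineno}: '\\' must be the last character")
        cont = raw.endswith("\\")
        body = raw[:-1] if cont else raw
        if body.count("(") != body.count(")"):
            raise ValueError(f"line {lineno}: a triple cannot be split across lines")
        pending = body if pending is None else pending + " " + body
        if not cont:
            lines.append(pending)
            pending = None
    if pending is not None:
        raise ValueError("file ends inside a continued line")
    return lines


def parse_members(text):
    """Members are separated by blanks or commas; '(a,,),(b,,)' is two triples."""
    members, i = [], 0
    while i < len(text):
        c = text[i]
        if c.isspace() or c == ",":
            i += 1
        elif c == "(":
            j = text.index(")", i)
            fields = [f.strip() for f in text[i + 1:j].split(",")]
            if len(fields) != 3:
                raise ValueError(f"a triple needs three fields: {text[i:j + 1]}")
            members.append(Triple(*(field_value(f) for f in fields)))
            i = j + 1
        else:
            j = i
            while j < len(text) and not text[j].isspace() and text[j] not in ",(":
                j += 1
            members.append(text[i:j])           # the name of another netgroup
            i = j
    return members


def parse_netgroup_file(text):
    groups = {}
    for line in logical_lines(text):
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        groups[parts[0]] = parse_members(parts[1]) if len(parts) > 1 else []
    return groups


def in_netgroup(groups, name, host=None, user=None, domain=None, _seen=None):
    """True if a triple reachable from `name` matches the given fields."""
    _seen = set() if _seen is None else _seen
    if name in _seen:                           # guard against a self-including group
        return False
    _seen.add(name)
    for member in groups.get(name, []):
        if isinstance(member, Triple):
            if member.matches(host, user, domain):
                return True
        elif in_netgroup(groups, member, host, user, domain, _seen):
            return True
    return False


# Constructed sample file built from the forms shown in the text.
SAMPLE_NETGROUP = """\
# constructed sample netgroup file
ouruniverse (,,ourdomain)
ourhosts    (,-,ourdomain)
ourusers    (-,,ourdomain)
twohosts    (hostatlanta,,),(hostboston,,)
everyone    twohosts \\
            ourusers
"""

if __name__ == "__main__":
    groups = parse_netgroup_file(SAMPLE_NETGROUP)
    print("hostboston in everyone:", in_netgroup(groups, "everyone", host="hostboston"))
    print("alice in ourhosts:", in_netgroup(groups, "ourhosts", user="alice", domain="ourdomain"))
```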

Configuring NIS

To configure a Data Mover as an NIS client, you must provide the NIS domain name and one or more NIS servers that host the domain. A Data Mover can support only one NIS domain. "NIS" on page 11 provides information about NIS.

Prerequisites

If possible, define multiple NIS servers; the Data Mover tries the alternate servers if the first one is unavailable. You can configure up to 10 NIS servers for a single NIS domain on a Data Mover.

Each time you run the server_nis command to configure an NIS domain and specify the servers, it overwrites the previous configuration. The server_nis command also starts the NIS service on the Data Mover, if NIS is not running. After the NIS service is configured, it is enabled by default; that is, it automatically restarts after a Data Mover reboot.

Configure a Data Mover as an NIS client

To configure a Data Mover as an NIS client, use this command syntax:

    $ server_nis <movername> <domainname> {<ip_addr>,...}

    <movername> = name of the Data Mover
    <domainname> = name of the NIS domain
    <ip_addr> = address of an NIS server for the specified domain

Example:

To configure the use of two NIS servers on server_2 for the NIS domain nsg by using NIS servers found at IP addresses 172.16.21.10 and 172.16.22.10, type:

    $ server_nis server_2 nsg 172.16.21.10,172.16.22.10

Output:

    server_2 : done

Configuring DNS

To configure a Data Mover as a DNS client, you must provide a DNS domain name and one or more DNS servers that host the domain. "DNS" on page 11 provides information about DNS.

Prerequisites

If possible, define multiple DNS servers; the Data Mover tries the alternate servers if the first one is unavailable. You can configure up to three DNS servers for a single DNS domain on a Data Mover. Furthermore, you can configure multiple DNS domains for the same Data Mover, each with its own set of DNS servers. To configure multiple DNS domains for the same Data Mover, rerun the server_dns command for the same Data Mover but indicate a different DNS domain name and IP address.

The server_dns command also starts the DNS service on the Data Mover, if DNS is not running. After the DNS service is configured, it is enabled by default; that is, it automatically restarts after a Data Mover reboot.

Configure a Data Mover as a DNS client

To configure a Data Mover as a DNS client, use this command syntax:

    $ server_dns <movername> <domainname> {<ip_addr>,...}

    <movername> = name of the Data Mover
    <domainname> = name of the DNS domain (cannot exceed 155 characters)
    <ip_addr> = address of a DNS server for the specified domain

Example:

To configure server_2 to use the DNS domain nasdocs.emc.com on the DNS server found at IP address 128.221.21.10, type:

    $ server_dns server_2 nasdocs.emc.com 128.221.21.10

Output:

    server_2 : done

Configuring a Data Mover as an LDAP-based directory service client

To configure a Data Mover, use one of:

    "Configure an LDAP-based directory client by using a domain name" on page 26, or
    "Configure an LDAP-based directory client by using a base distinguished name" on page 27

"LDAP-based directory services" on page 12 provides information about LDAP-based directory services.

Prerequisites

An iplanet LDAP-based directory server supports several types of servers: configuration, service, preferred, and alternate. If you plan to use a client configuration profile for iplanet, specify the IP address of an iplanet configuration server in the server_ldap command. If you are not using a profile, specify the IP address of a service server. It is usual for the configuration server and a service server to be the same.

For OpenLDAP and Active Directory with SFU or IdMU, the Data Mover checks for the /.etc/ldap.conf file.

When using the server_ldap command, you can dynamically change binding credentials, specifying the same basedn or domain but specifying a different password, without disconnecting from the LDAP-based directory server. Alternatively, you can rerun the command to add user credentials (switch from anonymous to authenticated mode) or remove user credentials (switch from authenticated mode to anonymous mode). In other words, it is not necessary to break the LDAP association to make a change. The association can remain active continuously as long as the Data Mover is running.

Note: Be sure the LDAP server is configured with the new password for the binding user's account; otherwise, when the user types a new password, the LDAP-based directory server will reject it and break the connection.

Note: Active Directory with SFU or IdMU requires an authentication method that uses a password, Kerberos, or SSL. Anonymous authentication is not allowed.

A Data Mover can support only one LDAP-based directory domain at a time. Before configuring a new LDAP-based directory domain, the previous configuration must be deleted.

If possible, define multiple servers; the Data Mover tries the additional servers if the first one is unavailable. There is no limit on the number of servers for a single LDAP-based directory domain on a Data Mover.

The server_ldap command also starts the LDAP-based directory service on the Data Mover. After the service is configured, it is enabled by default and automatically restarts after a Data Mover reboot.

Note: Active Directory with SFU or IdMU requires that cifs resolver be set so that user and group names are retrieved with a domain extension. Configuring VNX User Mapping describes how to set the cifs resolver parameter.

Configure an LDAP-based directory client by using a domain name

To configure a Data Mover as an LDAP-based directory client by using a domain name, use this command syntax:

    $ server_ldap <movername> -set -domain <fqdn> -servers <ip_addr>[:<port>][,<ip_addr>[:<port>]...]

    <movername> = name of the Data Mover
    <fqdn> = fully qualified domain name of the specified LDAP-based directory domain
    <ip_addr> = address of an LDAP-based directory server (configuration or service) for the specified domain
    <port> = number of the LDAP-based directory server TCP port. If you do not specify the port for each server, the default will be port 389 for LDAP, and port 636 for LDAP with SSL enabled. "Configuring additional LDAP-based directory options" on page 28 provides more information about SSL.

Example:

To configure server_2 to use the LDAP-based directory domain nasdocs.emc.com on the LDAP-based directory server found at IP address 172.16.21.10 and the default port number 389, type:

    $ server_ldap server_2 -set -domain nasdocs.emc.com -servers 172.16.21.10

"Managing an LDAP-based directory" on page 46 provides more information about managing the LDAP-based directory service by using server_ldap command options.

Output:

    server_2 : done

Configure an LDAP-based directory client by using a base distinguished name

EMC recommends configuring an LDAP-based directory client by using the base distinguished name (-basedn option) instead of the domain name (-domain option). The -basedn option specifies the Distinguished Name (DN) of the directory base, an x509 formatted name that uniquely identifies the directory base. The base distinguished name provides the root position for:

    Searching for iplanet profiles
    Defining default search containers for users, groups, hosts, and netgroups according to RFC 2307

An iplanet profile and an OpenLDAP or Active Directory with SFU or IdMU ldap.conf file are required only for customized setups.

Note: In the case in which the distinguished name of the directory base contains dots and the client is configured using the domain name, the default containers may not be set up correctly. For example, if the name is dc=my.company,dc=com and it is specified as domain name my.company.com, VNX for File incorrectly defines the default containers as dc=my,dc=company,dc=com.

To configure a Data Mover as an LDAP-based directory client by using a base distinguished name, use this command syntax:

    $ server_ldap <movername> -set -basedn <attribute_name>=<attribute_value>[,...] -servers <ip_addr>[:<port>][,<ip_addr>[:<port>]...]

    <movername> = name of the Data Mover
    <attribute_name> = LDAP attribute name
    <attribute_value> = LDAP attribute value
    <ip_addr> = address of an LDAP-based directory server (configuration or service) for the specified domain
    <port> = number of the LDAP-based directory server TCP port. If you do not specify the port for each server, the default will be port 389 for LDAP, and port 636 for LDAP with SSL enabled. "Configuring additional LDAP-based directory options" on page 28 provides more information about SSL.

Note: If a base distinguished name contains space characters, enclose the entire string within double quotation marks and enclose the name with a backslash and double quotation mark. For example, "\"cn=abc,cn=def ghi,dc=com\"".

Example:

To configure server_2 to use the base distinguished name dc=nasdocs,dc=emc on the LDAP-based directory server found at IP address 172.16.21.10 and the default port number 389, type:

    $ server_ldap server_2 -set -basedn dc=nasdocs,dc=emc -servers 172.16.21.10

"Managing an LDAP-based directory" on page 46 provides more information about managing the LDAP-based directory service by using server_ldap command options.

Output:

    server_2 : done

Configuring additional LDAP-based directory options

You can specify several additional configuration options when you configure a Data Mover as an LDAP-based directory client. You can specify these configuration options at any time, even after the LDAP-based directory service is started. Stop and then restart the LDAP-based directory service when making a configuration change. Configuration changes may take up to 1 minute to take effect.

To configure LDAP-based directory options:

- "Specify the use of simple (password) authentication" on page 28
- "Enable SSL for LDAP-based directories" on page 31
- "Specify the SSL persona" on page 32
- "Specify the SSL cipher suite" on page 33
- "Specify an iplanet client configuration profile" on page 34
- "Specify an NIS domain" on page 37
- "Copy the ldap.conf file" on page 35

Specify the use of simple (password) authentication

"Authentication methods" on page 16 provides information about the different authentication methods.

To specify that the LDAP-based directory service for a Data Mover uses simple authentication (password), use this command syntax:

    $ server_ldap <movername> -set -p -basedn <attribute_name>=<attribute_value>[,...] -servers <ip_addr>[:<port>] -binddn <bind_dn>

    <movername> = name of the Data Mover
    <attribute_name>=<attribute_value> = specifies the Distinguished Name (DN) of the directory base
    <ip_addr> = address of an LDAP-based directory server (configuration or service) for the specified domain
    <port> = number of the LDAP-based directory server TCP port
    <bind_dn> = distinguished name of the identity used to bind to the service

Example: To specify that the LDAP-based directory service on server_2 (which is configured to use Active Directory with IdMU) uses simple authentication (password), type:

    $ server_ldap server_2 -set -p -basedn dc=nasdocs,dc=emc -servers 172.16.21.10 -binddn "cn=admin,cn=users,dc=nasdocs,dc=emc"

VNX for File sends the password to the LDAP-based directory server in clear text.

The -binddn and -p options must be specified if the LDAP-based directory is used to provide user password authentication for a Data Mover's FTP or PC-NFS services.

Output

    Enter password:
    server_2 : done

Specify the use of Kerberos authentication

Prerequisites

A Data Mover that will serve as an LDAP-based directory client must be configured as a CIFS server. The CIFS service does not need to be started for server_ldap to use a CIFS computer name as the Kerberos account with which to authenticate. There is no need to provide a password because the password is managed by the Data Mover.

Kerberos authentication must know the hostname of the LDAP server. Because server_ldap passes IP addresses only, the Data Mover needs to be able to resolve these addresses to hostnames. When the LDAP server is an Active Directory, the hostname is automatically retrieved. If the LDAP server is OpenLDAP or iplanet, you must:

- Define the LDAP server hostname in either the local /.etc/hosts file or in the NIS or DNS server.
- Edit the nsswitch.conf file so that the Data Mover uses the selected naming services, for example the local hosts file, to resolve the LDAP server hostname prior to using LDAP (hosts: files ldap).

"Authentication methods" on page 16 provides information about the different authentication methods.

To specify that the LDAP-based directory service for a Data Mover uses Kerberos authentication, use this command syntax:

    $ server_ldap <movername> -set -basedn <attribute_name>=<attribute_value>[,...] -servers <ip_addr>[:<port>] -kerberos -kaccount <account_name> [-realm <realm_name>]

    <movername> = name of the Data Mover
    <attribute_name>=<attribute_value> = specifies the Distinguished Name (DN) of the directory base
    <ip_addr> = address of an LDAP-based directory server (configuration or service) for the specified domain
    <port> = number of the LDAP-based directory server TCP port
    <account_name> = name of the identity used to bind to the service

    Note: The <account_name> is the CIFS server computer name known to the KDC. It must:
    - Terminate with a $ symbol
    - Be global to the Data Mover
    - Be a member of the joined domain specified in the -servers option or a member of a trusted domain
    - Be limited to 15 bytes
    - Not begin with an @ (at sign) or - (dash) character
    - Not include spaces, tab characters, or the following symbols: / \ : ; , = * + [ ] ? < > "

    <realm_name> = name of the LDAP domain

Example: To specify that the LDAP-based directory service on server_2 (which is configured to use Active Directory with IdMU) uses Kerberos authentication, type:

    $ server_ldap server_2 -set -basedn dc=nasdocs,dc=emc -servers 172.16.21.10 -kerberos -kaccount cifs_compname$

Output

    server_2 : done
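The following is an added example, not EMC's code, that checks a server_ldap -set command line on the Control Station before it is run. It applies the rules given in the simple-authentication and Kerberos sections above: the account-name constraints from the note, the quoting the earlier note requires for a base DN that contains spaces, and a warning when -p (simple bind) is used without SSL, since the page states that the password is then sent in clear text. The function names are this example's own; the joining of several -servers entries with commas is an assumption.

```python
"""Sanity-check a server_ldap -set command line before running it (added example)."""

# Characters the note above forbids in the CIFS computer name used as -kaccount.
FORBIDDEN_CHARS = set('/\\:;,=*+[]?<>" \t')


def validate_kerberos_account(account):
    """Return a list of violated rules; an empty list means the name is acceptable."""
    problems = []
    if not account.endswith("$"):
        problems.append("must terminate with a $ symbol")
    # The page says "limited to 15 bytes"; applied here to the whole account name.
    if len(account.encode("utf-8")) > 15:
        problems.append("must be limited to 15 bytes")
    if account.startswith(("@", "-")):
        problems.append("must not begin with an @ or - character")
    bad = sorted(set(account) & FORBIDDEN_CHARS)
    if bad:
        problems.append("must not include " + repr("".join(bad)))
    return problems


def quote_basedn(basedn):
    """Quote a base DN that contains spaces the way the earlier note describes."""
    if " " in basedn:
        return '"\\"' + basedn + '\\""'
    return basedn


def build_server_ldap_set(movername, basedn, servers, auth=None, ssl_enabled=False):
    """Return (command_line, warnings).

    auth is None for an anonymous bind, ("simple", bind_dn) for -p/-binddn, or
    ("kerberos", account) / ("kerberos", account, realm) for -kerberos/-kaccount.
    ssl_enabled says whether -sslenabled y has been (or will be) applied to this
    Data Mover; it only drives the warning and is not added to the command.
    Comma-joining several -servers entries is an assumption of this example.
    """
    parts = ["server_ldap", movername, "-set"]
    warnings = []
    if auth is not None and auth[0] == "simple":
        parts.append("-p")
    parts += ["-basedn", quote_basedn(basedn), "-servers", ",".join(servers)]
    if auth is None:
        pass
    elif auth[0] == "simple":
        parts += ["-binddn", '"%s"' % auth[1]]
        if not ssl_enabled:
            warnings.append("simple bind without SSL: the bind password crosses "
                            "the network in clear text")
    elif auth[0] == "kerberos":
        problems = validate_kerberos_account(auth[1])
        if problems:
            raise ValueError("-kaccount %r: %s" % (auth[1], "; ".join(problems)))
        parts += ["-kerberos", "-kaccount", auth[1]]
        if len(auth) > 2:
            parts += ["-realm", auth[2]]
    else:
        raise ValueError("unknown authentication method %r" % (auth[0],))
    return " ".join(parts), warnings


if __name__ == "__main__":
    cmd, warns = build_server_ldap_set("server_2", "dc=nasdocs,dc=emc", ["172.16.21.10"],
                                       auth=("kerberos", "cifs_compname$"))
    print(cmd)
    for w in warns:
        print("warning:", w)
```

Run it on the Control Station to review the command line and any warnings before typing the real server_ldap command; the Kerberos variant raises ValueError on an account name that the note's rules would reject.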

Enable SSL for LDAP-based directories

You can configure LDAP-based directory communications over SSL to secure your communications. Enabling SSL causes all subsequent LDAP connections (for the specified domain or base distinguished name) to use SSL without requiring a Data Mover reboot.

Prerequisites

Prior to configuring SSL for LDAP-based directories, the CA certificate for the CA that signed the directory server's certificate must be imported and, if the directory server is configured to require a client certificate, a signed certificate must be associated with the persona.

When you enable LDAP over SSL, if a port is not specified, port 636 is used by default.

To enable SSL, use this command syntax:

    $ server_ldap <movername> -set -sslenabled y

    <movername> = name of the Data Mover
    y = yes. The default is no.

Example: To enable SSL on server_2, type:

    $ server_ldap server_2 -set -sslenabled y

Output

    server_2 : done

Postrequisites

To verify that the SSL settings for server_2 are correct, type:

    $ server_ldap server_2 -info

Output

    server_2 :
    LDAP domain: nasdocs.emc.com
    Base DN: dc=nasdocs,dc=emc,dc=com
    State: Configured - Connected
    NIS domain: nasdocs.emc.com
    Proxy (Bind) DN: cn=manager,dc=nasdocs,dc=emc,dc=com
    DIT schema type: OPEN
    Connected to LDAP server address: 172.16.21.10 - port 636
    SSL state: enabled - Persona: none specified

Specify the SSL persona

You must specify the SSL persona if the LDAP-based directory server is configured for SSL client authentication and the Data Mover needs to provide a key and certificate.

Prerequisites

Before specifying the SSL persona for a Data Mover, the persona must be configured with keys and certificates. The VNX Security Configuration Guide provides more information about SSL personas.

The -sslpersona option does not automatically enable SSL, but the value specified in the option will be configured. The value is persistent and used whenever SSL is enabled. It is possible to enable SSL and specify a persona in one command.

To specify the SSL persona, use this command syntax:

    $ server_ldap <movername> -set -sslpersona {none|<persona_name>}

    <movername> = name of the Data Mover
    none = disables a previously configured use of a client key and certificate
    <persona_name> = name of the persona associated with the Data Mover

Example: To specify the persona, default, for server_2, type:

    $ server_ldap server_2 -set -sslpersona default

Output

    server_2 : done

Postrequisites

To verify that the SSL persona settings for server_2 are correct, type:

    $ server_ldap server_2 -info

Output

    server_2 :
    LDAP domain: nasdocs.emc.com
    Base DN: dc=nasdocs,dc=emc,dc=com
    State: Configured - Connected
    NIS domain: nasdocs.emc.com
    Proxy (Bind) DN: cn=manager,dc=nasdocs,dc=emc,dc=com
    DIT schema type: OPEN
    Connected to LDAP server address: 172.16.21.10 - port 636
    SSL state: enabled - Persona: default

Specify the SSL cipher suite

Prerequisites

The -sslcipher option does not automatically enable SSL, but the value specified in the option will be configured. The value is persistent and used whenever SSL is enabled. The -sslcipher option is required only if a nondefault cipher list is required; otherwise, the Data Mover default cipher list is used. It is possible to enable SSL and specify a cipher list in one command.

To specify the SSL cipher suite, use this command syntax:

    $ server_ldap <movername> -set -sslcipher {default|<cipher_list>}

    <movername> = name of the Data Mover
    default = value set in the ssl cipher parameter which, by default, is ALL:!ADH:!SSLv2:@STRENGTH, which means all ciphers supported by VNX for File except the Anonymous Diffie-Hellman, NULL, and the SSLv2 ciphers, sorted by the size of the encryption key
    <cipher_list> = list of one or more cipher strings separated by colons

VNX for File supports the SSL cipher suites listed at the OpenSSL Organization's website.

Example: To specify the AES 256 cipher suite for server_2, type:

    $ server_ldap server_2 -set -sslcipher AES256-SHA

Output

    server_2 : done
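The Postrequisites steps for SSL, the persona and the cipher suite all rely on reading the same server_ldap <movername> -info output by eye. The following is an added example, not EMC's code, that parses the "State", "Connected to LDAP server address", "SSL state" and "SSL cipher list" lines in the format those sections show and reports what a reviewer would look for: SSL enabled but not on the default SSL port 636, no persona when the directory server requires a client certificate, a cipher list that re-admits the ADH, NULL or SSLv2 ciphers that the default ALL:!ADH:!SSLv2:@STRENGTH excludes, or SSL disabled altogether (in which case the output shows port 389). The sample output is constructed from the page's examples; the function names are this example's own.

```python
"""Check the SSL settings that server_ldap <movername> -info reports (added example)."""
import re

# Constructed from the page's Postrequisites output, with a cipher list set.
SAMPLE_INFO = """\
server_2 :
LDAP domain: nasdocs.emc.com
Base DN: dc=nasdocs,dc=emc,dc=com
State: Configured - Connected
NIS domain: nasdocs.emc.com
Proxy (Bind) DN: cn=manager,dc=nasdocs,dc=emc,dc=com
DIT schema type: OPEN
Connected to LDAP server address: 172.16.21.10 - port 636
SSL state: enabled - Persona: default
SSL cipher list: AES256-SHA
"""

# OpenSSL cipher-string tokens the Data Mover default list keeps out; listing
# one of them without a leading "!" re-admits it.
WEAK_TOKENS = {"ADH", "aNULL", "NULL", "eNULL", "SSLv2"}


def parse_ldap_info(text):
    """Return a dict with connected, server, port, ssl_enabled, persona, cipher_list."""
    info = {"connected": False, "server": None, "port": None,
            "ssl_enabled": None, "persona": None, "cipher_list": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"State:\s*(.*)", line)
        if m:
            info["connected"] = "Connected" in m.group(1)
        m = re.match(r"Connected to LDAP server address:\s*(\S+)\s*-\s*port\s*(\d+)", line)
        if m:
            info["server"], info["port"] = m.group(1), int(m.group(2))
        m = re.match(r"SSL state:\s*(\w+)\s*-\s*Persona:\s*(.*)", line)
        if m:
            info["ssl_enabled"] = m.group(1) == "enabled"
            persona = m.group(2).strip()
            info["persona"] = None if persona == "none specified" else persona
        m = re.match(r"SSL cipher list:\s*(.*)", line)
        if m:
            info["cipher_list"] = m.group(1).strip()
    return info


def cipher_findings(cipher_list):
    """Flag a cipher list that admits ciphers the Data Mover default excludes."""
    findings = []
    tokens = cipher_list.split(":")
    for tok in tokens:
        if tok in WEAK_TOKENS:
            findings.append("cipher list explicitly admits %s" % tok)
    if "ALL" in tokens:
        # ALL only matches the default's intent when the same exclusions follow it.
        for excl in ("!ADH", "!SSLv2"):
            if excl not in tokens:
                findings.append("cipher list uses ALL without %s" % excl)
    return findings


def ssl_findings(info, client_cert_required=False):
    """Return a list of problems; an empty list means the SSL settings look right."""
    findings = []
    if not info["connected"]:
        findings.append("Data Mover is not connected to the LDAP server")
    if info["ssl_enabled"] is None:
        findings.append("no 'SSL state' line found in the -info output")
    elif info["ssl_enabled"]:
        if info["port"] != 636:
            findings.append("SSL enabled but connected on port %s, not the default 636"
                            % info["port"])
        if client_cert_required and not info["persona"]:
            findings.append("server requires a client certificate but no SSL persona is set")
        if info["cipher_list"]:
            findings.extend(cipher_findings(info["cipher_list"]))
    else:
        findings.append("SSL disabled: directory traffic, including any simple-bind "
                        "password, is in clear text")
    return findings


if __name__ == "__main__":
    for finding in ssl_findings(parse_ldap_info(SAMPLE_INFO), client_cert_required=True):
        print(finding)
```

Feed it the captured -info text after each of the three Postrequisites steps; an empty findings list is the expected result once SSL, the persona and the cipher list are all as intended.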

Postrequisites

To verify that the SSL cipher settings for server_2 are correct, type:

    $ server_ldap server_2 -info

Output

    server_2 :
    LDAP domain: nasdocs.emc.com
    Base DN: dc=nasdocs,dc=emc,dc=com
    State: Configured - Connected
    NIS domain: nasdocs.emc.com
    Proxy (Bind) DN: cn=manager,dc=nasdocs,dc=emc,dc=com
    DIT schema type: OPEN
    Connected to LDAP server address: 172.16.21.10 - port 636
    SSL state: enabled - Persona: none specified
    SSL cipher list: AES256-SHA
    LDAP configuration servers:
      Server address: 172.16.21.10 - port: 389
    Domain naming contexts: dc=nasdocs,dc=emc,dc=com
    Domain supported authentication mechanisms:
    Default search base: dc=nasdocs,dc=emc,dc=com
    Domain default search Scope: single-level
    'passwd' DN: ou=people,dc=nasdocs,dc=emc,dc=com - search scope singlelevel
      passwd object class: posixaccount
      passwd attributes: cn, uid, uidnumber, gidnumber, userpassword, loginshell, gecos, description
    No 'group' DN
    No 'hosts' DN
    No 'netgroup' DN

Specify an iplanet client configuration profile

The client configuration profile is created and stored on the iplanet server. The -profile option of the server_ldap command allows you to specify the use of an iplanet client profile that includes additional configuration parameters (also referred to as attributes). Some attributes that can be defined include:

- Preferred and alternate servers
- Search path
- Profile time-to-live (TTL)
- Object class and attribute mapping
- Authentication method

"Appendix A: iplanet client profile attributes" on page 64 provides more information on attributes, and the Sun Java System Directory Server (iplanet) documentation at the Sun Microsystems website provides more information on creating and using client profiles.

To specify the use of a special client profile, use this command syntax:

    $ server_ldap <movername> -set -domain <fqdn> -servers <ip_addr>[:<port>] -profile <profile>

    <movername> = name of the Data Mover
    <fqdn> = fully qualified domain name of the iplanet domain
    <ip_addr> = address of an iplanet configuration server for the specified domain
    <port> = number of the iplanet server TCP port
    <profile> = client profile distinguished name or simple client profile name

Note: EMC recommends that you have unique profile names in the Directory Information Tree (DIT). The specified profile is searched for by scanning the entire tree and, if it is present in multiple locations, the first available profile is used unless the profile distinguished name is specified. For example, -profile cn=vnx_profile,ou=admin,dc=mycompany,dc=com.

Example: To specify that the iplanet service on server_2 uses the special client profile, vnx_profile, type:

    $ server_ldap server_2 -set -domain nasdocs.emc.com -servers 172.16.21.10 -profile vnx_profile

Output

    server_2 : done

Copy the ldap.conf file

Active Directory with SFU or IdMU and OpenLDAP clients use the ldap.conf file for additional configuration information. "Appendix B: OpenLDAP configuration file" on page 67, "Appendix C: IdMU configuration file template" on page 68, and "Appendix D: SFU 3.5 configuration file template" on page 69 provide more information about the relevant LDAP configuration attributes for each schema.

1. Copy the appropriate configuration file template to /nas/site/ldap.conf.movername on the Control Station. Because the ldap.conf file is specific to each Data Mover, rename the file to ldap.conf.movername while editing the file. To copy the file from the Data Mover to the Control Station, use this command syntax:

    $ server_file <movername> -get <src_file> <dst_file>

    <movername> = name of the Data Mover
    <src_file> = source file on the Data Mover
    <dst_file> = destination file on the Control Station

Example: To copy ldap.conf from server_2 to /nas/site/ldap.conf.server_2 on the Control Station, type:

    $ server_file server_2 -get ldap.conf /nas/site/ldap.conf.server_2

2. Using a text editor, edit the ldap.conf.movername file to modify any entries. For example, if you are using Active Directory, edit the netgroups container.

3. Save ldap.conf.movername.

4. To copy the ldap.conf file from the Control Station to the Data Mover, use this command syntax:

    $ server_file <movername> -put /nas/site/ldap.conf.movername ldap.conf

    <movername> = name of the Data Mover

Example: To copy /nas/site/ldap.conf.server_2 to the Data Mover, type:

    $ server_file server_2 -put /nas/site/ldap.conf.server_2 ldap.conf

5. If you previously used a different LDAP-based directory service, you must clear that configuration before reconfiguring the Data Mover.

Example: To clear an earlier OpenLDAP configuration on server_2 before configuring an Active Directory with IdMU configuration, type:

    $ server_ldap server_2 -clear

6. Reconfigure the Data Mover as an LDAP-based directory service client.

Example: To configure server_2 to use the LDAP-based directory domain nasdocs.emc.com on the LDAP-based directory server found at IP address 172.16.21.10 and the default port number 389, type:

    $ server_ldap server_2 -set -domain nasdocs.emc.com -servers 172.16.21.10

Specify an NIS domain

An iplanet directory domain can host more than one NIS domain. The -nisdomain option of the server_ldap command allows you to specify the NIS domain of which the Data Mover is a member. Do not specify the NIS domain if the iplanet domain uses the same name.

To specify the Data Mover's NIS domain, use this command syntax:

    $ server_ldap <movername> -set -domain <fqdn> -servers <ip_addr>[:<port>] -nisdomain <nis_domain>

    <movername> = name of the Data Mover
    <fqdn> = fully qualified domain name of the specified LDAP-based directory domain
    <ip_addr> = address of an iplanet server (configuration or service) for the specified domain
    <port> = number of the iplanet server TCP port
    <nis_domain> = name of the NIS domain

Example: To specify that the iplanet service on server_2 recognizes the Data Mover's NIS domain name, type:

    $ server_ldap server_2 -set -domain nasdocs.emc.com -servers 172.16.21.10 -nisdomain nsg

Output

    server_2 : done

Configuring the nsswitch.conf file

Edit the nsswitch.conf file to arrange the search order for querying naming services for each entity. "nsswitch.conf file" on page 19 provides more information about the nsswitch.conf file.

Prerequisites

When editing the nsswitch.conf file:

- Use only lowercase characters. Uppercase and mixed-case characters are invalid.
- Use spaces between the naming service entries.
- List at least one naming service database to search.

Note: Avoid using NIS and LDAP-based directories simultaneously. If you need to use both NIS and an LDAP-based directory, the NIS domain must be the same in both NIS and the LDAP-based directory.

Edit the nsswitch.conf file

This procedure describes how to edit the nsswitch.conf file.

1. To copy the nsswitch.conf.tmpl file in the /nas/sys directory on the Control Station to the /nas/site directory, use this command syntax:

    $ cp /nas/sys/nsswitch.conf.tmpl /nas/site/nsswitch.conf.movername

    movername = name of the Data Mover

Because the nsswitch.conf file is specific to each Data Mover, rename the file to nsswitch.conf.movername while editing the file.

Example: To copy /nas/sys/nsswitch.conf.tmpl to /nas/site/nsswitch.conf.server_2, type:

    $ cp /nas/sys/nsswitch.conf.tmpl /nas/site/nsswitch.conf.server_2

2. Using a text editor, edit the /nas/site/nsswitch.conf.movername file to add, delete, or modify entries. The file format includes one entry for each entity type followed by a list of naming services:

    entity: naming service [naming service]...

    entity = passwd, group, hosts, or netgroup
    naming service = files, nis, dns, or ldap

The following is an example of the nsswitch.conf file:

    # /.etc/nsswitch.conf:
    #
    passwd: files nis
    group: files nis
    hosts: dns nis files
    netgroup: files nis

Example: To add an LDAP-based directory server as a Data Mover naming service, modify the /nas/site/nsswitch.conf.movername file as follows:

    # /.etc/nsswitch.conf:
    #
    passwd: files nis ldap
    group: files nis ldap
    hosts: files nis dns ldap
    netgroup: files nis ldap

3. Save /nas/site/nsswitch.conf.movername.

4. To copy the nsswitch.conf file from the Control Station to the Data Mover, use this command syntax:

    $ server_file <movername> -put /nas/site/nsswitch.conf.movername nsswitch.conf

    <movername> = name of the Data Mover

Example: To copy /nas/site/nsswitch.conf.server_2 to the Data Mover, type:

    $ server_file server_2 -put /nas/site/nsswitch.conf.server_2 nsswitch.conf

The modified nsswitch.conf file is used automatically once it is placed in the Data Mover's root file system.
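Because the Data Mover starts using the file as soon as it is put in place, it is worth checking the edited nsswitch.conf.movername on the Control Station before the server_file -put in step 4. The following is an added example, not EMC's code: parse_nsswitch() enforces the Prerequisites listed above (lowercase only, a known entity type, a space-separated list of at least one known naming service) and warns when nis and ldap are listed together, which the Note says to avoid unless both use the same NIS domain; add_ldap() appends ldap to each entity as the step 2 example does (it does not reorder the existing services, which is the administrator's decision). The sample file content is constructed from the page's example; the function names are this example's own.

```python
"""Validate a Data Mover nsswitch.conf and add an LDAP-based directory to it (added example)."""
import re

ENTITIES = ("passwd", "group", "hosts", "netgroup")
SERVICES = ("files", "nis", "dns", "ldap")

# Constructed from the nsswitch.conf example shown in step 2.
SAMPLE = """\
# /.etc/nsswitch.conf:
#
passwd: files nis
group: files nis
hosts: dns nis files
netgroup: files nis
"""


def parse_nsswitch(text):
    """Return (entries, errors, warnings); entries maps entity -> list of services."""
    entries, errors, warnings = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line != line.lower():
            errors.append("line %d: uppercase and mixed-case characters are invalid" % lineno)
            continue
        m = re.match(r"^([a-z]+):\s*(.*)$", line)
        if not m:
            errors.append("line %d: expected 'entity: service [service]...'" % lineno)
            continue
        entity, services = m.group(1), m.group(2).split()
        if entity not in ENTITIES:
            errors.append("line %d: unknown entity %r" % (lineno, entity))
        if entity in entries:
            errors.append("line %d: duplicate entry for %r" % (lineno, entity))
        if not services:
            errors.append("line %d: list at least one naming service" % lineno)
        for service in services:
            if service not in SERVICES:
                errors.append("line %d: unknown naming service %r" % (lineno, service))
        if "nis" in services and "ldap" in services:
            warnings.append("line %d: nis and ldap are both listed; the NIS domain "
                            "must be the same in NIS and the LDAP-based directory" % lineno)
        entries[entity] = services
    return entries, errors, warnings


def add_ldap(text):
    """Append ldap to every entity that does not already list it; comments are kept."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entity, _, rest = line.partition(":")
            services = rest.split()
            if "ldap" not in services:
                services.append("ldap")
            line = entity.strip() + ": " + " ".join(services)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    updated = add_ldap(SAMPLE)
    entries, errors, warnings = parse_nsswitch(updated)
    print(updated)
    for msg in errors + warnings:
        print(msg)
```

A file that produces any error should not be copied to the Data Mover; the warnings only point at the NIS-domain condition from the Note, which the example configuration above meets.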

Managing local files

You can verify that the contents of the local files on a Data Mover are correct by copying the files to the Control Station and using your favorite tool to view their contents (for example, view or more).

Verify the contents of local files

1. Copy the file from the Data Mover to the Control Station by using this command syntax:

    $ server_file <movername> -get <src_file> <dst_file>

    <movername> = name of the Data Mover
    <src_file> = source file on the Data Mover
    <dst_file> = destination file on the Control Station

2. View the file on the Control Station:

    $ more filename

Managing NIS

To manage a Data Mover's NIS configuration:

- "Display the NIS configuration" on page 41
- "Verify the status of the NIS configuration" on page 42
- "Delete the NIS configuration" on page 42

Display the NIS configuration

To display the NIS configuration, use this command syntax:

    $ server_nis <movername>

    <movername> = name of the Data Mover

Example: To display the NIS configuration on server_2, type:

    $ server_nis server_2

Output

    server_2 : yp domain=nsg server=172.16.21.10 server=172.16.22.10

Note: server_2 is in the nsg NIS domain and uses the NIS servers 172.16.21.10 and 172.16.22.10. NIS was formerly known as Yellow Pages or yp.

Verify the status of the NIS configuration

To verify that the status of the NIS configuration is correct, use this command syntax:

    $ server_nis <movername> -status

    <movername> = name of the Data Mover

Example: To verify that the status of the NIS configuration for server_2 is correct, type:

    $ server_nis server_2 -status

Output

    server_2 :
    NIS default domain: nsg
    NIS server 172.16.21.10
    NIS server 172.16.22.10

Note: If NIS was not started, the output of this command displays NIS not started.

Delete the NIS configuration

To delete the NIS configuration for a Data Mover, use this command syntax:

    $ server_nis <movername> -delete

    <movername> = name of the Data Mover

Example: To delete the NIS configuration for server_2, type:

    $ server_nis server_2 -delete

Output

    server_2 : done

Managing DNS

To manage a Data Mover's DNS configuration:

- "Verify the DNS configuration" on page 43
- "Delete the DNS configuration" on page 43
- "Set or change the DNS server protocol" on page 44
- "Clear the DNS cache" on page 44
- "Disable access to the DNS server" on page 45
- "Enable access to the DNS server" on page 45

Verify the DNS configuration

To display the DNS configuration, use this command syntax:

    $ server_dns <movername>

Example: To display the DNS configuration for server_2, type:

    $ server_dns server_2

Output

    server_2 : dns is running nasdocs.emc.com proto:udp server(s):172.16.21.10

Note: In this example, server_2 is in the nasdocs.emc.com DNS domain and uses the DNS server 172.16.21.10.

Delete the DNS configuration

The -delete option removes all the DNS servers configured for the domain. To remove only some of them, instead add a new DNS domain configuration that includes the servers you want to keep.

To delete the DNS domain configuration for a Data Mover, use this command syntax:

    $ server_dns <movername> -delete <domainname>

    <movername> = name of the Data Mover
    <domainname> = name of the DNS domain

Example: To delete the DNS domain configuration for server_2, type:

    $ server_dns server_2 -delete nasdocs.emc.com

Output

    server_2 : done

Set or change the DNS server protocol

If a protocol is not specified when configuring DNS on the Data Mover, the Data Mover tries to query the DNS server by using UDP. If UDP fails, the Data Mover switches to TCP.

To set or change the protocol used to communicate with the DNS servers, use this command syntax:

    $ server_dns <movername> -protocol {tcp|udp} <domainname> {<ip_addr>,...}

    <movername> = name of the Data Mover
    <domainname> = name of the DNS domain
    <ip_addr> = address of a DNS server for the specified domain

Example: To set the protocol for communication with the DNS servers to TCP for server_2, type:

    $ server_dns server_2 -protocol tcp nasdocs.emc.com 172.16.21.10

Output

    server_2 : done

Clear the DNS cache

Occasionally, it may help to clear the cache of DNS information saved on a Data Mover. For example, clear the DNS cache when host-to-address mappings change or are out of date, or to help determine whether the Data Mover is communicating with the DNS server. "Check communication with DNS" on page 56 provides more information.

To clear the DNS cache on a Data Mover, use this command syntax:

    $ server_dns <movername> -option flush

    <movername> = name of the Data Mover

Example: To clear the DNS cache for server_2, type:

    $ server_dns server_2 -option flush

Output

    server_2 : done
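Because -delete removes every DNS server configured for the domain, the safe way to retire a single server is the one the "Delete the DNS configuration" section describes: re-add the domain with only the servers you want to keep. The following is an added example, not EMC's code, that parses the status line server_dns <movername> prints in the format shown above and builds that replacement command using the -protocol syntax just given, refusing to drop the last server silently. The sample status is constructed from the page's example with a second server added; that several servers are printed comma-separated after "server(s):" is an assumption of this example, as are the function names.

```python
"""Parse server_dns status and plan a DNS server change that keeps the others (added example)."""
import ipaddress
import re

# Constructed: the page's example output with a second DNS server added.
SAMPLE_STATUS = ("server_2 : dns is running nasdocs.emc.com proto:udp "
                 "server(s):172.16.21.10,172.16.22.10")

STATUS_RE = re.compile(
    r"^\s*(?P<mover>\S+)\s*:\s*dns is running\s+(?P<domain>\S+)\s+"
    r"proto:(?P<proto>tcp|udp)\s+server\(s\):(?P<servers>\S+)"
)


def parse_server_dns(output):
    """Return dict(mover, domain, proto, servers); raise ValueError on unexpected text."""
    m = STATUS_RE.match(output)
    if not m:
        raise ValueError("unrecognised server_dns output: %r" % output)
    servers = m.group("servers").split(",")
    for server in servers:
        ipaddress.ip_address(server)  # raises ValueError on a malformed address
    return {"mover": m.group("mover"), "domain": m.group("domain"),
            "proto": m.group("proto"), "servers": servers}


def plan_remove_server(status, remove_ip):
    """Return the argv that re-adds the domain without remove_ip, so -delete is not needed."""
    if remove_ip not in status["servers"]:
        raise ValueError("%s is not configured for %s" % (remove_ip, status["domain"]))
    keep = [s for s in status["servers"] if s != remove_ip]
    if not keep:
        raise ValueError("refusing to drop the last DNS server; use -delete if that is intended")
    return ["server_dns", status["mover"], "-protocol", status["proto"],
            status["domain"], ",".join(keep)]


if __name__ == "__main__":
    status = parse_server_dns(SAMPLE_STATUS)
    print(" ".join(plan_remove_server(status, "172.16.22.10")))
```

The planned command keeps the protocol the Data Mover currently reports, so retiring a server does not silently switch the domain between UDP and TCP.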

Disable access to the DNS server

Access to the DNS server can be restarted by using the server_dns -option start command. It is also restarted on the next system reboot.

To disable access to the DNS server, use this command syntax:

    $ server_dns <movername> -option stop

    <movername> = name of the Data Mover

Example: To disable access to the DNS server for server_2, type:

    $ server_dns server_2 -option stop

Output

    server_2 : done

Enable access to the DNS server

To restart access to the DNS server after it has been stopped manually, use this command syntax:

    $ server_dns <movername> -option start

    <movername> = name of the Data Mover

Example: To restart access to the DNS server for server_2, type:

    $ server_dns server_2 -option start

Output

    server_2 : done

Managing an LDAP-based directory

To manage a Data Mover's LDAP-based directory:

- "Verify the status of the LDAP-based directory service" on page 46
- "Delete the LDAP-based directory configuration" on page 47
- "Display information about the LDAP-based directory configuration" on page 47
- "Temporarily disable the LDAP-based directory service" on page 48
- "Enable the LDAP-based directory service" on page 49
- "Disable SSL for LDAP-based directories" on page 50
- "Looking up information in the LDAP-based directory server" on page 51

Verify the status of the LDAP-based directory service

To verify that the status of the LDAP-based directory service is correct, use this command syntax:

    $ server_ldap <movername> -service -status

    <movername> = name of the Data Mover

Example: To verify that the status of the LDAP-based directory service for server_2 is correct, type:

    $ server_ldap server_2 -service -status

Output

    server_2 : LDAP service active

Note: The LDAP-based directory service can be active or inactive. If the Data Mover is not configured to access the LDAP-based directory server, the output displays No LDAP domain configured.

Delete the LDAP-based directory configuration

A Data Mover can support only one LDAP-based directory domain at a time. Before configuring a new LDAP-based directory domain, delete the previous configuration. The server_ldap -clear command also permanently stops the LDAP-based directory service.

To delete the LDAP-based directory configuration for a Data Mover, use this command syntax:

    $ server_ldap <movername> -clear

    <movername> = name of the Data Mover

Example: To delete the LDAP-based directory configuration for server_2, type:

    $ server_ldap server_2 -clear

Output

    server_2 : done

Display information about the LDAP-based directory configuration

"Check LDAP-based directory operation" on page 57 provides more information about displaying information about the LDAP-based directory configuration.

To display information about the LDAP-based directory configuration, use this command syntax:

    $ server_ldap <movername> -info [ -verbose ]

    <movername> = name of the Data Mover

Example: To display basic information about the LDAP-based directory server for server_2, in the nasdocs.emc.com Active Directory with IdMU and using LDAP server 172.16.21.10, type:

    $ server_ldap server_2 -info

Output

Active Directory (IdMU):

    server_2 :
    LDAP domain: nasdocs.emc.com
    base DN: dc=nasdocs,dc=emc,dc=com
    State: Configured - Connected
    NIS domain: nasdocs.emc.com
    Proxy (Bind) DN: cn=administrator,cn=users,dc=nasdocs,dc=emc,dc=com
    Configuration file - TTL: 1200 seconds
    Next configuration update in 1196 seconds
    DIT schema type: MS
    Connected to LDAP server address: 172.16.21.10 - port 389
    SSL enabled/disabled by None, cipher suites configured by default

OpenLDAP:

    server_2 :
    LDAP domain: nasdocs.emc.com
    base DN: dc=nasdocs,dc=emc,dc=com
    State: Configured - Connected
    NIS domain: nasdocs.emc.com
    No client profile nor config. file provided (using default setup)
    DIT schema type: OPEN
    Connected to LDAP server address: 172.16.21.10 - port 389
    SSL enabled/disabled by Command line, cipher suites configured by default

iplanet:

    server_2 :
    LDAP domain: nasdocs.emc.com
    State: Configured - Connected
    NIS domain: nsg
    Profile Name: vnx_profile
    Profile TTL: 3600 seconds
    Next Profile update in 5 seconds
    DIT schema type: SUN
    Connected to LDAP server address: 172.16.21.10 - port 389

Note: The Directory Information Tree (DIT) schema type can have one of the following values:

- MS: Microsoft Active Directory
- OPEN: OpenLDAP
- SUN: Sun Java System Directory Server (iplanet/sun ONE)
- Unknown yet (must succeed to connect): if the Data Mover is not connected

Temporarily disable the LDAP-based directory service

To have any changes made to the ldap.conf or the iplanet client configuration profile take effect immediately, you must stop and then restart the LDAP-based directory service. Otherwise, changes will take effect within 20 minutes.

You can restart the LDAP-based directory service by using the server_ldap -service -start command. It is also restarted on the next system reboot.

To temporarily stop the LDAP-based directory service, use this command syntax:

    $ server_ldap <movername> -service -stop

    <movername> = name of the Data Mover

Example: To disable the LDAP-based directory service for server_2, type:

    $ server_ldap server_2 -service -stop

Output

    server_2 : done

Enable the LDAP-based directory service

To restart the LDAP-based directory service for a Data Mover after it has been manually stopped, use this command syntax:

    $ server_ldap <movername> -service -start

    <movername> = name of the Data Mover

Example: To restart the LDAP-based directory service for server_2, type:

    $ server_ldap server_2 -service -start

Output

    server_2 : done

Disable SSL for LDAP-based directories

To disable SSL over LDAP on a Data Mover, use this command syntax:

    $ server_ldap <movername> -set -sslenabled n

    <movername> = name of the Data Mover
    n = no (default)

Example: To disable SSL on server_2, type:

    $ server_ldap server_2 -set -sslenabled n

Output

    server_2 : done

Postrequisites

To verify that SSL on a Data Mover has been disabled, type:

    $ server_ldap server_2 -info

Output

    server_2 :
    LDAP domain: nasdocs.emc.com
    Base DN: dc=nasdocs,dc=emc,dc=com
    State: Configured - Connected
    NIS domain: nasdocs.emc.com
    Proxy (Bind) DN: cn=manager,dc=nasdocs,dc=emc,dc=com
    DIT schema type: OPEN
    Connected to LDAP server address: 172.16.21.10 - port 389
    SSL state: disabled - Persona: none specified

Note: When you disable SSL over LDAP, the port will change from port 636 to port 389.

Looking up information in the LDAP-based directory server

Use the -lookup option to look up information about resources in the LDAP-based directory server. This command assists with troubleshooting because it allows you to verify that the Data Mover can access the LDAP-based directory server and perform a resource lookup.

To look up information:

- "Perform a user lookup by username" on page 51
- "Perform a user lookup by UID" on page 52
- "Perform a group lookup by group name" on page 52
- "Perform a group lookup by GID" on page 53
- "Perform a host lookup by hostname" on page 53
- "Perform a netgroup lookup" on page 54

Perform a user lookup by username

To look up user information in the LDAP-based directory server by username, use this command syntax:

    $ server_ldap <movername> -lookup -user <username>

    <movername> = name of the Data Mover
    <username> = name of the user

Example: To look up information in the LDAP-based directory server for server_2, type:

    $ server_ldap server_2 -lookup -user user1

Output

    server_2 : user: user1, uid: 501, gid: 500, gecos:, home dir:, shell:

Perform a user lookup by UID

To look up user information in the LDAP-based directory server by UID, use this command syntax:

    $ server_ldap <movername> -lookup -uid <uid>

    <movername> = name of the Data Mover
    <uid> = UID of the specified user

Example: To look up information in the LDAP-based directory server for server_2, type:

    $ server_ldap server_2 -lookup -uid 501

Output

    server_2 : user: user1, uid: 501, gid: 500, description: gecos:, home dir:, shell:

Note: In this example, the relevant information is in the final lines of output.

Perform a group lookup by group name

To look up group information in the LDAP-based directory server by group name, use this command syntax:

    $ server_ldap <movername> -lookup -group <groupname>

    <movername> = name of the Data Mover
    <groupname> = name of the group

Example: To look up information in the LDAP-based directory server for server_2, type:

    $ server_ldap server_2 -lookup -group group1

Output

    server_2 : group name: group1, gid: 2765
    group members: 501
    group members: 1023

Note: In this example, the relevant information is in the final lines of output.

Perform a group lookup by GID

To look up group information in the LDAP-based directory server by GID, use this command syntax:

    $ server_ldap <movername> -lookup -gid <gid>

    <movername> = name of the Data Mover
    <gid> = GID of the specified group

Example: To look up information in the LDAP-based directory server for server_2, type:

    $ server_ldap server_2 -lookup -gid 1

Output

    server_2 : group name: other, gid: 1
    group member: servermanageradmin.servermanageradmin.dvt_a
    group member: servermanageradmin.dvt_b

Note: In this example, the relevant information is in the final lines of output.

Perform a host lookup by hostname

To look up host information in the LDAP-based directory server by hostname, use this command syntax:

    $ server_ldap <movername> -lookup -hostbyname <hostname>

    <movername> = name of the Data Mover
    <hostname> = name of the host

Example: To look up information in the LDAP-based directory server for server_2, type:

    $ server_ldap server_2 -lookup -hostbyname win901230

Output

    server_2 : Host name: win901230
    IP address: 172.16.21.10

Note: In this example, the relevant information is in the final lines of output.

Perform a netgroup lookup

To look up network group (netgroup) information in the LDAP-based directory server, use this command syntax:

    $ server_ldap <movername> -lookup -netgroup <groupname>

    <movername> = name of the Data Mover
    <groupname> = name of the netgroup

Example: To look up information in the LDAP-based directory server for server_2, type:

    $ server_ldap server_2 -lookup -netgroup netgroup1

Output

    server_2 : Netgroup: netgroup1 - triples: "win901230","user1","pagsun1"

Note: In this example, the relevant information is in the final lines of output.
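The six lookups above each produce a one- or few-line result that is read by eye. The following is an added example, not EMC's code, that parses the user, group, host and netgroup output formats shown in those sections (the sample strings are constructed from the page's examples) and then answers the questions a troubleshooter has after running them: whether the lookups by username and by UID describe the same entry, whether a group lists that user, and which hosts a netgroup's triples name so they can be checked with -hostbyname. The function names are this example's own; how the Data Mover prints several netgroup triples on one line is an assumption.

```python
"""Parse server_ldap -lookup output into records and cross-check the results (added example)."""
import re

# Constructed from the lookup examples on this page.
USER_BY_NAME = "server_2 : user: user1, uid: 501, gid: 500, gecos:, home dir:, shell:"
USER_BY_UID = "server_2 : user: user1, uid: 501, gid: 500, description: gecos:, home dir:, shell:"
GROUP = "server_2 : group name: group1, gid: 2765\ngroup members: 501\ngroup members: 1023"
HOST = "server_2 : Host name: win901230\nIP address: 172.16.21.10"
NETGROUP = 'server_2 : Netgroup: netgroup1 - triples: "win901230","user1","pagsun1"'


def _strip_mover(text):
    """Remove the leading 'server_2 : ' prefix that the Data Mover prints."""
    return re.sub(r"^\s*\S+\s*:\s*", "", text, count=1)


def parse_user(text):
    """Parse a -lookup -user or -lookup -uid line; empty fields become ''."""
    m = re.match(r"user:\s*([^,]+),\s*uid:\s*(\d+),\s*gid:\s*(\d+)(.*)", _strip_mover(text))
    if not m:
        raise ValueError("unrecognised user lookup output: %r" % text)
    user = {"name": m.group(1).strip(), "uid": int(m.group(2)), "gid": int(m.group(3))}
    # Remaining fields are "key: value" pairs; "description: gecos:" is two empty
    # fields printed back to back, so every segment but the last is a key.
    for piece in m.group(4).split(","):
        segs = [s.strip() for s in piece.split(":")]
        if len(segs) < 2:
            continue
        *keys, value = segs
        for key in keys[:-1]:
            user[key] = ""
        user[keys[-1]] = value
    return user


def parse_group(text):
    """Parse -lookup -group / -lookup -gid output (header line, one member per line)."""
    lines = _strip_mover(text).splitlines()
    m = re.match(r"group name:\s*([^,]+),\s*gid:\s*(\d+)", lines[0])
    if not m:
        raise ValueError("unrecognised group lookup output: %r" % text)
    members = []
    for line in lines[1:]:
        m2 = re.match(r"group members?:\s*(.+)", line.strip())
        if m2:
            members.append(m2.group(1).strip())
    return {"name": m.group(1).strip(), "gid": int(m.group(2)), "members": members}


def parse_host(text):
    """Parse -lookup -hostbyname output."""
    body = _strip_mover(text)
    name = re.search(r"Host name:\s*(\S+)", body)
    addr = re.search(r"IP address:\s*(\S+)", body)
    if not (name and addr):
        raise ValueError("unrecognised host lookup output: %r" % text)
    return {"name": name.group(1), "ip": addr.group(1)}


def parse_netgroup(text):
    """Parse -lookup -netgroup output into (host, user, domain) triples."""
    m = re.match(r"Netgroup:\s*(\S+)\s*-\s*triples:\s*(.*)", _strip_mover(text))
    if not m:
        raise ValueError("unrecognised netgroup lookup output: %r" % text)
    fields = re.findall(r'"([^"]*)"', m.group(2))
    triples = [tuple(fields[i:i + 3]) for i in range(0, len(fields) - 2, 3)]
    return {"name": m.group(1), "triples": triples}


def same_user(a, b):
    """True when two user lookups (by name and by UID) describe the same entry."""
    return (a["name"], a["uid"], a["gid"]) == (b["name"], b["uid"], b["gid"])


def uid_in_group(user, group):
    """True when the group lists the user by UID or by name."""
    return str(user["uid"]) in group["members"] or user["name"] in group["members"]


def netgroup_hosts(netgroup):
    """Hostnames named in the netgroup's triples, for a follow-up -hostbyname lookup."""
    return [t[0] for t in netgroup["triples"] if t[0]]


if __name__ == "__main__":
    u = parse_user(USER_BY_NAME)
    print("name/UID lookups agree:", same_user(u, parse_user(USER_BY_UID)))
    print("user1 in group1:", uid_in_group(u, parse_group(GROUP)))
    print("netgroup hosts:", netgroup_hosts(parse_netgroup(NETGROUP)))
```

A mismatch between the name and UID lookups, or a netgroup host that -hostbyname cannot resolve, points at the directory data rather than at the Data Mover's connection, which narrows the troubleshooting described in the next section.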

Troubleshooting

As part of an effort to continuously improve and enhance the performance and capabilities of its product lines, EMC periodically releases new versions of its hardware and software. Therefore, some functions described in this document may not be supported by all versions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this document, contact your EMC representative.

Where to get help

Product information: For documentation, release notes, software updates, or for information about EMC products, licensing, and service, go to the EMC Online Support website (registration required) at http://support.emc.com.

Troubleshooting: Go to the EMC Online Support website. After logging in, locate the applicable Support by Product page.

Technical support: For technical support, go to EMC Customer Service on the EMC Online Support website. After logging in, locate the applicable Support by Product page, and choose either Live Chat or Create a service request. To open a service request through EMC Online Support, you must have a valid support agreement. Contact your EMC Customer Support Representative for details about obtaining a valid support agreement or to answer any questions about your account.

Note: Do not request a specific support representative unless one has already been assigned to your particular system problem.

E-Lab Interoperability Navigator

The EMC E-Lab™ Interoperability Navigator is a searchable, web-based application that provides access to EMC interoperability support matrices. It is available at http://support.emc.com. After logging in to the EMC Online Support website, locate the applicable Support by Product page, find Tools, and click E-Lab Interoperability Navigator.
Check network connectivity by using server_ping

Name resolution problems can appear as a general degradation in network performance. To troubleshoot name services on a Data Mover, try the following:

- Run the server_ping command with the IP address of a given name server.
- Run the server_ping command with a name resolvable by a given name server.

Access naming services from the Control Station

If your Control Station is connected to the same name servers as a Data Mover, you can use the standard UNIX-based commands in Table 3 on page 56 to test whether a name server is responding to requests. If the name server responds to a manual request from the Control Station, then the problem is most likely with the Data Mover configuration.

Note: The Control Station does not support the use of LDAP-based directories as a naming service.

Table 3 Tools for naming services problem resolution

| Tool | Function |
|---|---|
| dig | Sends domain name query packets to name servers |
| dnsdomainname | Shows the DNS domain name |
| host | Looks up a hostname or IP address in DNS |
| ldapsearch | Opens a connection to an LDAP server, binds, and performs a search by using specified parameters |
| nslookup | Queries name servers interactively |
| traceroute | Prints the route that packets take to a server |
| ypcat | Displays part of the NIS database |
| ypdomainname | Shows the NIS domain name |
| ypwhich | Shows the NIS server |

Note: Use the man command to obtain more information about these commands.

Check communication with DNS

If a DNS server is responding correctly to DNS requests from the Control Station, you can test whether the Data Mover is communicating successfully with the DNS server by flushing the DNS cache on the Data Mover as described in "Clear the DNS cache" on page 44, and then performing a server_ping to the DNS server. If the server_ping succeeds, it is an indication that the Data Mover is communicating with the DNS server.

Check LDAP-based directory operation

To display detailed information about a Data Mover's LDAP-based directory configuration, use the -verbose option of the server_ldap <movername> -info command.

Note: To interpret the output displayed by the -verbose option, you must have a thorough understanding of the LDAP protocol. Consequently, this command option is typically used to provide EMC Customer Service with information for troubleshooting LDAP-based directory configuration and operation problems.

To display detailed information about the LDAP-based directory configuration, use this command syntax:

```
$ server_ldap <movername> -info [ -verbose ]
```

where:
<movername> = name of the Data Mover

Example: To display detailed information about the LDAP-based directory configuration for server_2, type:

```
$ server_ldap server_2 -info -verbose
```

Output:

```
server_2 :
LDAP domain: nasdocs.emc.com
State: Configured - Connected
NIS domain: nsg
Proxy (Bind) DN: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
Profile Name: vnx_profile_shortttl
Profile TTL: 6 seconds
Next Profile update in 0 seconds
Profile modification timestamp: 20050105161959Z
Connected to LDAP server address: 172.16.21.10 - port 389
LDAP configuration servers:
  Server address: 172.16.21.10 - port: 389
  Server state: connected
LDAP preferred servers:
  Server address: 172.16.21.10 - port: 389
  Server state: connected
LDAP default servers:
  Server address: 172.16.22.10 - port: 389
  Server state: disconnected
  Server address: 172.16.22.10 - port: 389
  Server state: disconnected
Domain naming contexts:
  dc=nasdocs,dc=emc
  dc=testdom,dc=lab
  o=netscaperoot
Domain supported LDAP controls:
  2.16.840.1.113730.3.4.2
  2.16.840.1.113730.3.4.3
  2.16.840.1.113730.3.4.4
  2.16.840.1.113730.3.4.5
  1.2.840.113556.1.4.473
  2.16.840.1.113730.3.4.9
  2.16.840.1.113730.3.4.16
  2.16.840.1.113730.3.4.15
  2.16.840.1.113730.3.4.17
  2.16.840.1.113730.3.4.19
  2.16.840.1.113730.3.4.14
  1.3.6.1.4.1.1466.29539.12
  2.16.840.1.113730.3.4.13
  2.16.840.1.113730.3.4.12
  2.16.840.1.113730.3.4.18
Domain supported authentication mechanisms:
  EXTERNAL
  DIGEST-MD5
Directory Base DN: dc=nasdocs,dc=emc
Domain default search Scope: single-level
'passwd' DN:
  ou=people,dc=nasdocs,dc=emc - search scope single-level
  ou=people2,dc=nasdocs,dc=emc - search scope single-level
'group' DN:
  ou=group,dc=nasdocs,dc=emc - search scope single-level
  ou=nregroup,dc=nasdocs,dc=emc - search scope single-level
'hosts' DN:
  ou=hosts,dc=nasdocs,dc=emc - search scope single-level
  ou=morehosts,dc=nasdocs,dc=emc - search scope single-level
'netgroup' DN:
  ou=netgroup,dc=nasdocs,dc=emc - search scope single-level
  ou=mynetgr,dc=nasdocs,dc=emc - search scope subtree
  ou=netgroup2,dc=nasdocs,dc=emc - search scope subtree
```

Verify the download of the iplanet client profile

The configuration of a Data Mover as an iplanet client is an asynchronous process. This means the CLI can report the success of a command (based on the Control Station's successful parsing of the command options for syntax correctness) while the connection to the iplanet server and the download of an iplanet client profile have yet to be performed. Consequently, to verify that the connection to the iplanet server and the download of a client profile are successful, check the configuration's status as follows:

- Run the server_ldap <movername> -info command and verify that the configuration's state is shown as configured and connected.
- Check the system log file and verify that there are no errors, specifically the error Error 13158449154: LDAP search failed.
- To double-check, run the server_ldap <movername> -lookup command to perform a resource lookup and determine whether the Data Mover can access the iplanet server.
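The two checks above (state shown as configured and connected, no LDAP search failure in the log) are easy to automate once the -info output and the log have been captured. The following is an added example, not EMC code; the -info output and log lines are constructed in the format shown in this document, and a real script would feed it the captured text.

```python
"""Check whether a Data Mover has really downloaded its iPlanet client profile.

The CLI reports success as soon as the command parses, so the two checks this
document prescribes are: (1) ``server_ldap <movername> -info`` shows
"State: Configured - Connected" and (2) the system log has no
"Error 13158449154: LDAP search failed". Added example, not EMC code; the
output and log text below are constructed in the format shown in this document.
"""
import re

EXPECTED_STATE = "Configured - Connected"
SEARCH_FAILED = "Error 13158449154: LDAP search failed"

# Constructed sample of "server_ldap server_2 -info -verbose" output.
SAMPLE_INFO = """\
server_2 :
LDAP domain: nasdocs.emc.com
State: Configured - Connected
NIS domain: nsg
Profile Name: vnx_profile
Profile TTL: 3600 seconds
Connected to LDAP server address: 172.16.21.10 - port 389
LDAP preferred servers:
Server address: 172.16.21.10 - port: 389
Server state: connected
LDAP default servers:
Server address: 172.16.22.10 - port: 389
Server state: disconnected
"""

# Constructed system log excerpts (clean, and with the search failure).
SAMPLE_LOG_OK = "2011-01-05 16:19:59 server_2 LDAP: profile vnx_profile loaded\n"
SAMPLE_LOG_BAD = SAMPLE_LOG_OK + "2011-01-05 16:20:05 server_2 LDAP: " + SEARCH_FAILED + "\n"


def parse_ldap_info(output):
    """Turn the key: value lines into a dict and collect (address, port, state)
    for every server block; the state line follows the address line."""
    info = {"servers": []}
    pending = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Server address:\s*(\S+)\s*-\s*port:?\s*(\d+)$", line)
        if m:
            pending = (m.group(1), int(m.group(2)))
            continue
        m = re.match(r"Server state:\s*(\w+)", line)
        if m and pending:
            info["servers"].append(pending + (m.group(1),))
            pending = None
            continue
        if ":" in line and not line.startswith("server_"):
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def profile_downloaded(info_output, syslog_text):
    """Return (ok, problems): ok is True only when the state is
    'Configured - Connected', at least one listed server is connected, and
    the log does not contain the LDAP search failure."""
    info = parse_ldap_info(info_output)
    problems = []
    state = info.get("State")
    if state != EXPECTED_STATE:
        problems.append("state is %r, expected %r" % (state, EXPECTED_STATE))
    if info["servers"] and not any(s == "connected" for _, _, s in info["servers"]):
        problems.append("no LDAP server is in the connected state")
    if SEARCH_FAILED in syslog_text:
        problems.append("system log contains: " + SEARCH_FAILED)
    return not problems, problems


if __name__ == "__main__":
    for name, log in (("clean log", SAMPLE_LOG_OK), ("log with search failure", SAMPLE_LOG_BAD)):
        ok, problems = profile_downloaded(SAMPLE_INFO, log)
        print(name, "->", "profile download verified" if ok else "; ".join(problems))
```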

Edit OpenLDAP schema for Linux

It may be necessary to change the OpenLDAP schema for Linux when exporting some NFS file systems to netgroups. When downloading OpenLDAP from the OpenLDAP organization, the LDAP server comes with a schema that complies strictly with RFC 2307:

```
( nisSchema.1.14 NAME 'nisNetgroupTriple'
  DESC 'Netgroup triple'
  SYNTAX 'nisNetgroupTripleSyntax' )
```

VNX for File, however, requires the definition from RFC 2307bis:

```
( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
  DESC 'Netgroup triple'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
```

Because RFC 2307bis is a draft and is not recognized by the OpenLDAP organization, the OpenLDAP schema for Linux has to be changed to be compatible with VNX for File, as follows.

In the file /etc/openldap/schema/nis.schema on your OpenLDAP server, find the following entry:

```
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
  DESC 'Netgroup triple'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
```

Edit the entry to appear as follows (adding the EQUALITY directive):

```
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
  DESC 'Netgroup triple'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
```

Using group membership with distinguished name syntax

NAS code 5.6.49 introduced support for group members with distinguished name (DN) syntax. Unlike memberuid, DN-syntax members are not susceptible to the page size limit of Active Directory. This feature also supports mapping to Active Directory's built-in member attribute, so that Active Directory's group members can be used and separate UNIX group memberships need not be maintained.

To enable support, add a mapping to ldap.conf that maps the memberuid attribute to the attribute with DN syntax.

Examples: Active Directory's built-in schema uses the member attribute with DN syntax. Therefore, the mapping is:

```
nss_map_attribute memberuid member
```

The OpenLDAP schema has the attribute uniquemember with DN syntax. The mapping with OpenLDAP is:

```
nss_map_attribute memberuid uniquemember
```

CIFS user mapping in a multiprotocol environment

In an Active Directory with SFU or IdMU, NIS, or local file environment, VNX for File uses a proprietary naming convention to associate a UNIX user with a CIFS user. For example, if UNIX user John Doe has a CIFS account in the CIFS domain dom1, the NIS base is populated with JohnDoe and JohnDoe.dom1 to map the UID/GID to the SID account.

If the user subtree in the directory is also used for regular Linux/UNIX authentication, where the Linux/UNIX client accesses the same directory subtree, the format user.domain cannot be used. To avoid problems that could arise from duplicate UIDs, import only the UNIX username, JohnDoe. Do not import JohnDoe.dom1. Then set the VNX for File parameter cifs resolver=1 to force VNX for File to use the username without domain extension to map UID/GID to SID.
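The nis.schema edit described under "Edit OpenLDAP schema for Linux" is a one-line insertion, but it has to land inside the right attributetype definition and must not be applied twice. The following is an added example, not EMC or OpenLDAP code, that makes the change idempotently; the schema text is a constructed excerpt in the layout of /etc/openldap/schema/nis.schema.

```python
"""Apply the nis.schema change this document requires for netgroup exports:
add ``EQUALITY caseIgnoreIA5Match`` to the nisNetgroupTriple attribute type
(OID 1.3.6.1.1.1.1.14) so that it matches RFC 2307bis. Added example, not EMC
or OpenLDAP code; the schema text is a constructed excerpt in the layout of
/etc/openldap/schema/nis.schema.
"""
import re

NETGROUP_TRIPLE_OID = "1.3.6.1.1.1.1.14"
EQUALITY_RULE = "caseIgnoreIA5Match"

# The whole "attributetype ( <oid> ... )" definition, possibly spanning lines.
ATTR_RE = re.compile(
    r"attributetype\s*\(\s*" + re.escape(NETGROUP_TRIPLE_OID) + r"\b.*?\)",
    re.DOTALL | re.IGNORECASE,
)

# Constructed excerpt: the stock RFC 2307 definition without an EQUALITY rule.
SAMPLE_SCHEMA = """\
# constructed excerpt of nis.schema
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
\tDESC 'Netgroup triple'
\tSYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""


def patch_netgroup_triple(schema_text):
    """Return (patched_text, changed). Idempotent: a definition that already
    carries an EQUALITY clause is left untouched."""
    m = ATTR_RE.search(schema_text)
    if not m:
        raise ValueError("nisNetgroupTriple (%s) not found" % NETGROUP_TRIPLE_OID)
    definition = m.group(0)
    if re.search(r"\bEQUALITY\b", definition, re.IGNORECASE):
        return schema_text, False
    # RFC 4512 orders the clauses DESC ... EQUALITY ... SYNTAX, so the rule goes
    # right before SYNTAX, reusing the definition's own line break and indent.
    sm = re.search(r"(\s*)SYNTAX\b", definition)
    if not sm:
        raise ValueError("definition has no SYNTAX clause")
    indent = sm.group(1) if "\n" in sm.group(1) else " "
    patched = (definition[:sm.start()] + indent + "EQUALITY " + EQUALITY_RULE
               + definition[sm.start():])
    return schema_text[:m.start()] + patched + schema_text[m.end():], True


def patch_schema_file(path):
    """Rewrite the schema file in place; returns True if a change was made."""
    with open(path) as fh:
        text = fh.read()
    new_text, changed = patch_netgroup_triple(text)
    if changed:
        with open(path, "w") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    text, changed = patch_netgroup_triple(SAMPLE_SCHEMA)
    print("changed:", changed)
    print(text)
```

Run patch_schema_file("/etc/openldap/schema/nis.schema") on the OpenLDAP server and then restart slapd so that the new schema is loaded.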

Error messages

All new event, alert, and status messages provide detailed information and recommended actions to help you troubleshoot the situation. To view message details, use any of these methods:

- Unisphere software: Right-click an event, alert, or status message and select to view Event Details, Alert Details, or Status Details.
- VNX CLI: Type nas_message -info <MessageID>, where MessageID is the message identification number.
- VNX Error Messages Guide: Use this guide to locate information about messages that are in the earlier-release message format.
- EMC Online Support: Use the text from the error message's brief description or the message's ID to search the Knowledgebase on the EMC Online Support website. After logging in to EMC Online Support, click either Search or Support by Product.

LDAP error messages

Table 4 on page 61 lists the LDAP error messages defined by RFC 2251 Lightweight Directory Access Protocol (v3). The Sun Java System Directory Server (iplanet) documentation at the Sun Microsystems website provides more information on the error messages' exact meaning in the LDAP-based directory implementation.

Table 4 LDAP error messages and codes

| LDAP error code | LDAP error message |
|---|---|
| 1 | operationsError |
| 2 | protocolError |
| 3 | timeLimitExceeded |
| 4 | sizeLimitExceeded |
| 5 | compareFalse |
| 6 | compareTrue |
| 7 | authMethodNotSupported |
| 8 | strongAuthRequired |
| 9 | reserved |
| 10 | referral |
| 11 | adminLimitExceeded |
| 12 | unavailableCriticalExtension |
| 13 | confidentialityRequired |
| 14 | saslBindInProgress |
| 16 | noSuchAttribute |
| 17 | undefinedAttributeType |
| 18 | inappropriateMatching |
| 19 | constraintViolation |
| 20 | attributeOrValueExists |
| 21 | invalidAttributeSyntax |
| 22-31 | unused |
| 32 | noSuchObject |
| 33 | aliasProblem |
| 34 | invalidDNSyntax |
| 35 | reserved for undefined |
| 36 | aliasDereferencingProblem |
| 37-47 | unused |
| 48 | inappropriateAuthentication |
| 49 | invalidCredentials |
| 50 | insufficientAccessRights |
| 51 | busy |
| 52 | unavailable |
| 53 | unwillingToPerform |
| 54 | loopDetect |
| 55-63 | unused |
| 64 | namingViolation |
| 65 | objectClassViolation |
| 66 | notAllowedOnNonLeaf |
| 67 | notAllowedOnRDN |
| 68 | entryAlreadyExists |
| 69 | objectClassModsProhibited |
| 70 | reserved for CLDAP |
| 71 | affectsMultipleDSAs |
| 72-79 | unused |
| 80 | other |

Training and Professional Services

EMC Customer Education courses help you learn how EMC storage products work together within your environment to maximize your entire infrastructure investment. EMC Customer Education features online and hands-on training in state-of-the-art labs conveniently located throughout the world. EMC customer training courses are developed and delivered by EMC experts. Go to the EMC Online Support website at http://support.emc.com for course and registration information.

EMC Professional Services can help you implement your VNX for File efficiently. Consultants evaluate your business, IT processes, and technology and recommend ways you can leverage your information for the most benefit. From business plan to implementation, you get the experience and expertise you need, without straining your IT staff or hiring and training new personnel. Contact your EMC representative for more information.

Appendix A: iplanet client profile attributes

The configuration attributes defined in an iplanet client profile are described in the RFC draft (Joslin), A Configuration Profile Schema for LDAP-based Agents. The VNX for File supports these attributes as described in Table 5 on page 64 unless otherwise noted. The VNX for File ignores attributes in the iplanet client configuration file that are not relevant to the Data Mover.

The following terms are used in the attribute descriptions:

- DIT (Directory Information Tree): The entire information tree of the directory itself.
- DSA (Directory Server Agent): The X.500 term for a directory server or any LDAP server, represented in the VNX for File environment by the iplanet directory server.
- DUA (Directory User Agent): The directory client or any LDAP client, represented in the VNX for File environment by the Data Mover.

Table 5 iplanet client profile attributes

| Attribute | Description | VNX for File support |
|---|---|---|
| preferredserverlist | The preferredserverlist attribute provides a list of server addresses and associated port numbers. List entries are separated by spaces. When the DUA needs to contact a DSA, the DUA must first attempt to contact one of the servers listed in the preferredserverlist attribute. The DUA must contact the DSA specified by the first server address in the list. If that DSA is unavailable, the remaining DSAs must be queried in the order provided until a connection is established with a DSA. Once a connection with a DSA is established, the DUA should not attempt to establish a connection with the remaining DSAs. If the DUA is unable to contact any of the DSAs specified by the preferredserverlist, the defaultserverlist attribute must be examined. | Yes, IP addresses only |
| defaultserverlist | The defaultserverlist attribute must only be examined if the preferredserverlist attribute is not provided, or the DUA is unable to establish a connection with one of the DSAs specified by the preferredserverlist. If neither a preferredserverlist nor a defaultserverlist is provided, the DUA contacts the same server that provided the client configuration profile. | Yes, IP addresses only |
| defaultsearchbase | When a DUA needs to search the directory for information, the defaultsearchbase attribute defines the base for the search. This parameter can be overridden or appended by the servicesearchdescriptor attribute. | Yes |
| defaultsearchscope | When the DUA needs to search the directory for information, this attribute provides the scope for the search. This attribute can be overridden by the servicesearchdescriptor attribute. Values accepted: one (a one-level search) and sub (search the whole subtree). The default value is one. | Yes |
| authenticationmethod | The authenticationmethod attribute defines an ordered list of LDAP bind methods used when attempting to contact a DSA. The client configuration profile supports tls:simple. None means no LDAP bind is performed. | Yes, none and simple authentication |
| credentiallevel | The credentiallevel attribute defines what types of credentials the DUA should use when contacting the DSA. | Yes, anonymous and proxy |
| servicesearchdescriptor | The servicesearchdescriptor attribute defines how and where a DUA should search for information for a particular service. The servicesearchdescriptor contains a service ID, followed by one or more base-scope-filter triples. These base-scope-filter triples are used to define searches only for the specified service. Multiple base-scope-filters allow the DUA to search for data in multiple locations of the DIT. | Yes, with the exception of the redefinition of the search filter. VNX for File supports a service ID followed only by base-scope. |
| servicecredentiallevel | The servicecredentiallevel attribute defines what types of credentials the DUA should use when contacting the DSA for a particular service. | No |
| serviceauthenticationmethod | The serviceauthenticationmethod attribute defines an ordered list of LDAP bind methods to be used when attempting to contact a DSA for a particular service. | No |
| attributemap | Maps attributes of similar syntaxes. | Yes |
| objectclassmap | Objectclass mapping should be used in conjunction with attribute mapping to map the schema required by the service to an equivalent schema available in the directory. | Yes |
| searchtimelimit | The searchtimelimit attribute defines the maximum time, in seconds, a DUA should allow to perform a search request. | No |
| bindtimelimit | The bindtimelimit attribute defines the maximum time, in seconds, a DUA should allow to perform an LDAP bind request against each DSA on the preferredserverlist or defaultserverlist. | No |
| followreferrals | If set to true, the DUA should follow any referrals if discovered. | No |
| dereferencealiases | If set to true, the DUA should enable alias dereferencing. If set to false, the DUA must not enable alias dereferencing. | N/A |
| profilettl | The profilettl attribute defines the time interval before the DUA should reload and reconfigure itself by using the corresponding client configuration profile. If the profilettl value is zero or not defined, the DUA does not reload the configuration profile. | Yes |
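The preferredserverlist and defaultserverlist rows of Table 5 describe a small algorithm: try the preferred servers in order, stop at the first one that answers, fall back to the default list only when the preferred list is absent or exhausted, and fall back to the profile server when neither list is given. The following is an added example, not EMC code, that implements that order together with the VNX for File restriction to IP addresses; the probe callback stands in for the connection attempt, the default port of 389 is an assumption, and the sample lists are constructed.

```python
"""DUA server selection as specified for the preferredserverlist and
defaultserverlist attributes of an iPlanet client profile (Table 5), plus the
VNX for File restriction that list entries must be IP addresses. Added example,
not EMC code; ``probe`` stands in for the connection attempt, the default port
389 is an assumption, and the sample lists are constructed.
"""
import ipaddress

DEFAULT_PORT = 389  # assumed when an entry carries no port


def parse_server_list(value):
    """Split a space-separated list of 'address[:port]' entries into
    (address, port) pairs, preserving order."""
    servers = []
    for entry in (value or "").split():
        address, has_port, port = entry.partition(":")
        servers.append((address, int(port) if has_port else DEFAULT_PORT))
    return servers


def unsupported_entries(servers):
    """Return the addresses VNX for File would reject (it supports IP addresses only)."""
    rejected = []
    for address, _ in servers:
        try:
            ipaddress.ip_address(address)
        except ValueError:
            rejected.append(address)
    return rejected


def select_dsa(preferredserverlist, defaultserverlist, profile_server, probe):
    """Return the (address, port) of the DSA to use, or None.

    preferredserverlist is tried first, in order; the first DSA that answers is
    used and the rest are not contacted. defaultserverlist is consulted only if
    preferredserverlist is absent or none of its DSAs could be reached. With
    neither list, the server that supplied the profile is used.
    probe(address, port) -> bool is the connection attempt.
    """
    preferred = parse_server_list(preferredserverlist)
    default = parse_server_list(defaultserverlist)
    if not preferred and not default:
        return profile_server
    for address, port in preferred:
        if probe(address, port):
            return (address, port)
    for address, port in default:
        if probe(address, port):
            return (address, port)
    return None


if __name__ == "__main__":
    # Constructed profile values and reachability for a dry run.
    reachable = {("172.16.21.11", 636), ("172.16.22.10", 389)}
    chosen = select_dsa("172.16.21.10 172.16.21.11:636", "172.16.22.10",
                        ("172.16.21.10", 389), lambda a, p: (a, p) in reachable)
    print("selected DSA:", chosen)
```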

Appendix B: OpenLDAP configuration file

OpenLDAP uses the ldap.conf configuration file published by PADL Software. A typical ldap.conf file contains additional attributes, but only the following are relevant to the Data Mover. The VNX for File ignores irrelevant attributes. "ldap.conf file" on page 14 provides a detailed explanation.

```
# RFC2307bis naming contexts
# -> nss_base_xxx base?scope?filter
# scope is {base,one,sub}
nss_base_passwd   ou=people,dc=devldapdom1,dc=lcsc?one
nss_base_shadow   ou=people,dc=devldapdom1,dc=lcsc?one
nss_base_group    ou=group,dc=devldapdom1,dc=lcsc?one
nss_base_hosts    ou=hosts,dc=devldapdom1,dc=lcsc?one
nss_base_netgroup ou=netgroup,dc=devldapdom1,dc=lcsc?one

# attribute/objectclass mapping
# -> nss_map_attribute   rfc2307attribute   mapped_attribute
# -> nss_map_objectclass rfc2307objectclass mapped_objectclass
#
#nss_map_attribute   uid        username
#nss_map_attribute   gidnumber  gid
#nss_map_attribute   uidnumber  uid
#nss_map_objectclass posixgroup aixaccessgroup
#nss_map_attribute   cn         groupname

# OpenLDAP SSL mechanism
# "ssl start_tls" mechanism uses the normal LDAP port (389), "ssl on"
# (ldaps) uses port 636
ssl on
TLS_CIPHER_SUITE DHE:RSA:AES256:SHA
```

The ldap.conf file needs to be modified to suit your environment. The last two lines indicate whether SSL is used (ssl {on|off}) and the cipher suite (TLS_CIPHER_SUITE <cipher suite list>). LDAP over SSL does not support start_tls mode.
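Before pushing an edited ldap.conf to the Data Mover with server_file, it is worth checking the directives this appendix says the Data Mover actually reads: the nss_base_xxx base?scope?filter entries (scope is base, one or sub), the nss_map_* mappings (including the memberuid-to-DN mapping from "Using group membership with distinguished name syntax"), and ssl, which must be on or off because start_tls is not supported. The following is an added example, not EMC's parser; the sample file is constructed in the style of this appendix with two deliberate mistakes.

```python
"""Parse the ldap.conf directives the Data Mover reads (Appendix B) and flag
settings this document says it cannot use: an unknown search scope (only base,
one and sub are valid) and "ssl start_tls" (LDAP over SSL supports only
"ssl on", port 636, or "ssl off"). Also reports the memberuid-to-DN mapping
described under "Using group membership with distinguished name syntax".
Added example, not EMC's parser; the sample file is constructed in the style of
the appendix.
"""

VALID_SCOPES = {"base", "one", "sub"}
DN_MEMBER_ATTRIBUTES = {"member", "uniquemember"}  # AD and OpenLDAP DN-syntax member attributes

# Constructed ldap.conf with two deliberate mistakes (scope "tree", start_tls).
SAMPLE_LDAP_CONF = """\
# constructed ldap.conf in the style of Appendix B
nss_base_passwd   ou=people,dc=nasdocs,dc=emc?one
nss_base_group    ou=group,dc=nasdocs,dc=emc?sub
nss_base_netgroup ou=netgroup,dc=nasdocs,dc=emc?tree
nss_map_attribute memberuid uniquemember
nss_map_objectclass posixgroup groupOfUniqueNames
ssl start_tls
TLS_CIPHER_SUITE DHE:RSA:AES256:SHA
"""


def parse_ldap_conf(text):
    """Return (conf, warnings). conf holds the nss_base_* bases as
    service -> (base DN, scope, filter), the attribute and objectclass maps,
    and the ssl / TLS_CIPHER_SUITE settings."""
    conf = {"bases": {}, "attr_map": {}, "class_map": {}, "ssl": None, "cipher_suite": None}
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        key = key.lower()
        if key.startswith("nss_base_") and len(args) == 1:
            # nss_base_xxx base?scope?filter (scope and filter are optional)
            fields = (args[0].split("?") + [None, None])[:3]
            base, scope, search_filter = fields
            scope = scope.lower() if scope else None
            if scope is not None and scope not in VALID_SCOPES:
                warnings.append("line %d: unknown scope %r; scope is one of base, one, sub" % (lineno, scope))
            conf["bases"][key[len("nss_base_"):]] = (base, scope, search_filter or None)
        elif key == "nss_map_attribute" and len(args) == 2:
            conf["attr_map"][args[0].lower()] = args[1]
        elif key == "nss_map_objectclass" and len(args) == 2:
            conf["class_map"][args[0].lower()] = args[1]
        elif key == "ssl" and args:
            value = args[0].lower()
            if value == "start_tls":
                warnings.append("line %d: 'ssl start_tls' is not supported; use 'ssl on' (ldaps, port 636) or 'ssl off'" % lineno)
            elif value not in ("on", "off"):
                warnings.append("line %d: unexpected ssl value %r" % (lineno, value))
            conf["ssl"] = value
        elif key == "tls_cipher_suite" and args:
            conf["cipher_suite"] = args[0]
    return conf, warnings


def group_members_by_dn(conf):
    """True when memberuid is mapped to a DN-syntax attribute (AD 'member' or
    OpenLDAP 'uniquemember'), so group membership is not subject to AD's page size limit."""
    return conf["attr_map"].get("memberuid", "").lower() in DN_MEMBER_ATTRIBUTES


if __name__ == "__main__":
    settings, problems = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for service, (base, scope, _) in sorted(settings["bases"].items()):
        print("%-9s %s scope=%s" % (service, base, scope))
    print("members by DN:", group_members_by_dn(settings))
    for warning in problems:
        print("WARNING", warning)
```

The same function reads the IdMU and SFU templates in Appendices C and D, since they use only nss_base_*, nss_map_attribute and nss_map_objectclass directives.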

Appendix C: IdMU configuration file template

"ldap.conf file" on page 14 provides a detailed explanation.

```
# --------------------------------------------------------------------
# This template must be copied to /.etc/ldap.conf when the ldap
# server[s] used by the data mover is using MS Active Directory IdMU
# schema installed on Windows Server 2003 R2 or newer
# (like Windows Server 2008).
# *** This file was created by VNX OE for File. PLEASE DO NOT CHANGE THIS FILE. ***
# --------------------------------------------------------------------
# - The following setup fits the MS IdMU schema.
#   Adjustments may be required if a newer schema is used on the AD.
# - If several AD servers are declared to "server_ldap -set", they
#   should all use the same schema.
# - Adjustments are required to fit your specific AD configuration.
#   Please thoroughly review the following lines and adjust them
#   appropriately.
# - Once done, issue the following commands for the datamover to take
#   this new setup into account immediately:
#   - server_ldap server_n -clear
#   - server_ldap server_n -set [...]
# --------------------------------------------------------------------

# Containers
# Replace "dc=mydomain,dc=com" by your base DN.
# If you have a dedicated container for netgroups, replace
# "cn=netgroup,cn=mydomain,cn=defaultmigrationcontainer30" by
# the right DN.
nss_base_passwd   cn=users,dc=mydomain,dc=com?one
nss_base_group    cn=users,dc=mydomain,dc=com?one
nss_base_hosts    cn=computers,dc=mydomain,dc=com?one
nss_base_netgroup cn=netgroup,cn=mydomain,cn=defaultmigrationcontainer30,dc=mydomain,dc=com?one

# Objects
nss_map_objectclass posixaccount User
nss_map_objectclass posixgroup   Group
nss_map_objectclass iphost       Computer

# Attributes
nss_map_attribute userpassword  unixuserpassword
nss_map_attribute homedirectory unixhomedirectory

# eof
```

Note: Active Directory with IdMU also requires that cifs resolver be set so that user and group names are retrieved with a domain extension. Configuring VNX User Mapping describes how to set the cifs resolver parameter.

Appendix D: SFU 3.5 configuration file template

"ldap.conf file" on page 14 provides a detailed explanation.

```
# --------------------------------------------------------------------
# This template must be copied to /.etc/ldap.conf when the ldap
# server[s] used by the data mover is using MS Active Directory SFU
# schema installed on Windows Server 2003 R1 or newer.
# *** This file was created by VNX OE for File. PLEASE DO NOT CHANGE THIS FILE. ***
# --------------------------------------------------------------------
# - The following setup fits the MS SFU-3.5 schema.
#   Adjustments may be required if an older schema is used on the AD.
# - Netgroups are not supported with this schema. If netgroups are
#   required, please update to MS IdMU.
# - If several AD servers are declared to "server_ldap -set", they
#   should all use the same schema.
# - Adjustments are required to fit your specific AD configuration.
#   Please thoroughly review the following lines and adjust them
#   appropriately.
# - Once done, issue the following commands for the datamover to take
#   this new setup into account immediately:
#   - server_ldap server_n -clear
#   - server_ldap server_n -set [...]
# --------------------------------------------------------------------

# Containers
# Replace "dc=mydomain,dc=com" by your base DN.
nss_base_passwd cn=users,dc=mydomain,dc=com?one
nss_base_group  cn=users,dc=mydomain,dc=com?one
nss_base_hosts  cn=computers,dc=mydomain,dc=com?one

# Objects
nss_map_objectclass posixaccount User
nss_map_objectclass posixgroup   Group
nss_map_objectclass iphost       Computer

# Attributes
nss_map_attribute uid           mssfu30name
nss_map_attribute userpassword  mssfu30password
nss_map_attribute uidnumber     mssfu30uidnumber
nss_map_attribute gidnumber     mssfu30gidnumber
nss_map_attribute gecos         mssfu30gecos
nss_map_attribute homedirectory mssfu30homedirectory
nss_map_attribute loginshell    mssfu30loginshell
# nss_map_attribute memberuid   mssfu30memberuid
nss_map_attribute iphostnumber  mssfu30iphostnumber

# eof
```

Note: Active Directory with SFU also requires that cifs resolver be set so that user and group names are retrieved with a domain extension. Configuring VNX User Mapping describes how to set the cifs resolver parameter.

Appendix E: Examples of configuring a Data Mover as an LDAP-based directory service client

Connecting to iplanet using anonymous authentication

1. Configure the Data Mover to connect to iplanet. To specify that the iplanet service on server_2 uses the special client profile, vnx_profile, type:

```
$ server_ldap server_2 -set -domain nasdocs.emc.com -servers 172.16.21.10 -profile vnx_profile
```

2. Verify the configuration, including that the state is connected:

```
$ server_ldap server_2 -set -info -verbose
server_2 :
LDAP domain: nasdocs.emc.com
State: Configured - Connected
NIS domain: nsg
Profile Name: vnx_profile
Profile TTL: 3600 seconds
Next Profile update in 5 seconds
DIT schema type: SUN
Connected to LDAP server address: 172.16.21.10 - port 389
```

Connecting to OpenLDAP using simple password authentication

1. Copy the appropriate configuration file template:

```
$ server_file server_2 -get ldap.conf /nas/site/ldap.conf
```

2. Customize the ldap.conf file. Using a text editor, edit the ldap.conf.movername file to modify any entries:

```
$ vi ldap.conf
```

3. Save and then put the customized configuration file in the Data Mover's /.etc directory:

```
$ server_file server_2 -put /nas/site/ldap.conf ldap.conf
```

4. Clear the Data Mover's current LDAP configuration:

```
$ server_ldap server_2 -clear
```

5. Configure the Data Mover to connect to the OpenLDAP server:

```
$ server_ldap server_2 -set -p -basedn dc=nasdocs,dc=emc -servers 172.16.21.10 -binddn "cn=admin,cn=users,dc=nasdocs,dc=emc" -sslenabled y
server_2: Enter password: ******
done
```

6. Verify the configuration, including that the state is connected:

```
$ server_ldap server_2 -set -info -verbose
server_2 :
LDAP domain: nasdocs.emc.com
base DN: dc=nasdocs,dc=emc,dc=com
State: Configured - Connected
NIS domain: nasdocs.emc.com
No client profile nor config. file provided (using default setup)
DIT schema type: OPEN
Connected to LDAP server address: 172.16.21.10 - port 389
SSL enabled/disabled by Command line, cipher suites configured by default
```

Connecting to Active Directory with SFU using simple password authentication

1. Copy the appropriate configuration file template:

```
$ server_file server_2 -get ldap.conf.sfu35_template_v1 /nas/site/ldap.conf
```

2. Customize the ldap.conf file. Using a text editor, edit the ldap.conf.movername file to modify any entries. For example, if you are using Active Directory, edit the netgroups container:

```
$ vi ldap.conf
```

3. Save and then put the customized configuration file in the Data Mover's /.etc directory:

```
$ server_file server_2 -put /nas/site/ldap.conf ldap.conf
```

4. Clear the Data Mover's current LDAP configuration:

```
$ server_ldap server_2 -clear
```

5. Configure the Data Mover to connect to the Active Directory:

```
$ server_ldap server_2 -set -p -basedn dc=nasdocs,dc=emc -servers 172.16.21.10 -binddn "cn=admin,cn=users,dc=nasdocs,dc=emc" -sslenabled y
server_2: Enter password: ******
done
```

6. Verify the configuration, including that the state is connected:

```
$ server_ldap server_2 -set -info -verbose
server_2 :
LDAP domain: nasdocs.emc.com
base DN: dc=nasdocs,dc=emc,dc=com
State: Configured - Connected
NIS domain: nasdocs.emc.com
Proxy (Bind) DN: cn=administrator,cn=users,dc=nasdocs,dc=emc,dc=com
Configuration file - TTL: 1200 seconds
Next configuration update in 1196 seconds
DIT schema type: MS
Connected to LDAP server address: 172.16.21.10 - port 389
SSL not enabled, Persona: none specified, Cipher Suite List: none specified
```

7. Look up various information to verify operation:

```
$ server_ldap server_2 -lookup -netgroup ntg_name1
server_2: Unable to get information for Netgroup ntg_name1
```

Since netgroups are only supported by IdMU, this is the expected response.

Connecting to Active Directory with IdMU using Kerberos authentication

1. Copy the appropriate configuration file template:

```
$ server_file server_2 -get ldap.conf.idmu_template_v1 /nas/site/ldap.conf
```

2. Customize the ldap.conf file. Using a text editor, edit the ldap.conf.movername file to modify any entries. For example, if you are using Active Directory, edit the netgroups container:

```
$ vi ldap.conf
```

3. Save and then put the customized configuration file in the Data Mover's /.etc directory:

```
$ server_file server_2 -put /nas/site/ldap.conf ldap.conf
```

4. Clear the Data Mover's current LDAP configuration:

```
$ server_ldap server_2 -clear
```

5. Configure the Data Mover as a CIFS server by using the server_cifs command. Configuring and Managing CIFS on VNX describes this procedure.

6. Configure the Data Mover to connect to the Active Directory:

```
$ server_ldap server_2 -set -basedn dc=nasdocs,dc=emc -servers 172.16.21.10 -kerberos -kaccount cifs_compname$
server_2: done
```

7. Verify the configuration, including that the state is connected:

```
$ server_ldap server_2 -set -info -verbose
server_2 :
LDAP domain: nasdocs.emc.com
base DN: dc=nasdocs,dc=emc,dc=com
State: Configured - Connected
Configuration file - TTL: 1200 seconds
Next configuration update in 1194 seconds
DIT schema type: MS
LDAP configuration servers:
  Server 172.16.21.10 port 389 : Active, connected
SSL not enabled, Persona: none specified, Cipher Suite List: default
Kerberos enabled: kaccount cifs_compname$, realm nasdocs.emc.com, ldap server w2k3sfujlr
Domain naming contexts:
  DC=nasdocs,DC=emc,DC=com
  CN=Configuration,DC=nasdocs,DC=emc,DC=com
  CN=Schema,CN=Configuration,DC=nasdocs,DC=emc,DC=com
  DC=DomainDnsZones,DC=nasdocs,DC=emc,DC=com
  DC=ForestDnsZones,DC=nasdocs,DC=emc,DC=com
Domain supported LDAP controls:
  1.2.840.113556.1.4.319
  1.2.840.113556.1.4.801
  1.2.840.113556.1.4.473
  1.2.840.113556.1.4.528
  1.2.840.113556.1.4.417
  1.2.840.113556.1.4.619
  1.2.840.113556.1.4.841
  1.2.840.113556.1.4.529
  1.2.840.113556.1.4.805
  1.2.840.113556.1.4.521
  1.2.840.113556.1.4.970
  1.2.840.113556.1.4.1338
  1.2.840.113556.1.4.474
  1.2.840.113556.1.4.1339
  1.2.840.113556.1.4.1340
  1.2.840.113556.1.4.1413
  2.16.840.1.113730.3.4.9
  2.16.840.1.113730.3.4.10
  1.2.840.113556.1.4.1504
  1.2.840.113556.1.4.1852
  1.2.840.113556.1.4.802
  1.2.840.113556.1.4.1907
  1.2.840.113556.1.4.1948
Domain supported authentication mechanisms:
  GSSAPI
  GSS-SPNEGO
  EXTERNAL
  DIGEST-MD5
Default search base: dc=nasdocs,dc=emc,dc=com
Domain default search scope: ONE
passwd base DN: cn=users,dc=nasdocs,dc=emc,dc=com - search scope ONE
passwd object class: User
passwd attributes: cn, uid, uidnumber, gidnumber, unixuserpassword, loginshell, gecos, description
group base DN: cn=users,dc=nasdocs,dc=emc,dc=com - search scope ONE
group object class: Group
group attributes: cn, gidnumber, unixuserpassword, memberuid, description
hosts base DN: cn=computers,dc=nasdocs,dc=emc,dc=com - search scope ONE
host object class: Computer
host attributes: cn, iphostnumber, description
netgroup base DN: cn=netgroup,cn=nasdocs.emc.com,cn=defaultmigrationcontainer30,dc=nasdocs,dc=emc,dc=com - search scope ONE
netgroup object class: nisnetgroup
netgroup attributes: cn, nisnetgrouptriple, membernisnetgroup, description
```

Connecting to Active Directory with IdMU using SSL authentication

1. Copy the appropriate configuration file template:

```
$ server_file server_2 -get ldap.conf.idmu_template_v1 /nas/site/ldap.conf
```

2. Customize the ldap.conf file. Using a text editor, edit the ldap.conf.movername file to modify any entries. For example, if you are using Active Directory, edit the netgroups container:

```
$ vi ldap.conf
```

3. Save and then put the customized configuration file in the Data Mover's /.etc directory:

```
$ server_file server_2 -put /nas/site/ldap.conf ldap.conf
```

4. Clear the Data Mover's current LDAP configuration:

```
$ server_ldap server_2 -clear
```

5. Configure the Data Mover to connect to the Active Directory:

```
$ server_ldap server_2 -set -p -basedn dc=nasdocs,dc=emc -servers 172.16.21.10 -binddn "cn=admin,cn=users,dc=nasdocs,dc=emc" -sslenabled y
server_2: Enter password: ******
done
```

6. Verify the configuration, including that the state is connected:

```
$ server_ldap server_2 -set -info -verbose
server_2 :
LDAP domain: nasdocs.emc.com
base DN: dc=nasdocs,dc=emc,dc=com
State: Configured - Connected
NIS domain: nasdocs.emc.com
Proxy (Bind) DN: cn=administrator,cn=users,dc=nasdocs,dc=emc,dc=com
Configuration file - TTL: 1200 seconds
Next configuration update in 1196 seconds
DIT schema type: MS
Connected to LDAP server address: 172.16.21.10 - port 636
SSL enabled, Persona: none specified, Cipher Suite List: none specified
```

Index

A
Active Directory
  IdMU 14
  ldap.conf file 68, 69
  SFU 14
  Windows only 18
  with UNIX environment 12
authentication
  anonymous 16
  Kerberos 16
    configuring 29
  rules 17
  simple (password) 16
    configuring 28

C
CA, definition 7
Celerra Manager, using 6
Certificate Authority, definition 7
Certificate Authority Certificate, definition 7
certificate verification 17
CIFS, definition 7
client configuration profile, iplanet 13
client profile, using in iplanet 64
Common Internet File System, definition 7
configuration settings, taking effect immediately 48

D
directory server, definition 7
DNS
  clearing the DNS cache 44
  configuring 24
  definition 7, 8
  deleting server entries for 43
  deleting the configuration 43
  disabling service 45
  overview of 11
  setting protocol used with 44
  verifying configuration 43
  Windows domains and 12
domain
  definition 7
  Windows, and DNS 12
Domain Name System, definition 7

F
File Transfer Protocol, definition 7
FTP, definition 7

G
group file
  format 21
  overview of 11

H
hosts file
  format 21
  overview of 11

I
Identity Management for UNIX. See IdMU
IdMU
  configuration example
    using Kerberos authentication 73
    using SSL authentication 76
  configuration file template 68
  definition 7
iplanet 12
  authentication 16
  client configuration profile 13
  client profile attributes 64
  configuration example 70
  configuring client profile 34
  definition of 8

K
Kerberos authentication 16
  configuring 29

L
LDAP, definition 8
ldap.conf file 14, 67, 68, 69
LDAP-based directories
  authentication 16
    anonymous 16
    Kerberos 16
    simple (password) 16
    SSL 17
  configuring 25
    Kerberos authentication 29
    NIS domain 37
    simple (password) authentication 28
  definition 8
  deleting configuration 47
  disabling service 48
  displaying configuration information 47
  looking up information
    by GID 53
    by groupname 52
    by hostname 53
    by netgroup 54
    by UID 52
    by user 51
  overview of 12
  structure 13
  troubleshooting using -info -verbose 57
  verifying configuration status 46
local files
  configuring 20
  overview of 11
  verifying contents 40

M
Microsoft Windows Services for UNIX. See SFU

N
netgroups file
  definition 8
  format 21
  overview of 11
Network File System, definition 8
Network Information Service, definition 8
NFS, definition 8
NFS file systems
  exporting to netgroups, required schema file changes 59
NIS
  configuring 23
  definition 8
  deleting configuration 42
  displaying the configuration 41
  overview of 11
  verifying configuration status 42
NIS+ 6
nsswitch.conf file, using 19, 38

O
OpenLDAP 12
  authentication 16
  configuration example 71
  definition 8
  ldap.conf file 67

P
passwd file
  format 20
  overview of 11
persona, definition 8
PKI, definition 8
Public Key Infrastructure, definition 8

S
schema file changes, NFS file system export to netgroups 59
search order, on Data Movers 10
Secure Socket Layer, definition 8
server_file command, use of 20
SFU
  configuration example 72
  configuration file template 69
  definition 8
SSL
  authentication 17
  ciphers, specifying 33
  definition 8
  persona, specifying 32
Sun Java System Directory Server
  definition of 8
Sun Java System Directory Server. See iplanet

T
TLS, definition 8
Transport Layer Security, definition 8

W
Windows 2000 or Windows Server 2003 domain, definition 8
Windows Internet Naming Service, definition 8
Windows NT domain, definition 9
WINS
  configuring, for CIFS servers 18
  definition 8

Notes 79 of 80

About this document

As part of its effort to continuously improve and enhance the performance and capabilities of the Celerra Network Server product line, EMC periodically releases new versions of Celerra hardware and software. Therefore, some functions described in this document may not be supported by all versions of Celerra software or hardware presently in use. For the most up-to-date information on product features, see your product release notes. If your Celerra system does not offer a function described in this document, contact your EMC Customer Support Representative for a hardware upgrade or software update.

Comments and suggestions about documentation

Your suggestions will help us improve the accuracy, organization, and overall quality of the user documentation. Send a message to techpubcomments@emc.com with your opinions of this document.

Copyright 1998-2011 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date regulatory document for your product line, go to the Technical Documentation and Advisories section on EMC Powerlink. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners.
