Unsolved
This post is more than 5 years old
157 Posts
0
547
connecting to AD with SFU using SSL
Trying to understand if to use a CIFS server account to connect to AD using the -kaccount and only -basedn precludes the use of -sslenabled "y". I doubt it does but I don't see anywhere in the Naming Services doc as far as how to set the LDAP connection so that the server talks over 636 instead of 389.
Here is the command.
server_ldap server_2 -set -basedn dc=our,dc=domain,dc=com -sslenabled y -servers ourdcs -kerberos -kaccount ourcifsbox$
This command completes but cannot get connected. I've imported our certs using the server_certificate command but it makes no difference. If I connect with ssl disabled, it connects just fine.
Does ldap.conf need to be configured specifically for SSL? Or, does server_certificate all those imported certs to be used for LDAPS /NFSv4 -securenfs?
thanks!
SAMEERK1
296 Posts
0
March 7th, 2012 02:00
please check this primus article from powerlink : emc231825
hope this helps
Sameer Kulkarni
downhill2
157 Posts
0
March 7th, 2012 05:00
Nope, NTP is working everywhere. It has been suggested to me that "sslenabled y" is not necessary when using kaccount (kerberos) since kerberos by it's nature is encrypted auth. But, I cannot seem to find any documentation which specifically calls this out with regards to how this works with Celerra. It just seems odd to me that the process of connecting to AD using an "LDAP" command clearly uses port 389 according to the tcpdump, works fine, but when forcing it to use 636 fails.
To be clear, the only reason we are using the kerberos option is to be able to export shares using "sec=krbp5", of which there is very minimal documentation around what the real requirements are to do such a thing.
thanks for the tip though.