In the latest ONTAP releases (6.5 and subsequent) you can use LDAP for authentication with support for encrypted passwords (Kerberos v5). You have to set up a KDC (Kerberos) server, either using a Windows AD server or a Unix-like one.

But you have to note the following: if your filer is in a workgroup, there is a good chance you will be unable to encrypt passwords. As far as I know, NetApp always uses cleartext passwords when authenticating in a workgroup.

In a way, you can understand this: a hashed password is not so hard to crack; you can run an engine generating hashes that stops when the hash matches, and deduce the password from that. This is why real security solutions include not only encryption but also authentication, in order to be sure who is who, and this is only possible in a domain (Unix or Windows) with an authoritative server. Using either a Unix or Windows KDC domain, you would be able to authenticate Windows clients (they might have to mount the filer with a utility like pcnfs).

Ref: NFS Kerberos security (KDC server): http://now.netapp.com/AskNOW/highlight_html.jsp?url=http%3A%2F%2Fnow.netapp....
hth
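The "engine generating hashes" argument in the reply above, as an added worked example that is not part of the original thread. OpenLDAP stores userPassword as {SSHA} (salted SHA-1: base64 of digest followed by salt), so the code builds such a value for a constructed password, verifies it the way the server would, and then runs a constructed wordlist against it to show that a stored hash only slows down whoever has read it. The password, salt and wordlist are made up for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

PREFIX = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value.

    Layout is base64(SHA1(password || salt) || salt). OpenLDAP's slappasswd
    uses a random 4-byte salt, which is the default here as well.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    The salt is recovered from the stored value itself, so anyone who can
    read the attribute has everything needed to test guesses offline.
    """
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} userPassword value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each guess with the stored salt and stop at the first match."""
    for guess in wordlist:
        if ssha_verify(guess, stored):
            return guess
    return None


# Constructed sample data (not real credentials): a fixed salt so the
# entry is reproducible, and a tiny wordlist standing in for a dictionary.
SAMPLE_SALT = b"\x7f\x01\xaa\x10"
SAMPLE_USERPASSWORD = ssha_hash("filer760", salt=SAMPLE_SALT)
SAMPLE_WORDLIST = ["password", "netapp", "openldap", "filer760", "workgroup"]

if __name__ == "__main__":
    print("userPassword:", SAMPLE_USERPASSWORD)
    print("verify correct:", ssha_verify("filer760", SAMPLE_USERPASSWORD))
    print("verify wrong:", ssha_verify("Filer760", SAMPLE_USERPASSWORD))
    print("recovered:", dictionary_attack(SAMPLE_USERPASSWORD, SAMPLE_WORDLIST))
```

The salt only defeats precomputed tables; it does nothing against guessing once the attribute has been read, which is why the directory ACL on userPassword and an authentication protocol that never ships the secret or its hash over the wire matter more than the choice of hash.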
Jerry wrote:
Hashed passwords can be stored in LDAP; however, I'm not sure if the filer can handle it (I assume it can). Also, I've seen some instances where Unix machines got their passwords from Kerberos via AD; again, I'm not sure if the filer supports it.

In my opinion, Unix (and Unix-like OSs) is lagging in this area. I find it incredibly annoying that Windows has done a better job using AD with multi-master (rw) directories and well-developed replication procedures, and LDAP has lagged behind. Ever try setting up LDAP over SSL? Good luck, annoying. Now try authenticating your Unixes to it. Geez.

Many people have the problem you are describing, IMHO. Let me know if you find a good solution.
--- Matt Bailey mbailey@gridapp.com wrote:
We have a 760 and are using an OpenLDAP database for authentication of CIFS clients. It only seems to work when the passwords are stored as cleartext. This is an unacceptable security risk. It is disturbing enough to pass cleartext passwords over the network. The /etc/passwd file should store DES-hashed passwords, so I was hoping that hashed passwords could be stored in LDAP. We are running in a workgroup with some Windows XP Home Edition machines, so NT Domain and AD authentication are no good to us. Anyone else have this problem?