Greetings,
We have been able to follow TR-4835 to get our ONTAP cluster to successfully connect to FreeIPA LDAP using a simple bind in order to allow ldap users administer the cluster via ssh, and http. However using simple bind in production real world is not a feasible solution in regards to security of user passwords, so we must use SASL and or Kerberos bind to protect the user passwords and comply with IT security.
We have setup our FreeIPA IdM to support kerberos, and verified that we can connect to the LDAP server using Apache Directory Studio with the Authentication set to Kerberos GSSAPI, providing the kerberos Realm, and KDC host / port.
Using the same principle name in the ONTAP client configuration we are getting an invalid credentials error, but I suspect that isn't from the kerberos auth because we haven't specified a realm, kdc server or port.
So next we tried to create a kerberos realm in ONTAP however there does not seem to be possible because the vserver is a cluster and not a data vserver
Do we need a data vserver to achieve our goal, even if NFS is not something we need just yet?