
LDAP

We are having a slight problem with group permissions on shared CIFS volumes. We are using LDAP for authentication for our Linux users, but we also use Windows machines and want to allow access to shared resources, e.g. project directories (qtrees with security style unix on the NetApp).


The userid mapping between Linux and Windows works fine, as below:

diag secd authentication show-creds -node netapp1 -vserver svm_nas_04 -unix-user-name marg

UNIX UID: marg <> Windows User: AD\marg (Domain User)


If we have a qtree shared as a project directory, psa:
92305782 drwxrws--- 18 ad67 psa 4096 Aug 14 10:26 psa


The user ad67 should have access to it, along with any member of the psa user group. This all works correctly with Linux, but in Windows the user marg (a member of the psa user group) is denied access.

In the secd log:


00000011.00459fd7 03f88bde Thu Sep 10 2015 13:30:22 +01:00 [kern_secd:info:4225] | [000.006.633] debug: Searching LDAP for the "uid" attribute(s) within base "ou=People,dc=nisdb,dc=ourdom" (scope: 2) using filter: (&(objectClass=posixAccount)(windowsAccount=ad\5cmarg)) { in searchLdap() at utils/secd_ldap_utils.cpp:280 }

00000011.00459fd8 03f88bde Thu Sep 10 2015 13:30:22 +01:00 [kern_secd:info:4225] | [000.008.445] debug: Could not find IDs for local unix user marg for vserver 7 { in getIdsFromUserName() at authorization/secd_local_unix_authorization.cpp:154 }


So NetApp is using the LDAP attribute 'windowsAccount' to authenticate even though the security style is set to unix, which is surprising, but explains why authentication fails, as our OpenLDAP schema does not include the windowsAccount attribute.


On our NetApp it is part of the schema:


services ldap client schema show -vserver svm_nas_04 -instance -schema OUR-TEMPLATE

Vserver: svm_nas_04
Schema Template: OUR-TEMPLATE
Comment:
<snip>
    RFC 2307 nisNetgroupTriple Attribute: nisNetgroupTriple
   ONTAP Name Mapping windowsAccount Attribute: windowsAccount
    Vserver Owns Schema: false
<snip>


So, if we add this attribute to our LDAP schema and populate it, this should work (I think).

My questions are:


1) Have I missed anything?

2) Can NetApp's LDAP query be set to use
(&(objectClass=posixAccount)(uid=marg))
or
(&(objectClass=posixAccount)(uidNumber=10400))
as query strings?

3) Where can we get a template definition of the windowsAccount attribute?
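The lookup the secd log shows, as an added example (not code from the post or from NetApp): it reproduces the RFC 4515 filter escaping that turns AD\marg into ad\5cmarg, and audits posixAccount entries for a missing or mismatched windowsAccount value, the condition behind the "Could not find IDs" error above. The sample entries, the domain name AD and the expected DOMAIN\uid form are constructed assumptions.

```python
# Added example (not from the post or NetApp): rebuild the RFC 4515 filter
# ONTAP logged and audit posixAccount entries for the windowsAccount mapping.
from typing import Dict, List

# RFC 4515 escapes for filter values; "\" -> "\5c" is why the log shows ad\5cmarg.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ontap_mapping_filter(domain: str, user: str, attr: str = "windowsAccount") -> str:
    """Build the lookup filter the secd log shows for DOMAIN\\user."""
    value = escape_filter_value(f"{domain}\\{user}")
    return f"(&(objectClass=posixAccount)({attr}={value}))"


def audit_windows_mapping(entries: List[Dict[str, List[str]]], domain: str) -> Dict[str, str]:
    """Return uid -> problem for posixAccount entries whose windowsAccount is
    missing (the poster's case: ONTAP cannot map the Windows user) or does not
    match the assumed DOMAIN\\uid form (compared case-insensitively)."""
    report: Dict[str, str] = {}
    for entry in entries:
        if "posixAccount" not in entry.get("objectClass", []):
            continue
        uid = entry["uid"][0]
        expected = f"{domain}\\{uid}"
        values = entry.get("windowsAccount", [])
        if not values:
            report[uid] = "missing windowsAccount"
        elif values[0].lower() != expected.lower():
            report[uid] = f"windowsAccount is {values[0]!r}, expected {expected!r}"
    return report


# Constructed sample entries (not the poster's directory), in the decoded
# attribute -> values shape a client library such as python-ldap returns.
SAMPLE_ENTRIES = [
    {"objectClass": ["posixAccount"], "uid": ["marg"], "uidNumber": ["10400"]},
    {"objectClass": ["posixAccount"], "uid": ["ad67"], "uidNumber": ["10401"],
     "windowsAccount": ["AD\\ad67"]},
    {"objectClass": ["posixAccount"], "uid": ["bob"], "uidNumber": ["10402"],
     "windowsAccount": ["AD\\robert"]},
    {"objectClass": ["posixGroup"], "cn": ["psa"], "gidNumber": ["5000"]},
]

if __name__ == "__main__":
    print(ontap_mapping_filter("ad", "marg"))
    for uid, problem in audit_windows_mapping(SAMPLE_ENTRIES, "AD").items():
        print(f"{uid}: {problem}")
```

Run against a real export, the audit lists every Linux account a Windows user will be denied on, so the attribute can be populated before the CIFS shares depend on it.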