Subscribe
Accepted Solution

active directory/ldap user mapping problem

Hi,

I have a windows 2008 R2 server with UNIX user role feature installed. I have configured my netapp running OS 7.3.5 to use it as the LDAP backend.

I have joined the Netapp to the domain. I was able to find the users from NetApp using getXXbyYY getpwbyname_r and getXXbyYY getpwbyuid_r.

If I run wcc -u username, it gets back the correct NT - UNIX pair.

If I run wcc -s username, it fails to get back the correct account pairs, and returns the UNIX uid =0 as the matching user.

Here is my ldap options, what can be wrong? Where shall I future debug?

ldap.ADdomain                company.com

ldap.base                    dc=company,dc=com

ldap.base.group              dc=company,dc=com

ldap.base.netgroup                     

ldap.base.passwd             dc=company,dc=com

ldap.enable                  on        

ldap.minimum_bind_level      simple    

ldap.name                    CN=ldapuserxxx,CN=Users,DC=company,DC=com

ldap.nssmap.attribute.gecos  name      

ldap.nssmap.attribute.gidNumber gidNumber 

ldap.nssmap.attribute.groupname cn        

ldap.nssmap.attribute.homeDirectory unixHomeDirectory

ldap.nssmap.attribute.loginShell loginShell

ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup

ldap.nssmap.attribute.memberUid memberUid 

ldap.nssmap.attribute.netgroupname name      

ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple

ldap.nssmap.attribute.uid    msSFU30Name

ldap.nssmap.attribute.uidNumber uidNumber 

ldap.nssmap.attribute.userPassword userPassword

ldap.nssmap.objectClass.nisNetgroup nisNetgroup

ldap.nssmap.objectClass.posixAccount User      

ldap.nssmap.objectClass.posixGroup Group     

ldap.passwd                  ******    

ldap.port                    636       

ldap.rfc2307bis.enable       off       

ldap.security.level          0         

ldap.servers                 controller2.company.com

ldap.servers.preferred                 

ldap.ssl.enable              on        

ldap.timeout                 20        

ldap.usermap.attribute.unixaccount gecos     

ldap.usermap.attribute.windowsaccount msSFU30Gecos

ldap.usermap.base            dc=company,dc=com

ldap.usermap.enable          on        

ldap.usermap.symmetriclookup no        

ldap.usermap.windows-to-unix.attribute sAMAccountName

ldap.usermap.windows-to-unix.objectClass User      

Re: active directory/ldap user mapping problem

Hi,

You may check your usermap file to find out the mapping of unix user to windows user  and vice versa.

>rdfile /etc/usermap.cfg

also you can check the values of the following options:

wafl.nt_admin_priv_map_to_root

wafl.default_unix_user

Thanks,

Pragya

Re: active directory/ldap user mapping problem

I was hoping that I do not have to use the usermap.cfg file. Is there a way to "debug" why it could convert unix->windows, but failed windows->unix?

netapp1*> rdfile /etc/usermap.cfg

#

# These are some sample "defensive" entries you may wish to use.

# They can be uncommented and placed as needed. See the System

# Administrator's Guide for a full description of this file.

#

# *\root => nobody        # Map all NT users named "root" to have no

#                         # UNIX perms. They can still log in though.

#

# guest <= administrator  # Map UNIX user "administrator" to NT guest.

# guest <= root           # Map UNIX root user to guest. This should be

#                         # placed after any real "root" mappings.

#

# The next two mappings can be used to defeat the default mapping of

# the user names. That way only entries that are mapped previously in

# this file will be allowed.

#

# *\* => ""               # Map all other NT requests to fail.

# "" <= *                 # Map all other UNIX requests to fail.

#

# The pound sign "#" is used as a comment character in map entries. The

# next three mappings show how to handle an NT user name which includes

# a pound sign. The name must be quoted. If the user account contains

# both domain and name, the username must be quoted separately.

#

# "#jdoe" => joed             # Map NT user #jdoe to UNIX user joed.

# NTDOM\"#jdoe" <= joed       # Map UNIX user joed to NT user NTDOM\#jdoe.

# "nt-domain\#jdoe" <= joed   # BAD, won't work.

#

netapp1*> options wafl.nt_admin_priv_map_to_root

wafl.nt_admin_priv_map_to_root on        

netapp1*> options wafl.default_unix_user

wafl.default_unix_user       pcuser    

netapp1*>

Re: active directory/ldap user mapping problem

I have manually added entry pairs like

*\username => username

to the usermap.cfg file but still can not mapping an Windows users to UNIX.

Re: active directory/ldap user mapping problem

It was

wafl.nt_admin_priv_map_to_root