
OnTap + LDAP (Active Directory) help needed

I am trying to authenticate a FAS6040 with OnTap 8.0 against the LDAP interface of Active Directory (i.e. without CIFS).

So far I can connect to the LDAP server and query records (getXXbyYY) but the records I get back are missing all supplemental groups (memberOf in Active Directory).

What do I have to map to get access to the supplemental groups so I can add the right users to the correct roles?

Any help would be greatly appreciated.

Thanks

Christian

This is my LDAP configuration:

ldap.ADdomain            
ldap.base                    dc=mydomain,dc=local
ldap.base.group              dc=mydomain,dc=local
ldap.base.netgroup                  
ldap.base.passwd             dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)
ldap.enable                  on     
ldap.minimum_bind_level      anonymous
ldap.name                   myLDAPuser
ldap.nssmap.attribute.gecos  cn     
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname memberOf
ldap.nssmap.attribute.homeDirectory unixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn     
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid    sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount User   
ldap.nssmap.objectClass.posixGroup Group  
ldap.passwd                  myPassword
ldap.port                    389    
ldap.servers                 my.ldap.server
ldap.servers.preferred              
ldap.ssl.enable              off    
ldap.timeout                 20     
ldap.usermap.attribute.unixaccount unixaccount
ldap.usermap.attribute.windowsaccount windowsaccount
ldap.usermap.base                   
ldap.usermap.enable          on     

Re: OnTap + LDAP (Active Directory) help needed

Hello,

Are you sure this is right?: ldap.base.passwd dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)

I am no expert on this, but objectCategory=Group? This is not the group LDAP setting, but the passwd entry. Or is this some trick I do not know about?

Greetings .. Richard

Re: OnTap + LDAP (Active Directory) help needed

You are correct, that was supposed to go into group, not passwd and I corrected it after posting this.

Alas, it does not make a difference, even when set in ldap.base.group. It works for our Linux hosts; that's why I tried it on the NetApp.

Thanks

Christian

Re: OnTap + LDAP (Active Directory) help needed

Hi,

Can you explain something to me?

dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)

Why do you put ?sub?&(objectCategory=Group) (gidnumber=*)

behind your scope? I am currently having some LDAP performance issues, and this could help me.

Where did you find this information ?

Greetings .. Richard

OnTap + LDAP (Active Directory) help needed

I don't know if this has been resolved, but just in case you may want to check this post

http://communities.netapp.com/thread/16160

The resolution boils down to

- bug 314631 (see https://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=314631)

- set the following hidden option:

ldap.skip_cn_unescape.enable on

OnTap + LDAP (Active Directory) help needed

Had a similar problem, and it came down to sAMAccountName having title caps for some (but not all) users in AD.  It appears that OnTap searches for secondary groups by using whatever it receives back from "ldap.nssmap.attribute.uid" and looks in the attribute "ldap.nssmap.attribute.memberUid" within group objects. In my AD, this attribute only included all lower case names (so searches with title caps were failing).  I changed "ldap.nssmap.attribute.uid" to msSFU30Name which solved my problem.  However, you may or may not have this attribute depending on how you expanded your schema.  Either way, find an attribute in your user objects that always matches the case of the attribute memberUid in your group objects.
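Two points the thread leaves open can be worked through offline: Richard's question about what the "?sub?&(objectCategory=Group) (gidnumber=*)" suffix on ldap.base.group does, and the last poster's observation that the secondary-group lookup takes whatever the uid attribute returns and searches group objects for an exactly matching memberUid. The Python below is an added example, not code from this thread or from NetApp. It assumes that ldap.base.group accepts the nss_ldap-style "base?scope?filter" form (the form the original poster says works on his Linux hosts), that the lookup runs in the order the last post describes, and that memberUid compares case-exact (RFC 2307 defines it with EQUALITY caseExactIA5Match) while sAMAccountName, cn and msSFU30Name compare case-insensitively as AD does. The directory entries, group names and the John.Smith account are constructed sample data, and objectCategory is shortened to its RDN rather than the full schema DN AD stores.

```python
# Offline model of the two lookups this thread turns on: the "base?scope?filter"
# search-base syntax Richard asked about, and the supplemental-group lookup the
# last poster describes. Constructed sample data; an assumption, not ONTAP code.
import re

# RFC 2307 defines memberUid with EQUALITY caseExactIA5Match, so (memberUid=John.Smith)
# never matches a stored "john.smith"; sAMAccountName, cn etc. match case-insensitively.
CASE_EXACT = {"memberuid"}

OPTIONS = {  # values from the post; the uid attribute is swapped in the usage note
    "ldap.base.group": "dc=mydomain,dc=local?sub?&(objectCategory=Group) (gidNumber=*)",
    "ldap.nssmap.attribute.uid": "sAMAccountName",
    "ldap.nssmap.attribute.memberUid": "memberUid",
}

DIRECTORY = [  # constructed AD snapshot; objectCategory shortened to its RDN
    {"dn": "cn=John Smith,cn=Users,dc=mydomain,dc=local", "objectCategory": ["Person"],
     "sAMAccountName": ["John.Smith"], "msSFU30Name": ["john.smith"], "uidNumber": ["10001"]},
    {"dn": "cn=linuxadmins,cn=Users,dc=mydomain,dc=local", "objectCategory": ["Group"],
     "cn": ["linuxadmins"], "gidNumber": ["5000"], "memberUid": ["john.smith", "bob"]},
    {"dn": "cn=backup,cn=Users,dc=mydomain,dc=local", "objectCategory": ["Group"],
     "cn": ["backup"], "gidNumber": ["5001"], "memberUid": ["john.smith"]},
    {"dn": "cn=Domain Users,cn=Users,dc=mydomain,dc=local", "objectCategory": ["Group"],
     "cn": ["Domain Users"], "memberUid": ["john.smith"]},  # no gidNumber: filtered out
]

def parse_search_base(value):
    """Split 'base?scope?filter'; scope defaults to 'sub', a bare filter gets its outer parens."""
    parts = [p.strip() for p in value.split("?", 2)]
    base, scope = parts[0], (parts[1] if len(parts) > 1 and parts[1] else "sub")
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub, got %r" % scope)
    filt = re.sub(r"\)\s+\(", ")(", parts[2]) if len(parts) > 2 and parts[2] else None
    if filt and not filt.startswith("("):
        filt = "(" + filt + ")"
    return base, scope, filt

def escape_value(value):
    """RFC 4515 escaping so a login name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _attr(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names ignore case)."""
    return next((list(v) for k, v in entry.items() if k.lower() == name.lower()), [])

def _parse_filter(s):
    """Recursive-descent parser for (&..), (|..), (attr=value) and (attr=*)."""
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s)
    if s[1] in "&|":
        op, s, kids = s[1], s[2:], []
        while s.startswith("("):
            kid, s = _parse_filter(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter near %r" % s)
        return (op, kids), s[1:]
    end = s.index(")")
    attr, _, val = s[1:end].partition("=")
    return ("=", attr.strip().lower(), val), s[end + 1:]

def _eval(entry, node):
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(_eval(entry, k) for k in node[1])
    _, attr, raw = node
    values = _attr(entry, attr)
    if raw == "*":                                   # presence test
        return bool(values)
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return val in values if attr in CASE_EXACT else val.lower() in [v.lower() for v in values]

def match_filter(entry, filt):
    node, rest = _parse_filter(filt)
    if rest: raise ValueError("trailing text after filter: %r" % rest)
    return _eval(entry, node)

def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope != "one"                        # base and sub include the base entry
    if scope == "base" or not dn.endswith("," + base):
        return False
    above = dn[: -(len(base) + 1)]                   # RDNs between the entry and the base
    return scope == "sub" or "," not in above

def supplemental_groups(directory, options, login):
    """Find the user by ldap.nssmap.attribute.uid, take the value the directory
    returns for it, then search groups under ldap.base.group for memberUid == that
    value (case-exact). Returns None for an unknown user, else sorted group names."""
    uid_attr = options["ldap.nssmap.attribute.uid"]
    member_attr = options["ldap.nssmap.attribute.memberUid"]
    user_filter = "(%s=%s)" % (uid_attr, escape_value(login))
    user = next((e for e in directory if match_filter(e, user_filter)), None)
    if user is None:
        return None
    key = _attr(user, uid_attr)[0]                   # the stored value, not the login as typed
    base, scope, filt = parse_search_base(options["ldap.base.group"])
    group_filter = "(%s=%s)" % (member_attr, escape_value(key))
    return sorted(_attr(e, "cn")[0] for e in directory
                  if in_scope(e["dn"], base, scope)
                  and (filt is None or match_filter(e, filt))
                  and match_filter(e, group_filter))
```

With the posted setting (uid attribute sAMAccountName, stored as "John.Smith"), supplemental_groups(DIRECTORY, OPTIONS, "john.smith") returns an empty list even though the user is listed in two groups, because the stored value is fed into a case-exact memberUid search. Switching the uid attribute to msSFU30Name, whose value in the sample is all lower case, returns ['backup', 'linuxadmins']. "Domain Users" is dropped by the (gidNumber=*) term of the filter, which is what the suffix Richard asked about does: it narrows the group search to objects that actually carry POSIX attributes instead of every group under the base.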