topic active directory/ldap user mapping problem in ONTAP Discussions

active directory/ldap user mapping problem

wyyang2007 — Thu, 05 Jun 2025 06:40:07 GMT

Hi,

I have a windows 2008 R2 server with UNIX user role feature installed. I have configured my netapp running OS 7.3.5 to use it as the LDAP backend.

I have joined the Netapp to the domain. I was able to find the users from NetApp using getXXbyYY getpwbyname_r and getXXbyYY getpwbyuid_r.

If I run wcc -u username, it gets back the correct NT - UNIX pair.

If I run wcc -s username, it fails to get back the correct account pairs, and returns the UNIX uid =0 as the matching user.

Here is my ldap options, what can be wrong? Where shall I future debug?

ldap.ADdomain company.com

ldap.base dc=company,dc=com

ldap.base.group dc=company,dc=com

ldap.base.netgroup

ldap.base.passwd dc=company,dc=com

ldap.enable on

ldap.minimum_bind_level simple

ldap.name CN=ldapuserxxx,CN=Users,DC=company,DC=com

ldap.nssmap.attribute.gecos name

ldap.nssmap.attribute.gidNumber gidNumber

ldap.nssmap.attribute.groupname cn

ldap.nssmap.attribute.homeDirectory unixHomeDirectory

ldap.nssmap.attribute.loginShell loginShell

ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup

ldap.nssmap.attribute.memberUid memberUid

ldap.nssmap.attribute.netgroupname name

ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple

ldap.nssmap.attribute.uid msSFU30Name

ldap.nssmap.attribute.uidNumber uidNumber

ldap.nssmap.attribute.userPassword userPassword

ldap.nssmap.objectClass.nisNetgroup nisNetgroup

ldap.nssmap.objectClass.posixAccount User

ldap.nssmap.objectClass.posixGroup Group

ldap.passwd ******

ldap.port 636

ldap.rfc2307bis.enable off

ldap.security.level 0

ldap.servers controller2.company.com

ldap.servers.preferred

ldap.ssl.enable on

ldap.timeout 20

ldap.usermap.attribute.unixaccount gecos

ldap.usermap.attribute.windowsaccount msSFU30Gecos

ldap.usermap.base dc=company,dc=com

ldap.usermap.enable on

ldap.usermap.symmetriclookup no

ldap.usermap.windows-to-unix.attribute sAMAccountName

ldap.usermap.windows-to-unix.objectClass User

Re: active directory/ldap user mapping problem

pagrawal — Wed, 07 Dec 2011 08:17:27 GMT

Hi,

You may check your usermap file to find out the mapping of unix user to windows user and vice versa.

>rdfile /etc/usermap.cfg

also you can check the values of the following options:

wafl.nt_admin_priv_map_to_root

wafl.default_unix_user

Thanks,

Pragya

Re: active directory/ldap user mapping problem

wyyang2007 — Wed, 07 Dec 2011 14:36:29 GMT

I was hoping that I do not have to use the usermap.cfg file. Is there a way to "debug" why it could convert unix->windows, but failed windows->unix?

netapp1*> rdfile /etc/usermap.cfg

# These are some sample "defensive" entries you may wish to use.

# They can be uncommented and placed as needed. See the System

# Administrator's Guide for a full description of this file.

# *\root => nobody # Map all NT users named "root" to have no

# # UNIX perms. They can still log in though.

# guest <= administrator # Map UNIX user "administrator" to NT guest.

# guest <= root # Map UNIX root user to guest. This should be

# # placed after any real "root" mappings.

# The next two mappings can be used to defeat the default mapping of

# the user names. That way only entries that are mapped previously in

# this file will be allowed.

# *\* => "" # Map all other NT requests to fail.

# "" <= * # Map all other UNIX requests to fail.

# The pound sign "#" is used as a comment character in map entries. The

# next three mappings show how to handle an NT user name which includes

# a pound sign. The name must be quoted. If the user account contains

# both domain and name, the username must be quoted separately.

# "#jdoe" => joed # Map NT user #jdoe to UNIX user joed.

# NTDOM\"#jdoe" <= joed # Map UNIX user joed to NT user NTDOM\#jdoe.

# "nt-domain\#jdoe" <= joed # BAD, won't work.

netapp1*> options wafl.nt_admin_priv_map_to_root

wafl.nt_admin_priv_map_to_root on

netapp1*> options wafl.default_unix_user

wafl.default_unix_user pcuser

netapp1*>

Re: active directory/ldap user mapping problem

wyyang2007 — Wed, 07 Dec 2011 19:58:34 GMT

I have manually added entry pairs like

*\username => username

to the usermap.cfg file but still can not mapping an Windows users to UNIX.

Re: active directory/ldap user mapping problem

wyyang2007 — Wed, 07 Dec 2011 22:57:42 GMT

It was

wafl.nt_admin_priv_map_to_root