topic Re: LDAP Configuration Problem in Network and Storage Protocols

LDAP Configuration Problem

JOSHBAIRD — Thu, 05 Jun 2025 06:14:51 GMT

Hi,

I'm attempting to configure LDAP on v8.0.1P4. This Filer is already joined to a domain using "cifssetup," but I need to configure LDAP to read from our Active Directory for NFS purposes. Here is my LDAP config:

ldap.ADdomain na.domain.lan

ldap.base dc=na,dc=domain,dc=lan

ldap.base.group dc=na,dc=domain,dc=lan

ldap.base.netgroup

ldap.base.passwd dc=na,dc=domain,dc=lan

ldap.enable on

ldap.minimum_bind_level simple

ldap.name CN=NetAppServiceAccount,OU=CRP,OU=Administration,DC=na,DC=domain,DC=lan

ldap.nssmap.attribute.gecos name

ldap.nssmap.attribute.gidNumber gidNumber

ldap.nssmap.attribute.groupname cn

ldap.nssmap.attribute.homeDirectory homeDirectory

ldap.nssmap.attribute.loginShell loginShell

ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup

ldap.nssmap.attribute.memberUid memberUid

ldap.nssmap.attribute.netgroupname cn

ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple

ldap.nssmap.attribute.uid uid

ldap.nssmap.attribute.uidNumber uidNumber

ldap.nssmap.attribute.userPassword userPassword

ldap.nssmap.objectClass.nisNetgroup nisNetgroup

ldap.nssmap.objectClass.posixAccount posixAccount

ldap.nssmap.objectClass.posixGroup posixGroup

ldap.passwd ******

ldap.port 389

ldap.servers

ldap.servers.preferred

ldap.ssl.enable off

ldap.timeout 20

ldap.usermap.attribute.unixaccount sAMAccountName

ldap.usermap.attribute.windowsaccount sAMAccountName

ldap.usermap.base

ldap.usermap.enable off

I have verified using "wcc -u domainusername" that the LDAP connection is not working. I also tried to use getXXbyYY:

filer*> wcc -u jbaird

no passwd entry for jbaird

filer*> getXXbyYY getpwbyname_r jbaird

Could not get passwd entry for name = jbaird

My nsswitch.conf contains "files ldap" for passwd and for groups.

I don't see anything interesting in /etc/messages. What is the next step to debug this problem?

Thanks!

Re: LDAP Configuration Problem

JOSHBAIRD — Mon, 26 Nov 2012 20:37:17 GMT

Ok, after taking packet captures, I believe the Filer is constructing the LDAP query incorrectly. This is how it is attempting to filter the LDAP results:

Filter: (&(objectClass=sAMAccountName)(uid=jbaird))

It should be using a filter like this:

(&(objectClass=user)(sAMAccountName=jbaird))

But, I cannot figure out how to change this filter from the ldap options/commands that are available. Can anyone help?

Thanks.

Re: LDAP Configuration Problem

JOSHBAIRD — Mon, 26 Nov 2012 20:47:53 GMT

Ok, I figured this out:

ldap.nssmap.attribute.uid user

ldap.nssmap.objectClass.posixAccount sAMAccountName

According to the newest packet capture after making these changes, the LDAP server is returning a successful query result! The user is found, but the Filer is still saying "no passwd entry for jbaird":

filer*> wcc -u jbaird

no passwd entry for jbaird

Re: LDAP Configuration Problem

aborzenkov — Tue, 27 Nov 2012 06:06:15 GMT

You have to explicitly maintain plain text passwords for users in AD. There is no way to reconstruct it from native AD data. IIRC there were utilities to do it.

Is using Kerberos an option? This would eliminate need to use and maintain plain text passwords.

Re: LDAP Configuration Problem

JOSHBAIRD — Tue, 27 Nov 2012 13:29:19 GMT

Where is this documented? The documentation and other posts on the forum lead me to believe that this is not the case. The Filer should be able to enumerate users from external NIS and LDAP sources from what I have read. What would be the point of configuring the Filer to read from an LDAP directory if it cannot even enumerate user information from the LDAP/NIS directory?

Re: LDAP Configuration Problem

aborzenkov — Wed, 28 Nov 2012 14:10:33 GMT

The Filer should be able to enumerate users from external NIS and LDAP sources from what I have read.

Your filer does find user in LDAP, does not it?

What would be the point of configuring the Filer to read from an LDAP directory if it cannot even enumerate user information from the LDAP/NIS directory?

User information does not magically appear in LDAP all by itself. Someone has to enter it there. Windows AD is never using plain text passwords so it is never entered in AD.

Re: LDAP Configuration Problem

JOSHBAIRD — Wed, 28 Nov 2012 14:32:13 GMT

No, I cannot get the Filer to enumerate any data from AD, even though when I look at a packet capture during a "wcc -u username," I see a successful LDAP query and response. Support has lead me to this doc:

https://kb.netapp.com/support/index?page=content&id=1010909&actp=search&viewlocale=en_US&searchid=1354073465185

However, this is exactly how I already had it configured. "wcc -u username" still returns "no passwd entry for username."