Active IQ Unified Manager Discussions

OCUM 6.0RC1 Authentication problem

TINGWEI_LIM
7,163 Views

Hi all,

I have downloaded the OVF and implemented the OCUM6.0RC1 to try it with our new Ontap 8.2 cluster mode. However, I am facing issue with the authentication setup and the information is quite limited. I filed a case to Netapp and it took so long to reply and it was been 5 days since the last reply.

We are trying to configure the authentication using "Others" option.


So far, "Bind Distinguished Name" , "Bind Password" , "Base Distinguished Name" , "Protocol version" have been identified. Windows admin and I are uncertain of the rest info needed :

1. "User Name Attribute"

2. "Group Membership Attribute"

3. "UGID"

4. "Member"


Any idea for the 4 column that I need to fill in? It would be great if you have any sample for me as reference. I am using LDS authentication.

Thank you

1 ACCEPTED SOLUTION

kryan
7,163 Views

Hello,

The authentication services that are qualified (and supported) in UM 6.0 are Active Directory and Open LDAP.

Secure LDAP and Lightweight Directory Services are not qualified nor supported.

The UM Admin Guide states this:

https://library.netapp.com/ecm/ecm_download_file/ECMP1141205

Enabling remote authentication

You can enable remote authentication (LDAP, Active Directory) to enable the management server to

communicate with your authentication servers and to enable users of the authentication servers to use

Unified Manager and manage the storage objects and data.

Thanks,

Kevin

View solution in original post

8 REPLIES 8

kryan
7,164 Views

Hello,

Does "LDS" mean secure LDAP?  If so, UM 6.0 does not support secure LDAP.

Or does it refer to Active Directory Lightweight Directory Services?

Thanks,

Kevin

rshiva
7,164 Views

Adding to Kevin's response, I’ve tried the following settings with an AD server and it seems to work fine. I was also able to add an AD user and login using the same.

Thanks and regards

Shiva Raja

rshiva
7,164 Views

Besides, Can you please type out your complete "Base distinguished name" and "Bind distinguished name"?

Thanks and regards

Shiva Raja

TINGWEI_LIM
7,164 Views

Hi guys,

LDS is the Microsoft Lightweight Directory Services. We are trying to use LDS instead of normal LDAP.

Here is the entry that I have. I have substitute my company domain with mycomp.

Bind distinguished name : CN=oncommand-ldap,OU=Service Accounts,DC=compDev,DC=Corp,DC=mycomp,DC=COM

Base distinguished name : OU=Oncommand,OU=compAuth,OU=Web Internal,OU=Applications,DC=compDev,DC=Corp,DC=mycomp,DC=COM

Thank you so much guys, you guys are responding much faster than the Germany support.

TINGWEI_LIM
7,163 Views

It looks like I have no luck with LDS authentication in OCUM6.0RC1 , our Windows admin(Thanks Gabor, I know you are reading my comment ) just Identified the root cause. below is the comment from him:

Query from OCUM

(|(&(objectClass=user)(sAMAccountName=SomeWindowsAdmin))(&(objectClass=group)(CN=SomeWindowsAdmin)))

OCUM is searching for objectclass=user

BUT

lds the objectclass is userproxyfull

We might want to think of how to create group user access in LDAP or perhaps Netapp OCUM team could have an LDS option in RC2?

rshiva
7,164 Views

Exactly.

The bind distinguished name I used was "CN=administrator,CN=users,DC=air,DC=com". (Base distinguished name: DC=air,DC=com)

Looks like you're trying to add some kind of a service account, can you try adding a regular user and see if that works?

Something like this: ...

bind distinguished name: CN=<user_name>,CN=users,DC=compdev,DC=Corp,DC=mycomp,DC=com

base distinguished name: DC=compdev,DC=Corp,DC=mycomp,DC=com

Thanks and regards

Shiva Raja

kryan
7,164 Views

Hello,

The authentication services that are qualified (and supported) in UM 6.0 are Active Directory and Open LDAP.

Secure LDAP and Lightweight Directory Services are not qualified nor supported.

The UM Admin Guide states this:

https://library.netapp.com/ecm/ecm_download_file/ECMP1141205

Enabling remote authentication

You can enable remote authentication (LDAP, Active Directory) to enable the management server to

communicate with your authentication servers and to enable users of the authentication servers to use

Unified Manager and manage the storage objects and data.

Thanks,

Kevin

TINGWEI_LIM
7,164 Views

Thanks Kevin & Shiva, I was able to login using "Active Directory". 

LDS is our priority but I guess we will just wait until OCUM support LDS.

Public