Data ONTAP Discussions

Unix-to-Windows usermapping with LDAP to Active Directory

Hi everybody

I try to map Unix useraccounts to Windows useraccounts, both in the same Active Directory.

Filer: Ontap 8.1P2

Active Directory: Windows 2008 R2


MY-DOMAIN\testuser == testuser

MY-DOMAIN\* == *


hosts: files       dns nis

passwd: files   ldap nis

netgroup: files    ldap nis

group: files       ldap         nis

shadow: files      nis

options ldap:

  • ldap.ADdomain
  • ldap.base                    dc=my-domain,dc=local
  •              dc=my-domain,dc=local
  • ldap.base.netgroup
  • ldap.base.passwd             dc=my-domain,dc=local
  • ldap.enable                  on
  • ldap.minimum_bind_level      simple
  •                    CN=Administrator,CN=Users,DC=my-domain,DC=local
  • ldap.nssmap.attribute.gecos  name
  • ldap.nssmap.attribute.gidNumber gidNumber
  • ldap.nssmap.attribute.groupname cn
  • ldap.nssmap.attribute.homeDirectory homeDirectory
  • ldap.nssmap.attribute.loginShell loginShell
  • ldap.nssmap.attribute.memberNisNetgroup gidNumber
  • ldap.nssmap.attribute.memberUid uid
  • ldap.nssmap.attribute.netgroupname cn
  • ldap.nssmap.attribute.nisNetgroupTriple uid
  • ldap.nssmap.attribute.uid    msSFU30Name
  • ldap.nssmap.attribute.uidNumber uidNumber
  • ldap.nssmap.attribute.userPassword userPassword
  • ldap.nssmap.objectClass.nisNetgroup nisNetgroup
  • ldap.nssmap.objectClass.posixAccount User
  • ldap.nssmap.objectClass.posixGroup Group
  • ldap.passwd                  ******
  • ldap.port                    389
  • ldap.rfc2307bis.enable       on
  • ldap.servers       
  • ldap.servers.preferred
  • ldap.skip_cn_unescape.enable on
  • ldap.ssl.enable              off
  • ldap.timeout                 20
  • ldap.usermap.attribute.unixaccount sAMAccountName
  • ldap.usermap.attribute.windowsaccount sAMAccountName
  • ldap.usermap.base            dc=my-domain,dc=local
  • ldap.usermap.enable          on
  • user

options wafl:

  • wafl.default_nt_user
  • wafl.default_unix_user       pcuser
  • wafl.nt_admin_priv_map_to_root on
  • wafl.root_only_chown         on

wcc -s testuser

(NT - UNIX) account name(s):  (MY-DOMAIN\testuser - pcuser)


        UNIX uid = 65534

        NT membership


                MY-DOMAIN\Domain Users


        User is also a member of Everyone, Network Users,

        Authenticated Users


wcc -u testuser

no passwd entry for testuser

getXXbyYY getpwbyname_r testuser

Could not get passwd entry for name = testuser

Has anyone an idea what could be wrong?


Re: Unix-to-Windows usermapping with LDAP to Active Directory

I could solve the problem.

After installing the Unix Services role on one of the domain controllers, there is a new tab "UNIX Attributes" in the "Active Directory Users and Computers" tool. There I had to fill out all fields like NIS Domain, UID, Login Shell, Home Directory and GID. It's not enough to set the corresponding fields in the "Attribute Editor".

Re: Unix-to-Windows usermapping with LDAP to Active Directory

Be aware that installing SFU also extends your schema. The RFC2307 objects and attributes are already in Windows 2003R2 or later, the only thing SFU gives you is an easy way to edit those attributes.

In addition you probably want to change the following

  • ldap.nssmap.attribute.homeDirectory homeDirectory
  • ldap.nssmap.attribute.userPassword userPassword


  • ldap.nssmap.attribute.homeDirectory unixHomeDirectory
  • ldap.nssmap.attribute.userPassword unixUserPassword

Finally if you have multiple domains you want to connect on the Global Catalog port (3268 or 3269 with SSL) and to make sure the attributes in your NSS maps are replicated to GCs.