Enable administrative access through LDAP

SJOERDHOOFT · ‎2011-05-11

Hey everyone,

I'm a little bit stuck trying to enable our LDAP users with administrative access to the filer.

I got LDAP queries working, and both the user and the group are available:

netappfiler01*> getXXbyYY getpwbyname_r sjoerd
pw_name = sjoerd
pw_passwd = {{******}}
pw_uid = 10000, pw_gid = 10000
pw_gecos = Sjoerd Hooft
pw_dir = /home/nibshf
pw_shell = /bin/bash

netappfiler01*> getXXbyYY getgrlist sjoerd
pw_name = sjoerd
Groups: 10000 10001 10003

netappfiler01*> getXXbyYY getgrbyname INFRA
name = INFRA
gid = 10001

I've also setup the security options:

netappfiler01*> options security.admin.nsswitchgroup
security.admin.nsswitchgroup INFRA
netappfiler01*> options security.admin.authentication
security.admin.authentication nsswitch,internal

And changed the nsswitch.conf file:

/etc/nsswitch.conf
hosts: files       nis     dns
passwd: ldap       nis     files
netgroup: ldap     nis     files
group: ldap        nis     files
shadow: files      nis

But I'm not allowed to log on using that account. I tried changing the nsswitchgroup to the gid, and also to the primary gid but that didn't help.

I tried on FilerView:

[netappfiler01: HTTPPool04:warning]: HTTP Authentication from 10.10.10.10 to realm Administration failed

I tried also on SSH:

netappfiler01: sshd_1:info]: Failed password for sjoerd from 10.10.10.10 port 64287ssh2

ONTAP version is 7.3.4.

Can somebody help me? Thanx

mjschneider · ‎2012-11-26

Hi, i know this is an old thread but did you happen to get this to work?

I can ssh using 'DOMAIN\username'@netappfiler with just cifs setup and adding domain users to the local admin group. Trying to get this to work with just username@netapp though.

Oddly, with just cifs setup, i can add the option "options ldap.ADdomain <domainname>" and successfully use "getXXbyYY getpwbyname_r username" WITHOUT adding ldap.name, ldap.servers or ldap.base.

pevansverio · ‎2013-02-20

I've been trying to get the same thing working, using a 7.3 filer and Identity Services for Unix on a 2K8R2 DC, and as far as I can see the problem is that the filer expects there to be a hashed password in the LDAP search result, and there isn't. Hence the "pw_passwd = {{******}}" in the getpwbyname_r result - the ****** doesn't seem to mean it's hidden, rather that it's missing. I've used Wireshark on the DC to verify the results.

Doesn't matter whether I map options ldap.nssmap.attribute.userPassword to userPassword, unixUserPassword or msSFU30Password, if the field isn't populated or present in the AD schema it will fail. TR-3458 doesn't seem to go that far, and the equivalent TR for authenticating against a Unix LDAP server assumes a password field will be populated.

All quite vexing.

SMALLPAUL · ‎2013-07-25

This took a bit of poking and prodding, but I managed to get it working. Your webpage showed me that I was on the right track, so thanks for that.

It looks like you're not logging in with an account with enough privileges to get the hashed password back from the LDAP server. Before I added an account with root access, I'd get a result like you did above with the password concealed.

pw_passwd = {{******}}

In the packet trace I'd clearly see the filer requesting 7 fields, and the LDAP server only returning 6. After I added an account with privs, I'd see 7 out, 7 back, and could see my hashed password.

filer9> options ldap.name cn=root,dc=company,dc=co,dc=nz
filer9> options ldap.passwd [password]

filer9*> getXXbyYY getpwbyname_r gunn
pw_name = gunn
pw_passwd = saltsaltABCDEF
pw_uid = 1000, pw_gid = 1000
pw_gecos = Paul gunn
pw_dir = /home/gunn
pw_shell = /bin/bash

I already had the /etc/nsswitch.conf changes in place, and an LDAP server serving out a SYSADMIN group, so surely all I have to do is make the security changes. Or so I thought.

This works on an 8.0.4 and 7.3.6 filer.

filer9*> options security.admin.authentication internal,nsswitch
filer9*> options security.admin.nsswitchgroup SYSADMIN

If you have an 8.1+ filer, you can bind the roles for each group.Or it will default to giving admin access to any group you specify without a defined role like it does with the old versions.

filer9*> options security.admin.nsswitchgroup SYSADMIN:root

NB : If you try that syntax on an old version, it fails *silently*. Which chewed up a good block of time finding that out. Use the syntax without any roles defined first to test, then add the roles later.

Hope this helps.