Network and Storage Protocols

Netapp with Centrify


We are using Centrify DirectControl v4 for Unix authentication and mapping with AD.  The Filer, v7.3.1, has LDAP enabled to map the Unix accounts, via Centrify, with AD.  However, some AD accounts do not map with Centrify from the Filer.  Centrify has multiple zones and the Unix accounts are in more than one zone.  It 'seems' the problem occurs when the Unix accounts are in multiple Centrify zones but the Filer only checks in one particular zone.  Also, I'm 100% sure if I have ldap configured correctly on the Filer.

Any suggestions/assistance appreciated.

Here are the ldap options.


ldap.base                    DC=corp,DC=company,DC=net
ldap.base.passwd             CN=Users,OU=Universal,OU=Zones,OU=UNIX,OU=Special Purpose,DC=corp,DC=company,DC=net:ONELEVEL;OU=UNIX,OU=Special Purpose,DC=corp,DC=company,DC=net:ONELEVEL
ldap.enable                  on
ldap.minimum_bind_level      anonymous                    NetAppQry
ldap.nssmap.attribute.gecos  gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid    uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.nssmap.objectClass.posixGroup posixGroup
ldap.passwd                  ******
ldap.port                    389
ldap.ssl.enable              off
ldap.timeout                 20
ldap.usermap.attribute.unixaccount unixaccount
ldap.usermap.attribute.windowsaccount windowsaccount
ldap.usermap.enable          on




Can you please see section 2.2 of this whitepaper or the extract below. Specifically on options.ldap.base, where it's pointing to the Centrify zone location (default location is Program Data), but yours is showing "DC=corp,DC=company,DC=net". If you have trouble accessing this document, please let me know.

2.2 Mapping with RFC 2307 and DirectControl 3.0

If you wish to use the new RFC 2307 UNIX schema attributes that are included in Windows Server 2003 R2, you will need to use both Centrify DirectControl and Windows Server 2003 R2.  First, ensure that the Active Directory forest is set to a Windows Server 2003 functional level.  You then need to create an RFC 2307 DirectControl Zone associated with the Active Directory domain that is set up on the Windows Server 2003 R2 domain controller. The NetApp server will be able to access user and group records visible in a specific DirectControl Zone.  Once this is done, start a terminal session on your NetApp server and type in the following to view your current LDAP settings:

options ldap

To configure the NetApp server to use the RFC 2307 attributes, make the following changes using these options ldap commands:

options ldap.ADDomain ADDOMAIN

options ldapuser 

options ldap.passwd not24get 

options ldap.enable on 

options ldap.base CN=netappzone,CN=Zones,CN=Centrify,CN=Program Data,DC=addomain,DC=com

In the above example, the Active Directory domain is “ADDOMAIN”, the user name of an Active Directory user with directory read permission for the NetApp server to get Active Directory data is “ldapuser”, the password for this user is “not24get” and the Zone name visible to the server containing the RFC-2307 user profile information is “netappzone”.


If the Active Directory user names and UNIX user names are not the same, then you need to make the same changes to the mapping file mentioned previously.


I became curious and got a look at what Centrify does. The behaviour you describe appears consistent and by design. Reading the description for zones:

- A Zone can consist of any mixture of DirectControl-managed UNIX, Linux or Mac computers
- A single user or group ... cannot log in to computers in any Zone to which they are not a member

So a zone looks like a privilege separation boundary and a server (which the NetApp is in this case) can belong to one zone only. So only users in the same zone can access it.


Clarification, what I meant above was I'm NOT 100% sure I have ldap setup correctly. 


This is the 'cifs domain info' output.  From this info, I input the Domain in the 'ldap.ADdomain'.  So should I use 'corp' or '' for the 'ldap.ADdomain'?

NetBios Domain:           CORP
Windows 2003 Domain Name:
Type:                     Windows 2003

This one zone, OU=Universal, has all the user/group accounts.  So should I put this zone in the 'ldap.base'?  The 'ldap.base' is what I'm not clear about.

cheers, Marcus


Hi Marcus

The options ldap.base should be pointing to the Universal zone where all the users/groups are located and should be in the format shown below. Substitute the zone name and AD domain name in question. If it still does not work, I will be happy to do a WebEx with you as I am from Centrify support. This does not seem to be a NetApp issue per se. Thx

CN=netappzone,CN=Zones,CN=Centrify,CN=Program Data,DC=addomain,DC=com


We can close this forum posting. This morning, Centrify got on a WebEx with 'buim' and reconfigured the NetApp filer to point "ldap.base" to the Universal zone (in his case) where all the user accounts were residing and zone-enabled. There was no need for setting "ldap.base.passwd". After this, the query worked fine. On NetApp, we also set up "home directory" to "UnixHomeDirectory" so that we can query the home directory properly. Marcus can add anything I missed. Thx
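As an added example (not code from the thread, NetApp or Centrify), the Python below assembles the "options ldap.*" sequence from the whitepaper extract earlier in the thread for a given zone RDN, zone container and AD domain, adds the homeDirectory-to-unixHomeDirectory mapping from the resolution post above, and then audits a constructed ldapsearch-style LDIF dump to show which user entries a given ldap.base actually reaches: a user whose profile sits in another zone is out of scope (the symptom reported at the top of the thread), a profile missing a required attribute is incomplete, and a ONELEVEL base one container too high finds nothing. Assumptions: ldap.name as the 7-mode bind-account option (not shown on the page), the user names and entry shapes in the sample LDIF, and the bind-password placeholder.

```python
"""Build the 7-mode 'options ldap.*' commands for a Centrify zone and audit an
ldapsearch-style LDIF dump for the user entries the filer would find under that
base. Added example; the LDIF is constructed and the default DN layout follows
the whitepaper extract quoted in the thread."""

# Zone container from the whitepaper; the asker's custom container can be passed instead.
DEFAULT_ZONES_CONTAINER = "CN=Zones,CN=Centrify,CN=Program Data"
# Attributes the filer's nssmap needs for a passwd entry (unixHomeDirectory per the resolution post).
REQUIRED_USER_ATTRS = ("uid", "uidNumber", "gidNumber", "unixHomeDirectory")


def domain_to_dn(ad_domain):
    """'corp.company.net' -> 'DC=corp,DC=company,DC=net'."""
    labels = [p for p in ad_domain.strip().split(".") if p]
    if not labels:
        raise ValueError("empty AD domain name")
    return ",".join("DC=" + p for p in labels)


def zone_base_dn(zone_rdn, ad_domain, zones_container=DEFAULT_ZONES_CONTAINER):
    """The DN for ldap.base: zone RDN, zones container, then the domain."""
    return f"{zone_rdn},{zones_container},{domain_to_dn(ad_domain)}"


def filer_ldap_commands(zone_rdn, ad_domain, netbios_domain, bind_user,
                        zones_container=DEFAULT_ZONES_CONTAINER):
    """Whitepaper sequence plus the homeDirectory mapping from the resolution post.
    ldap.name as the bind-account option is an assumption (not shown on the page)."""
    return [
        f"options ldap.ADdomain {netbios_domain}",
        f"options ldap.name {bind_user}",
        "options ldap.passwd <bind-password>",  # placeholder, never a literal
        f"options ldap.base {zone_base_dn(zone_rdn, ad_domain, zones_container)}",
        "options ldap.nssmap.attribute.homeDirectory unixHomeDirectory",
        "options ldap.enable on",
    ]


def dn_in_scope(dn, base_dn, scope="SUBTREE"):
    """Would a search rooted at base_dn return the entry at dn? ONELEVEL (the suffix
    in the asker's ldap.base.passwd) only sees direct children. Case-insensitive."""
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base_dn.split(",")]
    if len(d) <= len(b) or d[-len(b):] != b:
        return False
    return scope.upper() != "ONELEVEL" or len(d) == len(b) + 1


def parse_ldif(text):
    """Minimal LDIF: blank line ends an entry, '#' starts a comment, repeated
    attributes collect into lists. No base64 values or folded lines."""
    entries, current = [], {}
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line:
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_zone(ldif_text, base_dn, scope="SUBTREE"):
    """Classify each posixAccount: resolved (in scope, complete), incomplete (in scope,
    attributes missing), out_of_scope (another zone/container; the filer never sees it)."""
    report = {"resolved": [], "incomplete": {}, "out_of_scope": []}
    for entry in parse_ldif(ldif_text):
        if "posixAccount" not in entry.get("objectClass", []):
            continue
        name = entry.get("uid", entry["dn"])[0]
        if not dn_in_scope(entry["dn"][0], base_dn, scope):
            report["out_of_scope"].append(name)
            continue
        missing = [a for a in REQUIRED_USER_ATTRS if a not in entry]
        if missing:
            report["incomplete"][name] = missing
        else:
            report["resolved"].append(name)
    return report


ASKER_ZONE = zone_base_dn("OU=Universal", "corp.company.net",
                          "OU=Zones,OU=UNIX,OU=Special Purpose")

SAMPLE_LDIF = f"""\
# constructed sample dump, not output from a real directory
dn: CN=alice,CN=Users,{ASKER_ZONE}
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 5000
unixHomeDirectory: /home/alice

dn: CN=bob,CN=Users,OU=Finance,OU=Zones,OU=UNIX,OU=Special Purpose,DC=corp,DC=company,DC=net
objectClass: posixAccount
uid: bob
uidNumber: 10002
gidNumber: 5000
unixHomeDirectory: /home/bob

dn: CN=carol,CN=Users,{ASKER_ZONE}
objectClass: posixAccount
uid: carol
gidNumber: 5000
unixHomeDirectory: /home/carol
"""

if __name__ == "__main__":
    for cmd in filer_ldap_commands("OU=Universal", "corp.company.net", "CORP",
                                   "ldapuser", "OU=Zones,OU=UNIX,OU=Special Purpose"):
        print(cmd)
    print("subtree :", audit_zone(SAMPLE_LDIF, ASKER_ZONE))
    print("onelevel:", audit_zone(SAMPLE_LDIF, ASKER_ZONE, scope="ONELEVEL"))
```

Running it against a real dump (ldapsearch with the same bind account the filer uses, output saved as LDIF) before changing the filer tells you whether the DN you intend for ldap.base actually contains the zone's user profiles, and whether any of them lack a uidNumber or home directory, so a user that still fails to map can be attributed to zone membership or an incomplete profile rather than to the filer's LDAP client.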


Does anyone know the configuration for Cluster Mode and Centrify


Hi, have you found how to configure Centrify on Cluster Mode?


I am trying to configure an SVM in Clustered Data ONTAP to use Centrify DirectControl, however I can't find any configuration documentation for this.  Has anyone found any?