We are using Centrify DirectControl v4 for Unix authentication and mapping with AD. The Filer, v7.3.1, has LDAP enabled to map the Unix accounts, via Centrify, with AD. However, some AD accounts do not map with Centrify from the Filer. Centrify has multiple zones and the Unix accounts are in more than one zone. It 'seems' the problem occurs when the Unix accounts are in multiple Centrify zones but the Filer only checks one particular zone. Also, I'm 100% sure if I have ldap configured correctly on the Filer.
Any suggestions/assistance appreciated.
Here are the ldap options.
ldap.base.passwd CN=Users,OU=Universal,OU=Zones,OU=UNIX,OU=Special Purpose,DC=corp,DC=company,DC=net:ONELEVEL;OU=UNIX,OU=Special Purpose,DC=corp,DC=company,DC=net:ONELEVEL
Can you please see section 2.2 of this whitepaper or the extract below. Specifically options ldap.base, which should point to the Centrify zone location (the default location is Program Data), but yours is showing "DC=corp,DC=company,DC=net". If you have trouble accessing this document, please let me know.
2.2 Mapping with RFC 2307 and DirectControl 3.0
If you wish to use the new RFC 2307 UNIX schema attributes that are included in Windows Server 2003 R2, you will need to use both Centrify DirectControl and Windows Server 2003 R2. First, ensure that the Active Directory forest is set to a Windows Server 2003 functional level. You then need to create an RFC 2307 DirectControl Zone associated with the Active Directory domain that is set up on the Windows Server 2003 R2 domain controller. The NetApp server will be able to access user and group records visible in a specific DirectControl Zone. Once this is done, start a terminal session on your NetApp server and type in the following to view your current LDAP settings:
To configure the NetApp server to use the RFC 2307 attributes, make the following changes using these options ldap commands:
options ldap.ADDomain ADDOMAIN
options ldap.name ldapuser
options ldap.passwd not24get
options ldap.enable on
options ldap.base CN=netappzone,CN=Zones,CN=Centrify,CN=Program Data,DC=addomain,DC=com
In the above example, the Active Directory domain is “ADDOMAIN”, the user name of an Active Directory user with directory read permission for the NetApp server to get Active Directory data is “ldapuser”, the password for this user is “not24get” and the Zone name visible to the server containing the RFC 2307 user profile information is “netappzone”.
If the Active Directory user names and UNIX user names are not the same, then you need to make the same changes to the mapping file mentioned previously.
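As an added example (not code from the original thread, NetApp or Centrify), the Python below does the DN and search-scope arithmetic behind the ldap.base values discussed here, offline and without a live LDAP query: it builds a zone DN in the whitepaper's format for both the default Program Data location and the custom OU=Zones,OU=UNIX,OU=Special Purpose location from the first post, parses the filer's `dn:SCOPE;dn:SCOPE` syntax used in ldap.base.passwd, and reports which bases would reach a zone user profile. The CN=Users container under the zone is taken from the first post; the profile leaf `CN=jdoe` and the second zone `Finance` are constructed placeholders to show that a base pointed at one zone does not reach profiles in another.

```python
"""DN containment check for NetApp ldap.base values against Centrify zone DNs.

Added example for this thread; not code from the original posts, NetApp or Centrify.
It models an LDAP search as "base DN + scope" over DN strings only. Container names
are from the thread; 'CN=jdoe' and the 'Finance' zone are constructed placeholders.
"""
from typing import List, Tuple

# Default zone location per the whitepaper extract (section 2.2).
DEFAULT_ZONES_CONTAINER = "CN=Zones,CN=Centrify,CN=Program Data"


def dns_to_dc(domain: str) -> str:
    """corp.company.net -> DC=corp,DC=company,DC=net"""
    labels = [lbl for lbl in domain.strip(".").split(".") if lbl]
    return ",".join(f"DC={lbl}" for lbl in labels)


def zone_dn(zone: str, domain: str, zones_container: str = DEFAULT_ZONES_CONTAINER,
            rdn_type: str = "CN") -> str:
    """Build a zone DN in the form the whitepaper uses for options ldap.base."""
    return f"{rdn_type}={zone},{zones_container},{dns_to_dc(domain)}"


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs; a backslash-escaped comma (RFC 4514) stays inside its RDN."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def in_scope(entry_dn: str, base_dn: str, scope: str = "SUBTREE") -> bool:
    """True if a search from base_dn with the given scope would return entry_dn.

    AD compares DN components case-insensitively, so RDNs are casefolded first.
    """
    entry = [r.casefold() for r in split_dn(entry_dn)]
    base = [r.casefold() for r in split_dn(base_dn)]
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # entry is not under the base at all
    depth = len(entry) - len(base)
    scope = scope.upper()
    if scope == "BASE":
        return depth == 0
    if scope == "ONELEVEL":
        return depth == 1
    if scope == "SUBTREE":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def parse_base_option(value: str) -> List[Tuple[str, str]]:
    """Parse the filer's 'dn:SCOPE;dn:SCOPE' syntax into (dn, scope) pairs.

    A component without an explicit ':SCOPE' is treated as SUBTREE.
    """
    pairs = []
    for item in filter(None, (s.strip() for s in value.split(";"))):
        dn, sep, scope = item.rpartition(":")
        if not sep:
            dn, scope = item, "SUBTREE"
        pairs.append((dn, scope.upper()))
    return pairs


def profiles_reached(option_value: str, profile_dns: List[str]) -> List[Tuple[str, str, List[str]]]:
    """For each (dn, scope) in an ldap.base value, list which profile DNs it would return."""
    return [(dn, scope, [p for p in profile_dns if in_scope(p, dn, scope)])
            for dn, scope in parse_base_option(option_value)]


# --- Worked check with the thread's own names -------------------------------------
DOMAIN = "corp.company.net"                           # Windows 2003 Domain Name from 'cifs domain info'
CUSTOM_ZONES = "OU=Zones,OU=UNIX,OU=Special Purpose"  # non-default zone location in the first post
UNIVERSAL_ZONE = zone_dn("Universal", DOMAIN, CUSTOM_ZONES, rdn_type="OU")
FINANCE_ZONE = zone_dn("Finance", DOMAIN, CUSTOM_ZONES, rdn_type="OU")  # constructed second zone
# Constructed zone user profiles: the same user enabled in two zones.
PROFILE_UNIVERSAL = f"CN=jdoe,CN=Users,{UNIVERSAL_ZONE}"
PROFILE_FINANCE = f"CN=jdoe,CN=Users,{FINANCE_ZONE}"
# The ldap.base.passwd value from the first post, and the zone-only base the thread settled on.
POSTED_PASSWD_BASE = (f"CN=Users,{UNIVERSAL_ZONE}:ONELEVEL;"
                      f"OU=UNIX,OU=Special Purpose,{dns_to_dc(DOMAIN)}:ONELEVEL")
FIXED_BASE = UNIVERSAL_ZONE

if __name__ == "__main__":
    for label, value in [("domain root", dns_to_dc(DOMAIN)),
                         ("posted ldap.base.passwd", POSTED_PASSWD_BASE),
                         ("fixed ldap.base", FIXED_BASE)]:
        for dn, scope, hits in profiles_reached(value, [PROFILE_UNIVERSAL, PROFILE_FINANCE]):
            print(f"{label:24} {scope:8} {len(hits)} profile(s) under {dn}")
```

Running it shows the difference the scope makes: the first ONELEVEL component of the posted ldap.base.passwd reaches the profile directly under CN=Users, the second (OU=UNIX at ONELEVEL) reaches only OU=Zones and no profile at all, the domain root at SUBTREE returns one profile per zone for the same user, and the Universal zone DN returns exactly that zone's profile.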
I became curious and had a look at what Centrify does. The behaviour you describe appears consistent and by design. Reading the description for zones:
- A Zone can consist of any mixture of DirectControl-managed UNIX, Linux or Mac computers
- A single user or group ... cannot log in to computers in any Zone to which they are not a member
So a zone looks like a privilege separation boundary, and a server (which the NetApp in this case is) can belong to one zone only. So only users in the same zone can access it.
Clarification, what I meant above was I'm NOT 100% sure I have ldap setup correctly.
This is the 'cifs domain info' output. From this info, I input the Domain in 'ldap.ADdomain'. So should I use 'corp' or 'corp.company.net' for 'ldap.ADdomain'?
NetBios Domain: CORP
Windows 2003 Domain Name: corp.company.net
Type: Windows 2003
This one zone, OU=Universal, has all the user/group accounts. So should I put this zone in 'ldap.base'? 'ldap.base' is what I'm not clear about.
The options ldap.base should point to the Universal zone where all your users/groups are located, and should be in the format shown below. Substitute the zone name and AD domain name in question. If it still does not work, I will be happy to do a webex with you, as I am from Centrify support. This does not seem to be a NetApp issue per se. Thx
We can close this forum posting. This morning, Centrify got on a webex with 'buim' and re-configured the NetApp filer to point "ldap.base" to the Universal zone (in his case) where all the user accounts were residing and zone-enabled. There was no need for setting "ldap.base.passwd". After this, the query worked fine. On the NetApp, we also set "home directory" to "UnixHomeDirectory" so that we can query the home directory properly. Marcus can add anything I missed. Thx