Network and Storage Protocols
I am trying to authenticate a FAS6040 with OnTap 8.0 against the LDAP interface of Active Directory (i.e. without CIFS).
So far I can connect to the LDAP server and query records (getXXbyYY) but the records I get back are missing all supplemental groups (memberOf in Active Directory).
What do I have to map to get access to the supplemental groups so I can add the right users to the correct roles?
Any help would be greatly appreciated.
Thanks
Christian
This is my LDAP configuration:
Hello,
Are you sure this is right?: ldap.base.passwd dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)
I am no expert on this, but objectCategory=Group? This is not the group LDAP setting, but the passwd entry. Or is this some trick I do not know about?
Greetings .. Richard
You are correct, that was supposed to go into group, not passwd and I corrected it after posting this.
Alas, it does not make a difference, even when set in ldap.base.group. It works for our Linux hosts, that's why I tried it on the NetApp.
Thanks
Christian
Hi,
Can you explain something to me?
dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)
Why do you put ?sub?&(objectCategory=Group) (gidnumber=*) behind your scope? I am currently having some LDAP performance issues, and this could help me.
Where did you find this information?
Greetings .. Richard
I don't know if this has been resolved, but, just in case, you may want to check this post:
http://communities.netapp.com/thread/16160
The resolution boils down to:
- bug 314631 (see https://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=314631)
- set the following hidden option:
ldap.skip_cn_unescape.enable on
Had a similar problem, and it came down to sAMAccountName having title caps for some (but not all) users in AD. It appears that OnTap searches for secondary groups by using whatever it receives back from "ldap.nssmap.attribute.uid" and looks in the attribute "ldap.nssmap.attribute.memberUid" within group objects. In my AD, this attribute only included all lower case names (so searches with title caps were failing). I changed "ldap.nssmap.attribute.uid" to msSFU30Name which solved my problem. However, you may or may not have this attribute depending on how you expanded your schema. Either way, find an attribute in your user objects that always matches the case of the attribute memberUid in your group objects.
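As an added example (not code from the thread or from NetApp), the following Python snippet models the secondary-group lookup described in the post above: the value of the attribute mapped to ldap.nssmap.attribute.uid is compared exactly against memberUid in group objects. The user and group records are constructed sample data, and the attribute names used are the ones named in the post.

```python
"""Model of the case-sensitive secondary-group lookup described above.

Constructed sample data (not from a real directory): two users whose
sAMAccountName has inconsistent case, and groups whose memberUid values
are all lower case, as in the poster's Active Directory.
"""

# Constructed user objects: sAMAccountName is title-cased for one user,
# msSFU30Name is consistently lower case.
USERS = [
    {"dn": "CN=Alice,CN=Users,DC=mydomain,DC=local",
     "sAMAccountName": "Alice", "msSFU30Name": "alice", "uidNumber": 1001},
    {"dn": "CN=bob,CN=Users,DC=mydomain,DC=local",
     "sAMAccountName": "bob", "msSFU30Name": "bob", "uidNumber": 1002},
]

# Constructed group objects; memberUid is what the filer compares against.
GROUPS = [
    {"cn": "storage-admins", "gidNumber": 2001, "memberUid": ["alice", "bob"]},
    {"cn": "backup-ops", "gidNumber": 2002, "memberUid": ["alice"]},
]


def supplemental_groups(user, uid_attr, groups=GROUPS):
    """gidNumbers of groups whose memberUid lists the user's uid_attr value,
    using an exact (case-sensitive) comparison as the post describes."""
    name = user[uid_attr]
    return sorted(g["gidNumber"] for g in groups if name in g["memberUid"])


def case_mismatches(users, uid_attr, groups=GROUPS):
    """uid_attr values that match a memberUid only case-insensitively,
    i.e. users whose supplemental groups the exact lookup would drop."""
    members = {m.lower(): m for g in groups for m in g["memberUid"]}
    return [u[uid_attr] for u in users
            if u[uid_attr].lower() in members
            and members[u[uid_attr].lower()] != u[uid_attr]]


def candidate_uid_attributes(users, attrs, groups=GROUPS):
    """Attributes safe to map to ldap.nssmap.attribute.uid: every user's
    value matches the case of the corresponding memberUid entry."""
    return [a for a in attrs if not case_mismatches(users, a, groups)]
```

Running candidate_uid_attributes over the attributes present in your user objects is the check the post suggests: pick one it returns, not the first attribute that merely looks like a login name.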