OnTap + LDAP (Active Directory) help needed

christianhuebner · ‎2010-08-03

I am trying to authenticate a FAS6040 with OnTap 8.0 against the LDAP interface of Active Directory (i.e. without CIFS).

So far I can connect to the LDAP server and query records (getXXbyYY) but the records I get back are missing all supplemental groups (memberOf in Active Directory).

What do I have to map to get access to the supplemental groups so I can add the right users to the correct roles?

Any help would be greatly appreciated.

Thanks

Christian

This is my LDAP configuration:

ldap.ADdomain

ldap.base dc=mydomain,dc=local

ldap.base.group dc=mydomain,dc=local

ldap.base.netgroup

ldap.base.passwd dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)

ldap.enable on

ldap.minimum_bind_level anonymous

ldap.name myLDAPuser

ldap.nssmap.attribute.gecos cn

ldap.nssmap.attribute.gidNumber gidNumber

ldap.nssmap.attribute.groupname memberOf

ldap.nssmap.attribute.homeDirectory unixHomeDirectory

ldap.nssmap.attribute.loginShell loginShell

ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup

ldap.nssmap.attribute.memberUid memberUid

ldap.nssmap.attribute.netgroupname cn

ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple

ldap.nssmap.attribute.uid sAMAccountName

ldap.nssmap.attribute.uidNumber uidNumber

ldap.nssmap.attribute.userPassword userPassword

ldap.nssmap.objectClass.nisNetgroup nisNetgroup

ldap.nssmap.objectClass.posixAccount User

ldap.nssmap.objectClass.posixGroup Group

ldap.passwd myPassword

ldap.port 389

ldap.servers my.ldap.server

ldap.servers.preferred

ldap.ssl.enable off

ldap.timeout 20

ldap.usermap.attribute.unixaccount unixaccount

ldap.usermap.attribute.windowsaccount windowsaccount

ldap.usermap.base

ldap.usermap.enable on

rsmits1074 · ‎2010-08-04

Hello,

Are you sure this is right ? : ldap.base.passwd dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)

I am no expert on this, but objectCategory=Group ? This is not the : group ldap setting, but the passwd entry. Or is this some trick I do not know about ?

Greetings .. Richard

christianhuebner · ‎2010-08-04

You are correct, that was supposed to go into group, not passwd and I corrected it after posting this.

Alas, it does not make a difference, even when set in ldap.base.group. It works for our Linux hosts, that's why I tried it on the NetApp.

Thanks

Christian

rsmits1074 · ‎2010-08-30

Hi,

Can you explain something to me ?

dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)

Why do you put : ?sub?&(objectCategory=Group) (gidnumber=*)

behind your scope ? I am having currently some ldap performance issues, and this could help me.

Where did you find this information ?

Greetings .. Richard

CURUFINWE · ‎2011-09-01

I don't know if this has been resolved, but just in case you may want to check this post

http://communities.netapp.com/thread/16160

The resolution boils down to

- bug 314631 (see https://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=314631)

- set the following hidden option:

ldap.skip_cn_unescape.enable on

loudymanschwab · ‎2011-11-11

Had a similar problem, and it came down to sAMAccountName having title caps for some (but not all) users in AD. It appears that OnTap searches for secondary groups by using whatever it receives back from "ldap.nssmap.attribute.uid" and looks in the attribute "ldap.nssmap.attribute.memberUid" within group objects. In my AD, this attribute only included all lower case names (so searches with title caps were failing). I changed "ldap.nssmap.attribute.uid" to msSFU30Name which solved my problem. However, you may or may not have this attribute depending on how you expanded your schema. Either way, find an attribute in your user objects that always matches the case of the attribute memberUid in your group objects.

OnTap + LDAP (Active Directory) help needed

Get ready to power on