Network and Storage Protocols

OnTap + LDAP (Active Directory) help needed


I am trying to authenticate a FAS6040 with OnTap 8.0 against the LDAP interface of Active Directory (i.e. without CIFS).

So far I can connect to the LDAP server and query records (getXXbyYY) but the records I get back are missing all supplemental groups (memberOf in Active Directory).

What do I have to map to get access to the supplemental groups so I can add the right users to the correct roles?

Any help would be greatly appreciated.



This is my LDAP configuration:

ldap.base                    dc=mydomain,dc=local              dc=mydomain,dc=local
ldap.base.passwd             dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)
ldap.enable                  on     
ldap.minimum_bind_level      anonymous                   myLDAPuser
ldap.nssmap.attribute.gecos  cn     
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname memberOf
ldap.nssmap.attribute.homeDirectory unixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn     
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid    sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount User   
ldap.nssmap.objectClass.posixGroup Group  
ldap.passwd                  myPassword
ldap.port                    389    
ldap.servers                 my.ldap.server
ldap.ssl.enable              off    
ldap.timeout                 20     
ldap.usermap.attribute.unixaccount unixaccount
ldap.usermap.attribute.windowsaccount windowsaccount
ldap.usermap.enable          on     



Are you sure this is right?: ldap.base.passwd       dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)

I am no expert on this, but objectCategory=Group? This is not the group LDAP setting, but the passwd entry. Or is this some trick I do not know about?

Greetings .. Richard

You are correct, that was supposed to go into group, not passwd and I corrected it after posting this.

Alas, it does not make a difference, even when set in It works for our Linux hosts, that's why I tried it on the NetApp.





Can you explain something to me?

dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)

Why do you put: ?sub?&(objectCategory=Group) (gidnumber=*)

behind your scope? I am currently having some LDAP performance issues, and this could help me.

Where did you find this information?

Greetings .. Richard
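One way to read the value Richard is asking about, as an added example (not NetApp's or either poster's code): it assumes the "base?scope?filter" convention that nss_ldap uses for nss_base_passwd and nss_base_group, splits the value into those three parts and checks the filter part against the RFC 4515 string grammar. Whether ONTAP accepts exactly this syntax is an assumption here; the function names are mine and the sample values are the ones from the thread.

```python
"""
Parse a value of the form  base?scope?filter  (the nss_ldap convention, assumed
here to be what the ldap.base.* options accept) and sanity-check the filter part
against the RFC 4515 string grammar. Added example, not NetApp code.
"""
import re

VALID_SCOPES = {"base", "one", "sub"}


def parse_base_value(value):
    """Split 'base?scope?filter' into its parts; absent parts become None."""
    parts = value.split("?", 2)
    base = parts[0].strip()
    scope = parts[1].strip() if len(parts) > 1 and parts[1].strip() else None
    filt = parts[2].strip() if len(parts) > 2 and parts[2].strip() else None
    return {"base": base, "scope": scope, "filter": filt}


def filter_problems(filt):
    """Return a list of deviations from the RFC 4515 filter grammar (empty if OK)."""
    problems = []
    if filt is None:
        return problems
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("unbalanced ')'")
                break
    if depth > 0:
        problems.append("unbalanced '('")
    # RFC 4515: filter = "(" filtercomp ")", so the whole thing is parenthesised
    # and an AND-filter is written (&(a=b)(c=d)) with no whitespace between items.
    if not (filt.startswith("(") and filt.endswith(")")):
        problems.append("filter is not enclosed in parentheses")
    if re.search(r"\)\s+\(", filt):
        problems.append("whitespace between filter components")
    return problems


def check_base_value(value):
    """Parse the value and collect scope and filter problems."""
    parsed = parse_base_value(value)
    problems = []
    if parsed["scope"] is not None and parsed["scope"] not in VALID_SCOPES:
        problems.append(f"unknown scope {parsed['scope']!r}")
    problems.extend(filter_problems(parsed["filter"]))
    return parsed, problems


if __name__ == "__main__":
    # Value as posted in the thread, then a version written per RFC 4515.
    for v in ("dc=mydomain,dc=local ?sub?&(objectCategory=Group) (gidnumber=*)",
              "dc=mydomain,dc=local?sub?(&(objectCategory=Group)(gidNumber=*))"):
        parsed, problems = check_base_value(v)
        print(parsed, "->", problems or "ok")
```

Whether a given LDAP client tolerates the missing outer parentheses and the space is implementation-specific, so the check reports them as deviations from the standard form rather than as hard errors.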


I don't know if this has been resolved, but just in case you may want to check this post

The resolution boils down to

- bug 314631 (see

- set the following hidden option:

ldap.skip_cn_unescape.enable on


Had a similar problem, and it came down to sAMAccountName having title caps for some (but not all) users in AD. It appears that OnTap searches for secondary groups by using whatever it receives back from "ldap.nssmap.attribute.uid" and looks in the attribute "ldap.nssmap.attribute.memberUid" within group objects. In my AD, this attribute only included all lower case names (so searches with title caps were failing). I changed "ldap.nssmap.attribute.uid" to msSFU30Name which solved my problem. However, you may or may not have this attribute depending on how you expanded your schema. Either way, find an attribute in your user objects that always matches the case of the attribute memberUid in your group objects.
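The lookup this reply describes, modelled as an added example (not ONTAP's code) over constructed directory entries: the value returned for the attribute mapped to ldap.nssmap.attribute.uid is looked up in the memberUid values of group objects, with an exact comparison (memberUid uses caseExactIA5Match in the RFC 2307 schema). The second function is the audit a practitioner would want before changing the mapping: it lists users whose uid value only matches a memberUid when case is ignored. User, group and attribute values below are constructed; msSFU30Name is the attribute the poster switched to.

```python
"""
Model of ONTAP's secondary-group resolution as described in the post: take the
value of the attribute mapped to ldap.nssmap.attribute.uid, find group objects
whose memberUid contains that exact string. Added example with constructed
entries; not ONTAP code.
"""

# Constructed user objects: sAMAccountName has mixed case for some users,
# msSFU30Name is consistently lower case (as in the poster's directory).
USERS = [
    {"dn": "CN=Alice Smith,OU=Staff,DC=mydomain,DC=local",
     "sAMAccountName": "ASmith", "msSFU30Name": "asmith", "uidNumber": "10001"},
    {"dn": "CN=Bob Jones,OU=Staff,DC=mydomain,DC=local",
     "sAMAccountName": "bjones", "msSFU30Name": "bjones", "uidNumber": "10002"},
]

# Constructed group objects with RFC 2307-style memberUid values, all lower case.
GROUPS = [
    {"cn": "storage-admins", "gidNumber": "20001", "memberUid": ["asmith"]},
    {"cn": "developers", "gidNumber": "20002", "memberUid": ["asmith", "bjones"]},
]


def secondary_groups(user, uid_attr, groups=GROUPS, case_sensitive=True):
    """Names of groups whose memberUid lists the user's uid_attr value.

    The default is an exact comparison, which is what a caseExactIA5Match
    attribute gives you; case_sensitive=False shows what a tolerant match
    would have returned, for comparison only.
    """
    name = user[uid_attr]
    found = []
    for g in groups:
        members = g["memberUid"]
        if case_sensitive:
            hit = name in members
        else:
            hit = name.lower() in [m.lower() for m in members]
        if hit:
            found.append(g["cn"])
    return found


def find_case_mismatches(users, uid_attr, groups=GROUPS):
    """Audit: users whose uid_attr value matches a memberUid only when case is
    ignored. These accounts would silently lose those secondary groups."""
    mismatched = []
    for u in users:
        exact = set(secondary_groups(u, uid_attr, groups, case_sensitive=True))
        loose = set(secondary_groups(u, uid_attr, groups, case_sensitive=False))
        if loose - exact:
            mismatched.append((u[uid_attr], sorted(loose - exact)))
    return mismatched


if __name__ == "__main__":
    for attr in ("sAMAccountName", "msSFU30Name"):
        print(f"uid attribute = {attr}")
        for u in USERS:
            print(f"  {u[attr]:>8}: {secondary_groups(u, attr)}")
        print("  case mismatches:", find_case_mismatches(USERS, attr))
```

Run against a real directory, the same audit would be an LDAP search for each user's uid attribute plus a search for (memberUid=*) over the group base, comparing the two result sets exactly as above; any account that shows up only in the case-insensitive set is one where the mapping, not the group data, needs fixing.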