ONTAP Discussions

Admin Authentication using Windows DC

AllanHedegaard
5,283 Views

I have a very simple thing that I have spent hours trying to fix.

Setting a Windows DC as an LDAP server and using it for administrative logins. It seems impossible, so I really need some help here.

 

1) Set an LDAP client config with bind username and password. Not sure what to pick for minimum authentication, but tried them all (anon, simple, sasl).

2) Set the LDAP config for my SVM (cluster)

3) Created a user with security login create and nsswitch (for remote lookups) for ssh, http and ontapi

4) Added the ldap source in ns-switch

 

I have full visibility to both a 2012 R2 and a 2019 DC, but neither of them lets me perform the LDAP lookup. If I test LDAP from other applications it looks fine.

 

diag secd authentication translate has been used to test and it tells me LDAP is unavailable.

 

[     3] Source: LDAP unavailable. Ignoring and trying next

 

The funny thing is that the connection is up according to vserver services ldap check:

 

 LDAP Status: up
      LDAP Status Details: Successfully connected to LDAP server

 

I must be overlooking something basic. Do I need to do anything on the Windows server to make it work? I also tried all the different schemas in the LDAP client with no luck.

 

I can see the bind account is logging on the domain controller.

 

Am I really the first guy to want external authentication? 🙂

 

Desperate for advice. Been stuck for too long.
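
Added example, not part of the original post: the four steps above as ONTAP 9 CLI commands, sent from a Windows admin box with the OpenSSH client, followed by the two checks this thread uses (ldap check and the secd translate). The SVM name, the DC address and the base DN are taken from the thread; the cluster address, node name, client-config name, bind DN and the UNIX user name `user` are placeholders, and the parameter names should be checked against the man page of the ONTAP release in use.

```powershell
# Added example (not from the original post). Assumes ssh.exe on the path,
# an admin account on the cluster, and ONTAP 9 CLI syntax.

$Cluster  = 'admin@cdot02.domain.com'                        # cluster mgmt LIF (assumed)
$Svm      = 'CDOT02'                                         # SVM name from the thread
$Node     = 'CDOT02-01'                                      # node name (assumed)
$Config   = 'AD_LDAP'                                        # client-config name (assumed)
$AdDomain = 'domain.com'
$Dc       = '10.0.0.10'                                      # DC from the trace
$BindDn   = 'CN=svc-ontap-ldap,CN=Users,DC=DOMAIN,DC=COM'   # bind account (assumed)
$BaseDn   = 'DC=DOMAIN,DC=COM'
$UnixUser = 'user'                                           # must equal the uid attribute in AD

# The bind password is prompted, not hard-coded. It still travels inside the
# ssh command line and ends up in the ONTAP command history/audit log, so use
# a dedicated read-only account. Quote it if it contains spaces.
$Cred   = Get-Credential -UserName $BindDn -Message 'LDAP bind password'
$BindPw = $Cred.GetNetworkCredential().Password

$Steps = @(
    # 1) LDAP client config. -ad-domain lets ONTAP find DCs through DNS;
    #    -preferred-ad-servers pins it to the DC you are tracing on.
    #    AD-IDMU reads uid/uidNumber/gidNumber from the AD user object.
    #    sasl keeps the password off the wire; if you drop to simple,
    #    add -use-start-tls true, otherwise the bind is cleartext on 389.
    "vserver services name-service ldap client create -vserver $Svm -client-config $Config -ad-domain $AdDomain -preferred-ad-servers $Dc -schema AD-IDMU -base-dn $BaseDn -bind-dn $BindDn -bind-password $BindPw -min-bind-level sasl",

    # 2) Attach the client config to the SVM
    "vserver services name-service ldap create -vserver $Svm -client-config $Config",

    # 3) ns-switch: local files first, then LDAP, for both passwd and group
    "vserver services name-service ns-switch modify -vserver $Svm -database passwd -sources files,ldap",
    "vserver services name-service ns-switch modify -vserver $Svm -database group -sources files,ldap",

    # 4) Admin logins resolved through nsswitch. The name given here is what
    #    ONTAP puts into its (uid=...) search filter, so it has to match AD.
    "security login create -vserver $Svm -user-or-group-name $UnixUser -application ssh -authentication-method nsswitch -role admin",
    "security login create -vserver $Svm -user-or-group-name $UnixUser -application http -authentication-method nsswitch -role admin",
    "security login create -vserver $Svm -user-or-group-name $UnixUser -application ontapi -authentication-method nsswitch -role admin",

    # Checks: transport first, then a real lookup through secd
    "vserver services name-service ldap check -vserver $Svm",
    "set -privilege diagnostic -confirmations off; diag secd authentication translate -node $Node -vserver $Svm -unix-user-name $UnixUser"
)

foreach ($cmd in $Steps) {
    # echo the command with the password masked, then run it on the cluster
    Write-Host ('==> ' + ($cmd -replace [regex]::Escape($BindPw), '********'))
    ssh $Cluster $cmd
}
```

Read the output of the last two commands rather than the ssh exit code: `ldap check` only proves a bind, while `diag secd authentication translate` performs the search and is the step that reports "LDAP unavailable" in the thread.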

 

7 REPLIES

paul_stejskal
5,258 Views

Need more details. Do you have a case open or a serial # so I can look with a fresh ASUP ready to go?

AllanHedegaard
5,252 Views

Dear Paul,

I was surprised to see your message.  Not sure if my service contract covers this kind of configuration issue? Most likely it is my own lack of competence, and knowledge about ldap, that is the problem.

 

 

paul_stejskal
5,248 Views

It's borderline Support/PS. Technically it's a new setup, but it's probably something simple. Let me know when you have that serial # or case # and I can look at ASUPs.

AllanHedegaard
5,087 Views

Not really much to go on, but this is where I am stuck. I can see the bind user is logging on to my DC.

 

Tried configuring the UID value in ADSIEDIT for the particular user, but it seems to make no difference. Looks more like a general LDAP connectivity issue.

 

CDOT02::diag secd trace*> diag secd authentication show-creds -vserver CDOT02 -unix-user-name  domain.com\user

Vserver: CDOT02 (internal ID: XXXX)

Error: Acquire UNIX credentials procedure failed
  [  1 ms] Hostname found in Name Service Cache
  [     1] Resolved LDAP servers: 10.0.0.10. Vserver: -1
  [     1] Failed to initiate Kerberos authentication. Trying NTLM.
  [     5] LDAP search for the "uid, uidNumber, gidNumber,
           unixUserPassword, name, unixHomeDirectory, loginShell"
           attribute(s) within base
           "CN=Users,DC=DOMAIN,DC=COM" (scope: 2) using
           filter "(&(objectClass=User)(uid=domain.com\user))" fail
  [     5]   Additional info:
  [     6] Source: LDAP unavailable. Ignoring and trying next
           available source for user-name:
           domain.com\user
  [     6] Entry for user-name: domain.com\user not
           found in the current source: FILES. Entry for user-name:
           domain.com\user not found in any of the
           available sources
**[     6] FAILURE: Unable to retrieve UID for UNIX user
**        domain.com\user

Error: command failed: Failed to resolve user name to a UNIX ID. Reason: "SecD Error: libc returned a transient error.  Please look at the journal for detail".
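
Added example, not part of the original post: the AD side of the lookup shown in the trace above, run with the RSAT ActiveDirectory module. It writes the RFC 2307 attributes that the AD-IDMU schema reads, repeats ONTAP's own search (same base, subtree scope, same filter) both as the admin and as the bind account, and reads the two DC registry values that decide whether binds must be signed and whether LDAP interface events are logged. The DC address and base DN come from the trace; the account names, UID/GID values and WinRM access to the DC are assumptions. One detail visible in the trace: the filter asks for a uid equal to the full string `domain.com\user`, so whatever spelling is given to `security login create` is the one that has to sit in the uid attribute.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory,
# rights to modify the user, and WinRM to the DC for the registry check.
Import-Module ActiveDirectory

$Dc      = '10.0.0.10'                       # DC from the trace
$BaseDn  = 'CN=Users,DC=DOMAIN,DC=COM'       # base DN from the trace
$Sam     = 'user'                            # sAMAccountName (placeholder)
$Rfc2307 = 'uid','uidNumber','gidNumber','unixHomeDirectory','loginShell'

# 1) Populate the RFC 2307 attributes AD-IDMU expects (what ADSIEDIT does by
#    hand, but repeatable). The numeric values are arbitrary examples.
Set-ADUser -Server $Dc -Identity $Sam -Replace @{
    uid               = $Sam
    uidNumber         = 10001
    gidNumber         = 10000
    unixHomeDirectory = "/home/$Sam"
    loginShell        = '/bin/sh'
}

# 2) Run the search ONTAP runs (scope 2 in the trace = subtree) with both
#    spellings of the name. A backslash inside an LDAP filter value has to
#    be escaped as \5c, so 'domain.com\user' becomes 'domain.com\5cuser'.
foreach ($uid in @($Sam, "domain.com\5c$Sam")) {
    $hit = Get-ADUser -Server $Dc -SearchBase $BaseDn -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=user)(uid=$uid))" -Properties $Rfc2307
    $result = if ($hit) { "found, uidNumber=$($hit.uidNumber)" } else { 'no match' }
    '{0,-30} -> {1}' -f "(uid=$uid)", $result
}

# 3) Same search as the bind account ONTAP uses, so a permission problem on
#    the DC shows up here instead of as "LDAP unavailable" in secd.
$bind = Get-Credential -Message 'ONTAP LDAP bind account'
Get-ADUser -Server $Dc -Credential $bind -SearchBase $BaseDn -SearchScope Subtree `
    -LDAPFilter "(&(objectClass=user)(uid=$Sam))" -Properties $Rfc2307 |
    Select-Object SamAccountName, uid, uidNumber, gidNumber, loginShell, unixHomeDirectory

# 4) DC-side settings that decide whether a bind is accepted and logged:
#    LDAPServerIntegrity 2 = signing required (unsigned simple binds are
#    refused); '16 LDAP Interface Events' is the diagnostic level the poster
#    raised to see ldap_bind/ldap_search in the Directory Service log.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
Invoke-Command -ComputerName $Dc -ScriptBlock {
    Get-ItemProperty "$using:ntds\Parameters"  -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
    Get-ItemProperty "$using:ntds\Diagnostics" -Name '16 LDAP Interface Events'
} | Format-List LDAPServerIntegrity, '16 LDAP Interface Events'
```

If LDAPServerIntegrity is 2, the DC refuses simple binds over plain LDAP on 389; a SASL bind (Kerberos or NTLM, which sign the session) or a simple bind over StartTLS/LDAPS are then the only binds it accepts. Step 3 is the one to compare with the secd output: if the bind account can read the attributes here but secd still reports the source unavailable, the problem is between ONTAP and the DC rather than in the directory data.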

AllanHedegaard
5,085 Views

Tried enabling LDAP debugging on my Windows Domain controller. I am only able to see the bind entered/exited.

 

Internal event: Function ldap_bind entered.

 

No ldap_search function is logged, so to me it looks like ONTAP is never making the query.

paul_stejskal
5,065 Views

Now that I think of it, which schema are you using?

 

Go ahead and open a case as this seems like it isn't working right. That way we can have proper tracking. You can reference this thread and I'll check on it once open.

RandomStorage
4,774 Views

If I understand you correctly, you're trying to get AD-integrated access to the NetApp management GUI.

 

If so, I used this as a guide to get my NetApp (running 9.6) working so that I could log in with an Active Directory user.

 

https://red8.com/knowledge-base/netapp-ontap-active-directory-authentication/
