ONTAP Discussions
We are relatively new to NetApp ONTAP and have been trying to configure LDAP (FreeIPA LDAP) on the ONTAP 9.8 simulator to allow LDAP users to log in to the admin SSH. So far we have followed this documentation to create the client config and associate it with the cluster server, adding the additional auth methods to the ns-switch configuration, and adding the user to the security login configuration with the ldap application and nsswitch auth method.
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-adm-auth-rbac%2FGUID-21B12DB3-AE7D-447C-A9AC-77D7D260685A.html&lang=en
However, we are still unable to authenticate with an LDAP user to an SSH session on the management port. This is what the event log shows:
4/10/2021 00:42:43 node-01 NOTICE sshd.auth.loginDenied: message="Failed keyboard-interactive / pam for testuser1 from 172.16.239.1 port 53673 ssh2 "
4/10/2021 00:38:28 node-01 DEBUG secd.unexpectedFailure: vserver (Cluster) Unexpected failure. Error: Ldap Get full user info procedure failed
**[ 0] FAILURE: 'Ldap' configuration not available
Client Configuration, check, nsswitch and security login:
node::vserver services name-service ldap> show
                Client
Vserver         Configuration
--------------  -------------
node            node
node::vserver services name-service ldap client> show
        Client        LDAP            Active Directory              Minimum
Vserver Configuration Servers         Domain            Schema      Bind Level
------- ------------- --------------- ----------------- ----------- ----------
node    node          172.16.239.12   -                 RFC-2307    simple
node::vserver services name-service ldap> check -vserver node
Vserver: node
Client Configuration Name: node
LDAP Status: up
LDAP Status Details: Successfully connected to LDAP server "172.16.239.12".
LDAP DN Status Details: All the configured DNs are available.
node::security login> show
Vserver: node
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
admin          console     password      admin            no     none
admin          http        password      admin            no     none
admin          ontapi      password      admin            no     none
admin          service-processor
                           password      admin            no     none
admin          ssh         password      admin            no     none
autosupport    console     password      autosupport      no     none
testuser1      ssh         nsswitch      admin            -      none
node::vserver services name-service ns-switch> show
                             Source
Vserver         Database     Order
--------------- ------------ ---------
node            hosts        files,
                             dns
node            group        files
node            passwd       files,
                             ldap
svm0            hosts        files,
                             dns
svm0            group        files
svm0            passwd       files
svm0            netgroup     files
svm0            namemap      files
8 entries were displayed.
Running the access-check, it certainly appears that it can query for the user and get the correct response (verified with ldapsearch on the LDAP server).
node::vserver services*> access-check authentication show-ontap-admin-unix-creds -vserver node -unix-user-name testuser1
User Id: 1896000001
Group Id: 1896000001
Home Directory:
Login Shell: /bin/sh
We are wondering if the default RFC 2307 schema supports the FreeIPA CentOS 8 identity manager default configuration, or if we need to specify specific LDAP attributes for it to use during authentication...
Any help or suggestions are appreciated
To further elaborate on the schema issues, I think this may be part of it.
node::vserver services name-service ldap client schema*> show RFC-2307
Vserver: ngdc
Schema Template: RFC-2307
Comment: Schema based on RFC 2307 (read-only)
RFC 2307 posixAccount Object Class: posixAccount
RFC 2307 posixGroup Object Class: posixGroup
RFC 2307 nisNetgroup Object Class: nisNetgroup
RFC 2307 uid Attribute: uid
RFC 2307 uidNumber Attribute: uidNumber
RFC 2307 gidNumber Attribute: gidNumber
RFC 2307 cn (for Groups) Attribute: cn
RFC 2307 cn (for Netgroups) Attribute: cn
RFC 2307 userPassword Attribute: userPassword
RFC 2307 gecos Attribute: gecos
RFC 2307 homeDirectory Attribute: homeDirectory
RFC 2307 loginShell Attribute: loginShell
RFC 2307 memberUid Attribute: memberUid
RFC 2307 memberNisNetgroup Attribute: memberNisNetgroup
RFC 2307 nisNetgroupTriple Attribute: nisNetgroupTriple
Enable Support for Draft RFC 2307bis: false
RFC 2307bis groupOfUniqueNames Object Class: groupOfUniqueNames
RFC 2307bis uniqueMember Attribute: uniqueMember
Data ONTAP Name Mapping windowsToUnix Object Class: posixAccount
Data ONTAP Name Mapping windowsAccount Attribute: windowsAccount
Data ONTAP Name Mapping windowsToUnix Attribute: windowsAccount
No Domain Prefix for windowsToUnix Name Mapping: false
Vserver Owns Schema: true
RFC 2307 nisObject Object Class: nisObject
RFC 2307 nisMapName Attribute: nisMapName
And the FreeIPA IdM user LDIF:
[root@ipa ~]# ldapsearch -D uid=admin,cn=users,cn=accounts,dc=example,dc=com -w xxxxx -x uid=testuser1
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=testuser1
# requesting: ALL
#
# testuser1, users, compat, example.com
dn: uid=testuser1,cn=users,cn=compat,dc=example,dc=com
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: test user1
cn: test user1
uidNumber: 1896000001
gidNumber: 1896000001
loginShell: /bin/sh
homeDirectory: /home/testuser1
ipaAnchorUUID:: OklQQTpleGFtcGxlLmNvbTphNDI2Zjk3YS05YmRkLTExZWItYmQwYi0wMDBjMj
kyNGM1MTM=
uid: testuser1
# testuser1, users, accounts, example.com
dn: uid=testuser1,cn=users,cn=accounts,dc=example,dc=com
givenName: test
sn: user1
uid: testuser1
cn: test user1
displayName: test user1
initials: tu
gecos: test user1
krbPrincipalName: testuser1@EXAMPLE.COM
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser1
mail: testuser1@example.com
krbCanonicalName: testuser1@EXAMPLE.COM
ipaUniqueID: a426f97a-9bdd-11eb-bd0b-000c2924c513
uidNumber: 1896000001
gidNumber: 1896000001
krbLastPwdChange: 20210412223856Z
krbExtraData:: AAIAzHRga2FkbWluZEBFWEFNUExFLkNPTQA=
mepManagedEntry: cn=testuser1,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
krbLastFailedAuth: 20210412223308Z
krbLoginFailedCount: 0
krbTicketFlags: 128
krbPasswordExpiration: 20210711223856Z
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
The first thing I noticed is that the uniqueMember attribute doesn't exist in the IdM, which rather uses ipaUniqueID. I'll review the custom RFC configuration and report back.
Also check out TR-4835. I cover FreeIPA logins there. It’s supported.
Thanks. I had reviewed parts of that document before, but looked again searching for FreeIPA and I think I found the configuration we are missing, specifically pages 81-84.
So after reviewing the PDF, and the section "LDAP authentication for cluster administration" specifically, I was able to find a few issues with our configuration.
First, the FreeIPA admin account we were using for the bind DN could not read the userPassword attribute, confirmed in an LDAP browser. I have temporarily switched to using the FreeIPA "cn=Directory Manager", which does have permission to read the userPassword field, and confirmed with ldapsearch and an LDAP browser.
Second, I changed the passwordStorageScheme as described in the PDF to CRYPT-SHA512.
However, when running the getxxbyyy getpwbyname command I still see no password being returned:
node::vserver services name-service ldap client schema*> getxxbyyy getpwbyname -vserver node -username testuser1
(vserver services name-service getxxbyyy getpwbyname)
pw_name: testuser1
pw_passwd:
pw_uid: 1896000001
pw_gid: 1896000001
pw_gecos:
pw_dir:
pw_shell: /bin/sh
Here is my detailed client config:
node::vserver services name-service ldap client*> show -vserver node -client-config IdM2
Vserver: node
Client Configuration Name: IdM2
LDAP Server List: 172.16.239.12
(DEPRECATED)-LDAP Server List: 172.16.239.12
Active Directory Domain: -
Preferred Active Directory Servers: -
Bind Using the Vserver's CIFS Credentials: false
Schema Template: RFC-2307
LDAP Server Port: 389
Query Timeout (sec): 3
Minimum Bind Authentication Level: simple
Bind DN (User): cn=Directory Manager
Base DN: dc=example,dc=com
Base Search Scope: subtree
User DN: -
User Search Scope: subtree
Group DN: -
Group Search Scope: subtree
Netgroup DN: -
Netgroup Search Scope: subtree
Vserver Owns Configuration: true
Use start-tls Over LDAP Connections: false
Enable Netgroup-By-Host Lookup: false
Netgroup-By-Host DN: -
Netgroup-By-Host Scope: subtree
Client Session Security: none
LDAP Referral Chasing: false
Group Membership Filter:
And the cluster server associated with the client config:
ngdc::vserver services name-service ldap*> show -vserver ngdc
Vserver: ngdc
LDAP Client Configuration: IdM2
Logs still show the same thing:
4/10/2021 09:58:11 node-01 NOTICE sshd.auth.loginDenied: message="Failed keyboard-interactive / pam for testuser1 from 172.16.239.1 port 58431 ssh2 "
4/10/2021 09:58:01 node-01 DEBUG secd.unexpectedFailure: vserver (Cluster) Unexpected failure. Error: Ldap Get full user info procedure failed
**[ 0] FAILURE: 'Ldap' configuration not available
Is there any more logging or debug tracing that can show what exactly is failing?
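The two failure modes discussed in this post (a bind DN that cannot read userPassword, and a hash that is not in the CRYPT-SHA512 form ONTAP expects) can be checked offline against an ldapsearch export before touching the cluster. The script below is an added example, not code from the thread or from NetApp: it parses an LDIF entry (including the folded `::` base64 value seen in the posted output), lists the RFC-2307 attributes the schema template needs, and reports the password state. Both sample entries and the hash value are constructed.

```python
import base64
import re

# Attributes ONTAP's RFC-2307 schema template maps for a posixAccount login.
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell", "userPassword")

# Constructed sample: the IdM user as seen by a bind DN that may not read
# userPassword (values from the posted ldapsearch output, userPassword absent).
RESTRICTED_VIEW = """\
dn: uid=testuser1,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
uid: testuser1
uidNumber: 1896000001
gidNumber: 1896000001
homeDirectory: /home/testuser1
loginShell: /bin/sh
ipaAnchorUUID:: OklQQTpleGFtcGxlLmNvbTphNDI2Zjk3YS05YmRkLTExZWItYmQwYi0wMDBjMj
 kyNGM1MTM=
"""

# Constructed sample: the same user after a password reset under
# passwordStorageScheme CRYPT-SHA512, read by a DN allowed to see userPassword.
# The hash is a placeholder, not a real hash.
PRIVILEGED_VIEW = RESTRICTED_VIEW + "userPassword: {CRYPT}$6$placeholdersalt$placeholderhash\n"

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}, unfolding continuation
    lines (leading space) and decoding 'attr:: <base64>' values."""
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr, []).append(value.strip())
    return entry

def check_ontap_login(entry):
    """Return (missing attributes, password status). ONTAP can only verify a
    hash it can read and understand; {CRYPT}$6$ is the sha512-crypt form."""
    lower = {k.lower(): v for k, v in entry.items()}
    missing = [a for a in REQUIRED if a.lower() not in lower]
    pw = lower.get("userpassword", [None])[0]
    if pw is None:
        return missing, "not visible to this bind DN"
    if pw.startswith("{CRYPT}$6$"):
        return missing, "CRYPT-SHA512"
    # Report the scheme prefix ("{SSHA}" etc.) or the first 8 chars if none.
    return missing, "not CRYPT-SHA512, prefix " + pw[: pw.find("}") + 1 or 8]
```

Run it against a real export by replacing the constructed samples with the output of the ldapsearch shown above, once bound as the configured bind DN and once as Directory Manager, to see which side is hiding the password.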
When you change the passwordstoragescheme, it only takes effect on new passwords. So for the user you want to use, try changing the password in FreeIPA. That will leverage the new password hash setting. This blog has a bit more detail:
https://whyistheinternetbroken.wordpress.com/2020/02/06/freeipa-ontap-logins/
But generally, passwords not being seen are a factor of the bind user permissions.
When you changed to Directory Manager, did you also modify the bind password? (ldap client modify-bind-password)
Thank you, that blog was extremely helpful and basically the same procedure I went through yesterday.
I did exactly as suggested: modified the -user-dn to the base for my user accounts, added the IPA user to the security login accounts with the nsswitch auth method, reset the IPA user password so that it will be rehashed with the new scheme, and voilà!
~ % ssh testuser1@172.16.239.3
Password:
This is your first recorded login.
Unsuccessful login attempts since last login: 1
node::> whoami
(security login whoami)
User: testuser1
Role: admin
node::>
So, to summarize the solution from the initial post to now:
After configuring the ldap client, you will need to enable LDAP at the Vserver level.
You can check it by running:
::> ldap show -vserver <vserver name>
Error "LDAP configuration is not found" seen on ONTAP CLI
vserver services name-service ldap create