ONTAP Discussions

Windows 2016 ldap authentication for cluster administration

chinchillaking
1,785 Views

Hello,

 

May we know Windows 2016 or above ldap support authentication for cluster administration (not for NAS multiprotocol, just for LDAP auth login Cluster admin?

 

If support, what Attributes must define in Windows 2016 LDAP? e.g. uid, gid, unixhomeDirectory, loginshell, unixUserPassword......

 

appreciate if anyone can provide answer

1 ACCEPTED SOLUTION

parisi
1,741 Views

Probably way easier to set up a CIFS domain tunnel for this:

https://docs.netapp.com/us-en/ontap/authentication/configure-authentication-tunnel-task.html

 

Otherwise, ONTAP does support LDAP for cluster admin auth, but with Windows LDAP it gets a little tricky due to the password hashes being handled a bit differently. You'll likely have to manually enter a password in the account's unixuserPassword field.

View solution in original post

5 REPLIES 5

parisi
1,742 Views

Probably way easier to set up a CIFS domain tunnel for this:

https://docs.netapp.com/us-en/ontap/authentication/configure-authentication-tunnel-task.html

 

Otherwise, ONTAP does support LDAP for cluster admin auth, but with Windows LDAP it gets a little tricky due to the password hashes being handled a bit differently. You'll likely have to manually enter a password in the account's unixuserPassword field.

chinchillaking
1,703 Views

Hi Parisi,

 

Thanks for your info, after setup unixuserPassword, it works

Guedes
1,445 Views

Hi chinchillaking, please, how you set unixuserPassword?

chinchillaking
1,421 Views

Hi Guedes,

 

Microsoft deprecation of Identity Management for Unix (IDMU) & NIS Server Role in Windows Server 2016.

 

Use temp Windows 2012 install IDMU, NIS server role and Password Synchronization, then reset temp user password in Windows 2012 AD, it will auto gen unixuserPassword, copy the hex value and recreate in Windows 2016 user account, it work.

Guedes
1,416 Views

Hi chinchillaking! Thanks for this workaround! I acctually was able to hash by other means:  perl -e 'print crypt("password", "salt"),"\n"'

Just text > hex and then paste the value for the attribute. This site do text > hex:

https://www.rapidtables.com/convert/number/ascii-to-hex.html

It works and don´t need a temp environment to generate those hashed passwords.

Public