ONTAP Discussions

Windows LDAP Authentication for Cluster Admin

chinchillaking
2,113 Views

Hello,

 

Customer want to use AD ldap for cluster admin login follow KB https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_configure_LDAP_Authentication_for_Cluster_(Admin)_SVM but failed. Customer exist AD ldap auth Hitachi storage admin login no problem, they did not want to use CIFS tunnel.

 

I test KB in my simulator still failed with below setting.

- schema copy AD-IDMU to AD-IDMU-lab and change groupOfUniqueNames, uniqueMember and Name Mapping windowsAccount

chinchillaking_1-1673859781306.png

- setup ldap client as below

chinchillaking_0-1673859689788.png

- modify name-services as below

chinchillaking_2-1673859948849.png

- test UNIX credentials are pulled correctly from Windows AD LDAP

chinchillaking_3-1673860040040.png

chinchillaking_4-1673860115963.png

- check the ldap status no problem

chinchillaking_5-1673860181330.png

- security login account add in cluster

chinchillaking_6-1673860237218.png

- Install Identity Management for UNIX, Server for NIS and Password Synchronization

chinchillaking_7-1673860449829.png

 

chinchillaking_8-1673860465366.png

- reset hvadmin password trigger password synchronization, the unixUserPassword update

chinchillaking_9-1673860522571.png

- try login ssh display "Access denied" or system manager and display "Sign In Failed. Please verify Username and Password."

- when login with hvadmin, wireshark display it will query ldap but event log not much info troubleshoot

chinchillaking_10-1673861028053.png

chinchillaking_11-1673861170335.png

 

any advise?

 

 

 

 

1 ACCEPTED SOLUTION

chinchillaking
1,952 Views

I found the problem, Windows AD Schema did not allow search unixUserPassword, change below problem fixed.

 

ADSI editior > select a well known naming context > Schema > OK > searchFlags Attribute for CN=unixUserPassword change default 128 to 0
right click Schema > Update Schema Now

View solution in original post

1 REPLY 1

chinchillaking
1,953 Views

I found the problem, Windows AD Schema did not allow search unixUserPassword, change below problem fixed.

 

ADSI editior > select a well known naming context > Schema > OK > searchFlags Attribute for CN=unixUserPassword change default 128 to 0
right click Schema > Update Schema Now

Public