Network and Storage Protocols

LDAP Configuration Problem

JOSHBAIRD
6,624 Views

Hi,

I'm attempting to configure LDAP on v8.0.1P4.  This Filer is already joined to a domain using "cifssetup," but I need to configure LDAP to read from our Active Directory for NFS purposes.  Here is my LDAP config:

ldap.ADdomain                na.domain.lan
ldap.base                    dc=na,dc=domain,dc=lan
ldap.base.group              dc=na,dc=domain,dc=lan
ldap.base.netgroup
ldap.base.passwd             dc=na,dc=domain,dc=lan
ldap.enable                  on
ldap.minimum_bind_level      simple
ldap.name                    CN=NetAppServiceAccount,OU=CRP,OU=Administration,DC=na,DC=domain,DC=lan
ldap.nssmap.attribute.gecos  name
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid    uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.nssmap.objectClass.posixGroup posixGroup
ldap.passwd                  ******
ldap.port                    389
ldap.servers
ldap.servers.preferred
ldap.ssl.enable              off
ldap.timeout                 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base
ldap.usermap.enable          off

I have verified using "wcc -u domainusername" that the LDAP connection is not working.  I also tried to use getXXbyYY:

filer*> wcc -u jbaird
no passwd entry for jbaird

filer*> getXXbyYY getpwbyname_r jbaird
Could not get passwd entry for name = jbaird

My nsswitch.conf contains "files ldap" for passwd and for groups. 

I don't see anything interesting in /etc/messages.  What is the next step to debug this problem?

Thanks!


JOSHBAIRD

Ok, after taking packet captures, I believe the Filer is constructing the LDAP query incorrectly.  This is how it is attempting to filter the LDAP results:

Filter: (&(objectClass=sAMAccountName)(uid=jbaird))

It should be using a filter like this:

(&(objectClass=user)(sAMAccountName=jbaird))

But, I cannot figure out how to change this filter from the ldap options/commands that are available.  Can anyone help?


Thanks.

JOSHBAIRD

Ok, I figured this out:

ldap.nssmap.attribute.uid    user
ldap.nssmap.objectClass.posixAccount sAMAccountName

According to the newest packet capture after making these changes, the LDAP server is returning a successful query result!  The user is found, but the Filer is still saying "no passwd entry for jbaird":

filer*> wcc -u jbaird
no passwd entry for jbaird
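The two posts above describe the two halves of an NSS-over-LDAP lookup: the search filter built from the ldap.nssmap.* options, and the mapping of the returned object into a passwd entry. The following is an added illustration written for this thread (not NetApp code and not the poster's configuration) of how that pipeline behaves. It assumes constructed sample AD user objects, and its two nssmaps are hypothetical: the default posixAccount/uid map from the first post, and a map that produces the (&(objectClass=user)(sAMAccountName=jbaird)) filter the poster says AD expects. The filter value is escaped per RFC 4515 so that a login name can never change the filter's structure.

```python
"""Added example: how ldap.nssmap.* options become an LDAP search filter and a
passwd(5) line, and why a search that returns an object can still end in
"no passwd entry". All data here is constructed for illustration."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed AD user objects (not captured from any real directory).
AD_USER_WITH_POSIX: Entry = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["jbaird"],
    "name": ["Josh Baird"],
    "uidNumber": ["10001"],
    "gidNumber": ["10000"],
    "homeDirectory": ["/home/jbaird"],
    "loginShell": ["/bin/bash"],
}
AD_USER_NO_POSIX: Entry = {  # same account, but no RFC 2307 attributes populated
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["jbaird"],
    "name": ["Josh Baird"],
}

# Hypothetical nssmaps keyed by the ldap.nssmap.* option suffix.
DEFAULT_MAP = {
    "objectClass.posixAccount": "posixAccount",
    "attribute.uid": "uid",
    "attribute.uidNumber": "uidNumber",
    "attribute.gidNumber": "gidNumber",
    "attribute.gecos": "name",
    "attribute.homeDirectory": "homeDirectory",
    "attribute.loginShell": "loginShell",
}
AD_MAP = dict(DEFAULT_MAP, **{"objectClass.posixAccount": "user",
                              "attribute.uid": "sAMAccountName"})


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login such as 'a)(b' cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_passwd_filter(nssmap: Dict[str, str], login: str) -> str:
    """Same two-clause shape as the filter seen in the packet capture."""
    return "(&(objectClass=%s)(%s=%s))" % (
        nssmap["objectClass.posixAccount"],
        nssmap["attribute.uid"],
        escape_filter_value(login),
    )


def _values(entry: Entry, attr: str) -> List[str]:
    # LDAP attribute names are case-insensitive.
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return vals
    return []


def entry_matches(entry: Entry, nssmap: Dict[str, str], login: str) -> bool:
    """Evaluate the passwd filter against one entry (values compared case-insensitively)."""
    classes = [v.lower() for v in _values(entry, "objectClass")]
    logins = [v.lower() for v in _values(entry, nssmap["attribute.uid"])]
    return (nssmap["objectClass.posixAccount"].lower() in classes
            and login.lower() in logins)


def to_passwd(entry: Entry, nssmap: Dict[str, str]) -> Optional[str]:
    """Map a matched entry to a passwd line; uid, uidNumber and gidNumber are
    mandatory, so an object lacking them yields None ("no passwd entry")."""
    def first(option: str) -> Optional[str]:
        vals = _values(entry, nssmap[option])
        return vals[0] if vals else None

    login, uidn, gidn = first("attribute.uid"), first("attribute.uidNumber"), first("attribute.gidNumber")
    if login is None or uidn is None or gidn is None:
        return None
    gecos = first("attribute.gecos") or ""
    home = first("attribute.homeDirectory") or "/"
    shell = first("attribute.loginShell") or "/bin/sh"
    return "%s:x:%s:%s:%s:%s:%s" % (login, uidn, gidn, gecos, home, shell)


def lookup(entries: List[Entry], nssmap: Dict[str, str], login: str) -> Optional[str]:
    """Simulate getpwnam over a directory: search, then map the first hit."""
    for entry in entries:
        if entry_matches(entry, nssmap, login):
            return to_passwd(entry, nssmap)
    return None


if __name__ == "__main__":
    for name, nssmap in (("default map", DEFAULT_MAP), ("AD map", AD_MAP)):
        print(name, build_passwd_filter(nssmap, "jbaird"))
        for label, entry in (("with posix attrs", AD_USER_WITH_POSIX), ("no posix attrs", AD_USER_NO_POSIX)):
            print("  ", label, "->", lookup([entry], nssmap, "jbaird"))
```

Running it shows the three distinct outcomes a packet capture alone does not separate: the default map never matches an AD user object at all (the search returns nothing), the AD-shaped map matches and yields a full passwd line when uidNumber and gidNumber are present, and it matches yet still yields no passwd entry when the object carries no POSIX attributes. When debugging, comparing the attributes actually present in the returned object against the mandatory ones in the nssmap is the step that distinguishes the last two cases.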

aborzenkov

You have to explicitly maintain plain text passwords for users in AD. There is no way to reconstruct it from native AD data. IIRC there were utilities to do it.

Is using Kerberos an option? This would eliminate the need to use and maintain plain text passwords.

JOSHBAIRD

Where is this documented?  The documentation and other posts on the forum lead me to believe that this is not the case.  The Filer should be able to enumerate users from external NIS and LDAP sources from what I have read.  What would be the point of configuring the Filer to read from an LDAP directory if it cannot even enumerate user information from the LDAP/NIS directory?

aborzenkov

The Filer should be able to enumerate users from external NIS and LDAP sources from what I have read.

Your filer does find the user in LDAP, doesn't it?

What would be the point of configuring the Filer to read from an LDAP directory if it cannot even enumerate user information from the LDAP/NIS directory?

User information does not magically appear in LDAP all by itself. Someone has to enter it there. Windows AD never uses plain text passwords, so they are never entered in AD.

JOSHBAIRD

No, I cannot get the Filer to enumerate any data from AD, even though when I look at a packet capture during a "wcc -u username," I see a successful LDAP query and response.  Support has led me to this doc:

https://kb.netapp.com/support/index?page=content&id=1010909&actp=search&viewlocale=en_US&searchid=1354073465185

However, this is exactly how I already had it configured.  "wcc -u username" still returns "no passwd entry for username."
