
LDAP Configuration Problem



I'm attempting to configure LDAP on v8.0.1P4.  This Filer is already joined to a domain using "cifssetup," but I need to configure LDAP to read from our Active Directory for NFS purposes.  Here is my LDAP config:

ldap.ADdomain                na.domain.lan
ldap.base                    dc=na,dc=domain,dc=lan
ldap.base.group              dc=na,dc=domain,dc=lan
ldap.base.passwd             dc=na,dc=domain,dc=lan
ldap.enable                  on
ldap.minimum_bind_level      simple
ldap.name                    CN=NetAppServiceAccount,OU=CRP,OU=Administration,DC=na,DC=domain,DC=lan
ldap.nssmap.attribute.gecos  name
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid    uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.nssmap.objectClass.posixGroup posixGroup
ldap.passwd                  ******
ldap.port                    389
ldap.ssl.enable              off
ldap.timeout                 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.enable          off

I have verified using "wcc -u domainusername" that the LDAP connection is not working.  I also tried to use getXXbyYY:

filer*> wcc -u jbaird
no passwd entry for jbaird

filer*> getXXbyYY getpwbyname_r jbaird
Could not get passwd entry for name = jbaird

My nsswitch.conf contains "files ldap" for passwd and for groups.

I don't see anything interesting in /etc/messages.  What is the next step to debug this problem?




Ok, after taking packet captures, I believe the Filer is constructing the LDAP query incorrectly.  This is how it is attempting to filter the LDAP results:

Filter: (&(objectClass=sAMAccountName)(uid=jbaird))

It should be using a filter like this:


But, I cannot figure out how to change this filter from the ldap options/commands that are available.  Can anyone help?



Ok, I figured this out:

ldap.nssmap.attribute.uid    user
ldap.nssmap.objectClass.posixAccount sAMAccountName

According to the newest packet capture after making these changes, the LDAP server is returning a successful query result!  The user is found, but the Filer is still saying "no passwd entry for jbaird":

filer*> wcc -u jbaird
no passwd entry for jbaird
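The two symptoms in this thread (a filter that matches nothing, and then a filter that matches an object while wcc still reports "no passwd entry") are what any RFC 2307 client produces when its ldap.nssmap options are pointed at Active Directory. The following is an added example, not Data ONTAP code or NetApp's documented behaviour: it models how an nss_ldap-style client turns the ldap.nssmap.objectClass.posixAccount and ldap.nssmap.attribute.* settings from the first post into a search filter and then into a passwd record, using a constructed directory of two AD-style user objects. The AD_NSSMAP mapping (objectClass user, sAMAccountName, unixHomeDirectory) is an assumption chosen for illustration, not the settings that ended the thread.

```python
import re

# Constructed sample directory (not real data): two AD-style user objects.
# A stock AD user carries objectClass "user" and sAMAccountName; the
# RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell)
# exist in the schema but stay empty until an admin populates them, and the
# posixAccount class never appears on the object. jbaird has no UNIX
# attributes; asmith has them populated.
DIRECTORY = [
    {"dn": "CN=jbaird,OU=Users,DC=na,DC=domain,DC=lan",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["jbaird"], "cn": ["jbaird"], "name": ["J. Baird"]},
    {"dn": "CN=asmith,OU=Users,DC=na,DC=domain,DC=lan",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["asmith"], "cn": ["asmith"], "name": ["A. Smith"],
     "uidNumber": ["10001"], "gidNumber": ["10000"],
     "unixHomeDirectory": ["/home/asmith"], "loginShell": ["/bin/sh"]},
]

# ldap.nssmap.* values as shipped (plain RFC 2307 names) ...
DEFAULT_NSSMAP = {
    "objectClass.posixAccount": "posixAccount",
    "attribute.uid": "uid",
    "attribute.uidNumber": "uidNumber",
    "attribute.gidNumber": "gidNumber",
    "attribute.homeDirectory": "homeDirectory",
    "attribute.loginShell": "loginShell",
    "attribute.gecos": "gecos",
}
# ... and an assumed AD-oriented mapping (hypothetical, for illustration).
AD_NSSMAP = {**DEFAULT_NSSMAP,
             "objectClass.posixAccount": "user",
             "attribute.uid": "sAMAccountName",
             "attribute.homeDirectory": "unixHomeDirectory",
             "attribute.gecos": "name"}

# Attributes a client needs before it can hand back a passwd entry at all.
REQUIRED = ("uid", "uidNumber", "gidNumber")

def build_filter(nssmap, login):
    """Filter an nss_ldap-style client sends for getpwnam(login)."""
    return "(&(objectClass=%s)(%s=%s))" % (
        nssmap["objectClass.posixAccount"], nssmap["attribute.uid"], login)

def _get(entry, attr):
    """Case-insensitive attribute fetch, since LDAP attribute names are."""
    for key, vals in entry.items():
        if key != "dn" and key.lower() == attr.lower():
            return vals
    return []

_EQ = re.compile(r"\((\w+)=([^()]*)\)")

def search(directory, filt):
    """Evaluate an AND-of-equality filter of the shape build_filter emits.
    Values compare case-insensitively, as AD's default matching rules do."""
    terms = _EQ.findall(filt)
    return [e for e in directory
            if all(val.lower() in [v.lower() for v in _get(e, attr)]
                   for attr, val in terms)]

def lookup_passwd(nssmap, login, directory):
    """Return (status, record). Status is 'ok', 'no match' (the filter hit
    nothing, as with the default posixAccount/uid names against AD), or a
    message naming the mapped attributes the matched object does not carry
    (the 'query succeeded but no passwd entry' case)."""
    hits = search(directory, build_filter(nssmap, login))
    if not hits:
        return "no match", None
    entry, record = hits[0], {}
    for field in ("uid", "uidNumber", "gidNumber",
                  "homeDirectory", "loginShell", "gecos"):
        vals = _get(entry, nssmap["attribute." + field])
        if vals:
            record[field] = vals[0]
    missing = [f for f in REQUIRED if f not in record]
    if missing:
        return "entry matched but lacks " + ",".join(missing), None
    return "ok", record

if __name__ == "__main__":
    for nssmap in (DEFAULT_NSSMAP, AD_NSSMAP):
        for login in ("jbaird", "asmith"):
            print(build_filter(nssmap, login), "->",
                  lookup_passwd(nssmap, login, DIRECTORY))
```

Running the block shows the three states side by side: the default names produce a filter that AD never matches, the AD mapping finds jbaird but cannot build a record because uidNumber and gidNumber are empty on that object, and only asmith, whose UNIX attributes are populated, yields a passwd entry. The practical check when the capture shows a successful search is therefore to compare the attributes returned for the user against every ldap.nssmap.attribute.* name the filer is configured to read.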


You have to explicitly maintain plain text passwords for users in AD. There is no way to reconstruct them from native AD data. IIRC there were utilities to do it.

Is using Kerberos an option? This would eliminate need to use and maintain plain text passwords.


Where is this documented?  The documentation and other posts on the forum lead me to believe that this is not the case.  The Filer should be able to enumerate users from external NIS and LDAP sources from what I have read.  What would be the point of configuring the Filer to read from an LDAP directory if it cannot even enumerate user information from the LDAP/NIS directory?


The Filer should be able to enumerate users from external NIS and LDAP sources from what I have read.

Your filer does find the user in LDAP, doesn't it?

What would be the point of configuring the Filer to read from an LDAP directory if it cannot even enumerate user information from the LDAP/NIS directory?

User information does not magically appear in LDAP all by itself. Someone has to enter it there. Windows AD never uses plain text passwords, so they are never entered in AD.


No, I cannot get the Filer to enumerate any data from AD, even though when I look at a packet capture during a "wcc -u username," I see a successful LDAP query and response.  Support has led me to this doc: 


However, this is exactly how I already had it configured.  "wcc -u username" still returns "no passwd entry for username."
