We are using Centrify DirectControl v4 for Unix authentication and mapping with AD. The Filer, v7.3.1, has with LDAP enabled to map the Unix accounts, via Centrify, with AD. However, some AD accounts does not map with Centrify fromt the Filer. Centrify has multizones and the Unix account are in more than one zones. It 'seems' the problem occurs when the Unix accounts are in multiple Centrify zones and but the Filer only checks in one particular zone. Also, I'm 100% sure if I have ldap configure correctly on the Filer.
We can close this forum posting. This morning, Centrify got on a webex with 'buim' and re-configured NetApps filer to point "ldap.base" to point to the Universal zone (in his case) where all the user accounts were residing and zone-enabled. There was no need for setting "ldap.base.passwd". After this, the query worked fine. On Netapps, we also setup "home directory" to "UnixHomeDirectory" so that we can query home directory properly. Marcus can add anything I missed. Thx
The options ldap.base should be pointing to the Universal zone where you have all the users/groups are located and should be in the format shown below. Substitute the zone name and AD domain name in question. If it still does not work, I will be happy to do a webex with you as I am from Centrify support. This does not seem to be a Netapp issue per se. Thx
Can you please see section 2.2 of this whitepaper or the extract below. Specifically on options.ldap.base where its pointing to Centrify zone location (default location is Program Data) but yours is showing "DC=corp,DC=company,DC=net". If you have trouble accessing this document, please let me know.
If you wish to use the new RFC 2307 UNIX schema attributes that are included in Windows Server 2003 R2, you will need to use both Centrify DirectControl and Windows Server 2003 R2. First, ensure that the Active Directory forest is set to a Windows Server 2003 functional level. You then need to create an RFC 2307 DirectControl Zone associated with the Active Directory domain that is set up on the Windows Server 2003 R2 domain controller. The NetApp server will be able to access user and group records visible in a specific DirectControl Zone. Once this is done, start a terminal session on your NetApp server and type in the following to view your current LDAP settings:
To configure the NetApp server to use the RFC 2307 attributes, make the following