As Andrey said, you should set your ldap.ADdomain.
Your LDAP base should be the AD domain; not clear below, but using the MS docs it would be dc=contoso,dc=local.
By default anonymous binds will be refused by AD. To get it to work, try using simple binds without TLS and provide a user (does not need to be privileged) to act as a proxy account to do the LDAP queries.
You also want your nssmap objectClass.posixAccount to be "user" - it's looking for a class, not an attribute (like sAMAccountName).
You probably want your attribute.homedirectory to be "UnixHomeDirectory" (which will give it in NFS format), userPassword to be unixUserPassword
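A small checker for the pitfalls named in this reply, added here as an example and not code from the thread or from NetApp. It assumes the "options ldap" output format shown in Steffen's post (option name, then its value on the same line); the option lines embedded below are a constructed copy of his settings with the password left out.

```python
# Constructed sample: the 'options ldap' lines from the post that matter here (password omitted).
SAMPLE_OPTIONS = """\
ldap.ADdomain dc2.ad.cxo.name dc1.ad.cxo.name
ldap.base dc=ad,dc=cxo,dc=name
ldap.minimum_bind_level anonymous
ldap.name CN=Administrator,CN=Users,DC=ad,DC=cxo,DC=name
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.posixAccount sAMAccountName
ldap.nssmap.objectClass.posixGroup Group
"""

# AD attribute names that carry the POSIX fields (the RFC 2307 attributes AD ships for NFS).
AD_ATTR_FIXES = {
    "ldap.nssmap.attribute.homeDirectory": "unixHomeDirectory",
    "ldap.nssmap.attribute.userPassword": "unixUserPassword",
}

def parse_options(text):
    # {option: value}; value is the rest of the line, empty when the option is unset.
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0].startswith("ldap."):
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def lint(opts):
    # Return [(option, message)] for each setting that will break AD lookups.
    findings = []
    domain = opts.get("ldap.ADdomain", "")
    if len(domain.split()) != 1:
        findings.append(("ldap.ADdomain", "one AD domain name, not a list of domain controllers"))
    else:
        # The search base should be the DN form of the AD domain, e.g. dc=contoso,dc=local.
        expected = ",".join("dc=" + part for part in domain.split("."))
        if opts.get("ldap.base", "").lower() != expected:
            findings.append(("ldap.base", "expected " + expected))
    if opts.get("ldap.minimum_bind_level", "").lower() == "anonymous":
        findings.append(("ldap.minimum_bind_level", "AD refuses anonymous binds; use a simple bind with a proxy account"))
    if opts.get("ldap.name", "").lower().startswith("cn=administrator,"):
        findings.append(("ldap.name", "the proxy account need not be privileged; do not bind as Administrator"))
    if opts.get("ldap.nssmap.objectClass.posixAccount", "").lower() != "user":
        findings.append(("ldap.nssmap.objectClass.posixAccount", "must be the objectClass 'user', not an attribute"))
    for key, want in AD_ATTR_FIXES.items():
        if key in opts and opts[key].lower() != want.lower():
            findings.append((key, "should be " + want))
    return findings
```

Run lint(parse_options(...)) over a filer's own "options ldap" output; an empty list means none of the six settings discussed in this thread is still wrong.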
On 07/30/2012 08:53 AM, Borzenkov, Andrey wrote:
Option ldap.ADdomain should be the AD domain name (single entry), not a list of domain controllers. It tries to find domain dc2.ad.cxo.name; is it really the domain name?
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Steffen Knauf
Sent: Monday, July 30, 2012 4:13 PM
To: toasters@teaparty.net
Subject: LDAP Options
Hi,
I am trying to configure our Filer against an LDAP server (Windows 2008 R2), without success. Perhaps you have some ideas what's wrong.
ldap.ADdomain dc2.ad.cxo.name dc1.ad.cxo.name
ldap.base dc=ad,dc=cxo,dc=name
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.name CN=Administrator,CN=Users,DC=ad,DC=cxo,DC=name
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount sAMAccountName
ldap.nssmap.objectClass.posixGroup Group
ldap.passwd ******
ldap.port 389
ldap.servers
ldap.servers.preferred
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base
ldap.usermap.enable on
I get the following error messages:
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for DC2.AD.CXO.NAME.
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found no AD LDAP server addresses using DNS site query (muc).
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found no AD LDAP server addresses using generic DNS query.
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- AD LDAP server address discovery for DC2.AD.CXO.NAME complete. 0 unique addresses found
Testing:
chip1*> getXXbyYY getpwbyname_r sknauf
Could not get passwd entry for name = sknauf
chip1*> wcc -u adcxo/sknauf
no passwd entry for adcxo/sknauf
nsswitch.conf :
chip1*> rdfile /etc/nsswitch.conf
#Auto-generated by LDAP Mon Jul 30 10:42:32 CEST 2012
hosts: files nis dns
passwd: files ldap
netgroup: files ldap
group: files ldap
shadow: files ldap nis
Ping:
chip1*> ping dc2.ad.cxo.name
dc2.ad.cxo.name is alive
chip1*> ping dc2
dc2.ad.cxo.name is alive
Thanks & greets
Steffen
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters