hi,

thanks for your ldap options @Jeremy!

With SSL enabled I got an SSL error. I think there are some problems with the self-signed certificate. That's my fault.

But without SSL I got an established connection:

chip1.29634           dc1.ad.cxo.name.389    65280      0   8760      0 ESTABLISHED

...with the same result.

I'll install the UNIX Services role (Identity Management for UNIX), because lots of attributes are missing. I'll give you an update if it works.

thanks for your help!

Steffen

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On behalf of Jeremy Page
Sent: Tuesday, 31 July 2012 15:20
To: toasters@teaparty.net
Subject: Re: AW: LDAP Options

SFU was needed before 2003R2. With 2003R2 schema or later you can just use the normal RFC2307 attributes and objects (regular UNIX posix stuff like UID).

Do you have an ldap.conf file from a Linux box that works with your Windows domain? There are a lot of different things that can cause issues. This is quite tricky, I am pretty comfortable with LDAP on both the AD and *nix side but it took me quite a while to get this working properly.

Below is my LDAP config. Please note that it is using the Global Catalog port to support name service lookups for accounts across our forest.
ldap.ADdomain                company.com
ldap.base                    dc=company,dc=com
ldap.base.group                        
ldap.base.netgroup                     
ldap.base.passwd                       
ldap.enable                  on       
ldap.minimum_bind_level      simple    
ldap.name                    cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=com
ldap.nssmap.attribute.gecos  gecos     
ldap.nssmap.attribute.gidNumber gidNumber 
ldap.nssmap.attribute.groupname cn        
ldap.nssmap.attribute.homeDirectory UnixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid 
ldap.nssmap.attribute.netgroupname cn        
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid    sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber 
ldap.nssmap.attribute.userPassword unixUserPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount user      
ldap.nssmap.objectClass.posixGroup group     
ldap.passwd                  ******    
ldap.port                    3268      
ldap.servers                 ldap.company.com
ldap.servers.preferred                 
ldap.ssl.enable              off       
ldap.timeout                 20        
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base                      
ldap.usermap.enable          on
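As an added example (not part of this thread, and not a NetApp tool), the script below parses an `ldap.*` options dump in the format quoted above and flags the settings that put the bind credential or directory traffic on the wire unencrypted: `ldap.ssl.enable off` combined with `ldap.minimum_bind_level simple` means the `ldap.passwd` value travels in cleartext to the Global Catalog on 3268. The "hardened" values it proposes (SSL on, Global Catalog over SSL on 3269, `sasl` as the minimum bind level) are the reviewer's assumptions about what a stricter configuration looks like, not verified ONTAP guidance; the sample dump is constructed from the thread with the password already masked.

```python
"""Audit a 7-mode style `ldap.*` options dump for cleartext-credential risks.

Constructed example for this thread; not a NetApp tool.  Option names follow
the dump quoted in the thread; the hardened values are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: a trimmed copy of the dump from the thread.
SAMPLE_DUMP = """\
ldap.ADdomain                company.com
ldap.base                    dc=company,dc=com
ldap.base.group
ldap.enable                  on
ldap.minimum_bind_level      simple
ldap.name                    cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=com
ldap.passwd                  ******
ldap.port                    3268
ldap.servers                 ldap.company.com
ldap.ssl.enable              off
ldap.timeout                 20
"""

# One option per line: name, whitespace, optional value, trailing whitespace.
_LINE = re.compile(r"^\s*(ldap\.[A-Za-z0-9_.]+)\s*(.*?)\s*$")

# Well-known AD ports: 389/636 for a domain controller, 3268/3269 for the
# Global Catalog in cleartext / over SSL.
LDAP_PLAIN, LDAP_SSL, GC_PLAIN, GC_SSL = "389", "636", "3268", "3269"


def parse_ldap_options(text: str) -> Dict[str, str]:
    """Map each `ldap.*` option name to its value ('' when the option is unset)."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def audit_ldap_options(opts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings about credentials or data sent in the clear."""
    findings: List[Tuple[str, str]] = []
    ssl_on = opts.get("ldap.ssl.enable", "off").lower() == "on"
    bind = opts.get("ldap.minimum_bind_level", "anonymous").lower()
    port = opts.get("ldap.port", LDAP_PLAIN)

    if not ssl_on and bind == "simple":
        findings.append(("CLEARTEXT_BIND",
                         "simple bind with ssl off sends ldap.passwd in cleartext"))
    if not ssl_on and port in (LDAP_PLAIN, GC_PLAIN):
        findings.append(("CLEARTEXT_PORT",
                         f"port {port} without ssl: name-service lookups are unencrypted"))
    if ssl_on and port in (LDAP_PLAIN, GC_PLAIN):
        findings.append(("PORT_MISMATCH",
                         f"ssl on but port {port} is the cleartext port"))
    if bind == "anonymous":
        findings.append(("ANON_BIND", "anonymous bind is accepted as the minimum level"))
    return findings


def harden_ldap_options(opts: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with the cleartext settings replaced (assumed target values)."""
    fixed = dict(opts)
    fixed["ldap.ssl.enable"] = "on"
    fixed["ldap.minimum_bind_level"] = "sasl"  # assumed value; verify on your release
    port = opts.get("ldap.port", LDAP_PLAIN)
    # Move a Global Catalog port to its SSL counterpart, a DC port to LDAPS.
    if port == GC_PLAIN:
        fixed["ldap.port"] = GC_SSL
    elif port == LDAP_PLAIN:
        fixed["ldap.port"] = LDAP_SSL
    return fixed


if __name__ == "__main__":
    parsed = parse_ldap_options(SAMPLE_DUMP)
    for code, msg in audit_ldap_options(parsed):
        print(f"{code}: {msg}")
    for key in ("ldap.ssl.enable", "ldap.minimum_bind_level", "ldap.port"):
        print(f"{key:<28}{harden_ldap_options(parsed)[key]}")
```

The point of the second function is that turning SSL off to get past a certificate error, as happened earlier in the thread, trades one visible failure for a silent one: the bind works, but the service account password is readable by anyone on the path to the domain controller. Installing the issuing CA's certificate on the filer keeps `ldap.ssl.enable on` and removes the error instead.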


On 07/31/2012 04:44 AM, Steffen Knauf wrote:

hi,

I found a Knowledge Base entry for LDAP configuration:

https://kb.netapp.com/support/index?page=content&id=1010909

They installed SFU or "Identity Management for UNIX". So I'm confused about what the right way is. I still get no LDAP connection. It's a little bit strange that I see nothing in the error log files.

greets

Steffen

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On behalf of Jeremy Page
Sent: Monday, 30 July 2012 16:36
To: toasters@teaparty.net
Subject: Re: AW: LDAP Options

 

With Windows 2003R2 or later you do not need to (and should not) install SFU. The rfc2307 NIS schema is part of AD - although not all the attributes will be populated by default (i.e. you will not have a UID unless you explicitly set it).


On 07/30/2012 09:41 AM, Steffen Knauf wrote:

Hi, sorry, that was my fault. The correct entry should be:

ldap.ADdomain                ad.cxo.name

But still with the same result: Could not get passwd entry for name = sknauf

I don't have much experience with Windows 2008 R2 Server. Is it necessary to install SFU (Subsystem for UNIX-based Applications) on the Windows Server?

_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters