Hi,
We've been successful with this configuration.
Key is to use ldap.ADdomain to specify the ldap server - use FQDN (not netbios domain name).
When using ADdomain, the NetApp will find all AD integrated LDAP servers for that domain.
When using AD integrated LDAP, don't put any entries into the ldap server or preferred ldap server options.
In order to get proper return for a person's secondary groups, msSFU30MemberUid has to be used. This isn't the attribute that is filled in when using the "Users and Computers" GUI (msSFU30PosixMember is filled in when using the GUI and this one won't work with a NetApp filer). There is no place in the GUI to directly add to or edit msSFU30MemberUid. It has to be edited with an LDAP edit tool or ADSI edit.
------------
Also the NetApp /etc/nsswitch.conf file has to point to LDAP for passwd, shadow, group info:

filer*> options ldap
ldap.ADdomain example.com
ldap.base dc=example,dc=com
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable on
ldap.name cn=my_user,ou=my_users,dc=example,dc=com
ldap.nssmap.attribute.gecos name
ldap.nssmap.attribute.gidNumber msSFU30GidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory msSFU30HomeDirectory
ldap.nssmap.attribute.loginShell msSFU30LoginShell
ldap.nssmap.attribute.memberNisNetgroup
ldap.nssmap.attribute.memberUid msSFU30MemberUid
ldap.nssmap.attribute.netgroupname
ldap.nssmap.attribute.nisNetgroupTriple
ldap.nssmap.attribute.uid sAMAccountName
ldap.nssmap.attribute.uidNumber msSFU30UidNumber
ldap.nssmap.attribute.userPassword msSFU30Password
ldap.nssmap.objectClass.nisNetgroup
ldap.nssmap.objectClass.posixAccount User
ldap.nssmap.objectClass.posixGroup Group
ldap.passwd ******
ldap.port 389
ldap.servers
ldap.servers.preferred
----------------
hosts: files dns nis
passwd: files ldap
netgroup: files nis
group: files ldap
shadow: files ldap
------------------------
To test if the NetApp is returning info, use the getXXbyYY command. If the filer returns info, but the client doesn't, then you will be able to tell if it is a client or filer issue.

filer>priv set advanced
filer*>getXXbyYY getpwbyname_r unix_user_name (returns passwd info)
filer*>getXXbyYY getgrbyname unix_group_name (returns GID)
filer*>getXXbyYY getgrlist unix_user_name (returns that person's groups)
Thanks -O
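
An added example, not part of the original post: a Python check over an LDIF export of the directory that lists groups whose members were set through msSFU30PosixMember (the GUI attribute) but are missing from msSFU30MemberUid, the attribute the filer is mapped to above. The sample entries, the my_groups OU and the function names are constructed for illustration; it assumes msSFU30PosixMember holds member DNs, msSFU30MemberUid holds login names, and the LDIF has no folded or base64 lines.

```python
from collections import defaultdict

# Constructed sample export (not from the original post); all names are assumptions.
SAMPLE_LDIF = """\
dn: CN=Alice A,OU=my_users,DC=example,DC=com
sAMAccountName: alice

dn: CN=Bob B,OU=my_users,DC=example,DC=com
sAMAccountName: bob

dn: CN=eng,OU=my_groups,DC=example,DC=com
cn: eng
msSFU30PosixMember: CN=Alice A,OU=my_users,DC=example,DC=com
msSFU30PosixMember: CN=Bob B,OU=my_users,DC=example,DC=com
msSFU30MemberUid: alice

dn: CN=ops,OU=my_groups,DC=example,DC=com
cn: ops
msSFU30MemberUid: alice
msSFU30MemberUid: bob
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records (no folded or base64 lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                # LDAP attribute names are case-insensitive, so normalise them.
                entry[attr.lower()].append(value.strip())
        entries.append(entry)
    return entries

def missing_member_uids(entries):
    """Map group name -> logins present via msSFU30PosixMember but not msSFU30MemberUid."""
    login_by_dn = {e["dn"][0].lower(): e["samaccountname"][0]
                   for e in entries if e.get("dn") and e.get("samaccountname")}
    report = {}
    for e in entries:
        # Resolve each GUI-set member DN to the login name the filer would look up.
        gui = {login_by_dn[d.lower()] for d in e.get("mssfu30posixmember", [])
               if d.lower() in login_by_dn}
        missing = gui - set(e.get("mssfu30memberuid", []))
        if missing:
            report[e.get("cn", e["dn"])[0]] = sorted(missing)
    return report

if __name__ == "__main__":
    print(missing_member_uids(parse_ldif(SAMPLE_LDIF)))
```

Any login it reports for a group is one that getXXbyYY getgrlist on the filer would not show as a member of that group.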