Hi,
I am trying to configure our filer against an LDAP server (Windows 2008 R2), without success. Perhaps you have some ideas about what's wrong.
----------------------------------------
ldap.ADdomain dc2.ad.cxo.name dc1.ad.cxo.name
ldap.base dc=ad,dc=cxo,dc=name
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.name CN=Administrator,CN=Users,DC=ad,DC=cxo,DC=name
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount sAMAccountName
ldap.nssmap.objectClass.posixGroup Group
ldap.passwd ******
ldap.port 389
ldap.servers
ldap.servers.preferred
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base
ldap.usermap.enable on
----------------------------------------
I get the following error messages:
----------------------------------------
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for DC2.AD.CXO.NAME.
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found no AD LDAP server addresses using DNS site query (muc).
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found no AD LDAP server addresses using generic DNS query.
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- AD LDAP server address discovery for DC2.AD.CXO.NAME complete. 0 unique addresses found
----------------------------------------
Testing:
----------------------------------------
chip1*> getXXbyYY getpwbyname_r sknauf
Could not get passwd entry for name = sknauf
chip1*> wcc -u adcxo/sknauf
no passwd entry for adcxo/sknauf
----------------------------------------
nsswitch.conf:
----------------------------------------
chip1*> rdfile /etc/nsswitch.conf
#Auto-generated by LDAP Mon Jul 30 10:42:32 CEST 2012
hosts: files nis dns
passwd: files ldap
netgroup: files ldap
group: files ldap
shadow: files ldap nis
----------------------------------------
Ping:
----------------------------------------
chip1*> ping dc2.ad.cxo.name
dc2.ad.cxo.name is alive
chip1*> ping dc2
dc2.ad.cxo.name is alive
----------------------------------------
Thanks & greets
Steffen
Option ldap.ADdomain should be the AD domain name (a single entry), not a list of domain controllers. It tries to find the domain dc2.ad.cxo.name; is that really the domain name?
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Steffen Knauf Sent: Monday, July 30, 2012 4:13 PM To: toasters@teaparty.net Subject: LDAP Options
As Andrey said, you should set your ldap.ADdomain.
Your LDAP base should be the AD domain; it is not clear from below, but using the MS docs it would be dc=contoso,dc=local.
By default, anonymous binds will be refused by AD. To get it to work, try using simple binds without TLS and provide a user (it does not need to be privileged) to act as a proxy account for the LDAP queries.
You also want your nssmap objectClass.posixAccount to be "user" - it's looking for a class, not an attribute (like sAMAccountName).
You probably want your attribute.homeDirectory to be "UnixHomeDirectory" (which will give it in NFS format) and userPassword to be unixUserPassword.
On 07/30/2012 08:53 AM, Borzenkov, Andrey wrote:
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
Please be advised that this email may contain confidential information. If you are not the intended recipient, please notify us by email by replying to the sender and delete this message. The sender disclaims that the content of this email constitutes an offer to enter into, or the acceptance of, any agreement; provided that the foregoing does not invalidate the binding effect of any digital or other electronic reproduction of a manual signature that is included in any attachment.
Hi, sorry, that was my fault. The correct entry should be:
ldap.ADdomain ad.cxo.name
But still with the same result: Could not get passwd entry for name = sknauf
I don't have much experience with Windows 2008 R2 Server. Is it necessary to install SFU (Subsystem for UNIX-based Applications) on the Windows server?
From: Borzenkov, Andrey [mailto:andrey.borzenkov@ts.fujitsu.com] Sent: Monday, 30 July 2012 14:54 To: Steffen Knauf; toasters@teaparty.net Subject: RE: LDAP Options
With Windows 2003 R2 or later you do not need to (and should not) install SFU. The RFC2307 NIS schema is part of AD - although not all the attributes will be populated by default (i.e. you will not have a UID unless you explicitly set it).
On 07/30/2012 09:41 AM, Steffen Knauf wrote:
Hi,
I found a Knowledge Base entry for LDAP configuration:
https://kb.netapp.com/support/index?page=content&id=1010909
They installed SFU or "Identity Management for UNIX". So I'm confused about what the right way is. I still get no LDAP connection. It's a little bit strange that I see nothing in the error log files.
greets
Steffen
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Jeremy Page Sent: Monday, 30 July 2012 16:36 To: toasters@teaparty.net Subject: Re: AW: LDAP Options
SFU was needed before 2003R2. With 2003R2 schema or later you can just use the normal RFC2307 attributes and objects (regular UNIX posix stuff like UID).
Do you have an ldap.conf file from a Linux box that works with your Windows domain? There are a lot of different things that can cause issues. This is quite tricky, I am pretty comfortable with LDAP on both the AD and *nix side but it took me quite a while to get this working properly.
Below is my LDAP config. Please note that it is using the Global Catalog port to support name service lookups for accounts across our forest.
ldap.ADdomain company.com
ldap.base dc=company,dc=com
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable on
ldap.minimum_bind_level simple
ldap.name cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=com
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory UnixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword unixUserPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount user
ldap.nssmap.objectClass.posixGroup group
ldap.passwd ******
ldap.port 3268
ldap.servers ldap.company.com
ldap.servers.preferred
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base
ldap.usermap.enable on
On 07/31/2012 04:44 AM, Steffen Knauf wrote:
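To make Jeremy's two points concrete (the posixAccount objectClass must be a class such as "user", not an attribute like sAMAccountName, and the RFC2307 attributes exist in the AD schema but return nothing until someone sets them), here is an added Python example that is not part of the thread and not NetApp's code. It parses an options dump like the ones posted, derives the passwd search filter and attribute list that mapping implies, lints the mistakes discussed above, and builds a passwd line from a constructed AD entry; the filter shape is my illustration of what the lookup asks for, not ONTAP's own source.

```python
import re

# Constructed sample: the original poster's mapping (ldap.ADdomain already corrected).
ORIGINAL_OPTIONS = """\
ldap.ADdomain ad.cxo.name
ldap.base dc=ad,dc=cxo,dc=name
ldap.minimum_bind_level anonymous
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.uid uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.objectClass.posixAccount sAMAccountName
ldap.port 389
ldap.ssl.enable off
"""

# Constructed sample: the same keys taken from Jeremy's working config.
CORRECTED_OPTIONS = """\
ldap.ADdomain company.com
ldap.base dc=company,dc=com
ldap.minimum_bind_level simple
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.homeDirectory UnixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.uid sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.objectClass.posixAccount user
ldap.port 3268
ldap.ssl.enable off
"""

# Constructed AD user objects, as a search would return them: first with the RFC2307
# attributes present in the schema but never populated, then with values set.
USER_UNPOPULATED = {"sAMAccountName": "sknauf", "homeDirectory": r"\\fs\sknauf"}
USER_POPULATED = {"sAMAccountName": "sknauf", "uidNumber": 1001, "gidNumber": 1001,
                  "gecos": "Steffen Knauf", "UnixHomeDirectory": "/home/sknauf",
                  "loginShell": "/bin/bash"}

PASSWD_FIELDS = ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")
# AD attribute names that get mistaken for object classes (the bug in the thread).
KNOWN_AD_ATTRIBUTES = {"samaccountname", "uid", "cn", "userprincipalname"}


def parse_options(text):
    """Turn 'options ldap' style output (key, optional value per line) into a dict."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a search filter value."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def passwd_filter(opts, login):
    """Search filter a getpwnam lookup implies under this nssmap (illustrative shape)."""
    cls = opts.get("ldap.nssmap.objectClass.posixAccount", "posixAccount")
    uid_attr = opts.get("ldap.nssmap.attribute.uid", "uid")
    return "(&(objectClass=%s)(%s=%s))" % (cls, uid_attr, escape_filter_value(login))


def passwd_attributes(opts):
    """AD attributes that must be fetched to build one passwd line."""
    return [opts.get("ldap.nssmap.attribute." + f, f) for f in PASSWD_FIELDS]


def lint_options(opts):
    """Findings a reviewer would raise against this mapping, as short strings."""
    findings = []
    cls = opts.get("ldap.nssmap.objectClass.posixAccount", "")
    bind = opts.get("ldap.minimum_bind_level", "")
    if cls.lower() in KNOWN_AD_ATTRIBUTES:
        findings.append("posixAccount objectClass '%s' is an attribute, not a class; use 'user'" % cls)
    if bind == "anonymous":
        findings.append("anonymous bind: AD refuses it by default; use simple with a proxy account")
    if bind == "simple" and opts.get("ldap.ssl.enable") == "off":
        findings.append("simple bind without SSL sends the proxy account password in cleartext")
    if opts.get("ldap.nssmap.attribute.homeDirectory", "").lower() == "homedirectory":
        findings.append("homeDirectory is the Windows path; UnixHomeDirectory holds the NFS one")
    return findings


def entry_to_passwd(opts, entry):
    """Build 'name:x:uid:gid:gecos:home:shell' from an AD entry, or None if a key field is unset."""
    values = []
    for field, attr in zip(PASSWD_FIELDS, passwd_attributes(opts)):
        val = entry.get(attr)
        if not val and field in ("uid", "uidNumber", "gidNumber"):
            return None  # the schema has the attribute, but nobody populated it
        values.append("" if val is None else str(val))
    return "%s:x:%s:%s:%s:%s:%s" % tuple(values)
```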
Hi,
thanks for your LDAP options, @Jeremy!
With SSL enabled I got an SSL error. I think there are some problems with the self-signed certificate. That's my fault.
But without SSL I got an established connection:
chip1.29634 dc1.ad.cxo.name.389 65280 0 8760 0 ESTABLISHED
......with the same result.
I'll install the UNIX Services role (Identity Management for UNIX), because lots of attributes are missing. I'll give you an update if it works.
thanks for your help!
Steffen
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Jeremy Page Sent: Tuesday, 31 July 2012 15:20 To: toasters@teaparty.net Subject: Re: AW: LDAP Options
The attributes are there; they may not have values assigned to them, though. Installing SFU will add *additional* custom attributes, extending the AD schema.
On 08/01/2012 09:39 AM, Steffen Knauf wrote:
You're right, the empty attributes are there. But still the same problem:
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: User from 192.168.62.41 authenticated by DC.
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user sknauf to Unix user sknauf.
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: User sknauf CIFS home directory is set to /vol/vol3/users/sknauf.
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user sknauf to Unix user pcuser.
Wed Aug 1 17:11:12 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: sknauf not found in passwd database during login from 0.0.0.0.
Wed Aug 1 17:11:12 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Using default UNIX name pcuser for login from 0.0.0.0.
--------------------------------------
rdfile /etc/nsswitch.conf
#Auto-generated by LDAP Mon Jul 30 10:42:32 CEST 2012
hosts: files nis dns
passwd: files ldap
netgroup: files ldap
group: files ldap
shadow: files ldap nis
--------------------------------------
greets
Steffen
From: Jeremy Page [mailto:jeremy.page@gilbarco.com] Sent: Wednesday, 1 August 2012 15:55 To: Steffen Knauf Cc: toasters@teaparty.net Subject: Re: AW: LDAP Options
The attributes are there, they may not have values assigned to them though. Installing SFU will add *additional* custom attributes, extending the AD schema.
On 08/01/2012 09:39 AM, Steffen Knauf wrote:
hi,
thanks for your ldap options @Jeremy!
With SSL enabled I got an SSL error. I think there are some problems with the self-signed certificate. That's my fault.
But without SSL I got an established connection:
chip1.29634 dc1.ad.cxo.name.389 65280 0 8760 0 ESTABLISHED
...with the same result.
I'll install the Unix services role (Identity Management for Unix), because lots of attributes are missing. I'll give you an update if it works.
thanks for your help!
Steffen
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On behalf of Jeremy Page Sent: Tuesday, 31 July 2012 15:20 To: toasters@teaparty.net Subject: Re: AW: LDAP Options
SFU was needed before 2003R2. With 2003R2 schema or later you can just use the normal RFC2307 attributes and objects (regular UNIX posix stuff like UID).
Do you have an ldap.conf file from a Linux box that works with your Windows domain? There are a lot of different things that can cause issues. This is quite tricky, I am pretty comfortable with LDAP on both the AD and *nix side but it took me quite a while to get this working properly.
Below is my LDAP config. Please note that it is using the Global Catalog port to support name service lookups for accounts across our forest.
ldap.ADdomain company.com
ldap.base dc=company,dc=com
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable on
ldap.minimum_bind_level simple
ldap.name cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=com
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory UnixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword unixUserPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount user
ldap.nssmap.objectClass.posixGroup group
ldap.passwd ******
ldap.port 3268
ldap.servers ldap.company.com
ldap.servers.preferred
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base
ldap.usermap.enable on
On 07/31/2012 04:44 AM, Steffen Knauf wrote:
hi,
I found a Knowledgebase Entry for LDAP Configuration:
https://kb.netapp.com/support/index?page=content&id=1010909
They installed SFU or "Identity Management for Unix". So I'm confused, what's the right way. I still get no LDAP connection. It's a little bit strange that I see nothing in the error logfiles.
greets
Steffen
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On behalf of Jeremy Page Sent: Monday, 30 July 2012 16:36 To: toasters@teaparty.net Subject: Re: AW: LDAP Options
With Windows 2003R2 or later you do not need to (and should not) install SFU. The rfc2307 NIS schema is part of AD - although not all the attributes will be populated by default (i.e. you will not have a UID unless you explicitly set it).
On 07/30/2012 09:41 AM, Steffen Knauf wrote:
Hi, sorry that was my fault. The correct entry should be:
ldap.ADdomain ad.cxo.name
But still with the same result: Could not get passwd entry for name = sknauf
I don't have much experience with Windows 2008 R2 Server. Is it necessary to install SFU (Subsystem for Unix-based Applications) on the Windows Server?
_______________________________________________ Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
Please be advised that this email may contain confidential information. If you are not the intended recipient, please notify us by email by replying to the sender and delete this message. The sender disclaims that the content of this email constitutes an offer to enter into, or the acceptance of, any agreement; provided that the foregoing does not invalidate the binding effect of any digital or other electronic reproduction of a manual signature that is included in any attachment.
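The lookup that Jeremy's ldap.nssmap.* options describe, and the "not found in passwd database" result Steffen sees when the rfc2307 attributes exist on the user object but are empty, as an added example that is not part of the thread and not Data ONTAP code: a Python simulation of how a filer turns one AD user entry into a passwd(5) line, plus the search filter it would send and the transport caveat a reviewer would raise about a simple bind with ldap.ssl.enable off. The option values are copied from Jeremy's config; the two AD entries, the REQUIRED field set and the fallbacks for empty optional fields are assumptions made for illustration.

```python
# Added example (not from the thread). Simulates the filer-side mapping of
# ldap.nssmap.* options onto one AD user entry. Option values are Jeremy's;
# the AD entries and the REQUIRED set below are constructed assumptions.

# Lines from Jeremy's config, in the form `options ldap` prints them.
OPTIONS_DUMP = """\
ldap.minimum_bind_level simple
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.homeDirectory UnixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.uid sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword unixUserPassword
ldap.nssmap.objectClass.posixAccount user
ldap.port 3268
ldap.ssl.enable off
"""

# passwd(5) fields in order, named by the nssmap key that maps each one.
PASSWD_FIELDS = ("uid", "userPassword", "uidNumber", "gidNumber",
                 "gecos", "homeDirectory", "loginShell")
# Assumption: no passwd entry can be built without these three.
REQUIRED = ("uid", "uidNumber", "gidNumber")

# Constructed AD entries (attribute -> value list, as an LDAP client returns
# them). The rfc2307 attributes exist in the 2003R2+ schema but stay empty
# until an admin sets them; that is the first entry.
USER_UNPOPULATED = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["sknauf"],
    "gecos": [], "uidNumber": [], "gidNumber": [],
    "unixHomeDirectory": [], "loginShell": [],
}
USER_POPULATED = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["sknauf"],
    "gecos": ["Steffen Knauf"], "uidNumber": ["10001"], "gidNumber": ["10000"],
    "unixHomeDirectory": ["/home/sknauf"], "loginShell": ["/bin/bash"],
}


def parse_options(dump):
    """'name value' per line -> dict; an option with no value maps to ''."""
    opts = {}
    for line in dump.splitlines():
        parts = line.split(None, 1)
        if parts:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def attr_map(opts):
    """nssmap field -> AD attribute, e.g. {'uid': 'sAMAccountName', ...}."""
    prefix = "ldap.nssmap.attribute."
    return {k[len(prefix):]: v for k, v in opts.items() if k.startswith(prefix)}


def get_attr(entry, name):
    """First value of an attribute; LDAP attribute names are case-insensitive."""
    for k, v in entry.items():
        if k.lower() == name.lower() and v:
            return v[0]
    return None


def passwd_filter(opts, login):
    """Search filter a filer with these options sends for a passwd lookup."""
    oc = opts.get("ldap.nssmap.objectClass.posixAccount", "posixAccount")
    uid_attr = attr_map(opts).get("uid", "uid")
    return f"(&(objectClass={oc})({uid_attr}={login}))"


def build_passwd_entry(opts, entry):
    """Return (passwd_line, []) or (None, ['field -> attribute', ...])."""
    amap = attr_map(opts)
    oc = opts.get("ldap.nssmap.objectClass.posixAccount", "posixAccount")
    if oc.lower() not in (c.lower() for c in entry.get("objectClass", [])):
        return None, [f"objectClass {oc} not on entry"]
    values, missing = {}, []
    for field in PASSWD_FIELDS:
        ad_attr = amap.get(field, field)
        values[field] = get_attr(entry, ad_attr)
        if values[field] is None and field in REQUIRED:
            missing.append(f"{field} -> {ad_attr}")
    if missing:
        return None, missing
    line = ":".join([
        values["uid"],
        values["userPassword"] or "*",   # no hash in LDAP: lock the field
        values["uidNumber"],
        values["gidNumber"],
        values["gecos"] or "",
        values["homeDirectory"] or "/",
        values["loginShell"] or "/bin/sh",
    ])
    return line, []


def bind_warnings(opts):
    """Transport caveat: a simple bind without SSL sends ldap.passwd in the clear."""
    warnings = []
    if opts.get("ldap.ssl.enable") != "on" and opts.get("ldap.minimum_bind_level") == "simple":
        warnings.append("simple bind with ldap.ssl.enable off: ldap.passwd crosses the "
                        f"wire in cleartext on port {opts.get('ldap.port', '389')}")
    return warnings


if __name__ == "__main__":
    opts = parse_options(OPTIONS_DUMP)
    print(passwd_filter(opts, "sknauf"))
    for entry in (USER_UNPOPULATED, USER_POPULATED):
        line, missing = build_passwd_entry(opts, entry)
        print(line or f"Could not get passwd entry: missing {missing}")
    for w in bind_warnings(opts):
        print("WARNING:", w)
```

With the unpopulated entry the filter matches the object, but the lookup still fails on the empty uidNumber and gidNumber, which is the same outcome as a user the filter never matched; checking those two attributes on the AD object is the first thing to verify before touching the filer options. The bind warning applies to Jeremy's config as posted: with ldap.minimum_bind_level simple and ldap.ssl.enable off, the service account's password is sent unencrypted on every bind.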