
I am trying to get my FAS2040 to action user lookups using LDAP. Below are the filer configuration options:

filer> options ldap
ldap.ADdomain                dc1.colour.domain.local
ldap.base                  OU=Users,OU=something1,OU=something2,OU=darkside,DC=colour,DC=domain,DC=local
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable                  on
ldap.minimum_bind_level      anonymous
ldap.name                    domain-admin-account
ldap.nssmap.attribute.gecos  gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid    uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.nssmap.objectClass.posixGroup posixGroup
ldap.passwd                  ******
ldap.port                    389
ldap.servers
ldap.servers.preferred
ldap.ssl.enable              off
ldap.timeout                 20
ldap.usermap.attribute.unixaccount unixaccount
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base
ldap.usermap.enable          on

output of nsswitch.conf:

hosts: files dns
passwd: ldap files 
netgroup: ldap files 
group: ldap files 
shadow: files nis

Error Message(s):

[filer: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for dc1.colour.domain.LOCAL.
[filer: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found no AD LDAP server addresses using DNS site query (site).
[filer: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found no AD LDAP server addresses using generic DNS query.
Could not get passwd entry for name = <random user>

the filer can ping the FQDN of dc1
the filer can ping the IP of dc1
the filer cannot ping "dc1"

I'm not sure where I'm going wrong, so any pointers would be great.

it_stuck

2 Answers

So you do not have a server IP listed. Thus it is trying to use the DNS RR record for the domain name. Is that available? It should have a _msdcs.domain.com entry that somewhere in there lists the IP addresses of all the Domain Controllers in the domain. Sounds like the second and third error lines are pointing that out.

My guess is that the Could not get passwd entry for name = <random user> error is a cascade from that previous error.

geoffc
  • It was down to the settings in the "options ldap" on the FAS controllers. The settings for the "OU"s must match those listed in your Active Directory, i.e. instead of options ldap.PosixAccount PosixAccount use options ldap.PosixAccount sAMAccountName – it_stuck Jul 03 '11 at 23:27
  • You can also check ONTAP's wcc command if the system can resolve UIDs etc. – pfo Jun 22 '12 at 12:26
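The first answer's point is that with ldap.servers empty, the filer has to find a domain controller through the SRV records under _msdcs, and the two trace lines in the question ("DNS site query" and "generic DNS query") are exactly that two-step lookup failing. The script below is an added example, not Data ONTAP code: it builds the SRV names such a client asks for from whatever ldap.ADdomain holds (the site name is a hypothetical "HQ"), parses SRV answers, and orders them the way RFC 2782 tells a client to (lowest priority first, weighted random within a priority). The resolver contents are constructed, so it runs offline; the names it prints are the ones to feed to nslookup against the real DNS.

```python
"""AD LDAP server discovery as the filer trace describes it: a site-specific
SRV query first, then a generic one under _msdcs, then RFC 2782 ordering of
whatever came back.  Added example with constructed sample records; not
Data ONTAP code."""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def ad_ldap_srv_names(domain: str, site: str | None = None) -> list[str]:
    """SRV names an AD-aware LDAP client asks for, most specific first.

    These are the two lookups behind the trace lines 'DNS site query' and
    'generic DNS query'; the domain is whatever ldap.ADdomain holds.
    """
    domain = domain.strip().rstrip(".").lower()
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def parse_srv_answers(text: str) -> list[SrvRecord]:
    """Parse zone-file style lines: owner ttl IN SRV prio weight port target."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 8 or fields[3].upper() != "SRV":
            continue   # blank line or not an SRV record
        prio, weight, port = int(fields[4]), int(fields[5]), int(fields[6])
        records.append(SrvRecord(prio, weight, port, fields[7].rstrip(".").lower()))
    return records


def order_srv(records: list[SrvRecord], rng: random.Random | None = None) -> list[SrvRecord]:
    """RFC 2782 client ordering: lowest priority first; within one priority,
    weighted random so that heavier records are tried first more often."""
    rng = rng or random.Random()
    ordered: list[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    chosen = rec
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def discover_dcs(domain: str, site: str | None, dns: dict[str, str],
                 rng: random.Random | None = None):
    """Emulate the filer's two-step discovery against a fake resolver `dns`
    (a dict: SRV name -> zone-file text).  Returns (name that answered, ordered
    records); (None, []) is the 'Found no AD LDAP server addresses' outcome
    seen in the question's trace."""
    for name in ad_ldap_srv_names(domain, site):
        answers = parse_srv_answers(dns.get(name, ""))
        if answers:
            return name, order_srv(answers, rng)
    return None, []


# Constructed resolver contents for the foo.com domain of the second answer.
FAKE_DNS = {
    "_ldap._tcp.dc._msdcs.foo.com": """\
; constructed sample answer, not a real zone
_ldap._tcp.dc._msdcs.foo.com. 600 IN SRV 0 100 389 dc01.foo.com.
_ldap._tcp.dc._msdcs.foo.com. 600 IN SRV 0 100 389 dc02.foo.com.
_ldap._tcp.dc._msdcs.foo.com. 600 IN SRV 10  50 389 dc-backup.foo.com.
""",
}

if __name__ == "__main__":
    for domain, site in (("foo.com", "HQ"), ("dc1.colour.domain.local", None)):
        name, dcs = discover_dcs(domain, site, FAKE_DNS, random.Random(0))
        print(domain, "->", name or "no AD LDAP server addresses found")
        for rec in dcs:
            print(f"  prio={rec.priority} weight={rec.weight} {rec.target}:{rec.port}")
```

Running it shows the foo.com lookup falling back from the (absent) site-specific name to the generic one and listing dc01/dc02 ahead of the lower-priority backup, while the second domain gets the same empty result the question's trace reports. Against real DNS, the names returned by ad_ldap_srv_names are what to query with nslookup's set q=srv, as in the second answer.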

Why are there so many things unconfigured? And why is your minimum bind level anonymous? Let a dedicated user do all this stuff.

Here is my config:

filer1> options ldap
ldap.ADdomain                foo.com
ldap.base                    dc=foo,dc=com
ldap.base.group              dc=foo,dc=com
ldap.base.netgroup           dc=foo,dc=com
ldap.base.passwd             dc=foo,dc=com
ldap.enable                  on
ldap.minimum_bind_level      simple
ldap.name                    cn=netapp,cn=users,dc=foo,dc=com
ldap.nssmap.attribute.gecos  name
ldap.nssmap.attribute.gidNumber msSFU30GidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory msSFU30HomeDirectory
ldap.nssmap.attribute.loginShell msSFU30LoginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid    sAMAccountName
ldap.nssmap.attribute.uidNumber msSFU30UidNumber
ldap.nssmap.attribute.userPassword msSFU30Password
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount User
ldap.nssmap.objectClass.posixGroup Group
ldap.passwd                  ******
ldap.port                    636
ldap.servers
ldap.servers.preferred
ldap.ssl.enable              on
ldap.timeout                 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base            dc=foo,dc=com
ldap.usermap.enable          on

What is the output of the following command? (this is my output)

nslookup
> set q=srv
_msdcs
Server:  dc01.foo.com
Address:  10.17.0.1

_msdcs.foo.com
        primary name server = dc01.foo.com
        responsible mail addr = hostmaster
        serial  = 14628
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
> _ldap._tcp.dc._msdcs
(followed by a LOOONG list of possible servers :)
Daywalker
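Daywalker's answer contrasts the question's options ldap dump (no servers, anonymous bind, port 389, SSL off, empty base.passwd/base.group/base.netgroup) with a config that binds as a dedicated account over LDAPS. The script below is an added example, not ONTAP code: it parses an options ldap dump into a dict and reports the settings the two answers argue about. The option names are the ones printed on this page; the severity labels and the wording of the messages are mine, and the assumption that an unset ldap.base.passwd/group/netgroup falls back to ldap.base is labelled in the code. The two sample dumps are subsets of the ones posted above.

```python
"""Audit a Data ONTAP 'options ldap' dump for the settings discussed in the
answers: empty server list (discovery then depends on DNS SRV records),
anonymous bind, LDAP without SSL, and unset per-map search bases.
Added example, not ONTAP code."""
from __future__ import annotations


def parse_ldap_options(dump: str) -> dict[str, str]:
    """Turn 'option   value' lines into a dict; options printed with no value
    (e.g. ldap.servers) map to ''.  The 'filer> options ldap' prompt is skipped."""
    opts: dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.endswith("options ldap"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return opts


def audit_ldap_options(opts: dict[str, str]) -> list[tuple[str, str]]:
    """Return (severity, message) findings; 'warn' is a security weakness,
    'info' is something that merely changes where lookups go."""
    findings: list[tuple[str, str]] = []
    if opts.get("ldap.enable") != "on":
        findings.append(("info", "ldap.enable is not on; the 'ldap' entries in nsswitch.conf are never consulted"))
        return findings
    if not opts.get("ldap.servers"):
        findings.append(("info", "ldap.servers is empty: the filer must discover a DC via SRV records "
                                 f"under _msdcs for ldap.ADdomain={opts.get('ldap.ADdomain', '')!r}"))
    if opts.get("ldap.minimum_bind_level") == "anonymous":
        findings.append(("warn", "ldap.minimum_bind_level=anonymous: an unauthenticated bind is acceptable; "
                                 "use simple (as in the second answer) or stronger with a dedicated bind account"))
    ssl_on = opts.get("ldap.ssl.enable") == "on"
    if not ssl_on:
        findings.append(("warn", "ldap.ssl.enable=off: bind credentials and lookup results cross the network in clear text"))
    elif opts.get("ldap.port") != "636":
        findings.append(("warn", f"ldap.ssl.enable=on but ldap.port={opts.get('ldap.port')}; LDAPS normally uses 636"))
    # Assumption (from the option names, not confirmed on this page): an unset
    # per-map base makes that map's searches use ldap.base instead.
    for base in ("ldap.base.passwd", "ldap.base.group", "ldap.base.netgroup"):
        if not opts.get(base):
            findings.append(("info", f"{base} unset; searches for that map presumably use ldap.base={opts.get('ldap.base', '')!r}"))
    return findings


def warning_count(findings: list[tuple[str, str]]) -> int:
    return sum(1 for sev, _ in findings if sev == "warn")


# Subsets of the two dumps posted on this page (question first, then the answer).
QUESTION_OPTIONS = """\
filer> options ldap
ldap.ADdomain                dc1.colour.domain.local
ldap.base                  OU=Users,OU=something1,OU=something2,OU=darkside,DC=colour,DC=domain,DC=local
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable                  on
ldap.minimum_bind_level      anonymous
ldap.name                    domain-admin-account
ldap.passwd                  ******
ldap.port                    389
ldap.servers
ldap.servers.preferred
ldap.ssl.enable              off
"""

ANSWER_OPTIONS = """\
filer1> options ldap
ldap.ADdomain                foo.com
ldap.base                    dc=foo,dc=com
ldap.base.group              dc=foo,dc=com
ldap.base.netgroup           dc=foo,dc=com
ldap.base.passwd             dc=foo,dc=com
ldap.enable                  on
ldap.minimum_bind_level      simple
ldap.name                    cn=netapp,cn=users,dc=foo,dc=com
ldap.passwd                  ******
ldap.port                    636
ldap.servers
ldap.servers.preferred
ldap.ssl.enable              on
"""

if __name__ == "__main__":
    for label, dump in (("question", QUESTION_OPTIONS), ("answer", ANSWER_OPTIONS)):
        print(f"== {label} config ==")
        for sev, msg in audit_ldap_options(parse_ldap_options(dump)):
            print(f"[{sev}] {msg}")
```

On the question's dump this reports two warnings (anonymous bind, SSL off) plus the empty server list and the three unset bases; on the answer's dump only the empty server list remains, which is why both setups depend on the _msdcs SRV records that the nslookup session above checks.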