
Mailing List Archive: Netapp: toasters

LDAP Options

 

 



sknauf at chipxonio
Jul 30, 2012, 5:13 AM
Post #1 of 10 (1979 views)
LDAP Options

Hi,

I am trying to configure our filer against an LDAP server (Windows 2008 R2), without success. Perhaps you have some ideas what's wrong.

----------------------------------------------------------------------------------------
ldap.ADdomain dc2.ad.cxo.name dc1.ad.cxo.name
ldap.base dc=ad,dc=cxo,dc=name
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.name CN=Administrator,CN=Users,DC=ad,DC=cxo,DC=name
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount sAMAccountName
ldap.nssmap.objectClass.posixGroup Group
ldap.passwd ******
ldap.port 389
ldap.servers
ldap.servers.preferred
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base
ldap.usermap.enable on
----------------------------------------------------------------------------------------

I get the following error messages:

----------------------------------------------------------------------------------------
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Starting AD LDAP server address discovery for DC2.AD.CXO.NAME.
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found no AD LDAP server addresses using DNS site query (muc).
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- Found no AD LDAP server addresses using generic DNS query.
Mon Jul 30 13:58:06 CEST [chip1: auth.ldap.trace.LDAPConnection.statusMsg:info]: AUTH: TraceLDAPServer- AD LDAP server address discovery for DC2.AD.CXO.NAME complete. 0 unique addresses found
----------------------------------------------------------------------------------------

Testing:
----------------------------------------------------------------------------------------
chip1*> getXXbyYY getpwbyname_r sknauf
Could not get passwd entry for name = sknauf

chip1*> wcc -u adcxo/sknauf
no passwd entry for adcxo/sknauf
----------------------------------------------------------------------------------------

nsswitch.conf:
----------------------------------------------------------------------------------------
chip1*> rdfile /etc/nsswitch.conf
#Auto-generated by LDAP Mon Jul 30 10:42:32 CEST 2012
hosts: files nis dns
passwd: files ldap
netgroup: files ldap
group: files ldap
shadow: files ldap nis
----------------------------------------------------------------------------------------

Ping:
----------------------------------------------------------------------------------------
chip1*> ping dc2.ad.cxo.name
dc2.ad.cxo.name is alive
chip1*> ping dc2
dc2.ad.cxo.name is alive
----------------------------------------------------------------------------------------

Thanks & greets

Steffen


andrey.borzenkov at ts
Jul 30, 2012, 5:53 AM
Post #2 of 10 (1911 views)
RE: LDAP Options [In reply to]

Option ldap.ADdomain should be the AD domain name (a single entry), not a list of domain controllers. It tries to find the domain dc2.ad.cxo.name; is that really the domain name?


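The discovery trace in the first post, worked through as an added example (this is not Data ONTAP code and did not come from the list). Active Directory registers its domain controllers in DNS as SRV records under the names _ldap._tcp.<site>._sites.dc._msdcs.<domain> and _ldap._tcp.dc._msdcs.<domain>; the "DNS site query (muc)" and "generic DNS query" lines in the trace correspond to those two lookups. Such records exist only for the domain name (ad.cxo.name), never for a host name (dc2.ad.cxo.name), which is why the value from the first post yields 0 addresses even though both hosts answer ping. The simulation below runs the same two-step lookup against constructed SRV and A records; that ONTAP queries exactly these names, and that it uses only the first token of the option, are assumptions drawn from the wording of the trace.

```python
"""Added example, not Data ONTAP code: the DNS side of AD domain controller
discovery, simulated against constructed records, to show why one
ldap.ADdomain value finds 0 addresses and the other finds the DCs."""

# Constructed DNS data standing in for the real resolver.
# SRV: owner name -> [(target host, port)]; A: host -> address.
FAKE_SRV = {
    "_ldap._tcp.muc._sites.dc._msdcs.ad.cxo.name": [("dc2.ad.cxo.name", 389)],
    "_ldap._tcp.dc._msdcs.ad.cxo.name": [("dc1.ad.cxo.name", 389),
                                          ("dc2.ad.cxo.name", 389)],
}
FAKE_A = {"dc1.ad.cxo.name": "192.0.2.11", "dc2.ad.cxo.name": "192.0.2.12"}


def srv_names(domain, site=None):
    """SRV owner names AD registers for its DCs: site-specific first, then generic.
    That ONTAP queries exactly these names is an assumption based on the trace wording."""
    names = []
    if site:
        names.append(("DNS site query",
                      "_ldap._tcp.%s._sites.dc._msdcs.%s" % (site, domain)))
    names.append(("generic DNS query", "_ldap._tcp.dc._msdcs.%s" % domain))
    return names


def discover(addomain, site=None, srv=FAKE_SRV, a=FAKE_A):
    """Run both queries, resolve the targets, and return
    (sorted unique addresses, trace lines modelled on the filer's log)."""
    tokens = addomain.split()
    domain = tokens[0].lower()  # the trace in the first post shows only the first token used
    trace = ["Starting AD LDAP server address discovery for %s." % domain.upper()]
    if len(tokens) > 1:
        trace.append("ldap.ADdomain holds %d tokens; only %r is used. Set a single domain name."
                     % (len(tokens), domain))
    found = {}
    for label, name in srv_names(domain, site):
        targets = srv.get(name, [])
        if not targets:
            trace.append("Found no AD LDAP server addresses using %s (%s)." % (label, name))
        for host, port in targets:
            addr = a.get(host)
            if addr:  # an SRV target without an A record contributes nothing
                found[addr] = (host, port)
    trace.append("Discovery for %s complete. %d unique addresses found."
                 % (domain.upper(), len(found)))
    return sorted(found), trace


if __name__ == "__main__":
    for value in ("dc2.ad.cxo.name dc1.ad.cxo.name", "ad.cxo.name"):
        addrs, trace = discover(value, site="muc")
        print("ldap.ADdomain", value, "->", addrs)
        for line in trace:
            print("   ", line)
```

To check the real records from a host that uses the same DNS servers as the filer, query them directly, for example with nslookup -type=SRV _ldap._tcp.dc._msdcs.ad.cxo.name. A successful ping of the DC, as in the first post, proves only that the host's A record resolves; it says nothing about the SRV records that discovery depends on.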


jeremy.page at gilbarco
Jul 30, 2012, 6:32 AM
Post #3 of 10 (1909 views)
Re: LDAP Options [In reply to]

As Andrey said, you should set your ldap.ADdomain.

Your LDAP base should be the AD domain; it is not clear below, but using the MS docs it would be dc=contoso,dc=local.

By default anonymous binds will be refused by AD. To get it to work, try using simple binds without TLS and provide a user (does not need to be privileged) to act as a proxy account to do the LDAP queries.

You also want your nssmap objectClass.posixAccount to be "user" - it's looking for a class, not an attribute (like sAMAccountName).

You probably want your attribute.homeDirectory to be "UnixHomeDirectory" (which will give it in NFS format), and userPassword to be unixUserPassword.





sknauf at chipxonio
Jul 30, 2012, 6:41 AM
Post #4 of 10 (1919 views)
AW: LDAP Options [In reply to]

Hi, sorry, that was my fault. The correct entry should be:

ldap.ADdomain ad.cxo.name

But still with the same result: Could not get passwd entry for name = sknauf

I don't have much experience with Windows 2008 R2 Server. Is it necessary to install SFU (Subsystem for UNIX-based Applications) on the Windows server?





jeremy.page at gilbarco
Jul 30, 2012, 7:36 AM
Post #5 of 10 (1904 views)
Re: AW: LDAP Options [In reply to]

With Windows 2003 R2 or later you do not need to (and should not) install SFU. The RFC 2307 NIS schema is part of AD - although not all the attributes will be populated by default (i.e. you will not have a UID unless you explicitly set it).




sknauf at chipxonio
Jul 31, 2012, 1:44 AM
Post #6 of 10 (1891 views)
AW: LDAP Options [In reply to]

Hi,

I found a knowledge base entry for LDAP configuration:

https://kb.netapp.com/support/index?page=content&id=1010909

They installed SFU or "Identity Management for UNIX". So I'm confused about what the right way is. I still get no LDAP connection. It's a little bit strange that I see nothing in the error log files.

Greets

Steffen





jeremy.page at gilbarco
Jul 31, 2012, 6:19 AM
Post #7 of 10 (1913 views)
Re: AW: LDAP Options [In reply to]

SFU was needed before 2003 R2. With the 2003 R2 schema or later you can just use the normal RFC 2307 attributes and objects (regular UNIX POSIX stuff like UID).

Do you have an ldap.conf file from a Linux box that works with your Windows domain? There are a lot of different things that can cause issues. This is quite tricky; I am pretty comfortable with LDAP on both the AD and *nix side, but it took me quite a while to get this working properly.

Below is my LDAP config. Please note that it is using the Global Catalog port to support name service lookups for accounts across our forest.

ldap.ADdomain company.com
ldap.base dc=company,dc=com
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable on
ldap.minimum_bind_level simple
ldap.name cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=com
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory UnixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword unixUserPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount user
ldap.nssmap.objectClass.posixGroup group
ldap.passwd ******
ldap.port 3268
ldap.servers ldap.company.com
ldap.servers.preferred
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base
ldap.usermap.enable on




sknauf at chipxonio
Aug 1, 2012, 6:39 AM
Post #8 of 10 (1903 views)
AW: LDAP Options [In reply to]

Hi,

thanks for your LDAP options, @Jeremy!

With SSL enabled I got an SSL error. I think there are some problems with the self-signed certificate. That's my fault.

But without SSL I got an established connection:

chip1.29634 dc1.ad.cxo.name.389 65280 0 8760 0 ESTABLISHED

...with the same result.

I'll install the UNIX Services role (Identity Management for UNIX), because lots of attributes are missing. I'll give you an update if it works.

Thanks for your help!

Steffen





Von: toasters-bounces [at] teaparty [mailto:toasters-bounces [at] teaparty] Im
Auftrag von Jeremy Page
Gesendet: Dienstag, 31. Juli 2012 15:20
An: toasters [at] teaparty
Betreff: Re: AW: LDAP Options



SFU was needed before 2003R2. With 2003R2 schema or later you can just use
the normal RFC2307 attributes and objects (regular UNIX posix stuff like
UID).

Do you have an ldap.conf file from a Linux box that works with your Windows
domain? There are a lot of different things that can cause issues. This is
quite tricky, I am pretty comfortable with LDAP on both the AD and *nix side
but it took me quite a while to get this working properly.

Below is my LDAP config. Please note that it is using the Global Catalog
port to support name service lookups for accounts across our forest.
ldap.ADdomain company.com
ldap.base dc=company,dc=com
ldap.base.group
ldap.base.netgroup
ldap.base.passwd
ldap.enable on
ldap.minimum_bind_level simple
ldap.name
cn=ldap-auth-svc,ou=ldap,ou=services,dc=site,dc=company,dc=com
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory UnixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword unixUserPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount user
ldap.nssmap.objectClass.posixGroup group
ldap.passwd ******
ldap.port 3268
ldap.servers ldap.company.com
ldap.servers.preferred
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base
ldap.usermap.enable on



On 07/31/2012 04:44 AM, Steffen Knauf wrote:

hi,

I found a Knowledgebase Entry for LDAP Configuration:

https://kb.netapp.com/support/index?page=content&id=1010909

They installed SFU or "Identity Management for unix". So I'm confused
what's the right way. I still get no LDAP connection. It's a little bit
strange that I see nothing in the error logfiles.

greets

Steffen

From: toasters-bounces [at] teaparty [mailto:toasters-bounces [at] teaparty] On behalf of Jeremy Page
Sent: Monday, 30 July 2012 16:36
To: toasters [at] teaparty
Subject: Re: AW: LDAP Options

With Windows 2003R2 or later you do not need to (and should not) install
SFU. The rfc2307 NIS schema is part of AD - although not all the attributes
will be populated by default (i.e. you will not have a UID unless you
explicitly set it).

On 07/30/2012 09:41 AM, Steffen Knauf wrote:

Hi, sorry that was my fault. The correct entry should be:

ldap.ADdomain ad.cxo.name

But still with the same result: Could not get passwd entry for name = sknauf

I don't have much experience with Windows 2008 R2 Server. Is it necessary to
install SFU (Subsystem for unix-based Application) on the Windows Server?
_______________________________________________
Toasters mailing list
Toasters [at] teaparty
http://www.teaparty.net/mailman/listinfo/toasters



Please be advised that this email may contain confidential information. If
you are not the intended recipient, please notify us by email by replying to
the sender and delete this message. The sender disclaims that the content of
this email constitutes an offer to enter into, or the acceptance of, any
agreement; provided that the foregoing does not invalidate the binding
effect of any digital or other electronic reproduction of a manual signature
that is included in any attachment.
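Added example, not from the thread and not NetApp code: a small Python check of what a filer would get from the ldap.nssmap.* map posted above. It parses the option lines as written in Jeremy's config, applies them to two constructed AD entries, and reports which RFC2307 fields come back empty. The entry for sknauf is built the way the next post describes the problem (the attributes exist on the object but carry no value); jdoe is a hypothetical populated account. The rule that a passwd entry needs at least uid, uidNumber and gidNumber, and the "x" placeholder in the password field, are assumptions about the filer, not documented behaviour.

```python
import re

# The ldap.nssmap.* lines exactly as they appear in the config posted above.
OPTIONS_TEXT = """
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory UnixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.uid sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword unixUserPassword
ldap.nssmap.objectClass.posixAccount user
ldap.nssmap.objectClass.posixGroup group
"""

# RFC2307 posixAccount fields in /etc/passwd order.
PASSWD_FIELDS = ("uid", "userPassword", "uidNumber", "gidNumber",
                 "gecos", "homeDirectory", "loginShell")
# Assumption: without these three the filer has nothing to build a passwd entry from.
REQUIRED = ("uid", "uidNumber", "gidNumber")


def parse_nssmap(options_text):
    """Turn 'ldap.nssmap.<kind>.<rfc2307 name> <AD name>' lines into two dicts."""
    attrs, classes = {}, {}
    for line in options_text.splitlines():
        m = re.match(r"\s*ldap\.nssmap\.(attribute|objectClass)\.(\S+)\s+(\S+)", line)
        if not m:
            continue
        kind, rfc_name, ad_name = m.groups()
        (attrs if kind == "attribute" else classes)[rfc_name] = ad_name
    return attrs, classes


def _values(entry, attr_name):
    """Case-insensitive lookup (LDAP attribute names are), dropping empty values."""
    for key, values in entry.items():
        if key.lower() == attr_name.lower():
            return [v for v in values if v]
    return []


def passwd_entry(entry, attrs, classes):
    """Return (passwd_line, missing): passwd_line is None when the lookup would
    fail, and missing says why (wrong objectClass or empty required fields)."""
    want_class = classes.get("posixAccount", "posixAccount")
    if want_class.lower() not in [c.lower() for c in _values(entry, "objectClass")]:
        return None, ["objectClass=" + want_class]
    values = {}
    for field in PASSWD_FIELDS:
        found = _values(entry, attrs.get(field, field))   # fall back to the RFC2307 name
        values[field] = found[0] if found else ""
    missing = [f for f in REQUIRED if not values[f]]
    if missing:
        return None, missing
    values["userPassword"] = "x"   # placeholder as in /etc/passwd; never echo a hash
    return ":".join(values[f] for f in PASSWD_FIELDS), []


# Constructed entries (not fetched from any directory). sknauf is modelled on the
# thread: the RFC2307 attributes exist on the object but carry no value.
ENTRIES = {
    "sknauf": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["sknauf"],
        "uidNumber": [], "gidNumber": [],
        "UnixHomeDirectory": [], "loginShell": [], "gecos": [],
    },
    "jdoe": {   # hypothetical populated account; note the lower-case attribute name
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jdoe"],
        "uidNumber": ["10001"], "gidNumber": ["10000"],
        "unixHomeDirectory": ["/home/jdoe"], "loginShell": ["/bin/bash"],
        "gecos": ["Jane Doe"],
    },
}


def check_all(entries=ENTRIES, options_text=OPTIONS_TEXT):
    """Map every entry through the posted nssmap and return name -> (line, missing)."""
    attrs, classes = parse_nssmap(options_text)
    return {name: passwd_entry(e, attrs, classes) for name, e in entries.items()}


if __name__ == "__main__":
    for name, (line, missing) in check_all().items():
        print(name, "->", line if line else "no passwd entry, missing: " + ", ".join(missing))
```

Against a real domain the same question is answered by an ldapsearch for (sAMAccountName=sknauf) on the port the filer uses, asking for uidNumber and gidNumber: if those come back empty the filer has nothing to map, however successful the bind was. One more thing to read off the posted config: with ldap.minimum_bind_level simple and ldap.ssl.enable off the filer is allowed to fall back to a plain simple bind, so the service account's password can cross the network in clear; the SSL error on the self-signed certificate mentioned later in the thread is the thing to fix (get the DC's issuing CA trusted by the filer), not a reason to leave ssl off.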


jeremy.page at gilbarco
Aug 1, 2012, 6:55 AM
Post #9 of 10 (1890 views)
Re: AW: LDAP Options [In reply to]

The attributes are there, they may not have values assigned to them
though. Installing SFU will add *additional* custom attributes,
extending the AD schema.


On 08/01/2012 09:39 AM, Steffen Knauf wrote:
>
> hi,
>
> thanks for your ldap options @Jeremy!
>
> With ssl enabled I got an ssl error. I think there are some problems
> with the self-signed certificate. That's my fault.
>
> But without ssl I got an established connection:
>
> chip1.29634 dc1.ad.cxo.name.389 65280 0 8760 0 ESTABLISHED
>
> ......with the same result.
>
> I'll install the unix Services Role (Identity Management for unix),
> because lots of attributes are missing. I'll give you an update if it
> works.
>
> thanks for your help!
>
> Steffen


sknauf at chipxonio
Aug 1, 2012, 8:20 AM
Post #10 of 10 (1946 views)
AW: LDAP Options [In reply to]

You're right, the empty attributes are there. But still the same problem:

Wed Aug 1 17:11:05 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: User from 192.168.62.41 authenticated by DC.
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user sknauf to Unix user sknauf.
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: User sknauf CIFS home directory is set to /vol/vol3/users/sknauf.
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user sknauf to Unix user pcuser.
Wed Aug 1 17:11:12 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: sknauf not found in passwd database during login from 0.0.0.0.
Wed Aug 1 17:11:12 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Using default UNIX name pcuser for login from 0.0.0.0.

--------------------------------------
rdfile /etc/nsswitch.conf
#Auto-generated by LDAP Mon Jul 30 10:42:32 CEST 2012
hosts: files nis dns
passwd: files ldap
netgroup: files ldap
group: files ldap
shadow: files ldap nis
--------------------------------------

greets

Steffen




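Added example, not from the thread and not NetApp code: a detector for the fallback that Steffen's trace shows. The filer authenticates sknauf against the DC, fails the passwd lookup, and carries on as the default UNIX name pcuser. That is worth alerting on, because every user in that state lands on the same shared Unix identity: files they create are owned by pcuser, NFS-side permissions granted to pcuser apply to all of them, and the audit trail no longer attributes to the Windows account. The sample embeds the six auth.trace lines quoted above, re-joined onto one line each, plus a constructed clean login for a hypothetical user jdoe.

```python
import re
from collections import defaultdict

# Sample: the six auth.trace lines quoted in Steffen's post, re-joined onto one
# line each, plus a constructed clean login for a hypothetical user jdoe.
SAMPLE_LOG = """\
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: User from 192.168.62.41 authenticated by DC.
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user sknauf to Unix user sknauf.
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: User sknauf CIFS home directory is set to /vol/vol3/users/sknauf.
Wed Aug 1 17:11:05 CEST [chip1: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user sknauf to Unix user pcuser.
Wed Aug 1 17:11:12 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: sknauf not found in passwd database during login from 0.0.0.0.
Wed Aug 1 17:11:12 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Using default UNIX name pcuser for login from 0.0.0.0.
Wed Aug 1 17:12:40 CEST [chip1: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: User from 192.168.62.50 authenticated by DC.
Wed Aug 1 17:12:40 CEST [chip1: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user jdoe to Unix user jdoe.
"""

# "<weekday> <month> <day> <time> <zone> [<host>: <event>]: AUTH: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \w+) "
    r"\[(?P<host>[^:\]]+): (?P<event>[^\]]+)\]: AUTH: (?P<msg>.*)$")
MAP_RE = re.compile(r"Mapping Windows user (\S+) to Unix user (\S+)\.$")
NOTFOUND_RE = re.compile(r"(\S+) not found in passwd database during login from (\S+)\.$")
DEFAULT_RE = re.compile(r"Using default UNIX name (\S+) for login from (\S+)\.$")


def parse_line(line):
    """Split one auth.trace line into timestamp, host, event and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def mappings(log_text):
    """Every Unix name the filer tried for each Windows user, in order."""
    out = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        m = MAP_RE.match(rec["msg"]) if rec else None
        if m:
            out[m.group(1)].append(m.group(2))
    return dict(out)


def fallback_logins(log_text):
    """Logins that ended on the default UNIX user: a 'not found in passwd
    database' line followed by 'Using default UNIX name'. Each result carries
    the Windows user, the shared Unix name it collapsed onto, host and time."""
    pending = None          # Windows user most recently reported missing
    results = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = NOTFOUND_RE.match(rec["msg"])
        if m:
            pending = m.group(1)
            continue
        m = DEFAULT_RE.match(rec["msg"])
        if m and pending is not None:
            results.append({"windows_user": pending, "unix_user": m.group(1),
                            "host": rec["host"], "ts": rec["ts"]})
            pending = None
    return results


if __name__ == "__main__":
    for hit in fallback_logins(SAMPLE_LOG):
        print("%(ts)s %(host)s: %(windows_user)s collapsed onto %(unix_user)s" % hit)
```

Run over a filer's messages log with the auth.trace options turned on, as in the post, this lists exactly the accounts whose RFC2307 attributes still need populating. If the shared identity is not acceptable at all, the 7-mode option wafl.default_unix_user (which defaults to pcuser) can be set empty so that an unmapped user is refused instead of silently mapped.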