Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
Solution Type: Problem Resolution Sure Solution

1540106.1: Sun Storage 7000 Unified Storage System: LDAP configuration for Active Directory not working
A customer using a Windows 2003 R2 Active Directory server was attempting to configure LDAP authentication for appliance administration via the BUI. Client access to storage was via CIFS, and the appliance was joined to the Active Directory domain. The customer did not want to install the IDMU extensions to Active Directory in their environment, so they required LDAP attribute mappings that would replace the Unix extensions provided by IDMU.
Created from <SR 3-6717426191>

Applies to:
Sun ZFS Storage 7120 - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7410 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7320 - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7420 - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7110 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
7000 Appliance OS (Fishworks)

This customer was presenting shares to CIFS clients only, so the only attribute mappings considered were those the appliance needs to authenticate administrative users.

Symptoms
Unable to add users to the appliance as directory users when using an Active Directory server as the LDAP server.

Cause
Attribute mappings are required to accomplish the task.
Solution
It was necessary to find substitute values for uidNumber and gidNumber in the standard Active Directory schema. For uidNumber, employeeNumber was chosen, and for gidNumber, primaryGroupID was chosen. For each user granted administrative access to the appliance, it was necessary to set a valid Unix UID value as the employee number in Active Directory.
It is necessary to pick a proxy user to make the initial connection to the AD server. The following attribute mappings and settings worked in the lab and for the customer. You will need the following actual information to complete the fields listed below:

gecos = displayName (LdapAdmin)
UID Number = User ID (Employee Number: 234789, or Account Name: apple.carrier or acarrier)
GID Number = primaryGroupID (example: 10)
UID = sAMAccountName (SAM name, or Domain/user, or DN, or sAMAccountName, or userPrincipalName)
description = distinguishedName (describes the information or account created)
homeDirectory = sAMAccountType (http://msdn.microsoft.com/en-us/library/windows/desktop/ms679637%28v=vs.85%29.aspx)
posixAccount = user (map "posixAccount" to "user")
shadowAccount = person (Domain Admin or Account Owner)
posixGroup = group (map "posixGroup" to "group")
cn = Users (MyServer, Administrators, Readers, Users)
dc = domain controller (dc=domain dc=net)
proxy_password = ********* (in Appliance Kit code 2011.04.24.5.0,1-1.33 hit return to set the password; in previous code, enter 'set proxy_password=password' then return)

On the 7xx0 Storage Appliance, in the CLI go to:

    CLI:> configuration services ldap
Parameters to set in LDAP:

    user_mapattr = "gecos=displayName,uidnumber=employeeNumber,gidnumber=primaryGroupID,uid=sAMAccountName,description=distinguishedName,homeDirectory=sAMAccountType"
    user_mapobjclass = "posixAccount=user,shadowAccount=person"
    group_mapobjclass = "posixGroup=group"
    user_search = "cn=Users,dc={domain controller 1},dc={domain controller 2}"
    group_search = "cn=Users,dc={domain controller 1},dc={domain controller 2}"
    proxy_dn = "cn={proxy user name},cn=Users,dc={domain controller 1},dc={domain controller 2}"
    proxy_password = {password for proxy user}
    base_dn = "dc={domain component 1},dc={domain component 2}"
    search_scope = sub
    cred_level = proxy
    auth_method = simple
    use_tls = false
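An added pre-flight check (example code, not from the appliance or the original note) that applies the user_mapattr string above to a constructed sample of AD user entries, reports accounts whose employeeNumber is missing or not a numeric Unix UID, and flags the simple bind over use_tls=false, which sends the proxy password across the network unencrypted. The in-memory entries and all function names are this example's own assumptions.

```python
# Added pre-flight check for this document's attribute mapping (example code, not the
# appliance's). The AD entries are a constructed in-memory export; function names are my own.
import re

# user_mapattr exactly as set on the appliance in the solution above.
USER_MAPATTR = ("gecos=displayName,uidnumber=employeeNumber,"
                "gidnumber=primaryGroupID,uid=sAMAccountName,"
                "description=distinguishedName,homeDirectory=sAMAccountType")

# Constructed sample AD users (sample data, not real accounts).
SAMPLE_AD_USERS = [
    {"sAMAccountName": "acarrier", "displayName": "Apple Carrier",
     "employeeNumber": "234789", "primaryGroupID": "10"},
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe",
     "employeeNumber": "E-1001", "primaryGroupID": "513"},  # not a Unix UID
    {"sAMAccountName": "svc_backup", "displayName": "Backup Service",
     "primaryGroupID": "513"},  # no employeeNumber at all
]

def parse_mapattr(mapattr):
    """'posixattr=adattr,...' -> {posixattr: adattr}."""
    return dict(pair.split("=", 1) for pair in mapattr.split(","))

def to_posix(entry, mapping):
    """Apply the mapping to one AD entry, giving its posixAccount view."""
    return {posix: entry.get(ad) for posix, ad in mapping.items()}

def validate(posix):
    """Problems that would stop the mapped account from working as an admin login."""
    problems = []
    for attr in ("uidnumber", "gidnumber"):
        value = posix.get(attr)
        if value is None:
            problems.append(f"{attr} missing")
        elif not re.fullmatch(r"[0-9]+", value):
            problems.append(f"{attr} not numeric: {value!r}")
    if not posix.get("uid"):
        problems.append("uid missing")
    return problems

def check_users(entries, mapattr=USER_MAPATTR):
    """Map every entry and return {sAMAccountName: [problems]}."""
    mapping = parse_mapattr(mapattr)
    return {e.get("sAMAccountName"): validate(to_posix(e, mapping)) for e in entries}

def bind_warning(settings):
    """Flag a proxy bind whose password would cross the wire unprotected."""
    if settings.get("auth_method") == "simple" and settings.get("use_tls") == "false":
        return "simple bind with use_tls=false sends proxy_password in cleartext"
    return None
```

Run check_users over a real export of the users you intend to grant appliance administration before pointing the appliance at the directory, so that missing or non-numeric employeeNumber values are fixed in AD first.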