50 Posts
0
1491
iPlanet configure issue
Hi experts,
Below is the information on the LDAP configuration:
[nasadmin@mdnas emc]$ server_ldap server_2 -info -v
server_2 :
LDAP domain: midea.com.cn
Base DN: dc=midea,dc=com,dc=cn
State: Connected
Proxy (Bind) DN: uid=mdnas,ou=people,o=midea.com.cn,o=isp
Profile Name: default
Profile TTL: 0 seconds
Profile modification timestamp:
Connected to LDAP server address: 182.1.99.29 - port 389
LDAP configuration servers:
Server address: 182.1.99.29 - port: 389
Domain naming contexts:
o=010
o=isp
o=NetscapeRoot
Domain supported authentication mechanisms:
EXTERNAL
DIGEST-MD5
Default search base: dc=midea,dc=com,dc=cn
Domain default search Scope: single-level
No 'passwd' DN
No 'group' DN
No 'hosts' DN
No 'netgroup' DN
LdapDomainSunOne::searchDomainRoot: LDAP search failed - dn: No such object - LDAP error: < (49076) - matchedDn
# server_log server_2
...
2008-05-09 10:19:09: ADMIN: 4: Command succeeded: ns_ldap enable
2008-05-09 10:21:51: ADMIN: 4: Command succeeded: ns_ldap modify domain=midea.com.cn server=182.1.99.29 binddn=uid=mdnas,ou=people,o=midea.com.cn,o=isp password=********
2008-05-09 10:21:51: LDAP: 3: LdapDomainSunOne::verifyNisDomain: LDAP search failed - dn: dc=midea,dc=com,dc=cn - filter: (objectClass=nisDomainObject) - error: No such object (32) - matchedDn
2008-05-09 10:21:51: LDAP: 4: iPlanet: finished the configuration
2008-05-09 10:21:51: LDAP: 4: LDAP domain: midea.com.cn
2008-05-09 10:21:51: LDAP: 4: Base DN: dc=midea,dc=com,dc=cn
2008-05-09 10:21:51: LDAP: 4: State: Failed
2008-05-09 10:21:51: LDAP: 4: Proxy (Bind) DN: uid=mdnas,ou=people,o=midea.com.cn,o=isp
2008-05-09 10:21:51: LDAP: 4: Profile Name: default
2008-05-09 10:21:51: LDAP: 4: Profile TTL: 0 seconds
...
Problem: it seems that the Base DN configuration is not correct, but I have no idea how to configure the Base DN.
Can anyone tell me how to solve this issue? Thanks in advance.
Rainer_EMC
8.6K Posts
0
May 9th, 2008 04:00
Sorry - forgot the attachment.
How to create that client profile should be covered in the iPlanet documentation.
server should be authenticated first from the LDAP server. Can we achieve this goal ??
No, not this way. If you want full Windows functionality (ACLs, Unicode, large files) then you need Windows authentication using either Kerberos or NTLM.
LDAP can only provide Unix password encryption that isn't compatible with Windows.
So you would have to use the Celerra with the old user-mode authentication, where you can't use all the modern CIFS features
and have to change every Windows client's registry to accept plaintext passwords.
If you use a standalone CIFS server then authentication gets done using this server's local users that you created with MMC.
Don't you have a Windows domain that you can join?
1 Attachment
NameSvcs.pdf
Chenxt
50 Posts
0
May 8th, 2008 20:00
[nasadmin@mdnas emc]$ server_ldap server_2 -set -p -domain midea.com.cn -servers 182.1.99.29 -binddn "uid=mdnas,ou=people,o=midea.com.cn,o=isp"
The correct Base DN should be:
Base DN: ou=people,o=midea.com.cn,o=isp
Group DN: ou=group,o=midea.com.cn,o=isp
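The reason the first Base DN fails and this one works can be read straight off the `server_ldap -info -v` output: the iPlanet server publishes only the naming contexts `o=010`, `o=isp` and `o=NetscapeRoot`, and a search rooted at a DN outside every published context returns noSuchObject (LDAP result code 32). The following is an added example, not code from the thread or from EMC, that parses that output and performs the suffix check; the sample text is constructed from the values quoted in the thread, and the function names are my own.

```python
import re

# Constructed from the `server_ldap server_2 -info -v` output quoted in this
# thread (not a capture from a live Data Mover).
SAMPLE_INFO = """\
server_2 :
LDAP domain: midea.com.cn
Base DN: dc=midea,dc=com,dc=cn
State: Connected
Domain naming contexts:
o=010
o=isp
o=NetscapeRoot
Domain supported authentication mechanisms:
EXTERNAL
DIGEST-MD5
Default search base: dc=midea,dc=com,dc=cn
"""


def split_dn(dn):
    """Split a DN into RDNs; a backslash-escaped comma does not separate RDNs."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn) if p.strip()]


def normalize_rdn(rdn):
    """Attribute types are case-insensitive; values are folded too, which is
    adequate for the o= / dc= / ou= names seen here (not a full RFC 4518 match)."""
    typ, _, val = rdn.partition('=')
    return typ.strip().lower() + '=' + val.strip().lower()


def normalize_dn(dn):
    return [normalize_rdn(r) for r in split_dn(dn)]


def parse_base_dn(info_text):
    m = re.search(r'^Base DN:\s*(.+)$', info_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def parse_naming_contexts(info_text):
    """Collect the lines after 'Domain naming contexts:' up to the next section
    header (a 'Name: ...' line), which is how the -info -v output is laid out."""
    contexts, collecting = [], False
    for raw in info_text.splitlines():
        line = raw.strip()
        if line.lower().startswith('domain naming contexts:'):
            collecting = True
            continue
        if not collecting or not line:
            continue
        if ':' in line and '=' not in line:   # reached the next section
            break
        contexts.append(line)
    return contexts


def dn_within(dn, context):
    """True when dn equals context or lies beneath it (RDN suffix match)."""
    d, c = normalize_dn(dn), normalize_dn(context)
    return len(d) >= len(c) and d[-len(c):] == c


def check_base_dn(base_dn, contexts):
    """Return the naming context that holds base_dn, or None if none does;
    a search rooted at such a DN yields noSuchObject (LDAP result code 32)."""
    for ctx in contexts:
        if dn_within(base_dn, ctx):
            return ctx
    return None


def diagnose(info_text):
    """Parse -info output and say whether its Base DN can resolve at all."""
    base = parse_base_dn(info_text)
    contexts = parse_naming_contexts(info_text)
    return {"base_dn": base, "naming_contexts": contexts,
            "held_by": check_base_dn(base, contexts)}


if __name__ == "__main__":
    r = diagnose(SAMPLE_INFO)
    if r["held_by"] is None:
        print("Base DN %s is under none of %s: expect 'No such object (32)'"
              % (r["base_dn"], r["naming_contexts"]))
    # The DN proposed in the thread does sit under a published context:
    print(check_base_dn("ou=people,o=midea.com.cn,o=isp", r["naming_contexts"]))
```

Running it against the constructed output reports that `dc=midea,dc=com,dc=cn` is held by no naming context, while `ou=people,o=midea.com.cn,o=isp` is held by `o=isp`. The same check is worth running before any `server_ldap ... -set`, because the Data Mover reports "Connected" even when every search it makes will fail.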
Rainer_EMC
8.6K Posts
0
May 9th, 2008 00:00
I assume you are running DART 5.5.X - the proper way to configure the Base DN there is to create a client configuration profile on the iPlanet server.
The Data Mover will download this profile and use the configuration there, like the defaultSearchBase.
See the attached manual for the Celerra side of the config.
What are you planning to use LDAP for?
Chenxt
50 Posts
0
May 9th, 2008 01:00
1. There is no client configuration profile. We have never used this function in the environment. How do we configure the profile?
2. I want to set up a standalone CIFS server, and when a client accesses the folders/files on the server it should be authenticated first by the LDAP server. Can we achieve this goal?
Thanks!!!
Chenxt
50 Posts
0
May 9th, 2008 21:00
We have no AD/domain...
So we have to use the standalone server with the local user function?
Is there any way we can let the standalone server use the users on the LDAP server? Does just modifying nsswitch.conf achieve this?
I read the NAS CLI v5.6 doc; the command "server_ldap" can set the Base DN with the "-basedn" option. Maybe we should upgrade to v5.6.
BTW, can you give guidelines on how to set up the NFS export on the NAS compatible with iPlanet?
Thank you very much!
Rainer_EMC
8.6K Posts
0
May 10th, 2008 05:00
How do they log in (authenticate) if you don't have a domain?
Chenxt
50 Posts
0
May 12th, 2008 07:00
We were going to set up LDAP for authentication, and now we have decided to set up NFS on the NAS integrated with LDAP, per your suggestion.
Rainer_EMC
8.6K Posts
1
May 12th, 2008 17:00
This really isn't a Celerra limitation - the only user directory and authentication schemes that Windows can work with are NT domains or Active Directory domains.
You can use 3rd-party products like Centrify or others to sync AD with LDAP or NIS, or you can use AD's LDAP to authenticate Unix clients.
Or a Samba domain controller (unsupported) that uses a common LDAP.
Your other option would be to use the old Data Mover UNIX authentication method.
I think with a properly configured ldap.conf on the Data Mover it could very well authenticate with LDAP.
But be sure to read the limitations - see attached manual.
You're basically working with a LAN Manager level similar to Windows for Workgroups ....
NFS is very, very different - with NFS v2/3 the client authenticates the user and the NFS server just believes the UID/GID it gets in the NFS request.
An NFS server doesn't have to authenticate - it only has to make sure the client's computer is allowed to mount/access. It doesn't have to deal with passwords.
1 Attachment
CIFS.pdf
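To make the last point concrete, here is an added example (mine, not from the thread or from any EMC document): a decoder for the RPC AUTH_SYS credential that NFSv2/v3 requests carry by default, together with the only decision an NFS server can make from it. The credential bytes are constructed for the example, and `nfs_server_decision` and `export_hosts` are illustrative names, not a real server API. The structure holds a stamp, a client-chosen host name and the UID/GID list, with no secret or signature anywhere, which is why the export host list (and RPCSEC_GSS with Kerberos where the deployment supports it) is the real control, not the credential itself.

```python
import struct

AUTH_SYS = 1   # RPC auth flavor for AUTH_SYS (historically AUTH_UNIX), RFC 5531

# Constructed opaque_auth for the example (not a captured packet):
#   flavor=1, body length=36, then authsys_parms:
#   stamp=0x1234, machinename="client1" (+1 pad byte), uid=1000, gid=100,
#   gids=[100, 1001]
SAMPLE_CRED = bytes.fromhex(
    "00000001" "00000024"
    "00001234"
    "00000007" "636c69656e7431" "00"
    "000003e8" "00000064"
    "00000002" "00000064" "000003e9"
)


def _uint(buf, off):
    return struct.unpack_from('>I', buf, off)[0], off + 4


def _opaque(buf, off):
    """Variable-length opaque/string: 4-byte length, data, pad to 4 bytes."""
    n, off = _uint(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated XDR opaque")
    return buf[off:off + n], off + ((n + 3) & ~3)


def decode_auth_sys(body):
    """Parse authsys_parms: stamp, machinename<255>, uid, gid, gids<16>."""
    off = 0
    stamp, off = _uint(body, off)
    name, off = _opaque(body, off)
    if len(name) > 255:
        raise ValueError("machinename longer than 255 bytes")
    uid, off = _uint(body, off)
    gid, off = _uint(body, off)
    n, off = _uint(body, off)
    if n > 16:
        raise ValueError("more than 16 supplementary gids")
    gids = []
    for _ in range(n):
        g, off = _uint(body, off)
        gids.append(g)
    if off != len(body):
        raise ValueError("trailing bytes in authsys_parms")
    return {"stamp": stamp, "machinename": name.decode('ascii'),
            "uid": uid, "gid": gid, "gids": gids}


def decode_opaque_auth(buf):
    """Parse an RPC opaque_auth and, for AUTH_SYS, its parameters."""
    flavor, off = _uint(buf, 0)
    body, off = _opaque(buf, off)
    if flavor != AUTH_SYS:
        raise ValueError("flavor %d is not AUTH_SYS" % flavor)
    return decode_auth_sys(body)


def nfs_server_decision(cred_bytes, export_hosts, client_host):
    """What an NFSv2/v3 server can do with this credential: check the
    requesting host (taken from the transport, never from the client-supplied
    machinename field) against the export list, then take uid/gid at face value."""
    if client_host not in export_hosts:
        return ("denied", None, None)           # mount/access not allowed
    p = decode_opaque_auth(cred_bytes)
    return ("granted", p["uid"], p["gid"])     # identity believed, never verified


if __name__ == "__main__":
    print(decode_opaque_auth(SAMPLE_CRED))
    print(nfs_server_decision(SAMPLE_CRED, {"client1"}, "client1"))
    print(nfs_server_decision(SAMPLE_CRED, {"client1"}, "other-host"))
```

The decoder enforces the size limits from the RPC specification (255-byte machine name, at most 16 supplementary groups) and rejects trailing bytes, which is the kind of input validation a server-side parser needs; everything else in the structure is asserted by the client, so the export list in `nfs_server_decision` is the only check that actually gates access.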