October 18th, 2016 12:00

LDAP password scheme?

Dear Experts,

We have a multiprotocol NAS server (CIFS, NFS and FTP) on a VNXe3200. The FTP access should only be allowed for Unix user accounts, stored in an LDAP directory service. The LDAP server has the RFC 2307 schema, i.e. the user data can be found in the posixAccount objectclass and the login password in its userPassword attribute.

My question is: what should the password look like in the LDAP output? Plain text or hashed ({SSHA}, {SMD5}...)? Base64 encoded or not?

Unfortunately I haven't found any information on this so far and I can't seem to get the FTP authentication working.

Can someone please shed some light on this? Any help (link, howto...) would be greatly appreciated.

Thank you!

3 Posts

November 15th, 2016 00:00

After some experimenting, I was able to set up FTP authentication for the Unix user accounts using {SSHA} hashed passwords.

Maybe there are other working methods as well, but that's an exercise for the reader to find them.

8.6K Posts

November 15th, 2016 04:00

would you mind sharing what you learned and which config worked for you?

3 Posts

November 16th, 2016 02:00

Hello Rainer,

Sure.

As I've written in my first post, our Unix user accounts are stored in an LDAP directory (actually OpenLDAP). In case of FTP access, the authentication takes place in the VNXe, based on the account information (username and password) from the LDAP database.

The passwords in the LDAP reply need to be encrypted using a method supported by VNXe, of course, otherwise the authentication won't work. Unfortunately, I haven't found any information on the supported algorithms.

I got a hint from EMC Support that plain text passwords might work, but that's not the case according to my experiments. Linux encrypted passwords ({CRYPT} scheme) don't work either. Finally I had luck with salted SHA1 ({SSHA} scheme) hashes (see http://www.openldap.org/faq/data/cache/347.html), as I've written in my previous answer.

I can't tell you whether there are other working algorithms or not because I haven't tried more.

There is perhaps one more thing worth mentioning: you should double-check the security settings of your LDAP server. In our OpenLDAP a default setting prevented the userPassword attribute from showing up in normal LDAP responses. But the account the VNXe uses for connecting to the LDAP directory (the one that is specified under the Unix Directory Service settings in Unisphere) needs to have read access to this field, of course.

To sum up, follow the steps below to set up FTP access for LDAP (Unix) users:

1. Configure LDAP connection settings in Unisphere (Settings / NAS Servers / Unix Directory Service).

2. The passwords in LDAP should be encrypted with a VNXe-supported algorithm (e.g. {SSHA}).

3. Make sure that VNXe has access to the password field in the LDAP database.

4. Configure FTP for Unix users in Unisphere (Settings / NAS Servers / Sharing Protocols).

5. Test FTP and drink a beer afterwards.
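The answer above settles two of the original questions in passing: the working storage form is an RFC 2307 {SSHA} value, and the base64 you see in ldapsearch output (`userPassword:: ...`, double colon) is only LDIF transport encoding of that value, not part of the hash. The following Python is an added example, not code from the thread or from EMC/Dell; it builds {SSHA} values in the format `slappasswd -h {SSHA}` emits (base64 of SHA-1(password + salt) followed by the salt, per the OpenLDAP FAQ linked above), verifies them the way an {SSHA}-aware consumer would, and audits an LDIF dump for accounts that are stored in some other scheme or whose userPassword is not visible at all (the ACL symptom the poster describes). The DNs, uids and password values in `SAMPLE_LDIF` are constructed for the demo; the {CRYPT} string is a placeholder, not a real hash.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

SSHA_SALT_LEN = 4  # slappasswd -h {SSHA} uses a 4-byte random salt by default
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SSHA_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    The salt is whatever follows the 20-byte digest, so any salt length works.
    Comparison is constant-time.
    """
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_scheme(value: str) -> str:
    """Return the RFC 2307 scheme prefix ('{SSHA}', '{CRYPT}', ...) or 'plaintext'."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1]
    return "plaintext"


def audit_ldif(ldif_text: str) -> Dict[str, str]:
    """Map uid -> password scheme for every entry in an ldapsearch LDIF dump.

    'userPassword:: <base64>' is LDIF base64 encoding of the stored value and is
    decoded before the scheme is read. A uid with no readable userPassword is
    reported as 'not visible', which is what an ACL that hides the attribute
    from the bind account looks like from the client side.
    """
    result: Dict[str, str] = {}
    for record in ldif_text.strip().split("\n\n"):
        lines: List[str] = []
        for line in record.splitlines():
            if line.startswith(" ") and lines:  # LDIF line folding
                lines[-1] += line[1:]
            else:
                lines.append(line)
        uid: Optional[str] = None
        pw_value: Optional[str] = None
        for line in lines:
            if line.startswith("uid: "):
                uid = line[len("uid: "):]
            elif line.startswith("userPassword:: "):
                raw = base64.b64decode(line[len("userPassword:: "):])
                pw_value = raw.decode("utf-8", "replace")
            elif line.startswith("userPassword: "):
                pw_value = line[len("userPassword: "):]
        if uid is not None:
            result[uid] = password_scheme(pw_value) if pw_value is not None else "not visible"
    return result


def vnxe_ready(ldif_text: str) -> Dict[str, bool]:
    """True only for accounts stored in the scheme the poster found to work ({SSHA})."""
    return {uid: scheme == "{SSHA}" for uid, scheme in audit_ldif(ldif_text).items()}


# Constructed sample dump (not from the thread): one entry per storage form.
_DEMO_SALT = b"\x01\x02\x03\x04"
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "objectClass: posixAccount",
    "uid: alice",
    "uidNumber: 10001",
    "gidNumber: 10001",
    "homeDirectory: /home/alice",
    "userPassword:: " + base64.b64encode(
        ssha_hash("correct horse", _DEMO_SALT).encode("ascii")).decode("ascii"),
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "objectClass: posixAccount",
    "uid: bob",
    "userPassword: {CRYPT}$6$constructed$notarealhash",  # placeholder, not a real crypt(3) hash
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "objectClass: posixAccount",
    "uid: carol",
    "userPassword: plain-text-secret",
    "",
    "dn: uid=dave,ou=People,dc=example,dc=com",
    "objectClass: posixAccount",
    "uid: dave",  # userPassword hidden by ACL: nothing returned
])

if __name__ == "__main__":
    for uid, ok in vnxe_ready(SAMPLE_LDIF).items():
        print(f"{uid:8s} {audit_ldif(SAMPLE_LDIF)[uid]:14s} {'OK' if ok else 'fix'}")
```

Run the audit against a dump taken with the same bind DN the NAS server uses (`ldapsearch -x -D <vnxe bind dn> -W -b ou=People,... '(objectClass=posixAccount)' uid userPassword`); anything reported as `not visible` is the ACL problem from step 3, anything other than `{SSHA}` is step 2. OpenLDAP's stock rule for the attribute is `to attrs=userPassword by self write by anonymous auth by * none`, so the fix for step 3 is to add `by dn.exact="<vnxe bind dn>" read` ahead of the `by * none` catch-all rather than opening the attribute to everyone.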
