Unsolved
This post is more than 5 years old
5 Posts
0
4601
Active directory mapping / Unable to get information
HI,
I would like to centralize User mapping in Active Directory. I use only CIFS protocol and just have one windows 2008 Domain. I read all documentation about this architecture.I don't understand roles of IDMU installation because for me Active Directory own already Unix Attribut. Can tou explain roles of IDMU ?
I try without configuring IDMU. You find configuration after :
ldap.conf
# Containers
# Replace "dc=mydomain,dc=com" by your base DN.
# If you have a dedicated container for netgroups, replace
# "cn=netgroup,cn=mydomain,cn=DefaultMigrationContainer30" by the right DN.
nss_base_passwd dc=xxx,dc=xxx,dc=fr?sub
nss_base_group dc=xxx,dc=xxx,dc=fr?sub
nss_base_hosts dc=xxx,dc=xxx,dc=fr?sub
#nss_base_netgroup cn=netgroup,cn=mydomain,cn=DefaultMigrationContainer30,dc=mydomain,dc=com?sub
# Objects
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_objectclass ipHost Computer
# Attributes
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
# eof
server_ldap
server_2 :
LDAP domain: xxx.xxx.fr
base DN: dc=xxx,dc=xxx,dc=fr
State: Configured - Connected
NIS domain: xxx.xxx.fr
Proxy (Bind) DN: CN=cssgdd cssgdd,OU=Comptes,OU=LGD,OU=O-9,OU=R-OUTILS,DC=xxx,DC=xxx,DC=fr
Configuration file - TTL: 1200 seconds
Next configuration update in 362 seconds
DIT schema type: MS
LDAP configuration servers:
Server 163.80.83.141 port 389 : Active, disconnected
SSL not enabled, Persona: none specified, Cipher Suite List: none specified
Domain naming contexts:
DC=xxx,DC=xxx,DC=fr
CN=Configuration,DC=xxx,DC=xxx,DC=fr
CN=Schema,CN=Configuration,DC=xxx,DC=xxx,DC=fr
DC=DomainDnsZones,DC=xxx,DC=xxx,DC=fr
DC=ForestDnsZones,DC=xxx,DC=xxx,DC=fr
Domain supported authentication mechanisms:
GSSAPI
GSS-SPNEGO
EXTERNAL
DIGEST-MD5
Supported LDAP version: 3
Supported LDAP version: 2
Default search base: dc=xxx,dc=xxx,dc=fr
Domain default search scope: ONE
passwd base DN:
dc=xxx,dc=xxx,dc=fr - search scope SUB
passwd object class: User
passwd attributes: cn, uid, uidNumber, gidNumber, unixUserPassword, loginShell, gecos, description
group base DN:
dc=xxx,dc=xxx,dc=fr - search scope SUB
group object class: Group
group attributes: cn, gidNumber, unixUserPassword, memberUid, description
memberUid syntax is IA5String (Posix)
hosts base DN:
dc=xxx,dc=xxx,dc=fr - search scope SUB
host object class: Computer
host attributes: cn, ipHostNumber, description
No netgroup base DN
When i test connection with active directiry : server_ldap server_2 -lookup -uid 12345
server_2 :
Unable to get information for uid 12345
Have you an idea for resolve my problem ?
Thanks for your help
Best regards
François-Xavier DERVELOY
France
SAMEERK1
296 Posts
0
March 29th, 2012 05:00
Hi,
if you are running only cifs environment, i think usermapper on Data Mover would be the best choice to do the mappings.
Sameer Kulkarni
Rainer_EMC
8.6K Posts
0
March 29th, 2012 07:00
if you are CIFS only you dont get any advantages from user mapping through IDMU - just more work and complexity
stay with internal usermapper - unless you can provide a good reason
Rainer
FXDERVELOY
5 Posts
0
March 29th, 2012 08:00
It's not so easy.
I have 70 celerra on 50 sites. I use quota ( qtree and quota user). I have 80 000 user on Active Directory.
Usermapper works fine but it's not a "very good" solution !
I would like centralise UID for two principals raesons :
- It's not possible for me to manage quota efficiently. I have an exploitation Tools for hotline (Web Interface). And i can't manage quota with it because it's impossible to know the mapping SID / UID without to connect on good nas.
If uid are centralized, i could launch nas_quota command with an automatic process. it's an important cost reduction for me because in could to delegate quota management to hotline !
- It's not easy for desaster recovery process. It's simple to import / export Usermapper when you failover 1 site (1 Nas) from 1 site (1 nas). But it's impossible to failover 2 or more sites to 1 NAS ( with 1 xBlade). I can't merge usermapper because all usermapper begin at the same number.
In my technical context centralized UID seems a good idea. For this reason i search to bench this solution.
Best regards
Francois-Xavier DERVELOY
France
Rainer_EMC
8.6K Posts
0
March 29th, 2012 10:00
ok - that makes sense then.
Just understand that you then also need to automate some stuff - particulary creation of new users.
Last time I looked at IDMU and AD integration it didnt have automatic UID/GID assignement like usermapper.
So if you just created a new AD user the fields for UID/GID are blank.
If you turn off internal usermapper (as you should to avoid confusion) this means that new AD users cannot connect to the Celerra/VNX until the UID/GID's are assigned in AD.
In a large environment I assume you also have some tools to automate AD user creation - just keep in mind that these should also create the UID/GID mapping in AD.
Of course migrating to it from 70 internal usermappers isnt fun (unless you have already configured different ranges)
Rainer
Rainer_EMC
8.6K Posts
0
March 30th, 2012 09:00
Hi Francois,
I’ll get one of your French experts to help you directly offline.
Faster and more efficient than the forum.
Rainer
christopher_ime
2K Posts
0
March 31st, 2012 00:00
I just wanted to point out that your second reason may not be a limiting factor (however, the other reason would be).
In your 3 site example, if instead from the beginning the usermapper relationship amongst the 3 Celerra's was setup so that the two production Celerra's were configured as SECONDARY usermapper db's with the X-Blade they are replicating to as the PRIMARY usermapper, this would have assured that even though they were separate sites, the PRIMARY usermapper (which they are both replicating to) would have generated unique mappings for the collection of users.
I'll assume it is a bit late now though as the mappings were made local to each site (they were both PRIMARY). However, I also do understand this was a simple example you made to emphasize a point and your first reason would be the ultimate limiting factor.
FXDERVELOY
5 Posts
0
April 2nd, 2012 00:00
Hi,
Thanks rainer for your help.
I take contact to french expert.
Best regards
FXDERVELOY
5 Posts
0
April 5th, 2012 13:00
It's Work now. Connect datamover to Active Directory are simple.
Active Directory
If you have 2003R2 DC or 2008. no nodifications are necessary. Attributes are already present in the AD schema. It's necessary to install IDMU if you need some tools for importing nis map to your domain. If you assume provisionning manually necessary attributes In active Directory, nothing to do.
Datamover Configuration
You need to configure :
ldap.conf in /nasmcd/quota/slot.x/.etc/ldap.conf
nsswitch.conf in /nasmcd/quota/slot.x/.etc/nsswitch.conf
And bind Active directory with server_ldap command.
Tips
For obtain an answer to Ldap directory
gidnumber and uidnumber are mandatory for CIFS environnement. Other attributes are optionals unless if you use an mixed CIFS / NFS environnement.
All works fine
Thanks for help.
Best regards
François-Xavier DERVELOY
Rainer_EMC
8.6K Posts
0
April 6th, 2012 04:00
Thanks for your feedback
Good that it works now
I understand you initial problem was that you had UIDs defined in your AD but no GIDs
Rainer