Data Domain:具有 Active Directory 的 LDAP 启用失败并显示错误“Validation Failed”
Summary: 启用了 Active Directory 的轻型目录访问协议 (LDAP) 失败并显示错误。
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
如果在 Data Domain 系统上导入了不正确的证书,启用 Active Directory 的 LDAP 可能会失败。
例:
例:
sysadmin@dd01# authentication ldap show LDAP configuration Enabled: no Base-suffix: dc=lab,dc=example,dc=com Server Type: Active Directory Binddn: administrator@lab.example.com Server(s): 1 # Server - ------------------------ --------- 1 MYADSERV.com.example.com (primary) - ------------------------ --------- Secure LDAP configuration SSL Enabled: yes SSL Method: ldaps tls_reqcert: demand sysadmin@dd01# authentication ldap enable LDAP configuration Enabled: no Base-suffix: dc=lab,dc=example,dc=com Server Type: Active Directory Binddn: administrator@lab.example.com Server(s): 1 # Server - ------------------------ --------- 1 MYADSERV.com.example.com (primary) - ------------------------ --------- Secure LDAP configuration SSL Enabled: yes SSL Method: ldaps tls_reqcert: demand LDAP will be enabled with the above configuration. Do you want to continue? (yes|no) [no]: yes **** Failed to enable: validation failed. Error while performing ldap query. Aug 16 22:07:20 dd01 sms: NOTICE: Run: timeout 60 /bin/ldapsearch -x -H ldaps://MYADSERV.lab.example.com/ -b 'dc=lab,dc=example,dc=lab' -s base -LLL -D 'administrator@lab.example.com' -y /etc/openldap/bindpw_file 2>&1 Aug 16 22:07:20 dd01 sms: NOTICE: Output: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) Aug 16 22:07:20 dd01 sms: NOTICE: ldapsearch error:255 Aug 16 22:07:20 dd01 sms: ERROR: _check_ldap_status: Failed to run ldapsearch query: **** An error occurred while running an internal command. Aug 16 22:07:20 dd01 sms: INFO: _sms_ldap_get_status:1183: LDAP server MYADSERV.lab.example.com has an error: validation failed. Error while performing ldap query. Aug 16 22:07:20 dd01 sms: ERROR: _validate_ldap_status_during_enable:1380: validation failed. Error while performing ldap query. Aug 16 22:07:20 dd01 sms: ERROR: sms_ldap_setup_config_job:2253: **** Failed to enable: validation failed. Error while performing ldap query. Aug 16 22:07:20 dd01 -ddsh: NOTICE: MSG-DDSH-00017: (tty=pts/2, session=15211) sysadmin: command "authentication ldap enable" exited with code: 33 Aug 16 22:07:44 dd01 sms: INFO: Map MG/DG UUID into volume UUID and Name
Cause
对于与 Active Directory 的 LDAP 集成,系统需要具有 FDQN 的 LDAP 证书。
sysadmin@dd01# adminaccess certificate show Subject Type Application Valid From Valid Until Fingerprint ------------------- ----------- ----------- ------------------------ ------------------------ ----------------------------------------------------------- dd01.lab.example.com host https Sat Aug 15 09:14:31 2020 Tue Aug 15 16:14:31 2023 D3:B6:F8:B6:3C:91:DA:B8:BB:96:44:38:3F:85:10:BD:A9:23:9E:D9 lab-MYADSERV-CA imported-ca ldap Mon Aug 16 21:51:24 2021 Sun Aug 16 22:01:23 2026 B7:40:A1:FA:7D:19:B6:D0:EB:FF:5D:72:70:64:43:E1:6B:70:5E:75 ------------------- ----------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
请注意,DDMC 不支持 AD LDAP。
Resolution
- 客户使用 FDQN 生成新的 LDAP 证书 。
- 安装 带 FDQN 的新证书并启用 LDAP。
例:
具有 FDQN 的 LDPA 证书
具有 FDQN 的 LDPA 证书
sysadmin@dd01# adminaccess certificate show Subject Type Application Valid From Valid Until Fingerprint ----------------------- ----------- ----------- ------------------------ ------------------------ ----------------------------------------------------------- dd01.lab.example.com host https Sat Aug 15 09:14:31 2020 Tue Aug 15 16:14:31 2023 D3:B6:F8:B6:3C:91:DA:B8:BB:96:44:38:3F:85:10:BD:A9:23:9E:D9 lab-MYADSERV-CA imported-ca ldap Mon Aug 16 21:51:24 2021 Sun Aug 16 22:01:23 2026 B7:40:A1:FA:7D:19:B6:D0:EB:FF:5D:72:70:64:43:E1:6B:70:5E:75 MYADSERV.lab.example.com imported-ca ldap Mon Aug 16 22:05:09 2021 Sat Aug 16 22:15:08 2031 2F:82:C5:C1:0A:DF:26:A2:97:63:9B:74:3E:AC:D8:39:5E:0E:08:B9 ------------------------ ---------- ----------- ------------------------ ------------------------ ----------------------------------------------------------- sysadmin@dd01# authentication ldap enable LDAP configuration Enabled: no Base-suffix: dc=lab,dc=example,dc=com Server Type: Active Directory Binddn: administrator@lab.example.com Server(s): 1 # Server - ------------------------ --------- 1 MYADSERV.com.example.com (primary) - ------------------------ --------- Secure LDAP configuration SSL Enabled: yes SSL Method: ldaps tls_reqcert: demand LDAP will be enabled with the above configuration. Do you want to continue? (yes|no) [no]: y LDAP is enabled.
Additional Information
以下是使用 AD 为用户和组完成 LDAP 配置的要求。
- 在 AD 上为 Data Domain 用户配置组,并为该组设置 GID。
- 每个 AD 用户都必须设置 UID 和 GID。
示例:
在 DD 上:
# authentication ldap groups show
LDAP Group Role ---------- ----- myadmins admin ---------- -----
在 AD 服务器上:
# get-adgroup myadmins -properties * |findstr gidNumber gidNumber : 200 # get-aduser test -properties * |findstr uidNumber uidNumber : 600 #get-aduser test -properties * |findstr gidNumber gidNumber : 200
通过 SSH 连接
$ ssh test@ddve EMC Data Domain Virtual Edition Password: Last login: Thu Aug 19 17:25:23 PDT 2021 from xx.xx.xx.xx on gui Welcome to Data Domain OS 7.6.0.5-685135 ---------------------------------------- test@ddve4#
在 Windows Server 2016(及后续版本)的 Active Directory 用户和计算机中配置 ID 映射:
在域控制器上:
- 单击 Administrative Tools
- 启动 Active Directory 用户和计算机 (ADUC)。
- 从“视图”菜单启用高级功能。
- 转到“用户”下的特定用户对象
- 右键单击用户对象以打开“属性”菜单,
- 转到“属性编辑器”(Attribute Editor) 选项卡。
- 对于 Users,指定 uidNumber。对于组,指定 gidNumber。
Affected Products
Data DomainArticle Properties
Article Number: 000190700
Article Type: Solution
Last Modified: 20 Aug 2025
Version: 3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.