Data Domain: LDAPS with Active Directory fails to enable with a "Validation Failed" error
Summary: LDAP (Lightweight Directory Access Protocol) with Active Directory fails to enable and returns an error.
Symptoms
LDAP with Active Directory can fail to enable when an incorrect certificate has been imported on the Data Domain system.
Example:
sysadmin@dd01# authentication ldap show
LDAP configuration
    Enabled: no
    Base-suffix: dc=lab,dc=example,dc=com
    Server Type: Active Directory
    Binddn: administrator@lab.example.com
    Server(s): 1
#   Server
-   ------------------------   ---------
1   MYADSERV.com.example.com   (primary)
-   ------------------------   ---------

Secure LDAP configuration
    SSL Enabled: yes
    SSL Method: ldaps
    tls_reqcert: demand

sysadmin@dd01# authentication ldap enable
LDAP configuration
    Enabled: no
    Base-suffix: dc=lab,dc=example,dc=com
    Server Type: Active Directory
    Binddn: administrator@lab.example.com
    Server(s): 1
#   Server
-   ------------------------   ---------
1   MYADSERV.com.example.com   (primary)
-   ------------------------   ---------

Secure LDAP configuration
    SSL Enabled: yes
    SSL Method: ldaps
    tls_reqcert: demand

LDAP will be enabled with the above configuration.
    Do you want to continue? (yes|no) [no]: yes

**** Failed to enable: validation failed. Error while performing ldap query.

Aug 16 22:07:20 dd01 sms: NOTICE: Run: timeout 60 /bin/ldapsearch -x -H ldaps://MYADSERV.lab.example.com/ -b 'dc=lab,dc=example,dc=lab' -s base -LLL -D 'administrator@lab.example.com' -y /etc/openldap/bindpw_file 2>&1
Aug 16 22:07:20 dd01 sms: NOTICE: Output: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Aug 16 22:07:20 dd01 sms: NOTICE: ldapsearch error:255
Aug 16 22:07:20 dd01 sms: ERROR: _check_ldap_status: Failed to run ldapsearch query: **** An error occurred while running an internal command.
Aug 16 22:07:20 dd01 sms: INFO: _sms_ldap_get_status:1183: LDAP server MYADSERV.lab.example.com has an error: validation failed. Error while performing ldap query.
Aug 16 22:07:20 dd01 sms: ERROR: _validate_ldap_status_during_enable:1380: validation failed. Error while performing ldap query.
Aug 16 22:07:20 dd01 sms: ERROR: sms_ldap_setup_config_job:2253: **** Failed to enable: validation failed. Error while performing ldap query.
Aug 16 22:07:20 dd01 -ddsh: NOTICE: MSG-DDSH-00017: (tty=pts/2, session=15211) sysadmin: command "authentication ldap enable" exited with code: 33
Aug 16 22:07:44 dd01 sms: INFO: Map MG/DG UUID into volume UUID and Name
Cause
LDAP integration with Active Directory requires an LDAP certificate that contains the FQDN to be present on the system.
sysadmin@dd01# adminaccess certificate show
Subject                Type          Application   Valid From                 Valid Until                Fingerprint
-------------------    -----------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
dd01.lab.example.com   host          https         Sat Aug 15 09:14:31 2020   Tue Aug 15 16:14:31 2023   D3:B6:F8:B6:3C:91:DA:B8:BB:96:44:38:3F:85:10:BD:A9:23:9E:D9
lab-MYADSERV-CA        imported-ca   ldap          Mon Aug 16 21:51:24 2021   Sun Aug 16 22:01:23 2026   B7:40:A1:FA:7D:19:B6:D0:EB:FF:5D:72:70:64:43:E1:6B:70:5E:75
-------------------    -----------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
AD LDAP is not supported on DDMC.
Resolution
- The customer generates a new LDAP certificate that uses the FQDN.
- Install the new certificate with the FQDN and enable LDAP.
Example:
LDAP certificate with the FQDN
sysadmin@dd01# adminaccess certificate show
Subject                    Type          Application   Valid From                 Valid Until                Fingerprint
-----------------------    -----------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
dd01.lab.example.com       host          https         Sat Aug 15 09:14:31 2020   Tue Aug 15 16:14:31 2023   D3:B6:F8:B6:3C:91:DA:B8:BB:96:44:38:3F:85:10:BD:A9:23:9E:D9
lab-MYADSERV-CA            imported-ca   ldap          Mon Aug 16 21:51:24 2021   Sun Aug 16 22:01:23 2026   B7:40:A1:FA:7D:19:B6:D0:EB:FF:5D:72:70:64:43:E1:6B:70:5E:75
MYADSERV.lab.example.com   imported-ca   ldap          Mon Aug 16 22:05:09 2021   Sat Aug 16 22:15:08 2031   2F:82:C5:C1:0A:DF:26:A2:97:63:9B:74:3E:AC:D8:39:5E:0E:08:B9
------------------------   ----------    -----------   ------------------------   ------------------------   -----------------------------------------------------------

sysadmin@dd01# authentication ldap enable
LDAP configuration
    Enabled: no
    Base-suffix: dc=lab,dc=example,dc=com
    Server Type: Active Directory
    Binddn: administrator@lab.example.com
    Server(s): 1
#   Server
-   ------------------------   ---------
1   MYADSERV.com.example.com   (primary)
-   ------------------------   ---------

Secure LDAP configuration
    SSL Enabled: yes
    SSL Method: ldaps
    tls_reqcert: demand

LDAP will be enabled with the above configuration.
    Do you want to continue? (yes|no) [no]: y

LDAP is enabled.
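A triage check for the condition described under Cause, added here as an example and not part of the original article or of any Dell tooling: it takes the LDAPS host from the logged ldapsearch run and reports whether an ldap-application certificate with that FQDN as its subject is listed. The sample inputs are constructed from the outputs shown above, the function names are hypothetical, and matching on the Subject column alone is an assumption based on this article's example.

```python
import re

# Constructed sample input modelled on the outputs in this article
# (trailing date and fingerprint columns omitted; the parser ignores them).
CERT_SHOW_BEFORE = """\
Subject                    Type          Application
------------------------   -----------   -----------
dd01.lab.example.com       host          https
lab-MYADSERV-CA            imported-ca   ldap
"""
CERT_SHOW_AFTER = CERT_SHOW_BEFORE + "MYADSERV.lab.example.com   imported-ca   ldap\n"
SMS_LOG = (
    "Aug 16 22:07:20 dd01 sms: NOTICE: Run: timeout 60 /bin/ldapsearch -x "
    "-H ldaps://MYADSERV.lab.example.com/ -s base -LLL\n"
    "Aug 16 22:07:20 dd01 sms: NOTICE: Output: ldap_sasl_bind(SIMPLE): "
    "Can't contact LDAP server (-1)\n"
)

def ldaps_hosts(log_text):
    """Hosts the logged ldapsearch validation runs tried to reach over LDAPS."""
    hosts = re.findall(r"-H\s+ldaps://([^/\s:']+)", log_text)
    return sorted({h.lower() for h in hosts})

def ldap_cert_subjects(cert_show_text):
    """Subjects of certificates whose Application column is 'ldap'."""
    subjects = set()
    for line in cert_show_text.splitlines():
        cols = line.split()
        # Assumption: subjects contain no spaces, so columns 1-3 split cleanly.
        if len(cols) >= 3 and cols[2] == "ldap":
            subjects.add(cols[0].lower())
    return subjects

def missing_fqdn_certs(log_text, cert_show_text):
    """LDAPS hosts that failed to bind and have no ldap certificate
    whose subject is that host's FQDN."""
    if "Can't contact LDAP server" not in log_text:
        return []
    subjects = ldap_cert_subjects(cert_show_text)
    return [h for h in ldaps_hosts(log_text) if h not in subjects]

if __name__ == "__main__":
    print("before:", missing_fqdn_certs(SMS_LOG, CERT_SHOW_BEFORE))
    print("after: ", missing_fqdn_certs(SMS_LOG, CERT_SHOW_AFTER))
```
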
Additional Information
The following are the requirements for completing the LDAP configuration with AD for users and groups.
- Configure a group in AD for the Data Domain users and set the GID of that group.
- Every AD user must have a UID and a GID set.
Example:
On the DD:
# authentication ldap groups show
LDAP Group   Role
----------   -----
myadmins     admin
----------   -----
On the AD server:
# get-adgroup myadmins -properties * |findstr gidNumber
gidNumber : 200
# get-aduser test -properties * |findstr uidNumber
uidNumber : 600
# get-aduser test -properties * |findstr gidNumber
gidNumber : 200
Connecting over SSH
$ ssh test@ddve
EMC Data Domain Virtual Edition
Password:
Last login: Thu Aug 19 17:25:23 PDT 2021 from xx.xx.xx.xx on gui

Welcome to Data Domain OS 7.6.0.5-685135
----------------------------------------
test@ddve4#
Configuring ID mapping in Active Directory Users and Computers for Windows Server 2016 (and later) versions:
On the domain controller:
- Click Administrative Tools.
- Start Active Directory Users and Computers (ADUC).
- On the View menu, enable Advanced Features.
- Navigate to the specific user object under Users.
- Right-click the User object to open the Properties menu.
- Go to the Attribute Editor tab.
- For users, specify uidNumber. For groups, specify gidNumber.
Affected Products
Data Domain
Article Properties
Article Number: 000190700
Article Type: Solution
Last Modified: 20 Aug 2025
Version: 3