Data Domain: LDAP with Active Directory enabled fails with the error "Validation failed"

Summary: LDAP (Lightweight Directory Access Protocol) with Active Directory enabled fails with an error.


Symptoms

LDAP with Active Directory enabled can fail if an incorrect certificate has been imported on the Data Domain system.

Example:
sysadmin@dd01# authentication ldap show
LDAP configuration
        Enabled:         no
        Base-suffix:     dc=lab,dc=example,dc=com
        Server Type:     Active Directory
        Binddn:          administrator@lab.example.com
        Server(s):       1
#   Server
-   ------------------------   ---------
1   MYADSERV.com.example.com   (primary)
-   ------------------------   ---------

Secure LDAP configuration
        SSL Enabled:     yes
        SSL Method:      ldaps
        tls_reqcert:     demand
sysadmin@dd01# authentication ldap enable
LDAP configuration
        Enabled:         no
        Base-suffix:     dc=lab,dc=example,dc=com
        Server Type:     Active Directory
        Binddn:          administrator@lab.example.com
        Server(s):       1
#   Server
-   ------------------------   ---------
1   MYADSERV.com.example.com   (primary)
-   ------------------------   ---------


Secure LDAP configuration
        SSL Enabled:     yes
        SSL Method:      ldaps
        tls_reqcert:     demand

LDAP will be enabled with the above configuration.
        Do you want to continue? (yes|no) [no]: yes

**** Failed to enable: validation failed. Error while performing ldap query.


Aug 16 22:07:20 dd01 sms: NOTICE: Run: timeout 60 /bin/ldapsearch -x -H ldaps://MYADSERV.lab.example.com/ -b 'dc=lab,dc=example,dc=lab' -s base -LLL -D 'administrator@lab.example.com' -y /etc/openldap/bindpw_file 2>&1
Aug 16 22:07:20 dd01 sms: NOTICE: Output: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Aug 16 22:07:20 dd01 sms: NOTICE: ldapsearch error:255
Aug 16 22:07:20 dd01 sms: ERROR: _check_ldap_status: Failed to run ldapsearch query: **** An error occurred while running an internal command.
Aug 16 22:07:20 dd01 sms: INFO: _sms_ldap_get_status:1183: LDAP server MYADSERV.lab.example.com has an error: validation failed. Error while performing ldap query.
Aug 16 22:07:20 dd01 sms: ERROR: _validate_ldap_status_during_enable:1380: validation failed. Error while performing ldap query.
Aug 16 22:07:20 dd01 sms: ERROR: sms_ldap_setup_config_job:2253: **** Failed to enable: validation failed. Error while performing ldap query.
Aug 16 22:07:20 dd01 -ddsh: NOTICE: MSG-DDSH-00017: (tty=pts/2, session=15211) sysadmin: command "authentication ldap enable" exited with code: 33
Aug 16 22:07:44 dd01 sms: INFO: Map MG/DG UUID into volume UUID and Name

Cause

For LDAP integration with Active Directory, the system requires an LDAP certificate issued for the server's FQDN (fully qualified domain name). With tls_reqcert set to demand, the ldapsearch validation fails when the name in the certificate does not match the configured server name.

sysadmin@dd01# adminaccess certificate show
Subject               Type          Application   Valid From                 Valid Until                Fingerprint
-------------------   -----------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
dd01.lab.example.com   host          https         Sat Aug 15 09:14:31 2020   Tue Aug 15 16:14:31 2023   D3:B6:F8:B6:3C:91:DA:B8:BB:96:44:38:3F:85:10:BD:A9:23:9E:D9
lab-MYADSERV-CA        imported-ca   ldap          Mon Aug 16 21:51:24 2021   Sun Aug 16 22:01:23 2026   B7:40:A1:FA:7D:19:B6:D0:EB:FF:5D:72:70:64:43:E1:6B:70:5E:75
-------------------   -----------   -----------   ------------------------   ------------------------   -----------------------------------------------------------

Note that AD LDAP is not supported on DDMC.

Resolution

  1. The customer must generate a new LDAP certificate issued for the FQDN.
  2. Install the new certificate with the FQDN and enable LDAP.
Example:
LDAP certificate with FQDN
sysadmin@dd01# adminaccess certificate show
Subject                       Type          Application   Valid From                 Valid Until                Fingerprint
-----------------------     -----------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
dd01.lab.example.com          host          https         Sat Aug 15 09:14:31 2020   Tue Aug 15 16:14:31 2023   D3:B6:F8:B6:3C:91:DA:B8:BB:96:44:38:3F:85:10:BD:A9:23:9E:D9
lab-MYADSERV-CA             imported-ca   ldap          Mon Aug 16 21:51:24 2021   Sun Aug 16 22:01:23 2026   B7:40:A1:FA:7D:19:B6:D0:EB:FF:5D:72:70:64:43:E1:6B:70:5E:75
MYADSERV.lab.example.com    imported-ca   ldap          Mon Aug 16 22:05:09 2021   Sat Aug 16 22:15:08 2031   2F:82:C5:C1:0A:DF:26:A2:97:63:9B:74:3E:AC:D8:39:5E:0E:08:B9
------------------------      ----------   -----------   ------------------------   ------------------------   -----------------------------------------------------------

sysadmin@dd01# authentication ldap enable
LDAP configuration
        Enabled:         no
        Base-suffix:     dc=lab,dc=example,dc=com
        Server Type:     Active Directory
        Binddn:          administrator@lab.example.com
        Server(s):       1
#   Server
-   ------------------------   ---------
1   MYADSERV.com.example.com   (primary)
-   ------------------------   ---------

Secure LDAP configuration
        SSL Enabled:     yes
        SSL Method:      ldaps
        tls_reqcert:     demand

LDAP will be enabled with the above configuration.
        Do you want to continue? (yes|no) [no]: y

LDAP is enabled.

Additional Information

The following are the requirements for completing the LDAP configuration using AD for users and groups.
  1. Configure a group for Data Domain users in AD and set the GID for that group.
  2. Every AD user must have a UID and a GID set.
Example:
On the DD:
# authentication ldap groups show
LDAP Group   Role
----------   -----
myadmins     admin
----------   -----
On the AD server:
#  get-adgroup myadmins -properties * |findstr gidNumber
gidNumber                       : 200

# get-aduser test -properties * |findstr uidNumber
uidNumber                            : 600

#get-aduser test  -properties * |findstr gidNumber
gidNumber                            : 200
Connecting via SSH
$ ssh  test@ddve
EMC Data Domain Virtual Edition
Password:
Last login: Thu Aug 19 17:25:23 PDT 2021 from xx.xx.xx.xx on gui


Welcome to Data Domain OS 7.6.0.5-685135
----------------------------------------

test@ddve4#


Configuring ID mappings in Active Directory Users and Computers on Windows Server 2016 (and later):
On the domain controller:

  1. Click Administrative Tools.
  2. Start Active Directory Users and Computers (ADUC).
  3. Enable Advanced Features in the View menu.
  4. Go to the specific user object under Users.
  5. Right-click the user object to open the Properties menu.
  6. Go to the Attribute Editor tab.
  7. Set uidNumber for users. Set gidNumber for groups.

Affected Products

Data Domain
Article Properties
Article Number: 000190700
Article Type: Solution
Last Modified: 20 Aug 2025
Version:  3