Data Domain:具有 Active Directory 的 LDAP 啟用失敗,並顯示錯誤「驗證失敗」
Summary: 啟用 Active Directory 的輕量型目錄存取通訊協定 (LDAP) 失敗,並顯示錯誤。
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
如果 Data Domain 系統匯入不正確的憑證,啟用 Active Directory 的 LDAP 可能會失敗。
例:
例:
sysadmin@dd01# authentication ldap show LDAP configuration Enabled: no Base-suffix: dc=lab,dc=example,dc=com Server Type: Active Directory Binddn: administrator@lab.example.com Server(s): 1 # Server - ------------------------ --------- 1 MYADSERV.com.example.com (primary) - ------------------------ --------- Secure LDAP configuration SSL Enabled: yes SSL Method: ldaps tls_reqcert: demand sysadmin@dd01# authentication ldap enable LDAP configuration Enabled: no Base-suffix: dc=lab,dc=example,dc=com Server Type: Active Directory Binddn: administrator@lab.example.com Server(s): 1 # Server - ------------------------ --------- 1 MYADSERV.com.example.com (primary) - ------------------------ --------- Secure LDAP configuration SSL Enabled: yes SSL Method: ldaps tls_reqcert: demand LDAP will be enabled with the above configuration. Do you want to continue? (yes|no) [no]: yes **** Failed to enable: validation failed. Error while performing ldap query. Aug 16 22:07:20 dd01 sms: NOTICE: Run: timeout 60 /bin/ldapsearch -x -H ldaps://MYADSERV.lab.example.com/ -b 'dc=lab,dc=example,dc=lab' -s base -LLL -D 'administrator@lab.example.com' -y /etc/openldap/bindpw_file 2>&1 Aug 16 22:07:20 dd01 sms: NOTICE: Output: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) Aug 16 22:07:20 dd01 sms: NOTICE: ldapsearch error:255 Aug 16 22:07:20 dd01 sms: ERROR: _check_ldap_status: Failed to run ldapsearch query: **** An error occurred while running an internal command. Aug 16 22:07:20 dd01 sms: INFO: _sms_ldap_get_status:1183: LDAP server MYADSERV.lab.example.com has an error: validation failed. Error while performing ldap query. Aug 16 22:07:20 dd01 sms: ERROR: _validate_ldap_status_during_enable:1380: validation failed. Error while performing ldap query. Aug 16 22:07:20 dd01 sms: ERROR: sms_ldap_setup_config_job:2253: **** Failed to enable: validation failed. Error while performing ldap query. Aug 16 22:07:20 dd01 -ddsh: NOTICE: MSG-DDSH-00017: (tty=pts/2, session=15211) sysadmin: command "authentication ldap enable" exited with code: 33 Aug 16 22:07:44 dd01 sms: INFO: Map MG/DG UUID into volume UUID and Name
Cause
若要將 LDAP 與 Active Directory 整合,系統需要具有 FDQN 的 LDAP 憑證。
sysadmin@dd01# adminaccess certificate show Subject Type Application Valid From Valid Until Fingerprint ------------------- ----------- ----------- ------------------------ ------------------------ ----------------------------------------------------------- dd01.lab.example.com host https Sat Aug 15 09:14:31 2020 Tue Aug 15 16:14:31 2023 D3:B6:F8:B6:3C:91:DA:B8:BB:96:44:38:3F:85:10:BD:A9:23:9E:D9 lab-MYADSERV-CA imported-ca ldap Mon Aug 16 21:51:24 2021 Sun Aug 16 22:01:23 2026 B7:40:A1:FA:7D:19:B6:D0:EB:FF:5D:72:70:64:43:E1:6B:70:5E:75 ------------------- ----------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
請注意,DDMC 不支援 AD LDAP。
Resolution
- 客戶使用 FDQN 產生新的 LDAP 憑證 。
- 使用 FDQN 安裝新憑證並啟用 LDAP。
例:
LDPA 憑證與 FDQN
LDPA 憑證與 FDQN
sysadmin@dd01# adminaccess certificate show Subject Type Application Valid From Valid Until Fingerprint ----------------------- ----------- ----------- ------------------------ ------------------------ ----------------------------------------------------------- dd01.lab.example.com host https Sat Aug 15 09:14:31 2020 Tue Aug 15 16:14:31 2023 D3:B6:F8:B6:3C:91:DA:B8:BB:96:44:38:3F:85:10:BD:A9:23:9E:D9 lab-MYADSERV-CA imported-ca ldap Mon Aug 16 21:51:24 2021 Sun Aug 16 22:01:23 2026 B7:40:A1:FA:7D:19:B6:D0:EB:FF:5D:72:70:64:43:E1:6B:70:5E:75 MYADSERV.lab.example.com imported-ca ldap Mon Aug 16 22:05:09 2021 Sat Aug 16 22:15:08 2031 2F:82:C5:C1:0A:DF:26:A2:97:63:9B:74:3E:AC:D8:39:5E:0E:08:B9 ------------------------ ---------- ----------- ------------------------ ------------------------ ----------------------------------------------------------- sysadmin@dd01# authentication ldap enable LDAP configuration Enabled: no Base-suffix: dc=lab,dc=example,dc=com Server Type: Active Directory Binddn: administrator@lab.example.com Server(s): 1 # Server - ------------------------ --------- 1 MYADSERV.com.example.com (primary) - ------------------------ --------- Secure LDAP configuration SSL Enabled: yes SSL Method: ldaps tls_reqcert: demand LDAP will be enabled with the above configuration. Do you want to continue? (yes|no) [no]: y LDAP is enabled.
Additional Information
以下是使用 AD 為使用者和群組完成 LDAP 組態的要求。
- 在 AD 上為 Data Domain 使用者設定群組,並設定該群組的 GID。
- 每個 AD 使用者都必須設定 UID 和 GID。
範例:
在 DD 上:
# authentication ldap groups show
LDAP Group Role ---------- ----- myadmins admin ---------- -----
在 AD 伺服器上:
# get-adgroup myadmins -properties * |findstr gidNumber gidNumber : 200 # get-aduser test -properties * |findstr uidNumber uidNumber : 600 #get-aduser test -properties * |findstr gidNumber gidNumber : 200
透過 SSH 連線
$ ssh test@ddve EMC Data Domain Virtual Edition Password: Last login: Thu Aug 19 17:25:23 PDT 2021 from xx.xx.xx.xx on gui Welcome to Data Domain OS 7.6.0.5-685135 ---------------------------------------- test@ddve4#
設定 Windows Server 2016 (及後續) 版本的 Active Directory 使用者和電腦中的 ID 對應:
在網域控制站上:
- 按一下系統管理工具
- 啟動 Active Directory 使用者和電腦 (ADUC)。
- 從檢視功能表中啟用進階功能。
- 前往使用者下的特定使用者物件
- 右鍵單擊用戶物件以打開「屬性」功能表,
- 轉到屬性編輯器選項卡。
- 若為「使用者」,請指定 uidNumber。在「群組」中,指定 gidNumber。
Affected Products
Data DomainArticle Properties
Article Number: 000190700
Article Type: Solution
Last Modified: 20 Aug 2025
Version: 3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.