Dell Unity: In a Multiprotocol Environment Using LDAP, Shared Access from Windows Clients Fails Due to No Mapping-User Correctable

Summary: This article explains how to isolate and work around incorrect LDAP user mapping on Unity when the password encryption method used on the LDAP server affects the mapping.

This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

Unity LDAP is configured correctly, but users are not mapped.

If the LDAP server is queried directly with the ldapsearch command, the users are returned correctly.

NOTE: The search command requires login to the root shell. Contact support if you need assistance; they can assist with enabling the root shell and using the command.

Command:

ldapsearch -h <ldapserver ip> -D "<BindDN>" -w <Password> -b "<BaseDN>" -s <scope(base,one,sub)> "cn=<username>"

Example of a successful command:

---------------------
root@solaris11:~# ldapsearch -h 5.6.7.xxx -D "cn=admin,dc=peeps,dc=lab" -w Password123# -b "ou=people,dc=peeps,dc=lab" -s sub "cn=user1"
version: 1
dn: uid=user1,ou=People,dc=peeps,dc=lab
uid: user1
uidNumber: 1
gidNumber: 1
cn: user1
sn: user1
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/user1
You have new mail in /var/mail/root
---------------------


However, looking up the same users with the svc_nas command fails with the following message:

Command:

svc_nas <server name> -ldap -lookup -user <user name>

Example of a failed command:

---------------------
service@********* spb:~/user# svc_nas nas_multi -ldap -lookup -user user2

nas_multi : commands processed: 1
command(s) succeeded
output is complete

1659693343: LDAP: 6: LdapService::connect: Connection to Ldap server ***.***.***.*** SUCCEEDED IP[0/1]=***.***.***.*** port=389
1659693343: LDAP: 3: User user2t: User name + password + uid + gid are too large to fit into buffer.
1659693343: LDAP: 6: Unable to get information for user user2
---------------------

In addition, the username shown in the failure message may carry extra, unexpected characters appended to it (user2t in the example above, where the user looked up is user2).

Example of a successful command:

---------------------
service@********* spb:~/user# svc_nas nas_multi -ldap -lookup -user user1

nas_multi : commands processed: 1
command(s) succeeded
output is complete

1659694219: LDAP: 6: user: user1, uid: 12333, gid: 12333, homeDir: /home/user1

Command succeeded
---------------------

Cause

The customer has set the LDAP password encryption method to "PBKDF2_SHA256."

Unity supports "PBKDF2_SHA256," but with a restriction: the sum of [username + password + uid + gid] must fit within 452 bytes.

With PBKDF2_SHA256 encryption, the stored password value can be long, so the 452-byte limit may be exceeded once the uidNumber, gidNumber, and uid are added to the total.

Exceeding the 452-byte limit causes shared access from Windows clients to fail because the user cannot be mapped in an LDAP multiprotocol environment.

For example, if the customer's stored password value uses 447 bytes, only 5 bytes remain for uidNumber, gidNumber, and uid combined.

Example that fits within the 452-byte limit:
userPassword = 404 bytes
uidNumber    =  16 bytes
gidNumber    =  16 bytes
uid          =  16 bytes
Total        = 452 bytes
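As an added pre-check, not part of Dell's article or of the Unity tooling: the script below reads LDIF as printed by ldapsearch (including folded lines and base64 "::" values), sums the byte lengths of uid, userPassword, uidNumber and gidNumber for each user, and flags entries that exceed the 452-byte limit described above. The sample LDIF and its hash-like values are constructed placeholders, and the counting rule (UTF-8 byte length of each value, uidNumber/gidNumber as decimal strings) is an assumption taken from the article's table.

```python
import base64
import re

# Article limit for PBKDF2_SHA256: uid + userPassword + uidNumber + gidNumber must fit in 452 bytes.
UNITY_PBKDF2_LIMIT = 452
COUNTED = ("uid", "userpassword", "uidnumber", "gidnumber")  # lowercase: LDAP attribute names are case-insensitive


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64' values, one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):  # unfold, then split on blank lines
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if line.startswith("#") or attr == "version":
                continue
            if value.startswith(":"):  # base64 value, which is how ldapsearch usually prints userPassword
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def check_entries(text, limit=UNITY_PBKDF2_LIMIT):
    """Return [(dn, total_bytes_or_None, verdict)] for each entry with a uid.
    Assumption: every value counts as its UTF-8 byte length, uidNumber/gidNumber as decimal strings."""
    results = []
    for entry in parse_ldif(text):
        if "uid" not in entry:
            continue
        dn = entry.get("dn", ["?"])[0]
        values = [entry.get(a, [None])[0] for a in COUNTED]
        if None in values:  # e.g. the bind DN is not allowed to read userPassword
            results.append((dn, None, "unknown: a counted attribute is not readable"))
            continue
        total = sum(len(v.encode("utf-8")) for v in values)
        results.append((dn, total, "OVER LIMIT" if total > limit else "ok"))
    return results


# Constructed sample (not real hashes): user1 carries a short base64-printed SSHA-512-style value,
# user2 a 447-byte PBKDF2_SHA256-style value (the figure the article uses), user3 has no readable password.
SSHA_B64 = base64.b64encode(b"{SSHA512}" + b"B" * 100).decode()
LONG_HASH = "{PBKDF2_SHA256}" + "A" * 432  # 15 + 432 = 447 bytes
SAMPLE_LDIF = "version: 1\n" + "".join(
    f"dn: uid={u},ou=People,dc=peeps,dc=lab\nuid: {u}\nuidNumber: {n}\ngidNumber: {n}\n{pw}\n\n"
    for u, n, pw in (("user1", 12333, "userPassword:: " + SSHA_B64),
                     ("user2", 12334, "userPassword: " + LONG_HASH), ("user3", 1, "")))
```

Running `check_entries(SAMPLE_LDIF)` reports user1 at 124 bytes (ok), user2 at 462 bytes (over the limit) and user3 as unknown because its userPassword is not visible to the bind used.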

Resolution

Consider using an encryption scheme other than PBKDF2_SHA256, for example SSHA-512.

LDAP Encryption Schemes Supported by Unity:
As of August 2022, the following ciphers are available in OE 5.2:
SHA, SHA-256, SHA-384, SHA-512, SSHA, SSHA-256, SSHA-384, SSHA-512, MD5, SMD5, PKCS5S2, CRYPT, CRYPT-MD5, CRYPT-SHA-256, CRYPT-SHA-512, PBKDF2_SHA256**
**When using PBKDF2_SHA256, the sum of [username + password + uid + gid] is limited to 452 Bytes.

Affected Products

Dell EMC Unity
Article Properties
Article Number: 000204586
Article Type: Solution
Last Modified: 14 Dec 2023
Version:  5