
Thread: LDAP & DSS NAS Integration

  1. #1
    Join Date
    Sep 2007
    Posts
    80

    LDAP & DSS NAS Integration

    The following questions relate to using LDAP with the NAS function of DSS. I have also asked Support, who suggest using V1.23 (we are using V1.32), but have not yet answered the other questions, but our customer needs to know now. Can I please ask anyone who has experience with using LDAP with DSS/NAS?

    (A) Please can you clarify the meaning of the following statement from the DSS User Guide...
    Users should be stored in Organization Unit (ou) "People", groups in "Groups", and computers in "Computers".

    Does this mean that if the user's existing LDAP directory does not look like above (which would appear to be rather unlikely), then DSS will not be able to access user accounts? Our educational customer has a large LDAP directory structure with about 30,000 (30.000) objects in it, as follows...

    PolytechName
      Campus 1
        Staff
          <user accounts>
        Students
          <user accounts>
      Campus 2
        Staff
          <user accounts>
        Students
          <user accounts>
      Campus 3 etc.

    Can you please tell us how to make this work?

    (B) We need to provide access to both Staff & Students at 1 Campus (at the moment, and maybe > 1 Campus later).

    Does it search for users down the directory tree starting at the Base DN? or just look at one container? (hopefully not!)

    (C) We understand that Netware eDirectory is not natively supported, but as it is LDAP-based, we think it should work.
    The standard container "types" used in all Novell directories are "Organisation" ("o") and "Organisation Unit" ("ou"), so this gives us the following settings....
    Base DN: ou=Campus1,o=PolytechName
    admin DN: cn=admin,ou=Campus1,o=PolytechName

    Should we be using "ou=Campus1" or "dc=Campus1" instead?

    But using these causes DSS to run VERY slowly, and all responses to the web interface are very very slow. Maybe this is the post V1.23 issue.

    Thanks for any help you can provide us.

  2. #2
    Join Date
    Sep 2007
    Posts
    80


    Further to this, we have tried LDAP with DSS v1.23, again with no luck.

    (A) We verified general directory/NAS operation by using AD mode to access our AD.

    (B) We then tried to use LDAP mode to access our AD, replicating the directory structure (with People, Groups, and Computers containers under the Base DN) exactly as per the DSS User Guide (though we note that we created the People & Group OUs, while the existing Computers object was of a "container" type).

    We used an LDAP util (Softerra LDAP browser 2.5.3) against the AD to verify correct DN format, and we see regular successful login events in the AD server's Audit Log from the DSS server. BUT no users/groups ever appear in the NAS Resources Users/Groups list.

    (C) Back to Netware and LDAP access to eDirectory and DSS v1.32:
    We get the following LDAP trace...
    "LDAPSearchToCB failed to send any entries, err = remote failure (-635)"
    which we understand relates to an invalid/etc. attribute encountered.

    If anyone has anything to offer, we would appreciate it!
    Regards

  3. #3


    Hello,

    anything new on this? We are also very interested in using Open-E DSS with an external LDAP, but the external LDAP documentation appears to be a bit holey. Is there anyone out there who has some experience with using external LDAP and Open-E?

    Regards
    Bernhard Hahn

  4. #4
    Join Date
    May 2008
    Location
    Hamburg, Germany
    Posts
    108


    Quote Originally Posted by bhahn
    Hello,

    anything new on this? We are also very interested in using Open-E DSS with an external LDAP, but the external LDAP documentation appears to be a bit holey. Is there anyone out there who has some experience with using external LDAP and Open-E?

    Regards
    Bernhard Hahn

    Bernhard,

    we're using an external LDAP setup (OpenLDAP2 v2.4.9) with DSS (5.0.DB49000000.3278) in connection with NFS and SMB access. Seems to work fine, although we suffer from a rather slow DSS web interface; I hadn't attributed that to using LDAP until I stumbled over this thread.

    (Unix and SaMBa) users are in "ou=people,<our LDAP root>", Unix groups in "ou=group,<our LDAP root>". SaMBa groups are in "ou=samba,ou=group,<our LDAP root>".

    SaMBa hosts are in "ou=samba,ou=hosts,<our LDAP root>".

    Our (only a handful of) MS Windows clients are members of a SaMBa-based domain; all SaMBa accounts are stored in the LDAP tree as well, in the branches mentioned above.

    We have set "base domain name" in DSS's advanced LDAP configuration to "<our LDAP root>".

    Regards,
    Jens

  5. #5


    Hi,

    thanks for your reply! I figured out how to integrate users and groups samba like into ldap. By logging in to a share I got the following error message in the DSS samba logfiles.

    [2009/04/16 09:49:27, 0] auth/pampass.c:smb_pam_account(572)
    smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: bhahn
    [2009/04/16 09:49:27, 0] auth/pampass.c:smb_pam_accountcheck(780)
    smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User bhahn!

    Google doesn't help...

    Rgds
    Bernhard

  6. #6
    Join Date
    May 2008
    Location
    Hamburg, Germany
    Posts
    108


    Quote Originally Posted by bhahn
    Hi,

    thanks for your reply! I figured out how to integrate users and groups samba like into ldap. By logging in to a share I got the following error message in the DSS samba logfiles.

    [2009/04/16 09:49:27, 0] auth/pampass.c:smb_pam_account(572)
    smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: bhahn
    [2009/04/16 09:49:27, 0] auth/pampass.c:smb_pam_accountcheck(780)
    smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User bhahn!

    Google doesn't help...

    Rgds
    Bernhard

    Bernhard,

    how have you created the user/group entries in openLDAP, manually or via SaMBa? Do you use a SaMBa server, too? If yes: Can the SaMBa server work with the entries or does it have problems as well?

    I had quite a time to set all references (SaMBa to Unix groups&users) straight and had created a number of entries manually, but in the meantime both the SaMBa server and DSS seem to like our LDAP content.

    Have you checked the slapd logs to see what queries are sent by the DSS and whether valid results are returned or not?

    I've found the following message that may be related to the source of your trouble:

    https://forums.openfiler.com/viewtopic.php?id=1741

    Regards
    Jens
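
Added example, not part of the original thread: a small Python script for the slapd log check suggested in post #6. It pairs each search request in an OpenLDAP stats-level log with its result and lists the searches that returned an error or no entries, together with the base DN and scope the client used (the scope question from post #1). The log lines, host name and user name are constructed; the DNs borrow the layout from post #1 for illustration only.

```python
import re

# slapd "stats" log level: one SRCH line per request, one SEARCH RESULT per reply.
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="(.*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
SCOPES = {"0": "base", "1": "onelevel", "2": "subtree"}

# Constructed sample log (not from the thread); DNs reuse the layout from post #1.
SAMPLE_LOG = """\
Apr 16 09:49:26 ldap1 slapd[2211]: conn=1021 op=1 SRCH base="ou=Campus1,o=PolytechName" scope=2 deref=0 filter="(uid=jsmith)"
Apr 16 09:49:26 ldap1 slapd[2211]: conn=1021 op=1 SRCH attr=uid uidNumber gidNumber
Apr 16 09:49:26 ldap1 slapd[2211]: conn=1021 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 16 09:49:27 ldap1 slapd[2211]: conn=1022 op=1 SRCH base="ou=Campus1,o=PolytechName" scope=1 deref=0 filter="(uid=jsmith)"
Apr 16 09:49:27 ldap1 slapd[2211]: conn=1022 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 16 09:49:28 ldap1 slapd[2211]: conn=1023 op=2 SRCH base="ou=People,ou=Campus1,o=PolytechName" scope=2 deref=0 filter="(objectClass=posixAccount)"
Apr 16 09:49:28 ldap1 slapd[2211]: conn=1023 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

def paired_searches(lines):
    """Match every SRCH request to its SEARCH RESULT via (conn, op)."""
    pending, done = {}, []
    for line in lines:
        line = line.strip()
        m = SRCH.search(line)
        if m:  # "SRCH attr=..." lines do not match and are skipped
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {"base": base, "filter": flt,
                                   "scope": SCOPES.get(scope, scope)}
            continue
        m = RESULT.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            req = pending.pop((conn, op), None)
            if req is not None:  # result without a logged request: ignore
                req.update(err=int(err), nentries=int(nentries))
                done.append(req)
    return done

def failed_searches(lines):
    """Searches that ended with an LDAP error or matched nothing."""
    return [s for s in paired_searches(lines) if s["err"] != 0 or s["nentries"] == 0]

if __name__ == "__main__":
    for s in failed_searches(SAMPLE_LOG.splitlines()):
        print(f'err={s["err"]} nentries={s["nentries"]} scope={s["scope"]} '
              f'base="{s["base"]}" filter="{s["filter"]}"')
```

In the constructed sample, the one-level search finds nothing because the account sits in a sub-container below the base DN, and err=32 (noSuchObject) marks a base DN that does not exist in the tree.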
