How does LDAP name-mapping work?
Applies to
- ONTAP 9
- LDAP
- name-mapping
Answer
- ONTAP 9 uses an ns-switch database to determine how to process name-mapping
- For user lookups or symmetric name-mapping, LDAP should be specified as a source for passwd and group
  - This enables implicit mapping to utilize LDAP
  - Windows users are mapped 1-to-1 by their username, e.g. "user1" is UNIX user "user1"
  - LDAP is only queried to verify that "user1" exists and, if so, to fetch the UNIX account attributes and UNIX group memberships
  - LDAP should not be specified as a source for namemap for this use case
- If asymmetric name-mapping is needed, LDAP can be configured to handle this
  - This can serve as a replacement for the "vserver name-mapping" rules used for win-unix or unix-win explicit mapping
  - The LDAP client schema in ONTAP specifies which attributes to query to identify the corresponding UNIX or Windows user account
  - Attributes must be defined for both Windows and UNIX users
  - LDAP should be specified as a source for namemap for this use case
  - See TR-4835, "Use of LDAP to serve name mapping rules", for more information
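The two ns-switch configurations described above, as an added ONTAP CLI example (not part of the original article); the SVM name svm1, the cluster prompt and the schema name MyRFC-2307 are assumptions, and the LDAP client itself is assumed to already exist.

```console
# Symmetric (implicit) mapping: LDAP serves passwd and group, namemap stays on files only
cluster1::> vserver services name-service ns-switch modify -vserver svm1 -database passwd -sources files,ldap
cluster1::> vserver services name-service ns-switch modify -vserver svm1 -database group -sources files,ldap
cluster1::> vserver services name-service ns-switch modify -vserver svm1 -database namemap -sources files

# Asymmetric mapping: add LDAP as a namemap source so the schema attributes replace explicit vserver name-mapping rules
cluster1::> vserver services name-service ns-switch modify -vserver svm1 -database namemap -sources files,ldap

# Verify the resulting source order per database before testing a mapping
cluster1::> vserver services name-service ns-switch show -vserver svm1

# Confirm the client schema defines the Windows and UNIX attributes the namemap lookups will query
cluster1::> vserver services name-service ldap client schema show -vserver svm1 -schema MyRFC-2307
```

If namemap lists ldap but the schema leaves the Windows-to-UNIX attributes unset, explicit lookups fall through to the remaining sources, so check the schema output before removing any existing name-mapping rules.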
Additional Information