ONTAP LDAP Authentication Fails with UNIX Identities Using Windows AD
Applies to
- LDAP authentication with Windows Active Directory (AD) as LDAP server
- UNIX identities for login (SSH, HTTP, ONTAP GUI)
- ONTAP 9
Issue
ONTAP configured to use Windows AD as an LDAP server for UNIX identity authentication fails to allow users to log in via SSH or GUI, even though user lookups succeed. The following symptoms and log messages were observed:
- User lookup works, but login fails:
  ::*> getxxbyyy getpwbyname -node node-01 -vserver svm -username user1
  pw_name: user1
  pw_passwd:
  pw_uid: 432214
  pw_gid: 999
  pw_gecos: user1
  pw_dir: /users/user1
  pw_shell: /bin/bash
- Event log shows authentication failure:
  ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: svm, username: user1, application: http.
- Security login entries exist but authentication fails:
  ::*> security login show -vserver svm -user-or-group-name user1
  Vserver: svm
  User/Group Name  Application  Authentication Method  Role Name
  ---------------- ------------ ---------------------- ----------
  user1            http         nsswitch               admin
  user1            ontapi       nsswitch               admin
  user1            ssh          nsswitch               admin
- In some cases, EMS logs show:
  [secd: secd.unexpectedFailure:error]: Unexpected SecD failure in Vserver "admin". Details: Error: LdapGetfulluserinfo procedure failed[0ms] No servers available for LDAP_NIS_AND_NAME_MAPPING, vserver:-1, domain:.
