ONTAP LDAP Authentication Fails with UNIX Identities Using Windows AD
Applies to
- LDAP authentication with Windows Active Directory (AD) as LDAP server
- UNIX identities for login (SSH, HTTP, ONTAP GUI)
- ONTAP 9
Issue
ONTAP configured to use Windows AD as an LDAP server for UNIX identity authentication fails to allow users to log in via SSH or the GUI, even though user lookups succeed. The following symptoms and log messages were observed:
- User lookup works, but login fails:
    ::*> getxxbyyy getpwbyname -node node-01 -vserver svm -username user1
    pw_name: user1
    pw_passwd:
    pw_uid: 432214
    pw_gid: 999
    pw_gecos: user1
    pw_dir: /users/user1
    pw_shell: /bin/bash
- Event log shows authentication failure:
    ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: svm, username: user1, application: http
- Security login entries exist but authentication fails:
    ::*> security login show -vserver svm -user-or-group-name user1
    Vserver: svm
    User/Group Name  Application  Authentication Method  Role Name
    ---------------  -----------  ---------------------  ---------
    user1            http         nsswitch               admin
    user1            ontapi       nsswitch               admin
    user1            ssh          nsswitch               admin
- In some cases, EMS logs show:
    [secd: secd.unexpectedFailure:error]: Unexpected SecD failure in Vserver "admin". Details: Error: LdapGetfulluserinfo procedure failed[0ms] No servers available for LDAP_NIS_AND_NAME_MAPPING, vserver:-1, domain:.
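As an added example (not part of this article and not NetApp code), the following Python triage script scans exported EMS lines for the two messages shown above, counts failed nsswitch logins per Vserver, user and application, and reports whether they coincided with the SecD "No servers available" error. The sample EMS lines are constructed from the messages quoted here; a real EMS export would be read from a file instead.

```python
import re
from collections import Counter

# Constructed sample EMS text for this example. The message shapes follow the
# ALERT and secd lines quoted in the article; the extra user2 line is made up.
SAMPLE_EMS = """\
[secd: secd.unexpectedFailure:error]: Unexpected SecD failure in Vserver "admin". Details: Error: LdapGetfulluserinfo procedure failed[0ms] No servers available for LDAP_NIS_AND_NAME_MAPPING, vserver:-1, domain:.
ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: svm, username: user1, application: http
ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: svm, username: user1, application: ssh
ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: svm, username: user2, application: ssh
"""

# Failed-login ALERT: capture Vserver, user name and application.
LOGIN_RE = re.compile(
    r"security\.invalid\.login: Failed to authenticate login attempt to "
    r"Vserver: (?P<vserver>[^,]+), username: (?P<user>[^,]+), "
    r"application: (?P<app>[A-Za-z0-9_-]+)"
)
# SecD failure line: keep the free-text detail after the event name.
SECD_RE = re.compile(r"secd\.unexpectedFailure:error\]: (?P<detail>.*)$")
NO_LDAP_SERVERS = "No servers available for LDAP_NIS_AND_NAME_MAPPING"


def triage(ems_text):
    """Summarise failed logins and whether LDAP was reported unreachable."""
    failures = Counter()  # (vserver, user, app) -> number of failed attempts
    ldap_unreachable = False
    for line in ems_text.splitlines():
        secd = SECD_RE.search(line)
        if secd and NO_LDAP_SERVERS in secd.group("detail"):
            ldap_unreachable = True
            continue
        login = LOGIN_RE.search(line)
        if login:
            failures[(login["vserver"], login["user"], login["app"])] += 1
    return {
        "ldap_unreachable": ldap_unreachable,
        "failed_logins": dict(failures),
        "affected_users": sorted({user for _, user, _ in failures}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_EMS)
    print("LDAP unreachable:", summary["ldap_unreachable"])
    for key, count in sorted(summary["failed_logins"].items()):
        print("failed login", key, "x", count)
```

When `ldap_unreachable` is reported alongside the failed logins, the per-user failures are a symptom of the LDAP backend being unavailable rather than of the individual login entries shown by `security login show`.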
