1 - EMC Isilon Customer Troubleshooting Guide: Troubleshoot your LDAP
Authentication Provider
We appreciate your help in improving this document. Submit your feedback at http://bit.ly/isi-docfeedback.
Abstract
This guide will help you to troubleshoot the following scenarios:
- The user is unable to connect to the cluster by IP address.
- The user is unable to connect to the cluster by FQDN or SmartConnect zone.
- The user is unable to connect to some nodes.
- The LDAP authentication provider is reporting as offline.
January 5, 2018
EMC ISILON CUSTOMER TROUBLESHOOTING GUIDE
TROUBLESHOOT YOUR LDAP AUTHENTICATION PROVIDER
OneFS 7.2 - 8.1.0
Contents and overview
Note: Follow all of these steps, in order, until you reach a resolution.
1. Follow these steps:
   Page 3  Before you begin
2. Perform troubleshooting steps in order:
   Page 4  Start troubleshooting
   Page 5  LDAP configuration
   Page 6  Access zone configuration
   Page 8  Verify required user attributes
   Page 10 NTLM password hash
   Page 11 NT password attribute
   Page 12 Test authentication
   Page 16 LDAP is offline
   Page 18 Verify LDAP configuration
   Page 19 Test LDAP ports
   Page 22 Verify secure LDAP configuration - StartTLS
   Page 23 Verify secure LDAP configuration - SSL
   Page 29 Test LDAP
3. Appendixes:
   Appendix A If you need further assistance
   Appendix B How to use this flowchart
   Appendix C Example output isi auth ldap view <provider>
   Appendix D Example output isi auth users view <user> --provider=ldap
   Appendix E Example LDIF output
Configure logging through SSH
We recommend that you configure screen logging to log all session input and output during your troubleshooting session.
This log file can be shared with EMC Isilon Technical Support if you require assistance at any point during troubleshooting.
Note: The screen session capability does not work in OneFS 7.1.0.6 and 7.1.1.2. If you are running either of these versions,
configure logging by using your local SSH client's logging feature.
1. Open an SSH connection to the cluster and log in by using the root account.
Note: If the cluster is in compliance mode, use the compadmin account to log in. All compadmin commands must be
preceded by the sudo prefix.
2. Change the directory to /ifs/data/Isilon_Support by running the following command:
cd /ifs/data/Isilon_Support
3. Run the following command to capture all input and output from the session:
screen -L
This will create a file named screenlog.0 that will be appended to during your session.
4. Perform troubleshooting.
Before you begin
CAUTION! If the node, subnet, or pool that you are working on goes down during the course of troubleshooting and you do not have any other way to connect to the cluster, you could experience data unavailability.
Therefore, make sure that you have more than one way to connect to the cluster before you start this troubleshooting process. The best method is to have a serial cable available. This way, if you are unable to connect through the network, you will still be able to connect to the cluster physically.
For specific requirements and instructions for making a physical connection to the cluster, see article 16744 on the EMC Online Support site.
Before you begin troubleshooting, confirm that you can either connect through another subnet or pool, or that you have physical access to the cluster.
Page 4 - Start troubleshooting
Introduction: Start troubleshooting here. If you need help to understand the flowchart conventions used in this guide, see Appendix B: How to use this flowchart.
Start: If you have not done so already, log in to the cluster and configure screen logging through SSH, as described on page 3.
Verify that your LDAP provider is online by running the following command:
isi auth status
See the example output at the bottom of this page.
Is the LDAP provider reporting as online?
Yes: Go to Page 5
No: Go to Page 16
Example isi auth status output
ID Active Server Status
------------------------------------------------------------------------------
lsa-activedirectory-provider:AD.JBLOGS.COM ad-dc.jblogs.com online
lsa-local-provider:System - active
lsa-file-provider:System - active
lsa-ldap-provider:ldap_example ldap://192.168.100.50 online
lsa-nis-provider:nis_example 192.168.100.50 online
Page 5 - LDAP configuration
You could have arrived here from:
Page 4 - Start troubleshooting
Verify that your LDAP provider is enabled by running the following command, where <provider> is the name of the LDAP provider:
isi auth ldap view <provider>
See Appendix C for example output.
Is the LDAP provider enabled?
No: Enable the LDAP provider by running the following command, where <provider> is the name of the LDAP provider:
isi auth ldap modify <provider> --enabled=yes
Yes: Go to Page 6
Page 6 - Access zone configuration
You could have arrived here from:
Page 5 - LDAP configuration
View the access zone configuration by running the following command:
isi zone zones list --verbose
See example output at the bottom of this page.
Go to Page 7
Example isi zone zones list --verbose output
Cluster1# isi zone zones list --verbose
Name: System
Cache Size: 4.77M
Map Untrusted:
SMB Shares: -
Auth Providers: lsa-local-provider:System, lsa-file-provider:System, lsa-ldap-provider:ldap_example, lsa-nis-provider:nis_example
Local Provider: Yes
NetBIOS Name:
All SMB Shares: Yes
All Auth Providers: No
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Audit Success: close, create, delete, get_security, logoff, logon, read, rename, set_security, tree_connect, write
Audit Failure: close, create, delete, get_security, logoff, logon, read, rename, set_security, tree_connect, write
Zone ID: 1
--------------------------------------------------------------------------------
Name: Zone2
Cache Size: 4.77M
Map Untrusted:
SMB Shares: Zone2 Files:Files, Home:Home
Auth Providers: lsa-local-provider:System, lsa-file-provider:System, lsa-ldap-provider:ldap_example, lsa-nis-provider:nis_example
Local Provider: Yes
NetBIOS Name:
All SMB Shares: No
All Auth Providers: No
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Audit Success: close, create, delete, get_security, logoff, logon, read, rename, set_security, tree_connect, write
Audit Failure: close, create, delete, get_security, logoff, logon, read, rename, set_security, tree_connect, write
Zone ID: 2
Page 7 - Access zone configuration (2)
You could have arrived here from:
Page 6 - Access zone configuration
Note: Using the output from page 6, find the zone you are connecting to and note whether All Auth Providers is set to Yes or the authentication provider is listed in the Auth Providers section.
Are all authentication providers enabled for the zone you are connecting to?
Yes: Go to Page 8
No: In the isi zone zones list --verbose output, is the LDAP provider listed as an authentication provider for the zone you are connecting to?
  Yes: Go to Page 8
  No: Add the LDAP provider to the zone by running the following command, where <zone> is the zone name, <provider-type> is ldap, and <provider-name> is the name of the LDAP provider:
  isi zone zones modify <zone> --add-auth-providers=<provider-type>:<provider-name>
  For example: isi zone zones modify zone2 --add-auth-providers=ldap:ldap1
  Then go to Page 8.
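The two checks on this page (All Auth Providers set to Yes, or the provider named under Auth Providers) are easy to get wrong by eye when a cluster has many zones. The script below is an added example, not OneFS code or anything shipped with this guide: it parses the record layout that isi zone zones list --verbose prints and answers the question for one zone and one LDAP provider, emitting the page's own remediation command when the provider is not in effect. The embedded sample is the page-6 output with the wrapped lsa-nis-provider line re-joined and the audit lines omitted.

```python
"""Work out whether an LDAP provider is in effect for an access zone.

Added example, not OneFS code. It parses the record layout printed by
`isi zone zones list --verbose` and applies the two checks from page 7 of
the guide: the zone has All Auth Providers set to Yes, or the provider id
appears in its Auth Providers list. Sample is the page-6 output, abridged.
"""

ZONE_LIST_SAMPLE = """\
Name: System
Cache Size: 4.77M
Map Untrusted:
SMB Shares: -
Auth Providers: lsa-local-provider:System, lsa-file-provider:System, lsa-ldap-provider:ldap_example, lsa-nis-provider:nis_example
Local Provider: Yes
NetBIOS Name:
All SMB Shares: Yes
All Auth Providers: No
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Zone ID: 1
--------------------------------------------------------------------------------
Name: Zone2
Cache Size: 4.77M
Map Untrusted:
SMB Shares: Zone2 Files:Files, Home:Home
Auth Providers: lsa-local-provider:System, lsa-file-provider:System, lsa-ldap-provider:ldap_example, lsa-nis-provider:nis_example
Local Provider: Yes
NetBIOS Name:
All SMB Shares: No
All Auth Providers: No
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Zone ID: 2
"""


def parse_zone_list(text):
    """Split the verbose listing into one dict per zone.

    Records are separated by a line of dashes. Each field is "Key: Value", and
    values may themselves contain colons (provider ids, share mappings), so
    only the first colon on a line is treated as the separator.
    """
    zones, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:          # record separator
            if current:
                zones.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        zones.append(current)
    return zones


def auth_providers(zone):
    """The Auth Providers field as a list of provider ids ('-' means none)."""
    raw = zone.get("Auth Providers", "")
    return [p.strip() for p in raw.split(",") if p.strip() and p.strip() != "-"]


def ldap_provider_status(zones, zone_name, provider_name):
    """Return (effective, reason) for the named LDAP provider in the named zone.

    The id format lsa-ldap-provider:<name> is the one the page-6 listing uses.
    """
    zone = next((z for z in zones if z.get("Name") == zone_name), None)
    if zone is None:
        return False, f"zone {zone_name!r} not found"
    if zone.get("All Auth Providers", "").lower() == "yes":
        return True, "All Auth Providers is Yes"
    provider_id = f"lsa-ldap-provider:{provider_name}"
    if provider_id in auth_providers(zone):
        return True, f"{provider_id} is listed under Auth Providers"
    return False, f"{provider_id} is not listed under Auth Providers"


def remediation_command(zone_name, provider_name):
    """The page-7 command that adds the LDAP provider to the zone."""
    return f"isi zone zones modify {zone_name} --add-auth-providers=ldap:{provider_name}"


if __name__ == "__main__":
    zones = parse_zone_list(ZONE_LIST_SAMPLE)
    for zone_name, provider in (("Zone2", "ldap_example"), ("Zone2", "ldap_other")):
        ok, reason = ldap_provider_status(zones, zone_name, provider)
        print(f"{zone_name}/{provider}: {'OK' if ok else 'NOT EFFECTIVE'} ({reason})")
        if not ok:
            print("  fix:", remediation_command(zone_name, provider))
```

On a cluster you would feed the real listing in (for example, by piping the command output into parse_zone_list) rather than the embedded sample; the parser treats only a full line of dashes as a record boundary, so a zone whose SMB Shares value is "-" is not split.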
Page 8 - Verify required user attributes
You could have arrived here from:
Page 7 - Access zone configuration (2)
Note: Certain LDAP user attributes need to be configured properly in order for user or group authentication to work.
To check whether the required user attributes are configured properly, run the following command, where <user> is the user name of the user who cannot authenticate and <provider-name> is the name of the provider:
isi auth users view <user> --provider=ldap:<provider-name>
See Appendix D for example output and a list of required user attributes.
To ensure user or group authentication, certain user attributes need to be configured. Using the example output in Appendix D, verify whether or not the required user attributes are configured on your LDAP provider.
Are the required user attributes configured properly?
Yes: Go to Page 9
No: Go to Page 14
Page 9 - Verify required user attributes (2)
You could have arrived here from:
Page 8 - Verify required user attributes
Was the correct user information returned? See Appendix D for example output.
No: Have your local LDAP administrator provide you with example LDIF output for the user and group in question. Attach this to your Isilon Technical Support service request (SR). See Appendix E for example LDIF output. Note the page number that you are currently on. Upload log files and contact Isilon Technical Support, as instructed in Appendix A.
Yes: Is the user who is unable to authenticate an SMB user?
  Yes: Go to Page 10
Page 10 - NTLM password hash
You could have arrived here from:
Page 9 - Verify required user attributes (2)
Page 15 - Verify required user attributes (4)
Note: OneFS 6.5 and later versions require the NTLM password hash for LDAP authentication over SMB.
Does your LDAP provider have the NTLM password hash propagated?
Yes: Go to Page 11
No: Contact your local LDAP administrator to propagate the NTLM password hash in order for SMB authentication to work.
Do not know: Note the page number that you are currently on. Upload log files and contact Isilon Technical Support, as instructed in Appendix A.
Page 11 - NT password attribute
You could have arrived here from:
Page 10 - NTLM password hash
The NT Password attribute needs to be configured for SMB authentication. View the Nt Password Attribute for your LDAP provider by running the following command, where <provider> is the name of the LDAP provider:
isi auth ldap view <provider>
See Appendix C for example output.
Does the Nt Password Attribute match the attribute configured in your LDAP schema?
Yes: Go to Page 12
No: To edit the Nt Password Attribute, run the following command, where <provider> is the name of the LDAP provider and <attribute> is the NT password attribute that is configured in your LDAP schema:
isi auth ldap modify <provider> --nt-password-attribute <attribute>
Note: The attribute is case sensitive.
Then go to Page 12.
Page 12 - Test authentication
You could have arrived here from:
Page 11 - NT password attribute
Test authentication by performing the following three steps on the affected node. If each step completes successfully, authentication is working.
1. Attempt to map a user token by running the following command, where <user> is the user name of the user:
isi auth mapping token --user="<user>"
See example output at the bottom of this page. An error message is returned if this step fails.
Go to Page 13
Example isi auth mapping token --user="<user>" output
Cluster-1# isi auth mapping token --user="testuser1"
User
Name: TEST\testuser1
UID: 11838
SID: S-1-5-21-1606848-115176313-8392115-156283
On Disk: 11838
ZID: 1
Zone: System
Privileges: -
Primary Group
Name: TEST\domain users
GID: 10006
SID: S-1-5-21-1606848-115176313-8392115-513
On Disk: 10006
Supplemental Identities
Name: TEST\security_group_1
GID: 11930
SID: S-1-5-21-1606988-115176313-8395115-444484
Name: TEST\building_access
GID: 13320
SID: S-1-5-21-1680848-115176313-8392115-921913
Page 13 - Test authentication (2)
You could have arrived here from:
Page 12 - Test authentication
2. From a client, attempt to connect to the affected node by IP address and access a share. Type the following in the Run box, where <nodeIP> is the IP address of the node and <share> is the name of a share:
\\<nodeIP>\<share>
3. Test NTLM authentication by connecting to the affected node by IP address. Run the following command, where:
<drive> is the letter of a drive that is not currently in use.
<nodeIP> is the IP address of the node.
<share> is the name of a share.
<user> is the user name of the user.
net use <drive> \\<nodeIP>\<share> /user:<user>
Did the three test steps complete successfully?
Yes: End troubleshooting
No: Have your local LDAP administrator provide you with example LDIF output for the user and group in question. Attach this to your Isilon Technical Support service request (SR). See Appendix E for example LDIF output. Note the page number that you are currently on. Upload log files and contact Isilon Technical Support, as instructed in Appendix A.
Page 14 - Verify required user attributes (3)
You could have arrived here from:
Page 8 - Verify required user attributes
Configure the required user attributes properly. For instructions, see the "Modify an LDAP provider" section of the OneFS Administration Guide for your version of OneFS. For a list of attributes to modify, see the "isi auth ldap modify" section of the same guide.
Verify that the required user attributes are configured properly by running the following command, where <user> is the user name:
isi auth users view <user> --provider=ldap
See Appendix D for example output and a list of required user attributes.
Are the required user attributes configured properly?
Yes: Was the correct user information returned? See Appendix D for example output.
  Yes: Go to Page 15
  No: Note the page number that you are currently on. Upload log files and contact Isilon Technical Support, as instructed in Appendix A.
Page 15 - Verify required user attributes (4)
You could have arrived here from:
Page 14 - Verify required user attributes (3)
Can the user now connect using the desired protocol?
Yes: End troubleshooting
No: Is the user an SMB user?
  Yes: Return to Page 10
  No: Have your local LDAP administrator provide you with example LDIF output for the user and group in question. Attach this to your Isilon Technical Support service request (SR). See Appendix E for example LDIF output. Note the page number that you are currently on. Upload log files and contact Isilon Technical Support, as instructed in Appendix A.
Page 16 - LDAP is offline
You could have arrived here from:
Page 4 - Start troubleshooting
Note: Certain LDAP provider attributes need to be configured properly, or they can trigger an offline state.
To check whether the required provider attributes are configured properly, run the following command, where <provider> is the provider name:
isi auth ldap view <provider>
See Appendix C for example output and a list of required provider attributes.
Certain criteria can trigger an offline state. Using the example output in Appendix C, verify whether or not the required provider attributes are properly configured on your LDAP provider.
Are the provider attributes configured properly?
No: Go to Page 17
Yes: Is a secure connection to the LDAP server required?
  No: Go to Page 18
  Yes: Go to Page 21
Page 17 - Verify required user attributes (5)
You could have arrived here from:
Page 16 - LDAP is offline
Configure the required provider attributes properly. For instructions, see the "Modify an LDAP provider" section of the OneFS Administration Guide for your version of OneFS. For a list of attributes to modify, see the "isi auth ldap modify" section of the same guide.
Verify that the required provider attributes are configured properly by running the following command, where <provider> is the provider name:
isi auth ldap view <provider>
See Appendix C for example output and a list of required provider attributes.
Are the required provider attributes configured properly?
Yes: Was the correct provider information returned? See Appendix C for example output.
  Yes: Go to Page 18
  No: Note the page number that you are currently on. Upload log files and contact Isilon Technical Support, as instructed in Appendix A.
Page 18 - Verify LDAP configuration
You could have arrived here from:
Page 16 - LDAP is offline
Page 17 - Verify required user attributes (5)
From the isi auth ldap view <provider> output in Appendix C, verify that Server Uris (item c) begins with ldap: and not ldaps:.
To edit the Server Uri attribute, run the following command, where <provider> is the name of the provider and <ip or fqdn> is either the IP address or the FQDN of the server:
isi auth ldap modify --provider-name=<provider> --server-uris=ldap://<ip or fqdn>
From the isi auth ldap view <provider> output in Appendix C, verify that Require Secure Connection (item g) is set to No.
To disable the Require Secure Connection attribute, run the following command, where <provider> is the name of the provider:
isi auth ldap modify --provider-name=<provider> --require-secure-connection=no
Go to Page 19
Page 19 - Test LDAP ports
You could have arrived here from:
Page 18 - Verify LDAP configuration
Page 20 - Test LDAP ports (2)
Page 25 - Verify secure LDAP configuration (3)
Page 26 - Verify secure LDAP configuration (4)
Note: The nc -z commands start a new TCP session to the specified IP address and port to test whether the ports are listening.
Are you using SSL for your LDAP connectivity?
Yes: For each LDAP server, run this command, where <ldapIP> is the IP address of the LDAP server:
nc -z <ldapIP> 636
No: For each LDAP server, run this command, where <ldapIP> is the IP address of the LDAP server:
nc -z <ldapIP> 389
Go to Page 20
Page 20 - Test LDAP ports (2)
You could have arrived here from:
Page 19 - Test LDAP ports
What were the results of the nc -z commands that you ran on page 19?
Succeed on All: Go to Page 28
Failed on All: Go to Page 27
Mixed Results (the command succeeded on some LDAP servers and failed on others): Consult with your local networking or LDAP administrator to allow the failed servers to respond on the necessary ports.
Page 21 - Test LDAP ports (3)
You could have arrived here from:
Page 16 - LDAP is offline
Which method of LDAP connectivity are you using?
StartTLS: Go to Page 22
SSL: Go to Page 23
Page 22 - Verify secure LDAP configuration, StartTLS
You could have arrived here from:
Page 21 - Test LDAP ports (3)
StartTLS: From the isi auth ldap view <provider> output in Appendix C, verify that Server Uris (item c) begins with ldap: and not ldaps:.
To edit the Server Uri attribute, run the following command, where <provider> is the name of the provider and <ip or fqdn> is either the IP address or the FQDN of the server:
isi auth ldap modify --provider-name=<provider> --server-uris=ldap://<ip or fqdn>
Go to Page 24
Page 23 - Verify secure LDAP configuration, SSL
You could have arrived here from:
Page 21 - Test LDAP ports (3)
SSL: From the isi auth ldap view <provider> output in Appendix C, verify that Server Uris (item c) begins with ldaps: and not ldap:.
To edit the Server Uri attribute, run the following command, where <provider> is the name of the provider and <short or fqdn> is either the DNS short name or the FQDN of the server:
isi auth ldap modify --provider-name=<provider> --server-uris=ldaps://<short or fqdn>
The Server URI attribute must match what is in the certificate.
Go to Page 24
Page 24 - Verify secure LDAP configuration (2)
You could have arrived here from:
Page 22 - Verify secure LDAP configuration, StartTLS
Page 23 - Verify secure LDAP configuration, SSL
From the isi auth ldap view <provider> output in Appendix C, verify that Require Secure Connection (item g) is set to No.
To disable the Require Secure Connection attribute, run the following command, where <provider> is the name of the provider:
isi auth ldap modify --provider-name=<provider> --require-secure-connection=no
Go to Page 25
Page 25 - Verify secure LDAP configuration (3)
You could have arrived here from:
Page 24 - Verify secure LDAP configuration (2)
Does the LDAP server use a private certificate?
No: Return to Page 19
Yes: Go to Page 26
Page 26 - Verify secure LDAP configuration (4)
You could have arrived here from:
Page 25 - Verify secure LDAP configuration (3)
To specify the Certificate Authority File, run the following command, where <provider> is the name of the provider and <location> is the file path of the certificate authority file in /ifs:
isi auth ldap modify <provider> --certificate-authority-file=<location>
See Appendix C for example output.
To configure the LDAP provider to ignore TLS errors, run the following command, where <provider> is the name of the provider:
isi auth ldap modify <provider> --ignore-tls-errors=yes
See Appendix C, item "e", for example output.
Return to Page 19
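Pages 16 through 26 reduce to a handful of checks on the isi auth ldap view output: the Appendix C attributes are set, the Server Uris scheme matches the connection method (ldap: on pages 18 and 22, ldaps: on page 23), an SSL URI names the host as it appears in the certificate, and the TLS-related settings are in the state the guide expects. The script below is an added example, not OneFS code or part of this guide, that applies those checks to the view output in one pass. The field names are the ones Appendix C lists; the sample values, the hostname ldap.example.com and the certificate path are constructed. It also flags Ignore TLS Errors set to Yes: that setting disables certificate validation for the provider, so for a private certificate the Certificate Authority File is the fix to keep, and the ignore setting is one to revert once troubleshooting ends.

```python
"""Check an LDAP provider definition the way pages 16 to 26 of the guide do.

Added example, not OneFS code. Parses the "Key: Value" lines printed by
`isi auth ldap view <provider>`, confirms the Appendix C attributes are set,
checks the Server Uris scheme against the connection mode being
troubleshot, and flags TLS settings that weaken certificate validation.
Field names are from Appendix C; every value below is constructed.
"""
import re

SAMPLE_VIEW = """\
                      Name: ldap_example
                   Base DN: dc=example,dc=com
               Server Uris: ldaps://ldap.example.com
                   Bind DN: cn=isilon,ou=svc,dc=example,dc=com
Certificate Authority File: /ifs/data/Isilon_Support/ca.pem
         Ignore TLS Errors: Yes
 Require Secure Connection: No
     Nt Password Attribute: sambaNTPassword
"""

# Appendix C items a to e and g; item f (bind password) is not shown by the CLI.
REQUIRED = ("Name", "Base DN", "Server Uris", "Bind DN",
            "Ignore TLS Errors", "Require Secure Connection")

# URI scheme the guide expects on each branch of the flowchart.
SCHEME_FOR_MODE = {"plain": "ldap", "starttls": "ldap", "ssl": "ldaps"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_view(text):
    """Turn the view output into a dict; the first colon separates key from value."""
    fields = {}
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def server_uris(fields):
    """Server Uris as a list (the field may hold several comma-separated URIs)."""
    return [u.strip() for u in fields.get("Server Uris", "").split(",") if u.strip()]


def check_provider(fields, mode):
    """Return the findings for mode 'plain', 'starttls' or 'ssl'; [] means it passes."""
    if mode not in SCHEME_FOR_MODE:
        raise ValueError(f"unknown mode {mode!r}")
    findings = []
    for key in REQUIRED:
        if not fields.get(key):
            findings.append(f"required attribute not set: {key}")
    want = SCHEME_FOR_MODE[mode]
    for uri in server_uris(fields):
        scheme, _, rest = uri.partition("://")
        if scheme.lower() != want:
            findings.append(f"Server Uri {uri} should begin with {want}: for {mode}")
        host = rest.split("/", 1)[0].rsplit(":", 1)[0]
        if mode == "ssl" and IPV4.match(host):
            findings.append(f"Server Uri {uri} names an IP address; page 23 requires "
                            "the name that appears in the certificate")
    if fields.get("Require Secure Connection", "").lower() == "yes":
        findings.append("Require Secure Connection is Yes; the steps on pages 18 and 24 expect No")
    if fields.get("Ignore TLS Errors", "").lower() == "yes":
        findings.append("Ignore TLS Errors is Yes: certificate validation is disabled; "
                        "prefer a Certificate Authority File and revert this after troubleshooting")
    return findings


if __name__ == "__main__":
    fields = parse_view(SAMPLE_VIEW)
    for mode in ("plain", "starttls", "ssl"):
        print(f"[{mode}]")
        for finding in check_provider(fields, mode) or ["no findings"]:
            print("  -", finding)
```

The mode argument is the branch you are on in the flowchart: "plain" for page 18, "starttls" for page 22 and "ssl" for page 23. The sample passes the SSL checks apart from the Ignore TLS Errors warning, and fails the scheme check on the other two branches, which is the mismatch that typically leaves a provider offline.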
Page 27 - Test LDAP ports (4)
You could have arrived here from:
Page 20 - Test LDAP ports (2), Failed on All
Note: A non-standard port is any port other than 389 or 636.
Is your LDAP environment configured to use a non-standard port?
No: Note the page number that you are currently on. Upload log files and contact Isilon Technical Support, as instructed in Appendix A.
Yes: Run the following command on all LDAP servers that are configured for a non-standard port, where <ldapIP> is the IP address of the LDAP server and <port> is the non-standard port that you have configured:
nc -z <ldapIP> <port>
Did the above command succeed on all servers?
Yes: Go to Page 28
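Pages 19, 20 and 27 describe one procedure: probe the LDAP port on every configured server (389, 636, or the non-standard port) and branch on whether all, none or some of the probes succeed. The script below is an added example, not OneFS code or part of this guide, that performs that procedure in Python instead of a manual nc -z loop: it derives the port to probe from each Server Uri, performs one TCP connect per server with a timeout, and classifies the results into the page-20 branches. The hostnames in SAMPLE_URIS are constructed; the demo at the bottom probes a listener it opens on 127.0.0.1 and a loopback port it has just released, so it runs offline. Like nc -z, this only proves that the port is listening; a successful connect says nothing about the bind or the TLS handshake, which the ldapsearch test on page 29 covers.

```python
"""Probe LDAP ports on every configured server and classify the outcome.

Added example, not OneFS code. Equivalent to the per-server
`nc -z <ldapIP> <port>` loop on pages 19, 20 and 27: one TCP connect per
server and port, then the three-way split the flowchart branches on.
SAMPLE_URIS holds constructed hostnames; the demo only touches loopback.
"""
import socket

STANDARD_PORTS = {"ldap": 389, "ldaps": 636}
SAMPLE_URIS = ["ldap://ldap1.example.com", "ldaps://ldap2.example.com",
               "ldap://10.0.0.9:3389"]      # last one: a non-standard port


def target_from_uri(uri):
    """Return (host, port) to probe for a Server Uri, honouring an explicit port."""
    scheme, _, rest = uri.partition("://")
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.rpartition(":")
    if host and port.isdigit():
        return host, int(port)
    return hostport, STANDARD_PORTS[scheme.lower()]


def probe_port(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout (what nc -z tests)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_all(targets, timeout=3.0):
    """targets: iterable of (host, port). Returns {(host, port): reachable}."""
    return {(h, p): probe_port(h, p, timeout) for h, p in targets}


def classify(results):
    """Map probe results onto the page-20 branches."""
    if not results:
        raise ValueError("no servers to classify")
    reachable = sum(1 for ok in results.values() if ok)
    if reachable == len(results):
        return "Succeed on All"
    if reachable == 0:
        return "Failed on All"
    return "Mixed Results"


def local_listener():
    """Open a listening socket on an ephemeral loopback port (offline demo only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def released_port():
    """Bind and immediately close a loopback port so that a probe to it is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    print("targets from Server Uris:", [target_from_uri(u) for u in SAMPLE_URIS])
    srv, open_port = local_listener()
    try:
        results = probe_all([("127.0.0.1", open_port), ("127.0.0.1", released_port())],
                            timeout=1.0)
    finally:
        srv.close()
    for (host, port), ok in results.items():
        print(f"{host}:{port} {'open' if ok else 'closed'}")
    print(classify(results))    # Mixed Results
```

Against real servers, replace the loopback targets with [target_from_uri(u) for u in uris] built from the provider's Server Uris; a "Mixed Results" answer names exactly the servers to take to the network or LDAP administrator, as page 20 directs.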
Page 28 - Test LDAP ports (5)
You could have arrived here from:
Page 20 - Test LDAP ports (2), Succeed on All
Page 27 - Test LDAP ports (4)
Are you using StartTLS?
Yes: Go to Page 29
No: Go to Page 30
Page 29 - Test LDAP
You could have arrived here from:
Page 28 - Test LDAP ports (5)
Test LDAP directly by running the following command, where:
<server-uri> is the server URI.
<base-dn> is the base DN.
<bind-dn> is the bind DN.
Please note that the below command is a single command, wrapped onto two lines.
ldapsearch -x -W -z 10 -H <server-uri> -b '<base-dn>' -D "<bind-dn>"
'(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=nisNetgroup))'
To add the certificate authority certificate, prefix the previous command with the following environment variable setting, where <location> indicates the file path to the certificate authority file (LDAPTLS_CACERT is read from the environment by ldapsearch, so it must come before the command name, not after it):
LDAPTLS_CACERT="<location>"
The resulting command should look like this (a single command, wrapped onto two lines):
LDAPTLS_CACERT="<location>" ldapsearch -x -W -z 10 -H <server-uri> -b '<base-dn>' -D "<bind-dn>"
'(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=nisNetgroup))'
Go to Page 31
Page 30 - Test LDAP (2)
You could have arrived here from:
Page 28 - Test LDAP ports (5)
Test LDAP directly by running the following command, where:
<server-uri> is the server URI.
<base-dn> is the base DN.
<bind-dn> is the bind DN.
Please note that the below command is a single command, wrapped onto two lines.
ldapsearch -x -W -z 10 -H <server-uri> -b '<base-dn>' -D "<bind-dn>"
'(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=nisNetgroup))'
Go to Page 31
Page 31 - Test LDAP (3)
You could have arrived here from:
Page 29 - Test LDAP
Page 30 - Test LDAP (2)
Did the ldapsearch command return an error message, or did you receive LDIF output? See the note for a list of potential errors and Appendix E for example output.
Error message: Note the page number that you are currently on. Upload log files and contact Isilon Technical Support, as instructed in Appendix A.
LDIF output: Go to Page 32
Note: Potential error messages (this is not a complete list):
ldap_start_tls: Connect error (-11)
ldap_result: Cannot contact LDAP server (-1)
ldap_start_tls: Cannot contact LDAP server (-1)
ldap_bind: Invalid credentials (49)
Page 32 - Test LDAP (4)
You could have arrived here from:
Page 31 - Test LDAP (3)
Does the LDIF output contain the object classes that you expected? See Appendix E for example LDIF output.
No: Have your local LDAP administrator provide you with a sample of the LDIF structure, for example, users, groups, and netgroups. Attach this sample to your Isilon Technical Support service request (SR).
Yes: If the LDIF output does contain the expected object classes, this indicates that there is another issue that is preventing authentication.
Note the page number that you are currently on. Upload log files and contact Isilon Technical Support, as instructed in Appendix A.
Contact EMC Isilon Technical Support
If you need to contact Isilon Technical Support during troubleshooting, reference the page or step that you need help with.
This information and the log file will help Isilon Technical Support staff resolve your case more quickly.
Appendix A: If you need further assistance
Upload node log files and the screen log file to EMC Isilon Technical Support
1. When troubleshooting is complete, type exit to end your screen session.
2. Gather and upload the node log set and include the SSH screen log file by using the command appropriate for your
method of uploading files. If you are not sure which method to use, use FTP.
ESRS:
isi_gather_info --esrs --local-only -f /ifs/data/Isilon_Support/screenlog.0
FTP:
isi_gather_info --ftp --local-only -f /ifs/data/Isilon_Support/screenlog.0
HTTP:
isi_gather_info --http --local-only -f /ifs/data/Isilon_Support/screenlog.0
SMTP:
isi_gather_info --email --local-only -f /ifs/data/Isilon_Support/screenlog.0
SupportIQ:
Copy and paste the following command.
Note: When you copy and paste the command into the command-line interface, it will appear on multiple lines (exactly
as it appears on the page), but when you press Enter, the command will run as it should.
isi_gather_info --local-only -f /ifs/data/Isilon_Support/screenlog.0 --noupload \
--symlink /var/crash/SupportIQ/upload/ftp
3. If you receive a message that the upload was unsuccessful, refer to article 16759 on the EMC Online Support site for
directions on how to upload files over FTP.
Appendix B: How to use this flowchart
Decision diamond (Yes / No).
Process step.
Process step with command: shows the command to run, for example "command xyz".
Go to Page #.
Note: Provides context and additional information. Sometimes a note is linked to a process step with a colored dot.
CAUTION! Caution boxes warn that a particular step needs to be performed with great care, to prevent serious consequences.
End point.
Document shape: Calls out supporting documentation for a process step. When possible, these shapes contain links to the reference document. Sometimes linked to a process step with a colored dot.
Optional process step.
Directional arrows indicate the path through the process flow.
Introduction: Describes what the section helps you to accomplish.
You could have arrived here from: Page # - "Page title".
Appendix C: Example output
Example isi auth ldap view <provider> output
Required provider attributes
There are certain criteria that can trigger an offline state. To ensure LDAP is online, be sure that the following settings are configured accurately:
a. Name
b. Base DN
c. Server Uris
d. Bind DN
e. Ignore TLS Errors
f. Bind password (this setting is not displayed in the CLI output; instead, it is configured in the OneFS web administration interface.)
g. Require Secure Connection
Note: Ignore TLS Errors: Yes makes OneFS continue over a secure connection even if the server's identity check fails, which removes the protection that TLS gives the bind password. Use it only to confirm that a certificate problem is the cause of an offline provider, and set it back to No afterwards.
Required user attributes
To ensure user or group authentication, be sure that the following attributes are configured properly:
1. gidNumber
2. homeDirectory
3. uid
4. loginShell
5. uidNumber
6. Nt Password Attribute (this attribute is required only for SMB authentication)
You could have arrived here from:
Page 5 - LDAP configuration
Page 11 - NT password attribute
Page 16 - LDAP is offline
Page 17 - Verify required user attributes (5)
Page 18 - Verify LDAP configuration
Page 22 - Verify secure LDAP configuration,
StartTLS
Page 23 - Verify secure LDAP configuration, SSL
Page 24 - Verify secure LDAP configuration (2)
Page 26 - Verify secure LDAP configuration (4)
cluster-1# isi auth ldap view ldap_example
Name: ldap_example
Base DN: cn=users,dc=10-9,dc=lab,dc=emc,dc=test
Server Uris: ldap://10.11.12.70
Status: online
Alternate Security Identities Attribute: -
Authentication: Yes
Balance Servers: Yes
Bind DN: uid=admin,cn=users,dc=10-9,dc=test
Bind Timeout: 10
Certificate Authority File: -
Check Online Interval: 3m
CN Attribute: cn
Create Home Directory: No
Crypt Password Attribute: -
Email Attribute: mail
Enabled: Yes
Enumerate Groups: Yes
Enumerate Users: Yes
Findable Groups: -
Findable Users: -
GECOS Attribute: gecos
GID Attribute: gidNumber
Group Base DN: -
Group Domain: LDAP_DOMAIN
Group Filter: (objectClass=posixGroup)
Group Members Attribute: memberUid
Group Search Scope: default
Groupnet: groupnet0
Home Directory Template: -
Homedir Attribute: homeDirectory
Ignore TLS Errors: No
Listable Groups: -
Listable Users: -
Login Shell: -
Member Of Attribute: -
Name Attribute: uid
Netgroup Base DN: -
Netgroup Filter: (objectClass=nisNetgroup)
Netgroup Members Attribute: memberNisNetgroup
Netgroup Search Scope: default
Netgroup Triple Attribute: nisNetgroupTriple
Normalize Groups: No
Normalize Users: No
Nt Password Attribute: ntPassword
Ntlm Support: all
Provider Domain: -
Require Secure Connection: No
Restrict Findable: Yes
Restrict Listable: No
Search Scope: subtree
Search Timeout: 100
Shadow User Filter: (objectClass=shadowAccount)
Shadow Expire Attribute: shadowExpire
Shadow Flag Attribute: shadowFlag
Shadow Inactive Attribute: shadowInactive
Shadow Last Change Attribute: shadowLastChange
Shadow Max Attribute: shadowMax
Shadow Min Attribute: shadowMin
Shadow Warning Attribute: shadowWarning
Shell Attribute: loginShell
UID Attribute: uidNumber
Unfindable Groups: wheel, 0, group1, 15, group2, 16
Unfindable Users: root, 0, user1, 15, user2, 16
Unique Group Members Attribute: -
Unlistable Groups: -
Unlistable Users: -
User Base DN: -
User Domain: domain_test
User Filter: (objectClass=posixAccount)
User Search Scope: default
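A way to check this output mechanically, as an added example that is not part of the guide or of OneFS: the script below parses isi auth ldap view output (a trimmed copy of the sample above, embedded as a string so that it runs offline; the second, "bad" sample is constructed for this example), confirms that the required settings and attribute mappings are set, and flags the two transport settings a security engineer looks at first: an ldap:// URI without Require Secure Connection, and Ignore TLS Errors set to Yes. The severity labels and the finding text are the example's own wording.

```python
"""Sanity-check `isi auth ldap view <provider>` output.

Added example, not code from the guide or from OneFS. It parses a copy of
the CLI output embedded below as a string (PROVIDER_VIEW_OK copies the
sample in this appendix; PROVIDER_VIEW_BAD is constructed for this
example), so it runs offline. The settings it requires are the ones this
appendix lists; the finding text is this example's own wording.
"""
import re

# Settings the guide says must be configured for the provider to stay online.
# The bind password is not shown by the CLI, so it cannot be checked here.
REQUIRED_PROVIDER_FIELDS = (
    "Name", "Base DN", "Server Uris", "Bind DN",
    "Ignore TLS Errors", "Require Secure Connection",
)

# Attribute mappings behind the required user attributes
# (gidNumber, homeDirectory, uid, loginShell, uidNumber).
REQUIRED_USER_MAPPINGS = (
    "GID Attribute", "Homedir Attribute", "Name Attribute",
    "Shell Attribute", "UID Attribute",
)

_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_isi_view(text):
    """Turn the 'Key: value' lines into a dict; '-' (unset) becomes None."""
    settings = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m is None:          # prompt line, blank line, etc.
            continue
        key, value = m.groups()
        settings[key] = None if value in ("", "-") else value
    return settings


def check_provider(settings):
    """Return a list of (severity, message); an empty list means no findings."""
    findings = []
    for field in REQUIRED_PROVIDER_FIELDS + REQUIRED_USER_MAPPINGS:
        if settings.get(field) is None:
            findings.append(("error", f"{field} is not set"))

    uris = [u.strip() for u in (settings.get("Server Uris") or "").split(",")]
    plain = [u for u in uris if u.lower().startswith("ldap://")]
    if plain and settings.get("Require Secure Connection") != "Yes":
        # A simple bind over ldap:// sends the Bind DN password in clear
        # text unless StartTLS is negotiated first; Require Secure
        # Connection is the setting that forces that.
        findings.append(("warning",
                         "ldap:// URI without Require Secure Connection: "
                         + ", ".join(plain)))
    if settings.get("Ignore TLS Errors") == "Yes":
        # Certificate validation failures are ignored, so an impostor
        # server presenting any certificate can collect the bind password.
        findings.append(("warning", "Ignore TLS Errors is Yes"))
    status = settings.get("Status")
    if status is not None and status != "online":
        findings.append(("error", f"provider status is {status}"))
    return findings


# Trimmed copy of the sample output in this appendix.
PROVIDER_VIEW_OK = """\
cluster-1# isi auth ldap view ldap_example
                          Name: ldap_example
                       Base DN: cn=users,dc=10-9,dc=lab,dc=emc,dc=test
                   Server Uris: ldap://10.11.12.70
                        Status: online
                       Bind DN: uid=admin,cn=users,dc=10-9,dc=test
    Certificate Authority File: -
                 GID Attribute: gidNumber
             Homedir Attribute: homeDirectory
             Ignore TLS Errors: No
                Name Attribute: uid
     Require Secure Connection: No
               Shell Attribute: loginShell
                 UID Attribute: uidNumber
"""

# Constructed for this example: a provider that would report offline.
PROVIDER_VIEW_BAD = (
    PROVIDER_VIEW_OK
    .replace("Bind DN: uid=admin,cn=users,dc=10-9,dc=test", "Bind DN: -")
    .replace("Status: online", "Status: offline")
    .replace("Ignore TLS Errors: No", "Ignore TLS Errors: Yes")
    .replace("Server Uris: ldap://", "Server Uris: ldaps://")
)

if __name__ == "__main__":
    for label, text in (("ok", PROVIDER_VIEW_OK), ("bad", PROVIDER_VIEW_BAD)):
        print(label)
        for severity, message in check_provider(parse_isi_view(text)):
            print(f"  {severity}: {message}")
```

On the sample from this appendix the only finding is the warning about ldap://10.11.12.70 being used without Require Secure Connection; everything the guide lists as required is present. Run the script on the pasted output of your own provider before opening a service request, and treat any "error" line as the first thing to fix.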
Appendix D: Example output
Example isi auth users view <user> --provider=ldap output
Required user attributes
To ensure user or group authentication, be sure that the following attributes are configured properly:
1. Name
2. UID
3. GID
4. Home Directory
5. Shell
Cluster-1# isi auth users view tuser --provider=ldap
Name: tuser
DN: CN=tuser,CN=Users,DC=dur,DC=example,DC=com
DNS Domain: -
Domain: LDAP_USERS
Provider: lsa-ldap-provider:ldap_example
Sam Account Name: tuser
UID: 1005
SID: S-1-22-1-1005
Enabled: Yes
Expired: No
Expiry: -
Locked: No
Email: -
GECOS: -
Generated GID: No
Generated UID: No
Generated UPN: -
Primary Group
    ID: GID:1800
    Name: isilon
Home Directory: /home/user home
Max Password Age: Never
Password Expired: No
Password Expiry: -
Password Last Set: -
Password Expires: Yes
Shell: /bin/tcsh
You could have arrived here from:
Page 8 - Verify required user attributes
Page 9 - Verify required user attributes (2)
Page 14 - Verify required user attributes (3)
Appendix E: Example output
Example LDIF output
Required user attributes
To ensure user or group authentication, be sure that the following attributes are configured properly:
1. gidnumber
2. homedirectory
3. loginshell
4. uid
5. uidnumber
# Entry 23: cn=Test User,ou=Users,dc=nismaster,dc=example,dc=com
dn: cn=Test User,ou=Users,dc=nismaster,dc=example,dc=com
cn: Test User
gidnumber: 1800
givenname: Test
homedirectory: /home/users/tuser
loginshell: /bin/tcsh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user
uid: tuser
uidnumber: 1005
userpassword: {MD5}Ho0TCNi6UB8gG7/JGpXU7w==
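The same check applied to an LDIF export, as an added example that is not part of the guide or of OneFS: the script below parses LDIF (comments, folded lines and base64 values included), then reports, per entry, which of the five required attributes are missing and whether the entry carries the posixAccount object class that the provider's User Filter in Appendix C matches on. The input is constructed for this example: the first entry copies the sample above, the second is made up and deliberately incomplete.

```python
"""Check LDIF user entries for the attributes OneFS needs.

Added example, not code from the guide or from OneFS. The LDIF below is
constructed here: the first entry copies the sample in this appendix, the
second is made up for this example and deliberately lacks attributes. The
required attribute list is the one this appendix gives; the posixAccount
requirement comes from the provider's User Filter shown in Appendix C.
"""
import base64

REQUIRED_USER_ATTRS = ("gidnumber", "homedirectory", "loginshell", "uid", "uidnumber")
# The User Filter in Appendix C is (objectClass=posixAccount); an entry
# without that class is never returned as a user, whatever else it has.
REQUIRED_OBJECTCLASS = "posixaccount"


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict of lower-cased
    attribute name -> list of values.

    Handles comments, folded lines (RFC 2849: a leading space continues the
    previous line) and base64 values ('attr:: ...'). Names are lower-cased
    because LDAP attribute names are case-insensitive and exports spell
    them inconsistently (the sample says gidnumber, Appendix C gidNumber).
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_user_entry(entry):
    """Return the problems with one entry; an empty list means it is usable."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if REQUIRED_OBJECTCLASS not in classes:
        problems.append("missing objectClass posixAccount")
    for attr in REQUIRED_USER_ATTRS:
        if attr not in entry:
            problems.append(f"missing {attr}")
    for attr in ("uidnumber", "gidnumber"):
        for value in entry.get(attr, []):
            if not value.isdigit():
                problems.append(f"{attr} is not numeric: {value!r}")
    # userpassword is deliberately not checked here: how the directory
    # stores it is the LDAP server's concern, not part of this check.
    return problems


def check_ldif(text):
    """Map each entry's DN to its list of problems."""
    return {e["dn"][0]: check_user_entry(e) for e in parse_ldif(text) if "dn" in e}


# Constructed input: entry 1 is the appendix sample, entry 2 is made up
# (folded homedirectory line and a base64 description included on purpose).
SAMPLE_LDIF = """\
# Entry 23: cn=Test User,ou=Users,dc=nismaster,dc=example,dc=com
dn: cn=Test User,ou=Users,dc=nismaster,dc=example,dc=com
cn: Test User
gidnumber: 1800
givenname: Test
homedirectory: /home/users/tuser
loginshell: /bin/tcsh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user
uid: tuser
uidnumber: 1005
userpassword: {MD5}Ho0TCNi6UB8gG7/JGpXU7w==

dn: cn=No Shell,ou=Users,dc=nismaster,dc=example,dc=com
cn: No Shell
description:: VGVzdCB1c2Vy
gidnumber: 1800
homedirectory: /home/users/
 noshell
objectclass: inetOrgPerson
objectclass: top
uid: noshell
uidnumber: 1006
"""

if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "->", problems or "ok")
```

For the sample entry the problem list is empty; for the made-up entry it reports the missing posixAccount class and the missing loginshell. Point the script at the LDIF your LDAP administrator exports and attach both the LDIF and its output to the service request, since an entry that is missing the object class will not show up in isi auth users view at all, which is easy to mistake for a connectivity problem.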
You could have arrived here from:
Page 9 - Verify required user attributes (2)
Page 13 - Test authentication (2)
Page 15 - Verify required user attributes (4)
Page 31 - Test LDAP (3)
Page 32 - Test LDAP (4)
Copyright © 2018 Dell Inc. or its subsidiaries. All rights reserved.
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS-IS. DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.
Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.
EMC Corporation, Hopkinton, Massachusetts 01748-9103. 1-508-435-1000. In North America: 1-866-464-7381. www.EMC.com