跳转到主内容

如何对 Windows Active Directory 中的 LDAP 问题进行故障排除

Views:
42
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

执行

执行

适用场景

  • ONTAP 9

问题描述

有关 Active Directory LDAP 和集群模式 Data ONTAP 的更多详细信息和最新信息,请参见TR-4073 :安全统一身份验证

在集群模式secd下使用 LDAP 时,会利用 mhost 进程 "" 。此过程负责用户身份验证(名称映射)。名称映射中发生的问题会记录到/mroot/etc/mlog文件中的 secd 日志中。

默认情况

::*> diag secd trace set -node node-01 -module-names name-mapping -trace-all YES
Trace spec set successfully.

::*> diag secd trace show -node node-01
Trace Spec
---------------------------------------
TraceAll:                     Tracing all RPCs
Modules:                      NameMapping


options cifs.trace_login下,除非指定,否则名称映射失败不会记录在 secd 日志中:此行为在 Data ONTAP 7- 模式中相同,必须启用此模式才能在日志中查看跟踪匹配失败。

如果名称映射失败,则会显示以下内容:

Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |------------------------------------------------------------------------------
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                                 TRACE MATCH                                  |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |   RPC secd_rpc_map_name succeeded and is being dumped because of a tracing   |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                                  match on:                                   |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                                     All                                      |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |                   RPC recevied at Thu Sep 15 16:55:38 2011                   |
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] |------------------------------------------------------------------------------'
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.032]  debug:  SecD RPC Server received RPC from MGMT.  RPC 351: secd_rpc_map_name  { in secd_prog_1() at server/secd_rpc_server.cpp:806 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.103]  debug:  Setting thread context. VServerId = 6, Protocol = NONE, lifId = 0  { in setThreadContext() at utils/secd_thread_data_manager.cpp:172 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.121]  debug:  secd_rpc_map_name_1_svc called with vserverid = 6  { in secd_rpc_map_name_1_svc() at name_mapping/secd_rpc_map_name.cpp:50 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.168]  debug:  Attempting to map name ldap using the cluster mapping store  { in getAppropriateWindowsToUnixMapping() at name_mapping/secd_name_mapping.cpp:385 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.207]  debug:  IDS_FROM_USER_NAME ldapInfoType requested.
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402]   { in getLdapInfoFromName() at authorization/secd_ldap_unix_authorization.cpp:552 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.239]  debug:  Looking for LDAP (NIS & Name Mapping) cache (key: "") in vserver 6  { in getConnectionCache() at connection_manager/secd_connection_cache.cpp:450 } 000000ad.0000150a 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.255]  debug:  Looking for a connection to LDAP (NIS & Name Mapping)  { in getConnection() at connection_manager/secd_connection_manager.cpp:547 } 000000ad.0000150b 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.268]  debug:  Acquiring a new LDAP (NIS & Name Mapping) connection; favoring cache  { in getBestConnection() at connection_manager/secd_connection_manager.cpp:716 } Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.282]  debug:  Did not find an available connection in the cache  { in getBestCachedConnection() at connection_manager/secd_connection_cache.cpp:224 } 000000ad.0000150d 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.304]  debug:  Reserving a new LDAP (NIS & Name Mapping) server from discovery  { in getBestConnection() at connection_manager/secd_connection_manager.cpp:728 } 000000ad.0000150e 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.324]  debug:  Created service key: 00000006..LDAP_NIS_AND_NAME_MAPPING  { in makeServiceKey() at server_discovery/secd_service_list.cpp:150 } Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.356]  debug:  Discovery returned 10.61.70.5 (10.61.70.5)  { in getBestConnection() at connection_manager/secd_connection_manager.cpp:743 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.000.377]  debug:  Connecting to LDAP (NIS & Name Mapping) server 10.61.70.5  { in addStartConnectionJournal() at connection_manager/secd_connection_manager.cpp:462 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.652]  debug:  Successfully authenticated over LDAP with 10.61.70.5  { in connect<LdapConnectionState>() at connection_manager/secd_connection.cpp:971 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.688]  debug:  Connected to new LDAP (NIS & Name Mapping) service on 10.61.70.5  { in makeConnectionAttempt() at connection_manager/secd_connection_manager.cpp:846 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.002.929]  debug:  Searching LDAP for the "uidNumber, gidNumber" attribute(s) within base "CN=users,DC=domain,DC=com" (scope: -1) using filter: (&(objectClass=User)(sAMAccountName=ldap))  { in searchLdap() at utils/secd_ldap_utils.cpp:200 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.352]  ERR  :  1057 in searchLdap() at utils/secd_ldap_utils.cpp:215
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.386]  ERR  :  searchLdap: LDAP Error: (80): 'Internal (implementation specific) error':
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.399]  ERR  :  1057 in getLdapInfoFromName() at authorization/secd_ldap_unix_authorization.cpp:652
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.465]  debug:  Closing service handle; reporting status 1  { in ~SecdConnection() at ../bedrock/obj/x86_64/secd/../../../export/common/headers/include/secd/secd_connection.h:106 }
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.488]  ERR  :  1057 in getIdsFromUserName() at authorization/secd_ldap_unix_authorization.cpp:139
Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.505]  warn :  Failed to get an ID for name ldap using UNIX authorization source LDAP, Error: 1057; ignoring; will try next source  { in handleNameAuthResult() at authorization/secd_unix_authorization.cpp:68 } 000000ad.0000151a 001db95a Thu Sep 15 2011 16:55:38 -04:00 [kern_secd:info:2402] | [000.003.575]  debug:  SecD RPC Server sending reply to RPC 351: secd_rpc_map_name  { in secdSendRpcResponse() at server/secd_rpc_server.cpp:1093 }


名称映射跟踪表示以下内容:

  • LDAP 名称映射失败以及正在尝试的用户
  • 用于映射用户的 LDAP
  • 用于搜索的基础 DN
  • 故障期间请求的属性
  • 已使用筛选器
  • 已联系 LDAP 服务器,如果已正确连接 LDAP 服务器
  • LDAP 连接是否已缓存
  • 请求的 SVM ID

 

Scan to view the article on your device
CUSTOMER EXCLUSIVE CONTENT

Registered NetApp customers get unlimited access to our dynamic Knowledge Base.

New authoritative content is published and updated each day by our team of experts.

Current Customer or Partner?

Sign In for unlimited access

New to NetApp?

Learn more about our award-winning Support