...
These warning messages appear for the NAS server, and the server shows a Degraded or OK_BUT status:

Message: LDAP servers configured for the LDAP client of NAS server LDAP Testing are not reachable.
Description: None of the LDAP servers configured for LDAP client of the NAS server are reachable. Check network connectivity. Ensure at least one LDAP server is available and the storage system can access it.

Message: LDAP client settings on NAS server LDAP Testing are not valid within domain eng1880.prodcse.eng.umsg.lab.emc.com.
Description: The LDAP client settings on the NAS server are not configured correctly for the domain. You may encounter unexpected issues or mapping errors when using LDAP as a Unix directory service. Verify account settings. Check the binding and access permissions for the configured LDAP servers.

The "not reachable" message appears even though every other indication (such as working user and group lookups) shows that the LDAP server is reachable.
This can have two causes. The first is a legitimate configuration or environmental problem that prevents the LDAP server from being reached; major configuration or environmental issues are outside the scope of this knowledgebase article. The second is a smaller issue in the ldap.conf file in use that prevents certain types of lookups from succeeding (for example netgroups, hosts, or secondary group membership). Every container specified in the ldap.conf file MUST exist in the directory. Removing nss_base_netgroup or nss_base_hosts does not help: the server automatically sets them back to a default value derived from the base DN, so simply deleting the entries cannot fix the problem. This knowledgebase article covers correcting the ldap.conf file.

While the NAS server is in a Degraded state, operations such as user mapping diagnostics and setting multiprotocol options cannot be performed.
The problem is caused by Dell EMC Unity treating any LDAP configuration problem as breaking LDAP functionality: it marks the NAS server as Degraded even if LDAP is working for user and group lookups. All containers referenced in ldap.conf must exist, including ones that may not be in use, such as netgroup and hosts.

The most common cause is an improperly configured ldap.conf file. You can retrieve this file from the NAS server properties under Naming Services. Dell EMC Unity attempts to automatically generate an ldap.conf file for your domain; however, the containers it sets for nss_base_passwd, nss_base_group, nss_base_hosts and nss_base_netgroup are usually not correct for your environment. Example auto-generated ldap.conf file:

    # Containers
    nss_base_passwd cn=Users,dc=domain,dc=com?one
    nss_base_group cn=Users,dc=domain,dc=com?one
    nss_base_hosts cn=Computers,dc=domain,dc=com?one
    nss_base_netgroup cn=netgroup,cn=domain,cn=DefaultMigrationContainer30,dc=domain,dc=com?one
    # Objects
    nss_map_objectclass posixAccount User
    nss_map_objectclass posixGroup Group
    nss_map_objectclass ipHost Computer
    # Attributes
    nss_map_attribute userPassword unixUserPassword
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute memberUid member
    fast_search 0

These base containers are extremely important to have configured correctly for user and group lookups to succeed. Ensure that all of them exist in Active Directory and point to the right place. The most common problem is the nss_base_netgroup container: cn=netgroup,cn=domain,cn=DefaultMigrationContainer30,dc=domain,dc=com usually does not exist in the domain, so when the system queries that container the query fails, and that failure causes the Degraded flag to be set on the NAS server. Even if netgroups are not in use, this container needs to point to a valid location to clear the Degraded state. It can be pointed anywhere as long as the container actually exists and the configured LDAP bind account can read it.
You cannot simply remove the netgroup container when it is not in use, because the system will fall back to the same default container that was in the ldap.conf at creation. For example, if you do not use netgroups and are unsure where to point it, you can make it match the Computers container:

    nss_base_hosts cn=Computers,dc=domain,dc=com?one
    nss_base_netgroup cn=Computers,dc=domain,dc=com?one

If the hosts container is also pointed at a location that does not exist, adjust the path for both. If you do use netgroups, ensure the entry points at the location where they are actually stored.

Once you have fixed the ldap.conf file, upload it back to the Dell EMC Unity system using upload schema, then give the system 10 to 15 minutes to requery its status. If all of the containers point to the right places and those containers hold all the needed attributes, the Degraded state should clear. Once the NAS server requeries its status the Degraded state goes away, but alerts saying the settings are not valid for the domain may remain if any attributes are missing from the selected containers.
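The following Python script is an added example written for this article; it is not Dell EMC tooling or code from the Unity system. It implements the check described above: it parses the nss_base_* directives out of an ldap.conf, verifies that each base DN exists, prints the ldapsearch command you would run to confirm a missing container against a live domain controller, and rewrites the bad nss_base_netgroup entry to point at the Computers container. The ldap.conf text is a copy of the auto-generated file quoted above; the set of existing DNs, the server name dc01.domain.com and the bind account cn=svc_unity,cn=Users,dc=domain,dc=com are constructed assumptions standing in for a real domain.

```python
"""Validate the nss_base_* containers in a Unity NAS server ldap.conf.

Added example, not Dell EMC code. Every container named by an nss_base_*
directive must exist or the NAS server is flagged Degraded, so this parses
those directives, checks each base DN, and rewrites a bad entry.
"""
import re

# Constructed copy of the auto-generated ldap.conf quoted in the article.
SAMPLE_LDAP_CONF = """\
# Containers
nss_base_passwd cn=Users,dc=domain,dc=com?one
nss_base_group cn=Users,dc=domain,dc=com?one
nss_base_hosts cn=Computers,dc=domain,dc=com?one
nss_base_netgroup cn=netgroup,cn=domain,cn=DefaultMigrationContainer30,dc=domain,dc=com?one
# Objects
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_objectclass ipHost Computer
# Attributes
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute memberUid member
fast_search 0
"""

# Constructed stand-in for the directory: the DNs that exist in this example
# domain. A live check would replace this with a base-scope LDAP search.
EXISTING_DNS = {
    "dc=domain,dc=com",
    "cn=Users,dc=domain,dc=com",
    "cn=Computers,dc=domain,dc=com",
}

NSS_BASE_RE = re.compile(r"^\s*(nss_base_\w+)\s+(\S+)\s*$")


def normalize_dn(dn):
    """Compare DNs the way a directory does: case-insensitive, no stray spaces."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_nss_bases(conf_text):
    """Return {directive: (base_dn, scope)} for each nss_base_* line.
    nss_ldap value syntax is base?scope?filter; scope defaults to sub."""
    bases = {}
    for line in conf_text.splitlines():
        m = NSS_BASE_RE.match(line)
        if not m:
            continue
        directive, value = m.groups()
        base_dn, _, rest = value.partition("?")
        scope = rest.split("?", 1)[0] or "sub"
        bases[directive] = (base_dn, scope)
    return bases


def dn_exists_in(known_dns):
    """Build an existence check over a set of DNs (the offline directory)."""
    known = {normalize_dn(d) for d in known_dns}
    return lambda dn: normalize_dn(dn) in known


def find_missing_containers(conf_text, exists):
    """List (directive, base_dn) pairs whose container the lookup cannot find."""
    return [(d, dn) for d, (dn, _) in parse_nss_bases(conf_text).items()
            if not exists(dn)]


def ldapsearch_check_command(server, bind_dn, base_dn):
    """OpenLDAP ldapsearch that reads only the container entry itself (-s base).
    A returned entry means it exists and the bind account can read it; LDAP
    result 32 (No such object) means the DN must be corrected in ldap.conf."""
    return (f'ldapsearch -LLL -H ldap://{server} -D "{bind_dn}" -W '
            f'-b "{base_dn}" -s base "(objectClass=*)" dn')


def repoint_container(conf_text, directive, new_dn, scope="one"):
    """Rewrite one nss_base_* line (or append it) so it points at new_dn."""
    out, replaced = [], False
    for line in conf_text.splitlines():
        m = NSS_BASE_RE.match(line)
        if m and m.group(1) == directive:
            out.append(f"{directive} {new_dn}?{scope}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{directive} {new_dn}?{scope}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    exists = dn_exists_in(EXISTING_DNS)
    for directive, dn in find_missing_containers(SAMPLE_LDAP_CONF, exists):
        print(f"{directive}: container does not exist: {dn}")
        # Assumed server and bind account names; substitute your own.
        print("  verify live with:", ldapsearch_check_command(
            "dc01.domain.com", "cn=svc_unity,cn=Users,dc=domain,dc=com", dn))
    # Netgroups are not in use here, so point the entry at the Computers
    # container, which exists, as the article suggests.
    fixed = repoint_container(SAMPLE_LDAP_CONF, "nss_base_netgroup",
                              "cn=Computers,dc=domain,dc=com")
    print(fixed)
```

Run it against the ldap.conf downloaded from Naming Services and a list of the containers you know exist (or replace dn_exists_in with a real base-scope query using the printed ldapsearch command). The only directive it reports on the auto-generated file is nss_base_netgroup, and the rewritten file it prints is what you upload back to the system.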