# Updating LDAP server - Will it be disruptive?


tiny wind

Hi all, I need to change our LDAP server to a new one, but also to a new service account and password. Will this be disruptive to multiprotocol users and NFSv4/v3 consumers during the switchover?

sand spear

I guess I would try to do the two operations in separate runs: add the new server with the old service account (you can have multiple LDAP servers), remove the old server, then change the service account. At least then you will know what causes possible breakage.

tiny wind

Seems like a plan. That'll help our change management get through!

radiant fiber

Create the two LDAP configurations and then just modify the vserver to use the new configuration at the right time. I would expect all the caches to flush at this point.

visual canopy

If I recall, LDAP over TLS uses certificates. If that's in fact true, then you need to generate the proper CSR for the SVM, get the local certificate authority to sign it, and install the locally signed certificate plus any root/intermediate certificate authority certificates (server-ca); then you can try LDAP over TLS. I do not remember if it actually tries to reauthenticate (like it does when enabling AES encryption after joining the domain).

odd phoenix

Actually, for LDAP over TLS, you just need to install the server's certificate in the ONTAP truststore. The server doesn't mutually authenticate with ONTAP.
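The staged cutover sand spear and radiant fiber describe (second client config, switch the SVM, then retire the old one), together with the server-ca install odd phoenix mentions, written out as ONTAP 9 clustershell commands. This is an added example, not something posted in the thread: the SVM name, config names, server addresses, base DN and bind DN are made up, and the command syntax is ONTAP 9 as I remember it, so check it against the man pages of your release.

```text
# Assumed names: SVM "svm1", old config "ldap_old", new config "ldap_new",
# old server 10.0.0.10, new server 10.0.0.20, new account "svc_ontap_new".

# Step 0 (LDAP over TLS only): put the CA that signed the new server's
# certificate into the SVM truststore. ONTAP only verifies the server;
# no client certificate is needed for a plain StartTLS bind.
security certificate install -vserver svm1 -type server-ca

# Step 1: add the new server next to the old one in the existing config,
# still using the old service account. If users break here, it is the
# server, not the account.
vserver services name-service ldap client modify -vserver svm1 \
  -client-config ldap_old -ldap-servers 10.0.0.10,10.0.0.20

# Step 2: a second client config that points only at the new server and
# uses the new service account (the bind password is prompted for).
vserver services name-service ldap client create -vserver svm1 \
  -client-config ldap_new -ldap-servers 10.0.0.20 \
  -schema AD-IDMU -base-dn "dc=example,dc=com" \
  -bind-dn "cn=svc_ontap_new,ou=service,dc=example,dc=com" \
  -use-start-tls true

# Step 3: at the change window, point the SVM at the new config.
vserver services name-service ldap modify -vserver svm1 -client-config ldap_new

# Step 4: confirm ONTAP can bind and resolve a user before calling it done
# (getxxbyyy needs advanced privilege).
vserver services name-service ldap check -vserver svm1
set -privilege advanced
vserver services name-service getxxbyyy getpwbyname -node node1 \
  -vserver svm1 -username testuser

# Step 5: once lookups are clean, delete the old config so nothing can
# fall back to the retired server or account.
vserver services name-service ldap client delete -vserver svm1 \
  -client-config ldap_old
```

Running the check in step 4 before and after step 3 gives a like-for-like comparison, which is what change management will ask for.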

visual canopy

Cool. I think my customers just installed the cert anyway

odd phoenix

Yeah, you usually need it if you have a very secure browser policy that rejects self-signed certs, for example (we have some customers like that).

sturdy gorge

Thank you both, very useful bits of information... but what will happen to ongoing traffic when I implement it?

tiny wind

I'm suspecting that it will only queue the auth requests or simply try again.


It'll probably look like failures and then the client will try again.

ionic sable
sturdy gorge

outstanding t back you guys


thank

tiny wind

I haven't made my change yet, so still a valid thread IMO.