# LDAP authentication for users
Get LDAP set up for SSH first and make sure that is working. Basically, have a data SVM configured with CIFS, then set up a domain tunnel for the admin SVM to use that CIFS configuration.
After that, add users with domain as the auth method for the http and ontapi applications, and that should get it working for System Manager.
https://kb.netapp.com/onprem/ontap/da/NAS/How_to_log_into_ONTAP_CLI_with_an_Active_Directory_domain_account
Note: the domain tunnel is required for System Manager to use domain auth, even if it's not required for domain auth to the data SVM, because System Manager will be going through the cluster management LIF, not an SVM management LIF.
Thank you so much. I have one question: is that possible without creating a domain tunnel, or can we use the cluster admin vserver for creating the domain tunnel? Thank you.
You cannot, because the admin vserver cannot have a data protocol configured on it.
This is not necessarily true. There is a way, if I recall, using plain LDAP for login. It's certainly not as trivial to set up as a domain tunnel through an Active Directory/CIFS connection.
Please help me if you have some docs to configure LDAP authentication.
Thank you Michael. I have one question: in the command "vserver service name-service ldap client create -vserver Clustername" there is one flag called -ad-domain, and for this flag I see the option as "-", but when run in the environment it gives an error. Can you please help me on this? "ad-domain field is not valid".
Error is: -ad-domain field is not valid
the -ad-domain flag is mutually exclusive with -ldap-servers so make sure to only provide one. Oh and also if your ONTAP is very old, that flag probably doesn't exist yet. What ONTAP version are you running?
It’s running on 9.12.1P2
But as per the command, I'm entering ad-domain, not ldap-server, and that is "-" in the given command.
And also when we check "name-service ldap client show", there too, against Active Directory domain, there is "-".
Sorry, I don't understand completely what you mean. Do you mean you try using -ad-domain "-" or something like that?
Basically there are 2 ways to configure LDAP. One is to explicitly call out the LDAP servers (that's what -ldap-servers is used for). The other way is to simply re-use the DCs that are already configured in CIFS; that's what -ad-domain is used for. You can do either, it doesn't matter, both work, but if you have an AD domain in CIFS configured, using the -ad-domain parameter is simpler because you don't need to configure anything else besides the domain. But you could still set the DCs as LDAP servers explicitly using the -ldap-servers option.
Oh ok, I think they have given the wrong command in the KB article. @north whale, can you please comment?
Here is the command from the kb:
vserver services name-service ldap client create -vserver ClusterSVMname -client-config ADIDMU_ldap -session-security none -use-start-tls false -bind-dn username@domain.lab -ad-domain - -schema AD-IDMU -lab -min-bind-level anonymous -base-dn DC=domain,DC=lab -base-scope subtree -port 389
That appears to list every option. I am pretty sure you can just drop the -ad-domain argument. Plus, if the argument tab-completes with an option, then it is a default (like if you get to -port, the default is 389 and it auto-completes).
Most default options do not need to be specified because…well they are default
I have corrected the command in the KB. If "-ad-domain" is used, you need to specify an actual value instead of a hyphen ("-") like they had, or an empty string ("").
@north whale, there is one question in the command "vserver service name-service ldap client modify -bind-password": can you please help me with what password we need to use in this?
The password for the Bind DN (user) that was specified in the LDAP client configuration.
Can you help me understand what the benefits are of using a secure tunnel over LDAP for user authentication?
By secure tunnel do you mean domain tunnel? If so, that is a much easier way to configure domain users to manage the cluster than using LDAP, in my opinion. The LDAP configuration can be a bit tedious to get things set up properly, whereas the domain tunnel usually just works once configured. The LDAP configuration is available for customers that do not want or need to use Active Directory (AD), but can also be used with AD with the proper configuration.
Thanks! This was very helpful
Hello all, hello @kind meteor, so we are also trying to use cluster SSH authentication with an AD user but want to use only a called-out LDAP server (not a domain tunnel). We set up the LDAP config with bind user and DNS and checked that LDAP is working fine. We created the AD user in the cluster SVM with method "nsswitch" for ssh and http. The LDAP schema is "MS-AD-BIS". But it is still not possible to log in to the cluster with the AD user. With Getxxbyyy we got the error message "Failed to resolve xxx Reason: Entry not found for "username"". So we have no clue at the moment what is missing. Are there any settings required in the AD user object for UID or other Unix attributes? If yes, do you know how to do it and what is necessary? Thank you very much; everything regarding this topic is helpful. BR Marcel
Yes, because you can only do what you want by using a domain tunnel SVM.
Interesting, so I understood from your post before that both are possible, LDAP direct or domain join with tunnel? What did I miss, why is it not possible? Thx for clarifying a little bit. BR
Well you have to wait for someone at NetApp to answer this one. It's simply not possible, that's the way they designed it 🤷♂️
My post before was just about configuring LDAP for looking up users (e.g. usermapping, Unix UIDs, UID<->SID mapping etc.). I didn't realize you wanted to log in to your cluster using AD accounts.
Ok, thank you for the information. Interesting is that we have a NetApp case open; they are still searching for a solution but didn't say it is not working. Maybe someone from NetApp (@north whale) will comment here. Thx
What's the case number?
Hey Michael, the case is 2009946216. Pls have a look. Thx
Hello @north whale, have you had the chance to check the case? thx
Yes. It looks like the UNIX attributes are not defined in your LDAP server. Have you tried defining those for at least a test user to determine if that works or not?
Good morning @north whale
many thanks for your help.
Which are the missing attributes? Actually we don't have a uid or uidNumber defined in our AD. Is the uid just the sAMAccountName? So we only have to add the uid with the value of the sAMAccountName in our AD user? Or do we also need a uidNumber defined?
Best regards
uid, uidNumber, and gidNumber are required attributes for a user. The uid can be the sAMAccountName.
Good morning @north whale ,
many thanks for your support.
Yesterday we could solve our problems and it worked very well.
But... 🙂
Which numbers do we have to insert?
uid=sAMAccountName (here we inserted my sAMAccountName)
uidNumber= ? (We chose the random number 1100)
gidNumber= ? (We also chose the random number 1100)
There is no uidnumber defined in the systemshell. (Under cat /var/etc/passwd).
Best regards
You still need to link your Unix to some LDAP. Usually this is SSSD connecting to Microsoft AD, and then it pulls the same info.
There's an awesome Technical Report, TR-4887, by Justin Parisi that contains a very good description on how Multiprotocol access works. That, together with TR 4835, "LDAP in ONTAP" should give you all you need to know to implement it
It really sounds like you should be using a domain tunnel. These attributes do not need to be defined when using that configuration. Is there a specific reason that you want to use LDAP only? As far as what the values should be, as noted by @kind meteor above, there are good references available, but you all will need to choose what values fit your environment.
I think OP is confusing the LDAP settings that are used for usermapping (i.e. the LDAP schema etc.) with the AD join / domain tunnel, which is used for logging into the cluster with AD accounts. Those are two separate things that are not related to each other.
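An added example, not from any poster in this thread or from NetApp: a small Python checker that reads a constructed LDIF export of AD user and group objects and reports which users lack the uid, uidNumber and gidNumber attributes @north whale says are required, which is the kind of gap behind the "Entry not found" result Marcel saw. All sample values (names, DNs, numbers) are invented.

```python
# Constructed sample LDIF (invented values): two AD users and one group, as exported before pointing an ONTAP LDAP client (MS-AD-BIS schema) at AD.
SAMPLE_LDIF = """\
dn: CN=Marcel,OU=Users,DC=example,DC=lab
objectClass: user
sAMAccountName: marcel
uid: marcel
uidNumber: 1100
gidNumber: 1100

dn: CN=Tester,OU=Users,DC=example,DC=lab
objectClass: user
sAMAccountName: tester

dn: CN=storage-admins,OU=Groups,DC=example,DC=lab
objectClass: group
gidNumber: 1100
"""
REQUIRED_USER_ATTRS = ("uid", "uidnumber", "gidnumber")  # RFC 2307 attributes a user entry needs; compared lowercased

def parse_ldif(text):
    """Split a flat LDIF dump into dicts of lowercased attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_posix_attrs(text):
    """Return problem strings for user entries; an empty list means every user can be resolved."""
    entries = parse_ldif(text)
    users = [e for e in entries if "user" in e.get("objectclass", [])]
    group_gids = {e["gidnumber"][0] for e in entries if "group" in e.get("objectclass", []) and "gidnumber" in e}
    seen_uidnumbers, problems = {}, []
    for u in users:
        name = u.get("samaccountname", ["?"])[0]
        missing = [a for a in REQUIRED_USER_ATTRS if a not in u]
        if missing:
            problems.append(f"{name}: missing {', '.join(missing)}")
            continue  # nothing else to validate until the attributes exist
        uidnum, gidnum = u["uidnumber"][0], u["gidnumber"][0]
        if uidnum in seen_uidnumbers:  # two users sharing a uidNumber get the same UNIX identity
            problems.append(f"{name}: uidNumber {uidnum} already used by {seen_uidnumbers[uidnum]}")
        seen_uidnumbers[uidnum] = name
        if gidnum not in group_gids:  # the primary group must exist as a group object with that gidNumber
            problems.append(f"{name}: gidNumber {gidnum} matches no group object")
    return problems
```

Run `check_posix_attrs(SAMPLE_LDIF)` to see that only the "tester" entry is flagged; point it at a real ldifde/ldapsearch export to find users that will fail the lookup before they try to log in.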
Could you help me too?
I need to log in to ONTAP for cluster management only.
I don't need to work with NFS or CIFS data through LDAP or Active Directory.
How do I configure LDAP authentication without joining the domain using a CIFS server?
TR-4835
You can also use LDAP for identity management for cluster administration logins, but this document does not cover the scope of that use. For LDAP use with cluster logins, see the product documentation.
Ontap version: 9.15.1P2
We have Microsoft AD, but I wouldn't like to join storage there.
Do this
Create auth svm
Vserver create -vserver auth
Vserver remove-protocol -vserver auth -proto *
Net int create -vserver auth -address 192.168.101.5 -netmask 255.255.255.0 -auto true -service-policy default-management -home-port e0M -home-node node-01 -failover-policy broadcast-domain-wide
route create -vserver auth -dest 0.0.0.0/0 192.168.101.1
DNS create -vserver auth -domain example.com -ip 192.168.201.10,192.168.202.10
Vserver Active-directory create -vserver auth -account-name auth -domain example.com
Security login domain-tunnel create -vserver auth
Security login create -user "example\NetApp admins" -authentication domain -app ontapi
Security login create -user "example\NetApp admins" -authentication domain -app http
Security login create -user "example\NetApp admins" -authentication domain -app ssh
Do something like that. No CIFS SVM needed. It creates an Active Directory object called auth,
then does a domain tunnel. I do this all the time with customers. Easy. More secure.
Thank you. It's a good way, but it still requires registering in the domain.
Is there any way not to register/join the storage in the domain?
It’s nothing more than an ad object. It can’t serve data.
Have someone create the machine account in the Computers OU. Then, if needed, have a domain admin own the object. It's a member server with no capability to serve data.
If you need/want external login, you must register with something (ad or ldap for instance)