topic Re: Loading user and netgroup files in ONTAP Discussions

Loading user and netgroup files

trever417 — Thu, 09 Jan 2025 16:01:29 GMT

We utilize an authentication source that produces passwd and netgroup files for unix based authentication. We are currently manually importing the files via the following commands from the ontapp console:

vserver services name-service unix-user load-from-uri -vserver <vserver> -uri <path to file>
vserver services name-service unix-group load-from-uri -vserver <vserver> -uri <path to file>

I would like to automate this process in some form, but so far I have not been able to comeup with a solution. Looking for any thoughts. REST, local scripts that can be scheduled...etc.....

Re: Loading user and netgroup files

AlexDawson — Fri, 10 Jan 2025 08:14:26 GMT

Hi there! There is an API endpoint, detailed at https://docs.netapp.com/us-en/ontap-restapi/ontap/name-services_unix-users_endpoint_overview.html#creating-a-unix-user-configuration-with-all-fields-specified - however it looks like you'd need to develop something to retrieve a list of users and then update/delete as necessary.

Another option would be to just CLI passthrough to the same command you're using now - https://docs.netapp.com/us-en/ontap-restapi//ontap/getting_started_with_the_ontap_rest_api.html#Tagging_Resources_for_Tracking_Purposes:~:text=4d37%2D8150%2D87ee15983696%22-,Using%20the%20private%20CLI%20passthrough%20with%20the%20ONTAP%20REST%20API,-REST%20API%20access - but it is not the recommended way to do things.

And finally, the most old-school way would be to setup SSH key authentication and run the command whenever the passwd/group file is detected as updated - https://docs.netapp.com/us-en/ontap/system-admin/access-cluster-ssh-task.html - but there are security risks inherent here

Hope this helps!

Re: Loading user and netgroup files

trever417 — Fri, 10 Jan 2025 14:17:06 GMT

Thank you for the information. I should have been a little more discriptive. We are not using local accounts, but loading them from a file:

Option 1: API Endpoint: Call: https://XXX/api/name-services/unix-users/<UID of SVM>

Returns:

"error": {
"message": "Cannot display the UNIX users because file-only configuration is enabled. Use the CLI to view the UNIX user file.",
"code": "1264685"
}
B: CLI passthough. Same thing, no opttion for the file loaded users: error:
Cannot display the UNIX users because file-only configuration is enabled. "Use the CLI to view the UNIX user file"

Looks like Passthrough might be the only option.

Re: Loading user and netgroup files

AlexDawson — Mon, 13 Jan 2025 03:03:19 GMT

Quite likely. Or you could look at setting up NIS or NIS+.. although it's now 2025 and I can't believe I'm suggesting that 😉

Re: Loading user and netgroup files

trever417 — Mon, 13 Jan 2025 12:47:40 GMT

I agree, our security department went back in time on an authentication provider.