Active IQ Unified Manager Discussions

LDAP Configuration


Hello All,


I'm curious, is the LDAP setup for a Clusterd 9.x environment only done per SVM?


I got to believe you can setup LDAP for the login into the storage array somewhere.


Meaning, if you want to be able to access the storage array at  "<FQDN>/sysmgr/SysMgr.html" with your AD account, how is that done?


I notice when I go into the GUI and find the LDAP section under "Configuration > Serices" but it appears that section is only listing what has been setup somewhere else and it not editable.








You can add 'LDAP client configuration' at the Cluster level (Admin SVM) or the SVM level.

@Cluster Level: When you log-in, on the landing page, there is configuration tab next to 'Protection': It does give an option to add LDAP client.

We don't use LDAP, hence I cannot 100% comment on why it cannot be edited, but I see there is command for editing, which suggest its possible:

::> vserver services ldap client modify -client-config


Some useful kBs: (Check out this)


Well the first link you sent seems pretty easy but for whatever reason I can't seem to fins the small gear icon being called in within the steps for cluster level.


I'm running NetApp Release 9.2P3 but I wouldn't think that should make a difference.



  1. Add an LDAP client configuration by using one of the following methods:
    • Cluster level: click  > LDAP.
    • SVM level: click SVM > SVM Settings > LDAP Client.
  2. Click Add.
  3. Type the name of the LDAP client.
  4. Add either the Active Directory domain or the LDAP server.
  5. Click  (advanced options), select the Schema, and click Apply.
  6. Specify the Base DN and TCP Port.
  7. Click Binding, and then specify the authentication details.
  8. Click Save and Close.
  9. Verify that the LDAP client that you added is displayed.


Yes, it should be fairly straight forward. The GUI could be different for 9.2. You can even do it via CLI. I think there is lot of documentation for ontap 9 around it. If you cannot find it, could you send me the screenshot where you are looking at ?


I would think it would be the same as well. 


I'm easing my way into the CLI as I'm still learning NetApp storage. I would send a screenshot but I'm simply lpooking at the opening landing page for NetApp GUI.


Let's just say I was going to set it up using CLI - from what I gaher it's just teh following. Adding the LDAP URI (server) and then enabling LDAP for cluster.


That seems to be what I have found.


Add Servers:

cluster1::> vserver services name-service ldap client create
-vserver cluster1 -client-config corp -servers,


Enable LDAP:

cluster1::> vserver services name-service ldap create
-vserver cluster1 -client-config corp -client-enabled true


I asl ohave some 8.x cluster to make the change for and that I have not found the command syntax yet.


No worries. Give it a try and if you need any information let us know.


How to set up and configure LDAP for Clustered Data ONTAP 8.x


Do you have the steps for 9.x or is it the same as 8.x?


Please take a look a these links:


How to configure LDAP Authentication for Cluster (Admin) SVM (9/9.1/9.2)

How to authenticate clustered Data ONTAP administrators against an LDAP or NIS server (8,8.2,8.3)


Using LDAP (ontap 9.x)


Why are there so many links to just configure LDAP? They all slightly look differnt as well. I simply want to allow AD users to log into the storage arrays. Also, what is the nsswitch for and why is this needed?


I guess just tell me this, is we only want cluster level LDAP enabled, then we must use the "Admin" SVM correct?


Yes, you can simply use Cluster (Admin) SVM, instead of data SVM.


Regarding ns-switch, it is simply telling SVM to follow the order in which it should lookup for group/host/passwd infomration.

::*> vserver services name-service ns-switch show -vserver ClusterSVMname
Vserver Database Order
--------------- ------------ ---------
ClusterSVMname hosts files,dns
ClusterSVMname group ldap,files
ClusterSVMname passwd ldap,files


I assume you already have at least one SVM joined to AD?

If yes, then it should be as simple as:
1) Create a domain tunnel with "security login domain-tunnel create"
2) Allow users or groups to login to your cluster by executing "security login create" with "-authentication-method" paremeter set to "domain". On admin SVM in your case, yes.

Hope that helps.


Hey @bkamil  - Making the change won't liock me out of my system correct? I can always still be able to use the "admin" account like normal to access the storage array?



If you don't touch the "admin" account it will still be there.




So what my systems that have NO CIFS, only FC?


How can I make this work for those or I have to create a data SVM with CIFS?


I'm learning more and more that NetApp really only uses LDAP for NFS authentication/access and not really for user access with AD.


AD is Microsoft's implementation of LDAP.

In most cases people use AD for authentication because it's being widely used in the organization anyway. If you don't have AD-connected SVM on a cluster then yes, you need to create one and define it as domain tunnel. It's quick, easy and such an SVM does not even need to have any data volumes or shares defined (empty/dummy SVM, if you will).

Having said that, it seems like there is actually a way to talk to AD as any other LDAP and use it in a way that, as you pointed out correctly, is typically used for NFS. You might want to check this out. I never used it myself like that, though:


Thank @bkamil I was able to get much of my AD Authentication working. I simply now just need to create thjat dummy SVM for some systems that don't have an SVM running CIFS.


Thanks everyone else for their hlepful info as well!




@General  Thanks for the response! if you think any of the above reply have solved your issue then please consider markign it as solution so other can leverage it.






I have all of my SVM's joined to AD but they are not setup for LDAP. 


I simply want users to be able to login into the storage array "sysmgr" and that's it. I don't want LDAP "per" SVM, only at the cluster. 


Sp the stpoes you mentioned wouldn't apply to me.  The point of LDAP is using Security Groups, not individual users and that's what the commandyou provided seems to do.


"security login create" works fine with AD groups. Including the cluster level / admin SVM.
Try to do what I suggested and let us know if you get stuck.


Well, I'm trying to run it but on my 8.2 I can't get into advanced mode by running "set -privilege advanced". Which is weird.


Nevermind I got it in advanced mode. Now let's see if all the rest works.

NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner