I'm curious, is the LDAP setup for a Clusterd 9.x environment only done per SVM?
I got to believe you can setup LDAP for the login into the storage array somewhere.
Meaning, if you want to be able to access the storage array at "<FQDN>/sysmgr/SysMgr.html" with your AD account, how is that done?
I notice when I go into the GUI and find the LDAP section under "Configuration > Services", but it appears that section is only listing what has been set up somewhere else and it is not editable.
You can add 'LDAP client configuration' at the Cluster level (Admin SVM) or the SVM level.
@Cluster Level: When you log-in, on the landing page, there is configuration tab next to 'Protection': It does give an option to add LDAP client.
We don't use LDAP, hence I cannot 100% comment on why it cannot be edited, but I see there is a command for editing, which suggests it's possible:
::> vserver services ldap client modify -client-config
Some useful KBs:
https://kb.netapp.com/app/answers/answer_view/a_id/1071273/loc/en_US (Check out this)
Well, the first link you sent seems pretty easy, but for whatever reason I can't seem to find the small gear icon that is called out within the steps for cluster level.
I'm running NetApp Release 9.2P3 but I wouldn't think that should make a difference.
Yes, it should be fairly straightforward. The GUI could be different for 9.2. You can even do it via CLI. I think there is a lot of documentation for ONTAP 9 around it. If you cannot find it, could you send me a screenshot of where you are looking?
I would think it would be the same as well.
I'm easing my way into the CLI as I'm still learning NetApp storage. I would send a screenshot, but I'm simply looking at the opening landing page of the NetApp GUI.
Let's just say I was going to set it up using the CLI. From what I gather it's just the following: adding the LDAP URI (server) and then enabling LDAP for the cluster.
That seems to be what I have found.
cluster1::> vserver services name-service ldap client create
-vserver cluster1 -client-config corp -servers 172.16.0.100,172.16.0.101
cluster1::> vserver services name-service ldap create
-vserver cluster1 -client-config corp -client-enabled true
I also have some 8.x clusters to make the change for, and I have not found the command syntax for those yet.
Please take a look at these links:
How to configure LDAP Authentication for Cluster (Admin) SVM (9/9.1/9.2)
How to authenticate clustered Data ONTAP administrators against an LDAP or NIS server (8,8.2,8.3)
Why are there so many links to just configure LDAP? They all look slightly different as well. I simply want to allow AD users to log into the storage arrays. Also, what is the nsswitch for and why is this needed?
I guess just tell me this: if we only want cluster level LDAP enabled, then we must use the "Admin" SVM, correct?
Yes, you can simply use Cluster (Admin) SVM, instead of data SVM.
Regarding ns-switch, it is simply telling the SVM the order in which it should look up group/host/passwd information.
::*> vserver services name-service ns-switch show -vserver ClusterSVMname
Vserver Database Order
--------------- ------------ ---------
ClusterSVMname hosts files,dns
ClusterSVMname group ldap,files
ClusterSVMname passwd ldap,files
I assume you already have at least one SVM joined to AD?
If yes, then it should be as simple as:
1) Create a domain tunnel with "security login domain-tunnel create"
2) Allow users or groups to login to your cluster by executing "security login create" with the "-authentication-method" parameter set to "domain". On the admin SVM in your case, yes.
Hope that helps.
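As an added helper (example code, not NetApp's and not posted by anyone in the thread), this parses the ns-switch table shown above and emits the domain-tunnel/security-login sequence from the two steps just listed; the SVM names, the AD group name, the role and the application list are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the layout 'ns-switch show' prints in the thread.
NS_SWITCH_SAMPLE = """\
Vserver Database Order
--------------- ------------ ---------
ClusterSVMname hosts files,dns
ClusterSVMname group ldap,files
ClusterSVMname passwd ldap,files
"""


def parse_ns_switch(text: str) -> Dict[str, List[str]]:
    """Map each database (hosts/group/passwd) to its ordered list of sources."""
    order: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header row, the dashed rule and anything that is not a data row.
        if len(parts) != 3 or parts[0] == "Vserver" or parts[0].startswith("-"):
            continue
        _vserver, database, sources = parts
        order[database] = sources.split(",")
    return order


def ldap_lookup_gaps(order: Dict[str, List[str]]) -> List[str]:
    """LDAP-as-name-service route only: passwd and group must consult ldap."""
    return [db for db in ("passwd", "group") if "ldap" not in order.get(db, [])]


def domain_login_commands(admin_svm: str, tunnel_svm: str,
                          group_roles: Dict[str, str],
                          applications=("ssh", "http", "ontapi")) -> List[str]:
    """Domain-tunnel route: one tunnel on an AD-joined SVM, then one
    domain-authenticated entry per AD group and application on the admin SVM.
    Assumption: ssh covers the CLI, http/ontapi cover System Manager.
    Grant groups, not users, and pick the least-privilege role that fits."""
    cmds = [f"security login domain-tunnel create -vserver {tunnel_svm}"]
    for group, role in group_roles.items():
        if not re.fullmatch(r"[^\\\s]+\\[^\\]+", group):
            raise ValueError(f"expected DOMAIN\\group, got {group!r}")
        for app in applications:
            cmds.append(
                f"security login create -vserver {admin_svm} "
                f'-user-or-group-name "{group}" -application {app} '
                f"-authentication-method domain -role {role}"
            )
    return cmds
```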
So what about my systems that have NO CIFS, only FC?
How can I make this work for those, or do I have to create a data SVM with CIFS?
I'm learning more and more that NetApp really only uses LDAP for NFS authentication/access and not really for user access with AD.
AD is Microsoft's implementation of LDAP.
In most cases people use AD for authentication because it's being widely used in the organization anyway. If you don't have an AD-connected SVM on a cluster then yes, you need to create one and define it as the domain tunnel. It's quick and easy, and such an SVM does not even need to have any data volumes or shares defined (an empty/dummy SVM, if you will).
Having said that, it seems like there is actually a way to talk to AD as any other LDAP and use it in a way that, as you pointed out correctly, is typically used for NFS. You might want to check this out. I never used it myself like that, though:
Thanks @bkamil, I was able to get much of my AD authentication working. I simply now just need to create that dummy SVM for some systems that don't have an SVM running CIFS.
Thanks to everyone else for their helpful info as well!
I have all of my SVMs joined to AD but they are not set up for LDAP.
I simply want users to be able to log into the storage array "sysmgr" and that's it. I don't want LDAP "per" SVM, only at the cluster.
So the steps you mentioned wouldn't apply to me. The point of LDAP is using Security Groups, not individual users, and that's what the command you provided seems to do.