Active IQ Unified Manager Discussions

LDAP Configuration

General
16,235 Views

Hello All,

 

I'm curious, is the LDAP setup for a Clusterd 9.x environment only done per SVM?

 

I got to believe you can setup LDAP for the login into the storage array somewhere.

 

Meaning, if you want to be able to access the storage array at  "<FQDN>/sysmgr/SysMgr.html" with your AD account, how is that done?

 

I notice when I go into the GUI and find the LDAP section under "Configuration > Serices" but it appears that section is only listing what has been setup somewhere else and it not editable.

 

 

 

35 REPLIES 35

Ontapforrum
12,074 Views

Hi,

 

You can add 'LDAP client configuration' at the Cluster level (Admin SVM) or the SVM level.

 

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.onc-sm-help-960%2FGUID-135F6A57-6050-4573-A569-D8407792A7B8.html&lang=en


@Cluster Level: When you log-in, on the landing page, there is configuration tab next to 'Protection': It does give an option to add LDAP client.


We don't use LDAP, hence I cannot 100% comment on why it cannot be edited, but I see there is command for editing, which suggest its possible:


::> vserver services ldap client modify -client-config

 

Some useful kBs:
https://kb.netapp.com/app/answers/answer_view/a_id/1071273/loc/en_US (Check out this)
https://kb.netapp.com/app/answers/answer_view/a_id/1029712/loc/en_US
https://kb.netapp.com/app/answers/answer_view/a_id/1005361/loc/en_US
https://kb.netapp.com/app/answers/answer_view/a_id/1007165/loc/en_US

General
12,016 Views

Well the first link you sent seems pretty easy but for whatever reason I can't seem to fins the small gear icon being called in within the steps for cluster level.

 

I'm running NetApp Release 9.2P3 but I wouldn't think that should make a difference.

 

Steps

  1. Add an LDAP client configuration by using one of the following methods:
    • Cluster level: click  > LDAP.
    • SVM level: click SVM > SVM Settings > LDAP Client.
  2. Click Add.
  3. Type the name of the LDAP client.
  4. Add either the Active Directory domain or the LDAP server.
  5. Click  (advanced options), select the Schema, and click Apply.
  6. Specify the Base DN and TCP Port.
  7. Click Binding, and then specify the authentication details.
  8. Click Save and Close.
  9. Verify that the LDAP client that you added is displayed.

Ontapforrum
11,999 Views

Yes, it should be fairly straight forward. The GUI could be different for 9.2. You can even do it via CLI. I think there is lot of documentation for ontap 9 around it. If you cannot find it, could you send me the screenshot where you are looking at ?

General
11,979 Views

I would think it would be the same as well. 

 

I'm easing my way into the CLI as I'm still learning NetApp storage. I would send a screenshot but I'm simply lpooking at the opening landing page for NetApp GUI.

 

Let's just say I was going to set it up using CLI - from what I gaher it's just teh following. Adding the LDAP URI (server) and then enabling LDAP for cluster.

 

That seems to be what I have found.

 

Add Servers:

cluster1::> vserver services name-service ldap client create
-vserver cluster1 -client-config corp -servers 172.16.0.100,172.16.0.101

 

Enable LDAP:

cluster1::> vserver services name-service ldap create
-vserver cluster1 -client-config corp -client-enabled true

 

I asl ohave some 8.x cluster to make the change for and that I have not found the command syntax yet.

Ontapforrum
11,970 Views

No worries. Give it a try and if you need any information let us know.

 

How to set up and configure LDAP for Clustered Data ONTAP 8.x
https://kb.netapp.com/app/answers/answer_view/a_id/1033453

General
11,842 Views

Do you have the steps for 9.x or is it the same as 8.x?

Ontapforrum
11,839 Views

Please take a look a these links:

 

How to configure LDAP Authentication for Cluster (Admin) SVM (9/9.1/9.2)
https://kb.netapp.com/app/answers/answer_view/a_id/1074006


How to authenticate clustered Data ONTAP administrators against an LDAP or NIS server (8,8.2,8.3)
https://kb.netapp.com/app/answers/answer_view/a_id/1030834

 

Using LDAP (ontap 9.x)
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-nfs-cg%2FGUID-29A25FED-EAD5-41A2-909B-54AB9AD2C0EE.html

General
11,826 Views

Why are there so many links to just configure LDAP? They all slightly look differnt as well. I simply want to allow AD users to log into the storage arrays. Also, what is the nsswitch for and why is this needed?

 

I guess just tell me this, is we only want cluster level LDAP enabled, then we must use the "Admin" SVM correct?

bkamil
11,817 Views

I assume you already have at least one SVM joined to AD?

If yes, then it should be as simple as:
1) Create a domain tunnel with "security login domain-tunnel create"
2) Allow users or groups to login to your cluster by executing "security login create" with "-authentication-method" paremeter set to "domain". On admin SVM in your case, yes.

Hope that helps.

General
11,614 Views

I have all of my SVM's joined to AD but they are not setup for LDAP. 

 

I simply want users to be able to login into the storage array "sysmgr" and that's it. I don't want LDAP "per" SVM, only at the cluster. 

 

Sp the stpoes you mentioned wouldn't apply to me.  The point of LDAP is using Security Groups, not individual users and that's what the commandyou provided seems to do.

bkamil
11,604 Views

"security login create" works fine with AD groups. Including the cluster level / admin SVM.
Try to do what I suggested and let us know if you get stuck.

General
11,597 Views

Well, I'm trying to run it but on my 8.2 I can't get into advanced mode by running "set -privilege advanced". Which is weird.

General
11,592 Views

Nevermind I got it in advanced mode. Now let's see if all the rest works.

Ontapforrum
11,330 Views

🙂 ...it even takes shortcut , for example :

::> set adv

Warning: These advanced commands are potentially dangerous; use them only when
directed to do so by NetApp personnel.
Do you want to continue? {y|n}:

General
10,383 Views

Well, I can't find the admin vserver. The "vserver show" command seems to not exist. So I'm stuck there actually. This 8.x is extermely differnt from 9.x and most of the documentation online for 8.x commands don't really work which is odd.

Ontapforrum
10,367 Views

vserver show should be there.

 

https://library.netapp.com/ecmdocs/ECMP1511539/html/vserver/show.html

 

Is it possible for you to show us the screenshot.

 

admin vserver is simply your 'cluster_name'.   We call it vserver 'type' as 'Admin'.

General
10,361 Views

here is the screenshot.

 

2019-10-02_9-02-55.png

General
10,513 Views

I have 2 things going on here.

 

1. I need to configure LDAP for 8.2 ONTAP.

 

2. I need to configure LDAP for 9.3 ONTAP.

 

The commands for security login create I'm sure will work for 9.3, but they don't seem to be working for 8.2.

 

 

General
10,501 Views

Keep in mind when I log into the CLI for 8.2 I use "root". Never have I been able to login as "admin". Could that be the reason I don't see th correct commands?

 

How do I see and/or change the "admin" password if so, beacuse I have no clue what it is, that was before my time when this cluster was setup.

Ontapforrum
10,499 Views

Omg...that's 7-mode...lol. last version of the 7- mode ontap.

Public