2018-01-18 05:24 AM
I'm looking to integrate our clusters into AD so that when we log into the CLI/GUI we can do so with our AD logons. Maybe I'm missing something, but the only thing I can see in the documentation is that you can set up a domain tunnel from a data vserver. This isn't what I'm after, as when you log onto the CLI to admin the filer you log in to the cluster vserver. I've not really seen much mentioned of RADIUS apart from using that as the authentication method for CHAP with iSCSI.
Could anyone point me in the right direction for getting ONTAP 8.3.2 working with AD logons for the cluster-level CLI?
2018-01-18 05:37 AM
On our clusters, we set up dedicated domain tunnel vservers. The CLI functions of the domain need to pass through this vserver. The reason why we chose to dedicate a vserver was for our SVM-DR and all that; we didn't want to remember to move the domain tunnel.
That's part one, and then in security login you need to create the group which you want SSH access to.
You cannot do priv/pub key.
2018-01-18 05:52 AM
How does that work then? So you have a dedicated vserver just for the domain tunnel. Let's call that VS_TUN. Your cluster mgmt IP lives in your cluster vserver. Let's call that VS_CLUS.
So when I want to log into the cluster CLI to create a volume in any of the vservers, I'd log onto the cluster mgmt IP which lives in VS_CLUS. Doesn't that mean you can't do the AD logon piece? Otherwise you'd be logging onto a data vserver where you wouldn't have full control over the cluster.
Or am I misunderstanding you?
2018-01-18 06:21 AM
You should always be logging into the cluster via the cluster management IP.
Let's say you log into svm_mgt with your domain creds (userid / password);
that will get funnelled over to the domain tunnel SVM and you will get in. But you need to have your security login set up as well, with SSH for your admin groups.
2018-01-18 06:40 AM
But if I log into any SVM other than the cluster SVM, I can only control that SVM that I've logged into. I get how the AD auth works with the tunnel on those SVMs, but I want to know if there is a way to log on to the cluster SVM and have an AD tunnel or similar set up.
2018-01-18 06:47 AM
There is only one domain-tunnel for the entire cluster. It will service all your AD requests.
We don't allow SSH directly to our SVMs; everything is done to the cluster, and unless you are doing secure multitenancy, I would recommend that.
2018-01-21 08:11 PM
As JGPSHNTAP says, this is how it works. The "tunnel" part of the domain-tunnel is a key concept to keep in mind: the cluster SVM talks to AD via the configured data SVM, through the domain-tunnel. With ONTAP 9.3, we also support two-factor authentication (2FA) via this method.
2018-01-22 01:15 AM
This is now working, thanks. I guess what I wasn't clear about is that the tunnel has to be attached to a data SVM, but then this allows domain authentication to work on any SVM on that cluster. I thought that if you set the tunnel up on SVM01 then it only enabled domain authentication on that SVM.
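The configuration the replies above describe (one domain tunnel on a CIFS-enabled data SVM, plus `security login` entries on the cluster SVM), written out as an added example. This is not from any poster in the thread; the SVM names VS_TUN and VS_CLUS come from the question, and the AD domain EXAMPLE, the group EXAMPLE\ontap-admins, the user alice and the hostname are constructed for illustration.

```text
# Assumed/constructed: cluster SVM VS_CLUS, CIFS-enabled data SVM VS_TUN,
# AD domain EXAMPLE, AD group EXAMPLE\ontap-admins.

# 1. The tunnel SVM must already have a CIFS server joined to the domain;
#    the tunnel reuses that SVM's machine account to reach AD.
VS_CLUS::> vserver cifs show -vserver VS_TUN -fields cifs-server,domain

# 2. Designate VS_TUN as the cluster's single domain tunnel.
VS_CLUS::> security login domain-tunnel create -vserver VS_TUN
VS_CLUS::> security login domain-tunnel show

# 3. Grant the AD group access on the CLUSTER SVM, not on VS_TUN.
#    One entry per application: ssh for the CLI, ontapi for System Manager.
VS_CLUS::> security login create -vserver VS_CLUS -user-or-group-name "EXAMPLE\ontap-admins" -application ssh -authmethod domain -role admin
VS_CLUS::> security login create -vserver VS_CLUS -user-or-group-name "EXAMPLE\ontap-admins" -application ontapi -authmethod domain -role admin

# 4. Verify what is granted, then log in against the cluster management LIF.
VS_CLUS::> security login show -vserver VS_CLUS -authmethod domain

$ ssh "EXAMPLE\alice@cluster-mgmt.example.com"
```

Two practical checks follow from the thread. First, because there is exactly one tunnel per cluster, every domain login to VS_CLUS depends on VS_TUN being up and still joined to the domain; deleting that SVM, failing it over with SVM-DR, or removing its CIFS server silently breaks cluster-level AD logins, which is why the reply above keeps a dedicated tunnel SVM. Second, keep at least one local `password`-authmethod admin account on the cluster SVM so that you can still reach the CLI when AD or the tunnel SVM is unavailable.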