ONTAP Discussions

AD Authentication onto the cluster

chris_mckean
7,838 Views

Hi All,

I'm looking to integrate our clusters into AD so that when we log into the CLI/GUI we can do so with our AD logons. Maybe I'm missing something, but the only thing I can see in the documentation is that you can set up a domain tunnel from a data vserver. This isn't what I'm after, as when you log onto the CLI to admin the filer you log in to the cluster vserver. I've not really seen much mention of RADIUS apart from using it as the authentication method for CHAP with iSCSI.

Could anyone point me in the right direction for getting ONTAP 8.3.2 working with AD logons for the cluster-level CLI?

Cheers

Chris

1 ACCEPTED SOLUTION

JGPSHNTAP
7,793 Views

There is only one domain-tunnel for the entire cluster. It will service all your AD requests.

We don't allow SSH directly to our SVMs; everything is done to the cluster, and unless you are doing secure multitenancy, I would recommend that.

7 REPLIES 7

JGPSHNTAP
7,826 Views

On our clusters, we set up dedicated domain tunnel vservers. The CLI functions of the domain need to pass through this vserver. The reason we chose to dedicate a vserver was for our SVM-DR and all that; we didn't want to have to remember to move the domain tunnel.

That's part one, and then on security login you need to create the group which you want to have SSH access.

You cannot do priv/pub key.

chris_mckean
7,819 Views

Hi,

How does that work then? So you have a dedicated vserver just for the domain tunnel. Let's call that VS_TUN. Your cluster mgmt IP lives in your cluster vserver. Let's call that VS_CLUS.

So when I want to log into the cluster CLI to create a volume in any of the vservers, I'd log onto the cluster mgmt IP which lives in VS_CLUS. Doesn't that mean you can't do the AD logon piece, otherwise you'd be logging onto a data vserver where you wouldn't have full control over the cluster?

Or am I misunderstanding you?

Cheers

Chris

JGPSHNTAP
7,808 Views

You should always be logging into the cluster via the cluster management IP.

Let's say you log into svm_mgt with your domain creds (userid / password).

That will get funnelled over to the domain tunnel SVM and you will get in. But you need to have your security login set up as well with SSH for your admin groups.

chris_mckean
7,798 Views

But if I log into any SVM other than the cluster SVM, I can only control that SVM that I've logged into. I get how the AD auth works with the tunnel on those SVMs, but I want to know if there is a way to log on to the cluster SVM and have an AD tunnel or similar set up.

Cheers

Chris

JGPSHNTAP
7,794 Views

There is only one domain-tunnel for the entire cluster. It will service all your AD requests.

We don't allow SSH directly to our SVMs; everything is done to the cluster, and unless you are doing secure multitenancy, I would recommend that.

AlexDawson
7,728 Views

As JGPSHNTAP says, this is how it works: the "tunnel" part of the domain-tunnel is a key concept to keep in mind. The cluster SVM talks to AD via the configured data SVM, through the domain-tunnel. With ONTAP 9.3, we also support two-factor authentication (2FA) via this method.
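The two-part setup the replies above describe (one domain tunnel on a data SVM, then `security login` entries on the cluster SVM for the AD group), written out as clustershell commands. This is an added example, not from the thread or from NetApp; it uses the ONTAP 8.3 parameter spelling `-authmethod`, and the cluster name `cluster1`, the tunnel SVM `svm_tun` and the AD group `EXAMPLE\ontap-admins` are assumptions. The tunnel SVM must already have a CIFS server joined to the domain, which the `vserver cifs show` line is there to confirm.

```console
cluster1::> vserver cifs show -vserver svm_tun
cluster1::> security login domain-tunnel create -vserver svm_tun
cluster1::> security login domain-tunnel show
cluster1::> security login create -vserver cluster1 -user-or-group-name "EXAMPLE\ontap-admins" -application ssh -authmethod domain -role admin
cluster1::> security login create -vserver cluster1 -user-or-group-name "EXAMPLE\ontap-admins" -application http -authmethod domain -role admin
cluster1::> security login create -vserver cluster1 -user-or-group-name "EXAMPLE\ontap-admins" -application ontapi -authmethod domain -role admin
cluster1::> security login show -vserver cluster1 -authmethod domain
```

The `-vserver` on the `security login create` lines is the cluster SVM, not the tunnel SVM; that is the point Chris was missing, and it is why a single tunnel serves logins to the cluster management LIF. The `http` and `ontapi` entries cover the System Manager GUI, since `ssh` only grants the CLI. Domain accounts then log in as `EXAMPLE\username` against the cluster management IP; as JGPSHNTAP notes, they cannot use public-key authentication, so any key-based automation accounts stay as local `password`/`publickey` logins with the least role they need.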

chris_mckean
7,712 Views

Hi JGPSHNTAP,

This is now working, thanks. I guess what I wasn't clear about is that the tunnel has to be attached to a data SVM, but then this allows domain authentication to work on any SVM on that cluster. I thought that if you set the tunnel up on SVM01 then it only enabled domain authentication on that SVM.

Cheers

Chris
