We utilize an authentication source that produces passwd and netgroup files for Unix-based authentication. We are currently manually importing the files via the following commands from the ONTAP console:
vserver services name-service unix-user load-from-uri -vserver <vserver> -uri <path to file>
vserver services name-service unix-group load-from-uri -vserver <vserver> -uri <path to file>
I would like to automate this process in some form, but so far I have not been able to come up with a solution. Looking for any thoughts. REST, local scripts that can be scheduled, etc.
4 REPLIES 4
Hi there! There is an API endpoint, detailed at https://docs.netapp.com/us-en/ontap-restapi/ontap/name-services_unix-users_endpoint_overview.html#creating-a-unix-user-configuration-with-all-fields-s...- however it looks like you'd need to develop something to retrieve a list of users and then update/delete as necessary.
Another option would be to just CLI passthrough to the same command you're using now - https://docs.netapp.com/us-en/ontap-restapi//ontap/getting_started_with_the_ontap_rest_api.html#Tagging_Resources_for_Tracking_Purposes:~:text=4d37%2D... - but it is not the recommended way to do things.
And finally, the most old-school way would be to set up SSH key authentication and run the command whenever the passwd/group file is detected as updated - https://docs.netapp.com/us-en/ontap/system-admin/access-cluster-ssh-task.html - but there are security risks inherent here.
Hope this helps!
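The SSH approach from the reply above, sketched as an added example (not part of the original post and not NetApp code): it refuses malformed passwd files, loads only when the file's hash has changed, and builds the `load-from-uri` command quoted in the question. `CLUSTER`, `SSH_KEY`, `STATE_DIR`, the function names and the URI are assumptions.

```shell
#!/usr/bin/env bash
# Added example: validate, detect change, then load a passwd file over SSH.
# Hypothetical names: CLUSTER, SSH_KEY, STATE_DIR and every function below.
CLUSTER="${CLUSTER:-admin@cluster.example}"      # placeholder login
SSH_KEY="${SSH_KEY:-$HOME/.ssh/ontap_loader}"    # key dedicated to this job
STATE_DIR="${STATE_DIR:-/var/tmp/ontap-loader}"  # hashes of last-loaded files

# Accept only well-formed passwd lines: 7 fields, safe name, numeric UID/GID,
# no duplicate names. One bad line rejects the whole file.
validate_passwd() {
  awk -F: '
    NF != 7                              { bad = 1 }
    $1 !~ /^[A-Za-z_][A-Za-z0-9_.-]*$/   { bad = 1 }
    $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { bad = 1 }
    seen[$1]++                           { bad = 1 }
    END { exit bad + 0 }' "$1"
}

state_file() { printf '%s/%s.sha256' "$STATE_DIR" "$(basename "$1")"; }

# Return 0 when the file differs from the copy that was last loaded.
has_changed() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" != "$(cat "$(state_file "$1")" 2>/dev/null)" ]
}

record_loaded() {
  mkdir -p "$STATE_DIR"
  sha256sum "$1" | cut -d' ' -f1 > "$(state_file "$1")"
}

# Build the command from the thread. Args: vserver, unix-user|unix-group, URI.
# Values containing anything outside a conservative character set are refused,
# so nothing extra can ride along in the remote command line.
build_load_cmd() {
  case "$2" in unix-user|unix-group) ;; *) return 1 ;; esac
  case "$1$3" in ''|*[!A-Za-z0-9_./:@%-]*) return 1 ;; esac
  printf 'vserver services name-service %s load-from-uri -vserver %s -uri %s' "$2" "$1" "$3"
}

# Args: vserver, local passwd file, URI the cluster fetches that file from.
sync_passwd() {
  has_changed "$2" || return 0
  validate_passwd "$2" || { echo "refusing to load malformed $2" >&2; return 2; }
  cmd=$(build_load_cmd "$1" unix-user "$3") || return 3
  # BatchMode makes ssh fail instead of prompting when run from a scheduler.
  ssh -i "$SSH_KEY" -o BatchMode=yes "$CLUSTER" "$cmd" && record_loaded "$2"
}

if [ "${1:-}" = "run" ]; then sync_passwd "$2" "$3" "$4"; fi
```

Scheduled as `script run <vserver> <local file> <uri>`, the hash is recorded only after the remote command succeeds, so a failed load is retried on the next run.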
Thank you for the information. I should have been a little more descriptive. We are not using local accounts, but loading them from a file:
Option 1: API Endpoint: Call: https://XXX/api/name-services/unix-users/<UID of SVM>
Returns:
"error": {
"message": "Cannot display the UNIX users because file-only configuration is enabled. Use the CLI to view the UNIX user file.",
"code": "1264685"
}
B: CLI passthrough. Same thing, no option for the file loaded users: error:
Cannot display the UNIX users because file-only configuration is enabled. "Use the CLI to view the UNIX user file"
Looks like Passthrough might be the only option.
Quite likely. Or you could look at setting up NIS or NIS+.. although it's now 2025 and I can't believe I'm suggesting that 😉
I agree, our security department went back in time on an authentication provider.
