NetApp Knowledge Base

How to configure System Manager for authentication using domain user or group

Category: ontap-system-manager
Specialty: om
Last Updated: 5/14/2025, 7:08:57 AM

LDAPS (LDAP over SSL or TLS)

 

Applies to

Description

  • Active Directory users and groups can be used to authenticate into ONTAP System Manager.
  • When configuring a group, members of the group will be allowed to authenticate without having to create an entry for each group member.

Procedure

Prerequisites:
  • The cluster admin vserver must have a configured domain tunnel or LDAP client prior to adding users.

  • Review the domain tunnels and LDAP clients documentation for more information on how to configure them.

Steps:
  • To add a System Manager user for AD or LDAP authentication from within the System Manager UI

    1. In System Manager, navigate to Cluster > Settings, then click System Manager for authentication using domain user or group in the Users and Roles tile
    2. Click the Validate configured Domain or LDAP users/groups button
    3. Select System Manager as TARGET PRODUCT, HTTP as APPLICATION, and either Active Directory Domain (for AD) or Name Server Switch (for LDAP) as AUTHENTICATION method
  • To add a System Manager user for AD or LDAP authentication via ONTAP command line

    1. Use the security login create command to create a login method for the management utility:

       • Specify the http application type (for Web service requests)
       • Set the authentication method to "domain" for AD, or "nsswitch" for LDAP

    The following example demonstrates the security login create command for adding an entry that allows users to authenticate if they are a member of the "test_group" LDAP group within the "ocdomain" domain, using the nsswitch (LDAP) method option:

    security login create -user-or-group-name ocdomain\test_group -application http -authentication-method nsswitch -role admin -vserver admin_vserver

    The resulting entry, as listed by security login show:

    cluster1::> security login show  -user-or-group-name ocdomain\*
    Vserver: cluster1
                                                                     Second
    User/Group                 Authentication                 Acct   Authentication
    Name           Application Method        Role Name        Locked Method
    -------------- ----------- ------------- ---------------- ------ --------------
    ocdomain\test_group   http        nsswitch        admin            -      none

    1 entries were displayed.

    Figure 1: Login to System Manager via domain\username

 

  • Validate configured Domain or LDAP users/groups:
    • Via CLI:
      • Run the security login show command to view the output
    • Via System Manager:
      1. Log in to System Manager using the admin account
      2. To view the user or group entries in the UI, navigate to Cluster Settings, and then in the Security section, click the To view the user or group entries in the UI in the Users and Roles tile
      Figure 2: Settings > Users
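
The CLI validation step can be scripted when many entries need review. The following is an added example, not NetApp code: it parses security login show output in the column layout shown on this page and lists entries where AD or LDAP membership alone grants the admin role. The function names and the two extra sample rows are constructed for illustration.

```python
import re

# Constructed sample: the row shown on this page plus two made-up rows.
SAMPLE = r"""
cluster1::> security login show
Vserver: cluster1
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
admin          http        password      admin            no     none
ocdomain\test_group   http        nsswitch        admin            -      none
ocdomain\Storage Ops  ssh         domain          readonly         -      none

3 entries were displayed.
"""

DIRECTORY_METHODS = {"domain", "nsswitch"}  # AD and LDAP methods named on this page


def parse_login_show(text):
    """Return one dict per table row that follows the dashed header rule."""
    entries, vserver, in_table = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Vserver:"):
            vserver, in_table = line.split(":", 1)[1].strip(), False
        elif re.fullmatch(r"-+(\s+-+)+", line):
            in_table = True
        elif in_table and not line:
            in_table = False
        elif in_table:
            # Split from the right so names containing spaces stay intact.
            parts = line.rsplit(None, 5)
            if len(parts) == 6:
                keys = ("name", "application", "method", "role", "locked", "second")
                entries.append(dict(zip(keys, parts), vserver=vserver))
    return entries


def directory_admin_entries(entries):
    """Entries where directory membership alone grants the admin role."""
    return [e for e in entries
            if e["method"] in DIRECTORY_METHODS and e["role"] == "admin"]


if __name__ == "__main__":
    for e in directory_admin_entries(parse_login_show(SAMPLE)):
        print(f'{e["vserver"]}: {e["name"]} -> {e["role"]} via {e["method"]}/{e["application"]}')
```

For a group entry such as ocdomain\test_group, every current and future member of that directory group receives the listed role, so each flagged row is worth checking against the group's membership in AD or LDAP.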