How to configure LDAP Authentication for Cluster (Admin) SVM
Applies to
ONTAP 9
Description
- This KB assumes that a mechanism is already in place to replicate passwords between the Windows user database and the LDAP UNIX attributes.
- This is not the default configuration, and because IDMU (Identity Management for Unix) is deprecated, third-party software may be needed.
- Consider configuring domain-tunnel to use any SVM joined to a domain to authenticate domain users.
- With domain-tunnel, a native Windows authentication mechanism is used.
- The procedure below lists the steps required to configure LDAP Authentication for the Cluster (Admin) SVM in ONTAP 9.
- This will allow the use of UNIX credentials stored in Windows AD LDAP for an administrative authentication (ssh, ontapi, web) to ONTAP.
- Note: Microsoft deprecation of Identity Management for Unix
- Contact Microsoft for further details
- As this is an example, make sure that the settings and values you use match your environment.
Prerequisite:
- On the ONTAP side, make sure the configured schema and its attributes reflect exactly what is configured in the Active Directory schema. Copy one of the read-only schemas and modify it appropriately.
- LDAP schema configuration examples: How to configure RFC 2307bis for Windows
- If you are not sure about the AD schema details, consult your Domain Admin.
- Alternatively, connect to Active Directory, open the "Active Directory Users and Groups" MMC Snap-In, enable the "Advanced Features" under the "View" menu and examine the attributes for a user - "Properties > Attribute Editor".
- For more information, best practices or troubleshooting steps, refer to: Secure Unified Authentication Kerberos, NFSv4, and LDAP in ONTAP
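Added example, not part of this KB: a POSIX shell check that inspects one user's LDIF record for the RFC 2307bis UNIX attributes an ONTAP LDAP schema expects (uid, uidNumber, gidNumber, unixHomeDirectory, loginShell), so a mismatch is found before the ONTAP side is configured. The LDIF record, the user jdoe and the domain example.test are constructed sample data; the commented ldapsearch call is how the same record would be fetched from a live domain controller.

```shell
#!/bin/sh
# Constructed sample LDIF, shaped like 'ldapsearch -LLL' output for one AD user.
# loginShell is deliberately absent to show a schema mismatch being detected.
SAMPLE_LDIF='dn: CN=jdoe,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: jdoe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/jdoe
'

# RFC 2307bis attributes that must be populated for ONTAP to resolve the user.
REQUIRED_ATTRS='uid uidNumber gidNumber unixHomeDirectory loginShell'

# ldif_attr LDIF NAME -> prints the first value of attribute NAME (empty if absent).
# Attribute names are compared case-insensitively, as LDAP does.
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" -F': ' 'tolower($1)==tolower(a){print $2; exit}'
}

# check_unix_attrs LDIF -> prints one "missing: NAME" or "not numeric: NAME"
# line per problem; returns 0 only when the record satisfies the schema.
check_unix_attrs() {
    rc=0
    for attr in $REQUIRED_ATTRS; do
        val=$(ldif_attr "$1" "$attr")
        [ -z "$val" ] && { echo "missing: $attr"; rc=1; }
    done
    # uidNumber and gidNumber must be integers, otherwise ONTAP cannot map them.
    for attr in uidNumber gidNumber; do
        val=$(ldif_attr "$1" "$attr")
        case "$val" in
            *[!0-9]*) echo "not numeric: $attr"; rc=1 ;;
        esac
    done
    return $rc
}

# Against a live domain (assumed ldapsearch from OpenLDAP tools, LDAPS on 636):
#   ldapsearch -LLL -H ldaps://dc.example.test -D "$BIND_DN" -W \
#     -b "DC=example,DC=test" "(sAMAccountName=jdoe)" $REQUIRED_ATTRS
if check_unix_attrs "$SAMPLE_LDIF"; then
    echo "UNIX attributes complete"
else
    echo "schema mismatch: fix the attributes above in AD before configuring ONTAP"
fi
```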