EnableLdapAuthentication

You can use the EnableLdapAuthentication method to configure an LDAP directory connection for LDAP authentication to a cluster. Users that are members of the LDAP directory can then log in to the storage system using their LDAP credentials.

Parameters

This method has the following input parameters:

authType
  Identifies which user authentication method to use. Possible values:
    • DirectBind
    • SearchAndBind
  Type: string. Default value: SearchAndBind. Required: No.

groupSearchBaseDN
  The base DN of the tree to start the group subtree search.
  Type: string. Default value: None. Required: No.

groupSearchType
  Controls the default group search filter used. Possible values:
    • NoGroups: No group support.
    • ActiveDirectory: Nested membership of all of a user's Active Directory groups.
    • MemberDN: MemberDN style groups (single level).
  Type: string. Default value: ActiveDirectory. Required: No.

serverURIs
  A comma-separated list of LDAP server URIs. For example, "ldap://1.2.3.4" and "ldaps://1.2.3.4:123".
  Type: string array. Default value: None. Required: Yes.

userSearchBaseDN
  The base DN of the tree to start the subtree search. This parameter is required when using an authType of SearchAndBind.
  Type: string. Default value: None. Required: No.

searchBindDN
  A fully qualified DN to log in with to perform an LDAP search for the user. The DN requires read access to the LDAP directory. This parameter is required when using an authType of SearchAndBind.
  Type: string. Default value: None. Required: Yes.

searchBindPassword
  The password for the searchBindDN account used for searching. This parameter is required when using an authType of SearchAndBind.
  Type: string. Default value: None. Required: Yes.

userSearchFilter
  The LDAP search filter to use when querying the LDAP server. The string should have the placeholder text "%USERNAME%", which is replaced with the username of the authenticating user. For example, (&(objectClass=person)(sAMAccountName=%USERNAME%)) will use the sAMAccountName field in Active Directory to match the username entered at cluster login. This parameter is required when using an authType of SearchAndBind.
  Type: string. Default value: None. Required: Yes.

userDNTemplate
  A string template used to define a pattern for constructing a full user distinguished name (DN). The string should have the placeholder text "%USERNAME%", which is replaced with the username of the authenticating user. This parameter is required when using an authType of DirectBind.
  Type: string. Default value: None. Required: Yes.

groupSearchCustomFilter
  For use with the CustomFilter search type, an LDAP filter to use to return the DNs of a user's groups. The string can have placeholder text of %USERNAME% and %USERDN%, which are replaced with the user's username and full userDN as needed.
  Type: string. Default value: None. Required: Yes.

Return values

This method has no return values.

Request example

Requests for this method are similar to the following example:

{
  "method": "EnableLdapAuthentication",
  "params": {
    "authType": "SearchAndBind",
    "groupSearchBaseDN": "dc=prodtest,dc=solidfire,dc=net",
    "groupSearchType": "ActiveDirectory",
    "searchBindDN": "SFReadOnly@prodtest.solidfire.net",
    "searchBindPassword": "zsw@#edcASD12",
    "sslCert": "",
    "userSearchBaseDN": "dc=prodtest,dc=solidfire,dc=net",
    "userSearchFilter": "(&(objectClass=person)(sAMAccountName=%USERNAME%))",
    "serverURIs": [
      "ldaps://111.22.333.444",
      "ldap://555.66.777.888"
    ]
  },
  "id": 1
}

Response example

This method returns a response similar to the following example:

{
  "id": 1,
  "result": {}
}
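
The conditional requirements in the parameter list (which fields each authType needs, the %USERNAME% placeholder, and the serverURIs schemes) can be checked before the request is sent. The following Python check is an added example, not part of the original page or the product's API; check_ldap_params and the sample values are hypothetical, and it assumes an ldap:// URI means no TLS because the page does not mention StartTLS.

```python
from urllib.parse import urlsplit

# Fields the parameter list ties to each authType.
REQUIRED_BY_AUTH_TYPE = {
    "SearchAndBind": ("userSearchBaseDN", "searchBindDN",
                      "searchBindPassword", "userSearchFilter"),
    "DirectBind": ("userDNTemplate",),
}

# Constructed sample input (hypothetical names, not from the page).
SAMPLE_PARAMS = {
    "authType": "SearchAndBind",
    "searchBindDN": "cn=reader,dc=example,dc=com",
    "searchBindPassword": "<placeholder>",
    "userSearchFilter": "(sAMAccountName=jdoe)",
    "serverURIs": ["ldaps://ldap1.example.com", "ldap://ldap2.example.com"],
}


def check_ldap_params(params):
    """Return findings for an EnableLdapAuthentication params dict."""
    findings = []
    auth_type = params.get("authType", "SearchAndBind")  # documented default
    if auth_type not in REQUIRED_BY_AUTH_TYPE:
        findings.append(f"authType: unknown value {auth_type!r}")
    for name in REQUIRED_BY_AUTH_TYPE.get(auth_type, ()):
        if not params.get(name):
            findings.append(f"{name}: required when authType is {auth_type}")
    # Without the placeholder the filter or template ignores the login name.
    for name in ("userSearchFilter", "userDNTemplate"):
        value = params.get(name)
        if value and "%USERNAME%" not in value:
            findings.append(f"{name}: missing %USERNAME% placeholder")
    uris = params.get("serverURIs") or []
    if not uris:
        findings.append("serverURIs: at least one URI is required")
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            findings.append(f"serverURIs: {uri!r} is not an LDAP URI")
        elif parts.scheme == "ldap":
            # Assumption: ldap:// means no TLS (page does not mention StartTLS).
            findings.append(f"serverURIs: {uri!r} uses ldap:// without TLS")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_params(SAMPLE_PARAMS):
        print(finding)
```

An empty list means the params passed every check; each finding names the parameter it concerns.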