EnableLdapAuthentication
You can use the EnableLdapAuthentication method to configure an LDAP directory connection for LDAP authentication to a cluster. Users that are members of the LDAP directory can then log in to the storage system using their LDAP credentials.
Parameters
This method has the following input parameters:
Name | Description | Type | Default value | Required |
---|---|---|---|---|
authType | Identifies which user authentication method to use. Possible values: | string | SearchAndBind | No |
groupSearchBaseDN | The base DN of the tree to start the group subtree search. | string | None | No |
groupSearchType | Controls the default group search filter used. Possible values: | string | ActiveDirectory | No |
serverURIs | A comma-separated list of LDAP or LDAPS server URIs. You can add a custom port to the end of an LDAP or LDAPS URI by using a colon followed by the port number. For example, the URI "ldap://1.2.3.4" uses the default port and the URI "ldaps://1.2.3.4:123" uses the custom port 123. | string array | None | Yes |
userSearchBaseDN | The base DN of the tree to start the subtree search. This parameter is required when using an authType of SearchAndBind. | string | None | No |
searchBindDN | A fully qualified DN to log in with to perform an LDAP search for the user. The DN requires read access to the LDAP directory. This parameter is required when using an authType of SearchAndBind. | string | None | Yes |
searchBindPassword | The password for the searchBindDN account used for searching. This parameter is required when using an authType of SearchAndBind. | string | None | Yes |
userSearchFilter | The LDAP search filter to use when querying the LDAP server. The string should have the placeholder text "%USERNAME%" which is replaced with the username of the authenticating user. For example, (&(objectClass=person)(sAMAccountName=%USERNAME%)) will use the sAMAccountName field in Active Directory to match the username entered at cluster login. This parameter is required when using an authType of SearchAndBind. | string | None | Yes |
userDNTemplate | A string template used to define a pattern for constructing a full user distinguished name (DN). The string should have the placeholder text "%USERNAME%" which is replaced with the username of the authenticating user. This parameter is required when using an authType of DirectBind. | string | None | Yes |
groupSearchCustomFilter | For use with the CustomFilter search type, an LDAP filter to use to return the DNs of a user's groups. The string can have placeholder text of %USERNAME% and %USERDN% to be replaced with their username and full userDN as needed. | string | None | Yes |
Return values
This method has no return values.
Request example
Requests for this method are similar to the following example:
```json
{
  "method": "EnableLdapAuthentication",
  "params": {
    "authType": "SearchAndBind",
    "groupSearchBaseDN": "dc=prodtest,dc=solidfire,dc=net",
    "groupSearchType": "ActiveDirectory",
    "searchBindDN": "SFReadOnly@prodtest.solidfire.net",
    "searchBindPassword": "zsw@#edcASD12",
    "sslCert": "",
    "userSearchBaseDN": "dc=prodtest,dc=solidfire,dc=net",
    "userSearchFilter": "(&(objectClass=person)(sAMAccountName=%USERNAME%))",
    "serverURIs": [
      "ldaps://111.22.333.444",
      "ldap://555.66.777.888"
    ]
  },
  "id": 1
}
```
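The conditional requirements from the parameter descriptions, written as a pre-flight check to run on the `params` object before the request is sent. This is an added example, not code from the product or its documentation; `check_ldap_params` is a hypothetical helper, the sample password is a placeholder, and the rules encode only what the descriptions above state.

```python
REQUIRED_BY_AUTH_TYPE = {
    "SearchAndBind": ["userSearchBaseDN", "searchBindDN",
                      "searchBindPassword", "userSearchFilter"],
    "DirectBind": ["userDNTemplate"],
}
NEEDS_USERNAME = ["userSearchFilter", "userDNTemplate"]  # must hold %USERNAME%


def check_ldap_params(params):
    """Hypothetical helper: return (errors, warnings) for a params dict."""
    errors, warnings = [], []
    auth_type = params.get("authType", "SearchAndBind")  # documented default
    if auth_type not in REQUIRED_BY_AUTH_TYPE:
        warnings.append(f"authType {auth_type!r} is not a value named on the page")
    for name in REQUIRED_BY_AUTH_TYPE.get(auth_type, []):
        if not params.get(name):
            errors.append(f"{name} is required when authType is {auth_type}")
    if (params.get("groupSearchType") == "CustomFilter"
            and not params.get("groupSearchCustomFilter")):
        errors.append("groupSearchCustomFilter is required with CustomFilter")
    for name in NEEDS_USERNAME:
        value = params.get(name)
        if value and "%USERNAME%" not in value:
            errors.append(f"{name} has no %USERNAME% placeholder")
    uris = params.get("serverURIs") or []
    if not uris:
        errors.append("serverURIs is required")
    for uri in uris:
        if uri.lower().startswith("ldap://"):
            # Not LDAPS: flag it so a reviewer confirms transit protection.
            warnings.append(f"{uri} uses ldap://, not ldaps://")
        elif not uri.lower().startswith("ldaps://"):
            errors.append(f"{uri} is not an ldap:// or ldaps:// URI")
    return errors, warnings


# Constructed sample: the page's request example with a placeholder password.
SAMPLE = {
    "authType": "SearchAndBind",
    "groupSearchBaseDN": "dc=prodtest,dc=solidfire,dc=net",
    "groupSearchType": "ActiveDirectory",
    "searchBindDN": "SFReadOnly@prodtest.solidfire.net",
    "searchBindPassword": "PLACEHOLDER-not-a-real-password",
    "userSearchBaseDN": "dc=prodtest,dc=solidfire,dc=net",
    "userSearchFilter": "(&(objectClass=person)(sAMAccountName=%USERNAME%))",
    "serverURIs": ["ldaps://111.22.333.444", "ldap://555.66.777.888"],
}
if __name__ == "__main__":
    print(check_ldap_params(SAMPLE))
```

Run against the page's own request example, the check reports no errors and one warning, for the second `serverURIs` entry.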
Response example
This method returns a response similar to the following example:
```json
{
  "id": 1,
  "result": {}
}
```
New since version
9.6