Skip to main content

vserver services name-service ldap client create

Contributors
Suggest changes

Create an LDAP client configuration

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver services name-service ldap client create command creates an LDAP client configuration. A client configuration is associated with a Vserver using the vserver services name-service ldap commands.

Parameters

-vserver <Vserver Name> - Vserver

This parameter specifies the Vserver for which configuration is created. A data Vserver or admin Vserver can be specified.

-client-config <text> - Client Configuration Name

This parameter specifies the name that you would like to use to refer to the new LDAP client configuration.

{ -ldap-servers <text>,…​ - LDAP Server List

This parameter specifies the list of LDAP servers used when making LDAP connections using this client configuration. If you specify this parameter, you cannot specify the -servers , -ad-domain or -preferred-ad-servers parameters. This parameter takes both FQDNs and IP addresses.

| -servers <IP Address>,…​ - (DEPRECATED)-LDAP Server List

(DEPRECATED)This parameter specifies the list of LDAP servers used when making LDAP connections using this client configuration. If you specify this parameter, you cannot specify the -ldap-servers , -ad-domain , -preferred-ad-servers or -bind-as-cifs-server parameters. This parameter is deprecated 9.1.0 and onwards. Use -ldap-servers instead.

| -ad-domain <TextNoCase> - Active Directory Domain

This parameter specifies the name of the Active Directory domain used to discover LDAP servers for use by this client. This assumes that the Active Directory schema has been extended to act as a NIS replacement. If you use this parameter, you cannot specify the -ldap-servers and -servers parameter. However, you can specify a list of preferred servers using the -preferred-ad-servers parameter.

[-preferred-ad-servers <IP Address>,…​] - Preferred Active Directory Servers

This parameter specifies a list of LDAP servers that are preferred over those that are discovered in the domain specified in the -ad-domain parameter.

[-restrict-discovery-to-site {true|false}] - Restrict discovery to site scope }

This parameter specifies whether to restrict LDAP server discovery to site-scope only. The default value is false . The restriction only applies when the -ad-domain parameter is specified as part of the create command. This can be enabled only if -default-site parameter is specified in the CIFS server configuration.

[-bind-as-cifs-server {true|false}] - Bind Using the Vserver's CIFS Credentials

This parameter specifies whether LDAP binds made using this client configuration use the Vserver's CIFS server credentials. If you do not specify this parameter, and -ad-domain is configured, the default is true , otherwise the default is false . Note that the LDAP client always uses only sasl bind, if -bind-as-cifs-server is set to true . The -min-bind-level parameter is ignored in this case.

-schema <text> - Schema Template

This parameter specifies the name of the schema template the Vserver uses when making LDAP queries. You can view and modify the templates using the vserver services name-service ldap client schema commands.

[-port <integer>] - LDAP Server Port

This parameter specifies the port the LDAP client uses to connect to LDAP servers. Default value for port is 636 , if -ldaps-enabled parameter is specified as true . Otherwise, default value for port is 389 .

[-query-timeout <integer>] - Query Timeout (sec)

This parameter specifies the amount of time (in seconds) that the LDAP client waits for a query to complete. If you do not specify this parameter, the default is 3 seconds.

[-min-bind-level {anonymous|simple|sasl}] - Minimum Bind Authentication Level

This parameter specifies the lowest acceptable level of security the LDAP client uses to bind to an LDAP server. If you do not specify this parameter, the default is sasl bind in case -ad-domain is configured, simple bind in case -bind-dn is configured, otherwise anonymous bind. Note that regardless of the -min-bind-level configured, LDAP client would always start bind mechanism in the order of sasl , then simple and lastly anonymous . Also, if -bind-as-cifs-server is set, then -min-bind-level is ignored, and only sasl will be used.

[-bind-dn <ldap_dn>] - Bind DN (User)

This parameter specifies the user that binds to the LDAP servers. For Active Directory servers, specify the user in the account (DOMAIN\user) or principal (user@domain.com) form. Otherwise, specify the user in distinguished name form, like "CN=user,DC=domain,DC=com" or "CN=administrator,CN=users,DC=domain,DC=com". This parameter is ignored if -bind-as-cifs-server is set.

[-base-dn <ldap_dn>] - Base DN

This parameter specifies the default base DN for all searches, including user, group, and netgroup searches. For example, "DC=example,DC=com". If you do not specify this parameter, the default is the root, specified by an empty ("" ) set.

[-base-scope {base|onelevel|subtree}] - Base Search Scope

This parameter specifies the default search scope for LDAP queries. Specify base to search just the named entry, onelevel to search entries immediately below the DN, or subtree to search the named DN entry and the entire subtree below the DN. If you do not specify this parameter, the scope is set to subtree by default.

[-user-dn <ldap_dn>] - User DN (privilege: advanced)

This parameter specifies the user DN, which overrides the base DN for user lookups.

Note To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple user or group DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks (").
[-user-scope {base|onelevel|subtree}] - User Search Scope (privilege: advanced)

This parameter specifies the user search scope. If you do not specify this parameter, the scope is set to subtree by default.

[-group-dn <ldap_dn>] - Group DN (privilege: advanced)

This parameter specifies the group DN, which overrides the base DN for group lookups.

Note To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple user or group DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks (").
[-group-scope {base|onelevel|subtree}] - Group Search Scope (privilege: advanced)

This parameter specifies the group search scope. If you do not specify this parameter, the scope is set to subtree by default.

[-netgroup-dn <ldap_dn>] - Netgroup DN (privilege: advanced)

This parameter specifies the netgroup DN, which overrides the base DN netgroup lookups.

Note To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple netgroup DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks (").
[-netgroup-scope {base|onelevel|subtree}] - Netgroup Search Scope (privilege: advanced)

This parameter specifies the netgroup search scope. If you do not specify this parameter, the scope is set to subtree by default.

[-use-start-tls {true|false}] - Use start-tls Over LDAP Connections

This parameter specifies whether or not to use Start TLS over LDAP connections. When enabled, the communication between the Data ONTAP LDAP Client and the LDAP Server will be encrypted using Start TLS. Start TLS is a mechanism to provide secure communication by using the TLS/SSL protocols. If you do not specify this parameter, the default is false .

[-is-netgroup-byhost-enabled {true|false}] - Enable Netgroup-By-Host Lookup (privilege: advanced)

Use this parameter to enable or disable netgroup-by-host lookup. If your LDAP directory contains map structures equivalent to the netgroup.byhost map in NIS, enabling this feature greatly speeds up netgroup resolution queries over LDAP. By default this parameter is set to false.

[-netgroup-byhost-dn <ldap_dn>] - Netgroup-By-Host DN (privilege: advanced)

This parameter specifies the netgroup-by-host DN, which overrides the base DN for netgroup-by-host lookups.

Note To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple netgroup DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks (").
[-netgroup-byhost-scope {base|onelevel|subtree}] - Netgroup-By-Host Scope (privilege: advanced)

This parameter specifies the netgroup-by-host search scope for LDAP queries. If you do not specify this parameter, the scope is set to subtree by default.

[-session-security {none|sign|seal}] - Client Session Security

This parameter specifies the level of security to be used for LDAP communications. If you do not specify this parameter, the default is none .

LDAP Client Session Security can be one of the following:

  • none - No Signing or Sealing.

  • sign - Sign LDAP traffic.

  • seal - Seal and Sign LDAP traffic.

[-referral-enabled {true|false}] - LDAP Referral Chasing

This parameter specifies whether LDAP referral is enabled or not.

[-group-membership-filter <text>] - Group Membership Filter (privilege: advanced)

This parameter specifies the custom LDAP search filter to be used when looking up group membership from an LDAP server. Examples of valid filters are "(cn=99)", "(cn=1)", "(|(cn=*22)(cn=*33))".

[-ldaps-enabled {true|false}] - Is LDAPS Enabled

This parameter specifies whether or not to use LDAPS over LDAP connections. If you do not specify this parameter, the value will be based on port . If port is mentioned as 636 , then the value will be true , otherwise the value will be false .

[-try-channel-binding {true|false}] - Try Channel Binding

This parameter specifies whether channel binding will be tried in case of LDAP connections to the LDAP server. If you do not specify this parameter, the default is true . Channel binding will be tried only if -use-start-tls or -ldaps-enabled is enabled along with -session-security set to either sign or seal .

Examples

The following example creates an LDAP client configuration named corp that makes anonymous binds to ldapserver.example.com for Vserver vs1 :

cluster1::> vserver services name-service ldap client create -vserver vs1 -client-config corp -ldap-servers ldapserver.example.com

The following example creates an LDAP client configuration named corp that makes binds to ldapserver.example.com for Vserver vs1 for bind-dn diag :

cluster1::> vserver services name-service ldap client create -vserver vs1 -client-config corp -ldap-servers ldapserver.example.com -bind-dn diag
   Please enter password:
   Confirm password:

The following example creates an LDAP client configuration with multiple user DNs.

Note The following commands are only available in advanced mode.
cluster1::*> vserver services ldap client create -vserver vs1 -client-config corp -ldap-servers ldapserver.example.com
   -user-dn "ou=People,dc=mypc,dc=example,dc=com; ou=People1,dc=mypc1,dc=example2,dc=com"

The following example creates an LDAP client configuration with multiple user DNs, one of them containing a semicolon

cluster1::*> vserver services ldap client create -vserver vs1 -client-config corp -ldap-servers ldapserver.example.com
   -user-dn "ou=People,dc=mypc,dc=example,dc=com; ou=People1,dc=mypc1,dc=example2,dc=com"

The following example creates an LDAP client configuration with multiple user DNs, one of them containing a semicolon and a backslash.

cluster1::*> vserver services ldap client create -vserver vs1 -client-config corp -ldap-servers ldapserver.example.com
   -user-dn "ou=People\;,dc=mypc,dc=example,dc=com\\; ou=People1,dc=mypc1,dc=example2,dc=com"

The following example creates an LDAP client configuration with netgroup by host DN.

cluster1::*>vserver services ldap client create -vserver vs1 -client-config corp -ldap-servers ldapserver.example.com
   -netgroup-byhost-dn nisMapName="netgroup.byhost",dc=rfcbis,dc=com

The following example creates an LDAP client configuration with ldap-servers as list of ip addresses.

cluster1::*>vserver services ldap client create -vserver vs1 -client-config corp -ldap-servers 172.16.0.100,172.16.0.101
   -netgroup-byhost-dn nisMapName="netgroup.byhost",dc=rfcbis,dc=com

The following example creates an LDAP client configuration with ldap-servers as list of ip addresses and hostnames.

cluster1::*>vserver services ldap client create -vserver vs1 -client-config corp -ldap-servers ldapserver.example.com,172.16.0.100,172.16.0.101 -netgroup-byhost-dn nisMapName="netgroup.byhost",dc=rfcbis,dc=com