Skip to main content

vserver services name-service ldap client modify

Contributors
Suggest changes

Modify an LDAP client configuration

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver services name-service ldap client modify command modifies an LDAP client configuration. A Vserver administrator can modify only configurations owned by the Vserver. Use the vserver services name-service ldap client modify-bind-password command to modify the bind password.

Parameters

[-vserver <Vserver Name>] - Vserver

This parameter specifies the name of the Vserver which owns the LDAP client you want to modify. A data Vserver or admin Vserver can be specified.

-client-config <text> - Client Configuration Name

This parameter specifies the name of the LDAP client configuration.

{ [-ldap-servers <text>,…​] - LDAP Server List

This parameter specifies the list of LDAP servers used when making LDAP connections using this client configuration. If you specify this parameter, you cannot specify the -servers , -ad-domain or -preferred-ad-servers parameters.

| [-servers <IP Address>,…​] - (DEPRECATED)-LDAP Server List

(DEPRECATED)This parameter specifies the list of LDAP servers used when making LDAP connections using this client configuration. If you specify this parameter, you cannot specify the -ldap-servers , -ad-domain , -preferred-ad-servers or -bind-as-cifs-server parameters. This parameter is deprecated 9.1.0 and onwards. Use -ldap-servers instead.

| [-ad-domain <TextNoCase>] - Active Directory Domain

This parameter specifies the name of the Active Directory domain used to discover LDAP servers for use by this client. This assumes that the Active Directory schema has been extended to act as a NIS replacement. If you use this parameter, you cannot specify the -servers , -ldap-servers parameter. However, you can specify a list of preferred servers using the -preferred-ad-servers parameter.

[-preferred-ad-servers <IP Address>,…​] - Preferred Active Directory Servers

This parameter specifies a list of LDAP servers that are preferred over those that are discovered in the domain specified in the -ad-domain parameter.

[-restrict-discovery-to-site {true|false}] - Restrict discovery to site scope }

This parameter specifies whether to restrict server discovery to site-scope only. The default value is false . The restriction only applies when an -ad-domain is configured. This can be enabled only if -default-site parameter is specified in the CIFS server configuration.

[-bind-as-cifs-server {true|false}] - Bind Using the Vserver's CIFS Credentials

This parameter specifies whether or not LDAP binds made using this client configuration use the Vserver's CIFS server credentials. Note that the LDAP client always uses only sasl bind, if -bind-as-cifs-server is set to true . The -min-bind-level parameter is ignored in this case.

[-schema <text>] - Schema Template

This parameter specifies the name of the schema template the Vserver uses when making LDAP queries. You can view and modify the templates using the vserver services name-service ldap client schema commands.

[-port <integer>] - LDAP Server Port

This parameter specifies the port the LDAP client uses to connect to LDAP servers. Default value for port is 636 , if -ldaps-enabled parameter is specified as true . Otherwise, default value for port is 389 .

[-query-timeout <integer>] - Query Timeout (sec)

This parameter specifies the amount of time (in seconds) that the LDAP client waits for a query to complete. If you do not specify this parameter, the default is 3 seconds.

[-min-bind-level {anonymous|simple|sasl}] - Minimum Bind Authentication Level

This parameter specifies the lowest acceptable level of security the LDAP client uses to bind to an LDAP server. Note that regardless of the -min-bind-level configured, LDAP client would always start bind mechanism in the order of sasl , then simple and lastly anonymous . Also, if -bind-as-cifs-server is set, then -min-bind-level is ignored, and only sasl will be used.

[-bind-dn <ldap_dn>] - Bind DN (User)

This parameter specifies the user that binds to the LDAP servers. For Active Directory servers, specify the user in the account (DOMAIN\user) or principal (user@domain.com) form. Otherwise, specify the user in distinguished name form, like "CN=user,DC=domain,DC=com" or "CN=administrator,CN=users,DC=domain,DC=com". This parameter is ignored if -bind-as-cifs-server is set.

[-base-dn <ldap_dn>] - Base DN

This parameter specifies the default base DN for all searches, including user, group, and netgroup searches. For example, "DC=example,DC=com". If you do not specify this parameter, the default is the root, specified by an empty ("" ) set.

[-base-scope {base|onelevel|subtree}] - Base Search Scope

This parameter specifies the default search scope for LDAP queries. Specify base to search just the named entry, onelevel to search entries immediately below the DN, or subtree to search the named DN entry and the entire subtree below the DN. If you do not specify this parameter, the scope is set to subtree by default.

[-user-dn <ldap_dn>] - User DN (privilege: advanced)

This parameter specifies the user DN, which overrides the base DN for user lookups.

Note To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple user or group DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks (").
[-user-scope {base|onelevel|subtree}] - User Search Scope (privilege: advanced)

This parameter specifies the user search scope. If you do not specify this parameter, the scope is set to subtree by default.

[-group-dn <ldap_dn>] - Group DN (privilege: advanced)

This parameter specifies the group DN, which overrides the base DN for group lookups.

Note To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple user or group DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks (").
[-group-scope {base|onelevel|subtree}] - Group Search Scope (privilege: advanced)

This parameter specifies the group search scope. If you do not specify this parameter, the scope is set to subtree by default.

[-netgroup-dn <ldap_dn>] - Netgroup DN (privilege: advanced)

This parameter specifies the netgroup DN, which overrides the base DN netgroup lookups.

Note To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple netgroup DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks (").
[-netgroup-scope {base|onelevel|subtree}] - Netgroup Search Scope (privilege: advanced)

This parameter specifies the netgroup search scope. If you do not specify this parameter, the scope is set to subtree by default.

[-use-start-tls {true|false}] - Use start-tls Over LDAP Connections

This parameter specifies whether or not to use Start TLS over LDAP connections. When enabled, the communication between the Data ONTAP LDAP Client and the LDAP Server will be encrypted using Start TLS. Start TLS is a mechanism to provide secure communication by using the TLS/SSL protocols. If you do not specify this parameter, the default is false .

[-is-netgroup-byhost-enabled {true|false}] - Enable Netgroup-By-Host Lookup (privilege: advanced)

Use this parameter to enable or disable netgroup-by-host lookup. If your LDAP directory contains map structures equivalent to the netgroup.byhost map in NIS, enabling this feature greatly speeds up netgroup resolution over LDAP. By default this parameter is set to false.

[-netgroup-byhost-dn <ldap_dn>] - Netgroup-By-Host DN (privilege: advanced)

This parameter specifies the netgroup-by-host DN, which overrides the base DN for netgroup-by-host lookups.

Note To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple netgroup DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks (").
[-netgroup-byhost-scope {base|onelevel|subtree}] - Netgroup-By-Host Scope (privilege: advanced)

This parameter specifies the netgroup-by-host search scope for LDAP queries. If you do not specify this parameter, the scope is set to subtree by default.

[-session-security {none|sign|seal}] - Client Session Security

This parameter specifies the level of security to be used for LDAP communications. If you do not specify this parameter, the default is none .

LDAP Client Session Security can be one of the following:

  • none - No Signing or Sealing.

  • sign - Sign LDAP traffic.

  • seal - Seal and Sign LDAP traffic.

[-skip-config-validation <true>] - Skip Configuration Validation

Use this parameter to skip the LDAP client configuration validation.

The LDAP client configuration specified with the -client-config parameter is validated to verify that all the Vservers associated with this LDAP client configuration has at least one of the LDAP servers reachable, and is providing LDAP services.

The validation fails if ONTAP was unable to connect to any LDAP server with the specified -client-config .

[-referral-enabled {true|false}] - LDAP Referral Chasing

This parameter specifies whether LDAP referral is enabled or not.

[-group-membership-filter <text>] - Group Membership Filter (privilege: advanced)

This parameter specifies the custom LDAP search filter to be used when looking up group membership from an LDAP server. Examples of valid filters are "(cn=99)", "(cn=1)", "(|(cn=*22)(cn=*33))".

[-ldaps-enabled {true|false}] - Is LDAPS Enabled

This parameter specifies whether or not to use LDAPS over LDAP connections. If you do not specify this parameter, the value will be based on port . If port is mentioned as 636 , then the value will be true , otherwise the value will be false .

[-try-channel-binding {true|false}] - Try Channel Binding

This parameter specifies whether to use channel binding for LDAP connections to the LDAP server. If you do not specify this parameter, the default is true . Channel binding will be tried only if -use-start-tls or -ldaps-enabled is enabled along with -session-security set to either sign or seal .

Examples

The following example modifies an existing LDAP client configuration named corp owned by Vserver vs1 to require simple binds using the administrator@example.com account:

cluster1::> vserver services name-service ldap client modify -client-config corp -vserver vs1 -bind-dn administrator@example.com -min-bind-level simple

The following example modifies the user DN of an existing LDAP client configuration to contain multiple DNs separated by a semicolon.

cluster1::> vserver services ldap client modify -client-config corp -vserver vs1 -bind-dn administrator@example.com
            -user-dn "ou=People,dc=mypc,dc=example,dc=in; ou=People1,dc=mypc,dc=example2,dc=com" -min-bind-level simple

The following example demonstrates how you can use a semicolon as a valid character in a DN instead of a separator.

cluster1::> vserver services ldap client modify -client-config corp -vserver vs1 -bind-dn administrator@example.com
            -user-dn "ou=People\;,dc=mypc,dc=example,dc=com; ou=People1,dc=mypc,dc=example2,dc=com"

The following example modifies an existing LDAP client configuration with multiple user DNs, one of them containing a semicolon and a backslash.

cluster1::> vserver services ldap client modify -client-config corp -vserver vs1 -bind-dn administrator@example.com
            -user-dn "ou=People\;,dc=mypc,dc=example,dc=com\\; ou=People1,dc=mypc,dc=example2,dc=com"

The following example modifies an existing LDAP client configuration with netgroup by host DN.

cluster1::*>vserver services ldap client modify -vserver vs1 -client-config corp
            -netgroup-byhost-dn nisMapName="netgroup.byhost",dc=rfcbis,dc=com