security login modify

Modify a login method

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The security login modify command modifies the access-control role name of a login method. If the user is a member of multiple groups provisioned in the security login table, then the user will get access to a combined list of the commands authorized for the individual groups.

Parameters

-vserver <vserver name> - Vserver

This specifies the Vserver name of the login method.

-user-or-group-name <text> - User Name or Group Name

This specifies the user name, Active Directory, LDAP, or NIS group name of the login method that is to be modified. A user name can be associated with multiple applications. If the user is a member of multiple groups provisioned in the security login table, then the user will get access to a combined list of the commands authorized for the individual groups.

-application <text> - Application

This specifies the application of the login method. Possible values include amqp, console, http, ontapi, rsh, snmp, service-processor, ssh, and telnet.

-authentication-method <text> - Authentication Method

This specifies the authentication method of the login method. Possible values include the following:

  • cert - SSL certificate authentication

  • community - SNMP community strings

  • domain - Active Directory authentication

  • nsswitch - LDAP or NIS authentication

  • password - Password

  • publickey - Public-key authentication

  • usm - SNMP user security model

  • saml - SAML authentication

[-remote-switch-ipaddress <IP Address>] - Remote Switch IP Address

This specifies the IP address of the remote switch. The remote switch could be a cluster switch monitored by cluster switch health monitor (CSHM) or a Fibre Channel (FC) switch monitored by MetroCluster health monitor (MCC-HM). This parameter is applicable only when the application is snmp and authentication method is usm (SNMP user security model).

[-role <text>] - Role Name

This modifies the access-control role name for the login method.

[-comment <text>] - Comment Text

This specifies comment text for the user account, for example, "Guest account". The maximum length is 128 characters.

[-is-ns-switch-group {yes|no}] - Whether Ns-switch Group

This specifies if user-or-group-name is an LDAP or NIS group. Possible values are yes or no. Default value is no.

[-second-authentication-method {none|publickey|password|nsswitch|domain|totp}] - Second Authentication Method

This specifies the authentication method for the login method. It will be used as the second factor for authentication. This parameter can be specified for the ssh, http, and service-processor applications. For the ssh application, possible values include the following:

  • password - Password

  • publickey - Public-key authentication

  • nsswitch - NIS or LDAP authentication

  • domain - Active Directory authentication

  • totp - TOTP authentication

  • none - default value

For the http and service-processor applications, possible values include the following:

  • publickey - Public-key authentication

  • none - default value

[-is-ldap-fastbind {yes|no}] - LDAP Fastbind Authentication

This flag specifies whether modify is allowed or not when the authentication is LDAP fastbind.

Examples

The following example illustrates how to modify a login method that has the user name guest, the application ontapi, and the authentication method password to use the access-control role guest for Vserver vs1.netapp.com:

cluster1::> security login modify -user-or-group-name guest
  -application ontapi -authentication-method password -role guest
  -vserver vs1.netapp.com

The following example illustrates how to modify a login method that has the user name guest, the application ssh, and the authentication method publickey to use the access-control role vsadmin for Vserver vs1.netapp.com:

cluster1::> security login modify -user-or-group-name guest
  -application ssh -authentication-method publickey -role vsadmin
  -vserver vs1.netapp.com

The following example illustrates how to modify a login method that has the group name nssgroup, the application ontapi, and the authentication method nsswitch to use the access-control role readonly for Vserver vs1.netapp.com. Here is-ns-switch-group must be set to yes:

cluster1::> security login modify -user-or-group-name nssgroup
  -application ontapi -authentication-method nsswitch -role readonly
  -vserver vs1.netapp.com -is-ns-switch-group yes

The following example illustrates how to modify a login method that has the user name guest, the application ssh, and the authentication method publickey to use the second-authentication-method password for Vserver vs1.netapp.com:

cluster1::> security login modify -user-or-group-name guest
  -application ssh -authentication-method publickey
  -second-authentication-method password -vserver vs1.netapp.com

The following example illustrates how to modify a login method to have individual authentication methods that have the user name guest, the application ssh, and the authentication method publickey to use the second-authentication-method none for Vserver vs1.netapp.com:

cluster1::> security login modify -user-or-group-name guest
  -application ssh -authentication-method publickey
  -second-authentication-method none -vserver vs1.netapp.com

The following example illustrates how to modify a login method that has the user name spuser, the application service-processor, and the authentication method password to use the second-authentication-method publickey for the Administrative Vserver cluster1:

cluster1::> security login modify -user-or-group-name spuser
  -application service-processor -authentication-method password
  -second-authentication-method publickey -vserver cluster1
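
A pre-flight check for change scripts, added here as an example and not NetApp's own code: it parses a proposed security login modify command and flags parameter combinations that the descriptions above rule out, plus any change that sets the second factor to none. The function names and finding strings are hypothetical, and the value lists are only those printed on this page.

```python
import shlex

# Allowed values as listed in the parameter descriptions on this page.
APPLICATIONS = {"amqp", "console", "http", "ontapi", "rsh", "snmp",
                "service-processor", "ssh", "telnet"}
AUTH_METHODS = {"cert", "community", "domain", "nsswitch", "password",
                "publickey", "usm", "saml"}
SECOND_FACTOR = {
    "ssh": {"password", "publickey", "nsswitch", "domain", "totp", "none"},
    "http": {"publickey", "none"},
    "service-processor": {"publickey", "none"},
}
REQUIRED = ("-vserver", "-user-or-group-name", "-application",
            "-authentication-method")


def parse(command):
    """Split 'security login modify -flag value ...' into a flag -> value dict."""
    tokens = shlex.split(command)
    if tokens and tokens[0].endswith("::>"):  # drop a pasted CLI prompt
        tokens = tokens[1:]
    if tokens[:3] != ["security", "login", "modify"] or len(tokens) % 2 == 0:
        raise ValueError("expected 'security login modify' and -flag value pairs")
    return dict(zip(tokens[3::2], tokens[4::2]))


def lint(command):
    """Return findings (hypothetical wording); empty list means nothing to flag."""
    p, out = parse(command), []
    out += [f"missing {flag}" for flag in REQUIRED if flag not in p]
    app, auth = p.get("-application"), p.get("-authentication-method")
    second = p.get("-second-authentication-method")
    if app is not None and app not in APPLICATIONS:
        out.append(f"application {app} not in this page's list")
    if auth is not None and auth not in AUTH_METHODS:
        out.append(f"authentication method {auth} not in this page's list")
    if second is not None:
        if app not in SECOND_FACTOR:
            out.append(f"second factor not applicable to {app}")
        elif second not in SECOND_FACTOR[app]:
            out.append(f"second factor {second} not valid for {app}")
        elif second == "none":
            out.append("review: second factor set to none")
    if "-remote-switch-ipaddress" in p and (app, auth) != ("snmp", "usm"):
        out.append("-remote-switch-ipaddress requires snmp with usm")
    if len(p.get("-comment", "")) > 128:
        out.append("comment longer than 128 characters")
    return out
```

Run over the examples above, the first command yields no findings, while the one that sets -second-authentication-method none is returned for review because it drops the second factor from the ssh login.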