vserver services name-service ldap client modify
Modify an LDAP client configuration
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver services name-service ldap client modify
command modifies an LDAP client configuration. A Vserver administrator can modify only configurations owned by the Vserver. Use the vserver services name-service ldap client modify-bind-password command to modify the bind password.
Parameters
[-vserver <Vserver Name>]
- Vserver-
This parameter specifies the name of the Vserver which owns the LDAP client you want to modify. A data Vserver or admin Vserver can be specified.
-client-config <text>
- Client Configuration Name-
This parameter specifies the name of the LDAP client configuration.
- {
[-ldap-servers <text>,…]
- LDAP Server List -
This parameter specifies the list of LDAP servers used when making LDAP connections using this client configuration. If you specify this parameter, you cannot specify the
-servers
,-ad-domain
or-preferred-ad-servers
parameters. - |
[-servers <IP Address>,…]
- (DEPRECATED)-LDAP Server List -
(DEPRECATED)This parameter specifies the list of LDAP servers used when making LDAP connections using this client configuration. If you specify this parameter, you cannot specify the
-ldap-servers
,-ad-domain
,-preferred-ad-servers
or-bind-as-cifs-server
parameters. This parameter is deprecated 9.1.0 and later releases. Use-ldap-servers
instead. - |
[-ad-domain <TextNoCase>]
- Active Directory Domain -
This parameter specifies the name of the Active Directory domain used to discover LDAP servers for use by this client. This assumes that the Active Directory schema has been extended to act as a NIS replacement. If you use this parameter, you cannot specify the
-servers
,-ldap-servers
parameter. However, you can specify a list of preferred servers using the-preferred-ad-servers
parameter. [-preferred-ad-servers <IP Address>,…]
- Preferred Active Directory Servers-
This parameter specifies a list of LDAP servers that are preferred over those that are discovered in the domain specified in the
-ad-domain
parameter. [-restrict-discovery-to-site {true|false}]
- Restrict discovery to site scope }-
This parameter specifies whether to restrict server discovery to site-scope only. The default value is
false
. The restriction only applies when an-ad-domain
is configured. This can be enabled only if-default-site
parameter is specified in the CIFS server configuration. [-bind-as-cifs-server {true|false}]
- Bind Using the Vserver's CIFS Credentials-
This parameter specifies whether or not LDAP binds made using this client configuration use the Vserver's CIFS server credentials. Note that the LDAP client always uses only sasl bind, if
-bind-as-cifs-server
is set totrue
. The-min-bind-level
parameter is ignored in this case. [-schema <text>]
- Schema Template-
This parameter specifies the name of the schema template the Vserver uses when making LDAP queries. You can view and modify the templates using the
vserver services name-service ldap client schema
commands. [-port <integer>]
- LDAP Server Port-
This parameter specifies the port the LDAP client uses to connect to LDAP servers. Default value for port is
636
, if-ldaps-enabled
parameter is specified astrue
. Otherwise, default value for port is389
. [-query-timeout <integer>]
- Query Timeout (sec)-
This parameter specifies the amount of time (in seconds) that the LDAP client waits for a query to complete. If you do not specify this parameter, the default is
3
seconds. [-min-bind-level {anonymous|simple|sasl}]
- Minimum Bind Authentication Level-
This parameter specifies the lowest acceptable level of security the LDAP client uses to bind to an LDAP server. Note that regardless of the
-min-bind-level
configured, LDAP client would always start bind mechanism in the order ofsasl
, thensimple
and lastlyanonymous
. Also, if-bind-as-cifs-server
is set, then-min-bind-level
is ignored, and onlysasl
will be used. [-bind-dn <ldap_dn>]
- Bind DN (User)-
This parameter specifies the user that binds to the LDAP servers. For Active Directory servers, specify the user in the account (DOMAIN\user) or principal (user@domain.com) form. Otherwise, specify the user in distinguished name form, like "CN=user,DC=domain,DC=com" or "CN=administrator,CN=users,DC=domain,DC=com". This parameter is ignored if
-bind-as-cifs-server
is set. [-base-dn <ldap_dn>]
- Base DN-
This parameter specifies the default base DN for all searches, including user, group, and netgroup searches. For example, "DC=example,DC=com". If you do not specify this parameter, the default is the root, specified by an empty (
""
) set. [-base-scope {base|onelevel|subtree}]
- Base Search Scope-
This parameter specifies the default search scope for LDAP queries. Specify
base
to search just the named entry,onelevel
to search entries immediately below the DN, orsubtree
to search the named DN entry and the entire subtree below the DN. If you do not specify this parameter, the scope is set tosubtree
by default. [-user-dn <ldap_dn>]
- User DN (privilege: advanced)-
This parameter specifies the user DN, which overrides the base DN for user lookups.
To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple user or group DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks ("). [-user-scope {base|onelevel|subtree}]
- User Search Scope (privilege: advanced)-
This parameter specifies the user search scope. If you do not specify this parameter, the scope is set to
subtree
by default. [-group-dn <ldap_dn>]
- Group DN (privilege: advanced)-
This parameter specifies the group DN, which overrides the base DN for group lookups.
To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple user or group DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks ("). [-group-scope {base|onelevel|subtree}]
- Group Search Scope (privilege: advanced)-
This parameter specifies the group search scope. If you do not specify this parameter, the scope is set to
subtree
by default. [-netgroup-dn <ldap_dn>]
- Netgroup DN (privilege: advanced)-
This parameter specifies the netgroup DN, which overrides the base DN netgroup lookups.
To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple netgroup DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks ("). [-netgroup-scope {base|onelevel|subtree}]
- Netgroup Search Scope (privilege: advanced)-
This parameter specifies the netgroup search scope. If you do not specify this parameter, the scope is set to
subtree
by default. [-use-start-tls {true|false}]
- Use start-tls Over LDAP Connections-
This parameter specifies whether or not to use Start TLS over LDAP connections. When enabled, the communication between the Data ONTAP LDAP Client and the LDAP Server will be encrypted using Start TLS. Start TLS is a mechanism to provide secure communication by using the TLS/SSL protocols. If you do not specify this parameter, the default is
false
. [-is-netgroup-byhost-enabled {true|false}]
- Enable Netgroup-By-Host Lookup (privilege: advanced)-
Use this parameter to enable or disable netgroup-by-host lookup. If your LDAP directory contains map structures equivalent to the netgroup.byhost map in NIS, enabling this feature greatly speeds up netgroup resolution over LDAP. By default this parameter is set to false.
[-netgroup-byhost-dn <ldap_dn>]
- Netgroup-By-Host DN (privilege: advanced)-
This parameter specifies the netgroup-by-host DN, which overrides the base DN for netgroup-by-host lookups.
To specify multiple DNs, separate multiple DN entries with semicolons (;). If you configure multiple netgroup DNs and a DN contains a semicolon, add an escape character (\) immediately before the semicolon or enclose the entire DN with quotation marks ("). [-netgroup-byhost-scope {base|onelevel|subtree}]
- Netgroup-By-Host Scope (privilege: advanced)-
This parameter specifies the netgroup-by-host search scope for LDAP queries. If you do not specify this parameter, the scope is set to
subtree
by default. [-session-security {none|sign|seal}]
- Client Session Security-
This parameter specifies the level of security to be used for LDAP communications. If you do not specify this parameter, the default is
none
.LDAP Client Session Security can be one of the following:
-
none - No Signing or Sealing.
-
sign - Sign LDAP traffic.
-
seal - Seal and Sign LDAP traffic.
-
[-skip-config-validation <true>]
- Skip Configuration Validation-
Use this parameter to skip the LDAP client configuration validation.
The LDAP client configuration specified with the
-client-config
parameter is validated to verify that all the Vservers associated with this LDAP client configuration has at least one of the LDAP servers reachable, and is providing LDAP services.The validation fails if ONTAP was unable to connect to any LDAP server with the specified
-client-config
. [-referral-enabled {true|false}]
- LDAP Referral Chasing-
This parameter specifies whether LDAP referral is enabled or not.
[-group-membership-filter <text>]
- Group Membership Filter (privilege: advanced)-
This parameter specifies the custom LDAP search filter to be used when looking up group membership from an LDAP server. Examples of valid filters are "(cn=99)", "(cn=1)", "(|(cn=*22)(cn=*33))".
[-ldaps-enabled {true|false}]
- Is LDAPS Enabled-
This parameter specifies whether or not to use LDAPS over LDAP connections. If you do not specify this parameter, the value will be based on
port
. Ifport
is mentioned as636
, then the value will betrue
, otherwise the value will befalse
. [-try-channel-binding {true|false}]
- Try Channel Binding-
This parameter specifies whether to use channel binding for LDAP connections to the LDAP server. If you do not specify this parameter, the default is
true
. Channel binding will be tried only if-use-start-tls
or-ldaps-enabled
is enabled along with-session-security
set to eithersign
orseal
.
Examples
The following example modifies an existing LDAP client configuration named corp
owned by Vserver vs1
to require simple binds using the administrator@example.com account:
cluster1::> vserver services name-service ldap client modify -client-config corp -vserver vs1 -bind-dn administrator@example.com -min-bind-level simple
The following example modifies the user DN of an existing LDAP client configuration to contain multiple DNs separated by a semicolon.
cluster1::> vserver services ldap client modify -client-config corp -vserver vs1 -bind-dn administrator@example.com -user-dn "ou=People,dc=mypc,dc=example,dc=in; ou=People1,dc=mypc,dc=example2,dc=com" -min-bind-level simple
The following example demonstrates how you can use a semicolon as a valid character in a DN instead of a separator.
cluster1::> vserver services ldap client modify -client-config corp -vserver vs1 -bind-dn administrator@example.com -user-dn "ou=People\;,dc=mypc,dc=example,dc=com; ou=People1,dc=mypc,dc=example2,dc=com"
The following example modifies an existing LDAP client configuration with multiple user DNs, one of them containing a semicolon and a backslash.
cluster1::> vserver services ldap client modify -client-config corp -vserver vs1 -bind-dn administrator@example.com -user-dn "ou=People\;,dc=mypc,dc=example,dc=com\\; ou=People1,dc=mypc,dc=example2,dc=com"
The following example modifies an existing LDAP client configuration with netgroup by host DN.
cluster1::*>vserver services ldap client modify -vserver vs1 -client-config corp -netgroup-byhost-dn nisMapName="netgroup.byhost",dc=rfcbis,dc=com