Skip to main content

security login create

Contributors
Suggest changes

Add a login method

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The security login create command creates a login method for the management utility. A login method consists of a user name, an application (access method), and an authentication method. A user name can be associated with multiple applications. It can optionally include an access-control role name. If an Active Directory, LDAP, or NIS group name is used, then the login method gives access to users belonging to the specified group. If the user is a member of multiple groups provisioned in the security login table, then the user will get access to a combined list of the commands authorized for the individual groups.

Parameters

-vserver <vserver name> - Vserver

This specifies the Vserver name of the login method.

-user-or-group-name <text> - User Name or Group Name

This specifies the user name or Active Directory, LDAP, or NIS group name of the login method. The Active Directory, LDAP, or NIS group name can be specified only with the domain or nsswitch authentication method and ontapi and ssh application. If the user is a member of multiple groups provisioned in the security login table, then the user will get access to a combined list of the commands authorized for the individual groups.

-application <text> - Application

This specifies the application of the login method. Possible values include amqp, console, http, ontapi, rsh, snmp, service-processor, ssh, and telnet.

Setting this parameter to service-processor grants the user access to the Service Processor (SP). Because the SP supports only password as the first factor of authentication, when you set this parameter to service-processor , you must also set the -authentication-method parameter to password . Vserver user accounts cannot access the SP. Therefore, you cannot use the -vserver parameter when you set this parameter to service-processor .

-authentication-method <text> - Authentication Method

This specifies the authentication method for login. Possible values include the following:

  • cert - SSL certificate authentication

  • community - SNMP community strings

  • domain - Active Directory authentication

  • nsswitch - LDAP or NIS authentication

  • password - Password

  • publickey - Public-key authentication

  • usm - SNMP user security model

  • saml - SAML authentication

[-remote-switch-ipaddress <IP Address>] - Remote Switch IP Address

This specifies the IP address of the remote switch. The remote switch could be a cluster switch monitored by cluster switch health monitor (CSHM) or a Fibre Channel (FC) switch monitored by MetroCluster health monitor (MCC-HM). This parameter is applicable only when the application is snmp and authentication method is usm (SNMP user security model).

-role <text> - Role Name

This specifies an access-control role name for the login method.

[-comment <text>] - Comment Text

This specifies comment text for the user account, for example, "Guest account". The maximum length is 128 characters.

[-is-ns-switch-group {yes|no}] - Whether Ns-switch Group

This specifies whether user-or-group-name is an LDAP or NIS group. Possible values are yes or no. Default value is no.

[-second-authentication-method {none|publickey|password|nsswitch|domain|totp}] - Second Authentication Method

This specifies the authentication method for the login. It will be used as the second factor for authentication. This parameter can be specified for ssh , http and service-processor applications only. For ssh application, possible values include the following:

  • password - Password

  • publickey - Public-key authentication

  • nsswitch - NIS or LDAP authentication

  • domain - Active Directory authentication

  • totp - TOTP authentication

  • none - default value

For the http and service-processor applications, possible values include the following:

  • publickey - Public-key authentication

  • none - default value

[-is-ldap-fastbind {yes|no}] - LDAP Fastbind Authentication

This flag specifies whether the authentication is LDAP fastbind or Not. Default:false

Examples

The following example illustrates how to create a login that has the user name monitor , the application ssh , the authentication method password , and the access-control role guest for Vserver vs1.netapp.com :

cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor
  -application ssh -authentication-method password -role guest

The following example illustrates how to create a login that has the user name monitor , the application ontapi , the authentication method password , and the access-control role vsadmin for Vserver vs1.netapp.com :

cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor
  -application ontapi -authentication-method password -role vsadmin

The following example illustrates how to create a login that has the user name monitor , the application ssh , the authentication method publickey , and the access-control role guest for Vserver vs1.netapp.com :

cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor
  -application ssh -authentication-method publickey -role guest

The following example illustrates how to create a login that has the user name monitor , the application http , the authentication method cert , and the access-control role admin for Vserver vs1.netapp.com :

cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor
  -application http -authentication-method cert -role admin

The following example illustrates how to create a login that has the Active Directory group name adgroup in DOMAIN1 , the application ssh , the authentication method domain , and the access-control role vsadmin for Vserver vs1.netapp.com :

cluster1::> security login create -vserver vs1.netapp.com
  -user-or-group-name DOMAIN1\adgroup -application ssh
  -authentication-method domain -role vsadmin

The following example illustrates how to create a login that has a group name nssgroup in the LDAP or NIS server, the application ontapi , the authentication method nsswitch , and the access-control role vsadmin for Vserver vs1.netapp.com . Here is-ns-switch-group must be set to yes :

cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name nssgroup
  -application ontapi -authentication-method nsswitch -role vsadmin
  -is-ns-switch-group yes

The following example illustrates how to create a login that has the user name monitor , the application ssh , the authentication method password , the second authentication method publickey and the access-control role vsadmin for Vserver vs1.netapp.com :

cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor
  -application ssh -authentication-method password
  -second-authentication-method publickey -role vsadmin

The following example illustrates how to create a login that has the user name monitor , the application ssh , the authentication method password , the second authentication method none and the access-control role vsadmin for Vserver vs1.netapp.com :

cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor
  -application ssh -authentication-method password
  -second-authentication-method none -role vsadmin

The following example illustrates how to create a login that has the user name spuser , the application service-processor , the authentication method password , the second authentication method publickey and the access-control role admin for the Administrative Vserver cluster1 :

cluster1::> security login create -vserver cluster1 -user-or-group-name spuser
  -application service-processor -authentication-method password
  -second-authentication-method publickey -role admin