security login create
Add a login method
Availability: This command is available to cluster administrators at the admin privilege level.
Description
The security login create command creates a login method for the management utility. A login method consists of a user name, an application (access method), and an authentication method, and can optionally include an access-control role name. A user name can be associated with multiple applications. If an Active Directory, LDAP, or NIS group name is used, the login method grants access to every user belonging to the specified group. If a user is a member of multiple groups provisioned in the security login table, the user gets access to the combined list of the commands authorized for the individual groups, so the effective privilege of such a user is the union of the group roles, not the most restrictive one.
Parameters
-vserver <vserver name>
- Vserver-
This specifies the Vserver name of the login method.
-user-or-group-name <text>
- User Name or Group Name-
This specifies the user name or Active Directory, LDAP, or NIS group name of the login method. An Active Directory, LDAP, or NIS group name can be specified only with the domain or nsswitch authentication method, and only for the ontapi and ssh applications. If the user is a member of multiple groups provisioned in the security login table, then the user will get access to a combined list of the commands authorized for the individual groups.
-application <text>
- Application-
This specifies the application of the login method. Possible values include amqp, console, http, ontapi, rsh, snmp, service-processor, ssh, and telnet.
Setting this parameter to service-processor grants the user access to the Service Processor (SP). Because the SP supports only password as the first factor of authentication, when you set this parameter to service-processor you must also set the -authentication-method parameter to password. Data Vserver user accounts cannot access the SP, so a service-processor login belongs to the administrative (cluster) Vserver; you cannot create it with -vserver set to a data Vserver.
-authentication-method <text>
- Authentication Method-
This specifies the authentication method for login. Possible values include the following:
- cert - SSL certificate authentication
- community - SNMP community strings
- domain - Active Directory authentication
- nsswitch - LDAP or NIS authentication
- password - Password
- publickey - Public-key authentication
- usm - SNMP user security model
- saml - SAML authentication
[-remote-switch-ipaddress <IP Address>]
- Remote Switch IP Address-
This specifies the IP address of the remote switch. The remote switch can be a cluster switch monitored by the cluster switch health monitor (CSHM) or a Fibre Channel (FC) switch monitored by the MetroCluster health monitor (MCC-HM). This parameter is applicable only when the application is snmp and the authentication method is usm (SNMP user security model).
-role <text>
- Role Name-
This specifies an access-control role name for the login method.
[-comment <text>]
- Comment Text-
This specifies comment text for the user account, for example, "Guest account". The maximum length is 128 characters.
[-is-ns-switch-group {yes|no}]
- Whether Ns-switch Group-
This specifies whether user-or-group-name is an LDAP or NIS group. Possible values are yes or no. Default value is no.
[-second-authentication-method {none|publickey|password|nsswitch|domain|totp}]
- Second Authentication Method-
This specifies the authentication method for the login. It will be used as the second factor for authentication. This parameter can be specified for the ssh, http and service-processor applications only. The default, none, leaves the login single-factor. For the ssh application, possible values include the following:
- password - Password
- publickey - Public-key authentication
- nsswitch - NIS or LDAP authentication
- domain - Active Directory authentication
- totp - TOTP authentication
- none - default value
For the http and service-processor applications, possible values include the following:
- publickey - Public-key authentication
- none - default value
[-is-ldap-fastbind {yes|no}]
- LDAP Fastbind Authentication-
This specifies whether the authentication uses LDAP fastbind. Possible values are yes or no. Default value is no.
Examples
The following example illustrates how to create a login that has the user name monitor, the application ssh, the authentication method password, and the access-control role guest for Vserver vs1.netapp.com:
cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor -application ssh -authentication-method password -role guest
The following example illustrates how to create a login that has the user name monitor, the application ontapi, the authentication method password, and the access-control role vsadmin for Vserver vs1.netapp.com:
cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor -application ontapi -authentication-method password -role vsadmin
The following example illustrates how to create a login that has the user name monitor, the application ssh, the authentication method publickey, and the access-control role guest for Vserver vs1.netapp.com:
cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor -application ssh -authentication-method publickey -role guest
The following example illustrates how to create a login that has the user name monitor, the application http, the authentication method cert, and the access-control role admin for Vserver vs1.netapp.com:
cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor -application http -authentication-method cert -role admin
The following example illustrates how to create a login that has the Active Directory group name adgroup in DOMAIN1, the application ssh, the authentication method domain, and the access-control role vsadmin for Vserver vs1.netapp.com:
cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name DOMAIN1\adgroup -application ssh -authentication-method domain -role vsadmin
The following example illustrates how to create a login that has the group name nssgroup in the LDAP or NIS server, the application ontapi, the authentication method nsswitch, and the access-control role vsadmin for Vserver vs1.netapp.com. Here is-ns-switch-group must be set to yes:
cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name nssgroup -application ontapi -authentication-method nsswitch -role vsadmin -is-ns-switch-group yes
The following example illustrates how to create a login that has the user name monitor, the application ssh, the authentication method password, the second authentication method publickey, and the access-control role vsadmin for Vserver vs1.netapp.com:
cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor -application ssh -authentication-method password -second-authentication-method publickey -role vsadmin
The following example illustrates how to create a login that has the user name monitor, the application ssh, the authentication method password, the second authentication method none, and the access-control role vsadmin for Vserver vs1.netapp.com. Because none is the default, this is equivalent to omitting -second-authentication-method, and the login remains single-factor:
cluster1::> security login create -vserver vs1.netapp.com -user-or-group-name monitor -application ssh -authentication-method password -second-authentication-method none -role vsadmin
The following example illustrates how to create a login that has the user name spuser, the application service-processor, the authentication method password, the second authentication method publickey, and the access-control role admin for the administrative Vserver cluster1:
cluster1::> security login create -vserver cluster1 -user-or-group-name spuser -application service-processor -authentication-method password -second-authentication-method publickey -role admin
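The parameter rules above (service-processor requires password and the administrative Vserver, group names only with domain or nsswitch for ontapi and ssh, the second factor only for ssh, http and service-processor, -remote-switch-ipaddress only for snmp with usm) are easy to get wrong in a provisioning script, and a rejected command on the cluster is the least useful place to find out. The following is an added example, not NetApp code: it encodes those rules as a pre-flight check over a desired-state list of logins, renders the same command lines shown in the examples above for the specs that pass, and lists ssh password logins that have no second factor. The names LoginSpec, validate, build_command and single_factor_ssh_logins, and the admin_vserver argument, are this example's own; only the command syntax comes from this page.

```python
"""Pre-flight validation for `security login create` parameter combinations.

Added example, not NetApp code: it encodes the combination rules stated in
the parameter descriptions so that a desired-state list of logins can be
checked before the commands are sent to the cluster.  Only the command
syntax comes from the reference page; LoginSpec, validate, build_command
and single_factor_ssh_logins are names chosen here.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

APPLICATIONS = {"amqp", "console", "http", "ontapi", "rsh", "snmp",
                "service-processor", "ssh", "telnet"}
AUTH_METHODS = {"cert", "community", "domain", "nsswitch", "password",
                "publickey", "usm", "saml"}
# Applications that accept -second-authentication-method, and the values each allows.
SECOND_FACTOR = {
    "ssh": {"none", "password", "publickey", "nsswitch", "domain", "totp"},
    "http": {"none", "publickey"},
    "service-processor": {"none", "publickey"},
}
GROUP_AUTH = {"domain", "nsswitch"}   # group names need one of these methods
GROUP_APPS = {"ontapi", "ssh"}        # ... and one of these applications


@dataclass
class LoginSpec:
    user_or_group: str
    application: str
    auth_method: str
    role: str
    vserver: Optional[str] = None
    second_auth: Optional[str] = None
    is_group: bool = False            # name is an AD, LDAP or NIS group
    remote_switch_ip: Optional[str] = None


def validate(spec: LoginSpec, admin_vserver: Optional[str] = None) -> list[str]:
    """Return the rule violations for a spec; an empty list means it is acceptable.

    admin_vserver is the administrative (cluster) Vserver name, if known; it is
    needed to enforce that SP logins are not created on a data Vserver.
    """
    errors: list[str] = []
    if spec.application not in APPLICATIONS:
        errors.append(f"unknown application {spec.application!r}")
    if spec.auth_method not in AUTH_METHODS:
        errors.append(f"unknown authentication method {spec.auth_method!r}")
    if spec.application == "service-processor":
        if spec.auth_method != "password":
            errors.append("service-processor requires -authentication-method password")
        if admin_vserver and spec.vserver and spec.vserver != admin_vserver:
            errors.append("service-processor logins must belong to the admin Vserver")
    if spec.is_group:
        if spec.auth_method not in GROUP_AUTH:
            errors.append("group names require the domain or nsswitch authentication method")
        if spec.application not in GROUP_APPS:
            errors.append("group names are valid only for the ontapi and ssh applications")
    if spec.second_auth is not None:
        allowed = SECOND_FACTOR.get(spec.application)
        if allowed is None:
            errors.append(f"-second-authentication-method is not supported for {spec.application}")
        elif spec.second_auth not in allowed:
            errors.append(f"second factor {spec.second_auth!r} is not allowed for {spec.application}")
    if spec.remote_switch_ip and not (spec.application == "snmp" and spec.auth_method == "usm"):
        errors.append("-remote-switch-ipaddress requires -application snmp -authentication-method usm")
    return errors


def build_command(spec: LoginSpec, admin_vserver: Optional[str] = None) -> str:
    """Render the clustershell command for a valid spec; raise ValueError otherwise."""
    errors = validate(spec, admin_vserver)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["security login create"]
    if spec.vserver:
        parts.append(f"-vserver {spec.vserver}")
    parts.append(f"-user-or-group-name {spec.user_or_group}")
    parts.append(f"-application {spec.application}")
    parts.append(f"-authentication-method {spec.auth_method}")
    if spec.second_auth is not None:
        parts.append(f"-second-authentication-method {spec.second_auth}")
    parts.append(f"-role {spec.role}")
    if spec.is_group and spec.auth_method == "nsswitch":
        parts.append("-is-ns-switch-group yes")   # AD (domain) groups do not take this flag
    if spec.remote_switch_ip:
        parts.append(f"-remote-switch-ipaddress {spec.remote_switch_ip}")
    return " ".join(parts)


def single_factor_ssh_logins(specs: list[LoginSpec]) -> list[str]:
    """Names of ssh password logins with no second factor (unset or none)."""
    return [s.user_or_group for s in specs
            if s.application == "ssh" and s.auth_method == "password"
            and s.second_auth in (None, "none")]


if __name__ == "__main__":
    # Constructed sample input: the first two mirror examples from the reference page,
    # the third deliberately violates the service-processor rule.
    wanted = [
        LoginSpec("monitor", "ssh", "password", "guest", vserver="vs1.netapp.com"),
        LoginSpec("nssgroup", "ontapi", "nsswitch", "vsadmin", vserver="vs1.netapp.com", is_group=True),
        LoginSpec("spuser", "service-processor", "publickey", "admin", vserver="cluster1"),
    ]
    for spec in wanted:
        problems = validate(spec, admin_vserver="cluster1")
        print(build_command(spec) if not problems else f"REJECTED {spec.user_or_group}: {problems}")
    print("single-factor ssh logins:", single_factor_ssh_logins(wanted))
```

The rendered strings are meant to be fed to the clustershell (for example over an existing ssh session to the cluster management LIF); the script itself never contacts a cluster. Keep admin_vserver set when you run it, otherwise the data-Vserver check for service-processor logins is skipped because the script cannot know which Vserver is the administrative one.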