Skip to main content
A newer release of this product is available.

Update the LDAP configuration for the cluster

Contributors
PDFs

PATCH /security/authentication/cluster/ldap

Introduced In: 9.6

Both mandatory and optional parameters of the LDAP configuration can be updated. IPv6 must be enabled if IPv6 family addresses are specified. Configuring more than one LDAP server is recommended to avoid a single point of failure. Both FQDNs and IP addresses are supported for the servers property. The LDAP servers are validated as part of this operation. LDAP validation fails in the following scenarios:

  1. The server does not have LDAP installed.

  2. The server is invalid.

  3. The server is unreachable.

Request Body

Name Type Description

_links

_links

base_dn

string

Specifies the default base DN for all searches.

base_scope

string

Specifies the default search scope for LDAP queries:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

bind_as_cifs_server

boolean

Specifies whether or not CIFS server's credentials are used to bind to the LDAP server.

bind_dn

string

Specifies the user that binds to the LDAP servers.

bind_password

string

Specifies the bind password for the LDAP servers.

group_dn

string

Specifies the group Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for group lookups.

group_membership_filter

string

Specifies the custom filter used for group membership lookups from an LDAP server.

group_scope

string

Specifies the default search scope for LDAP for group lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

is_netgroup_byhost_enabled

boolean

Specifies whether or not netgroup by host querying is enabled.

is_owner

boolean

Specifies whether or not the SVM owns the LDAP client configuration.

ldaps_enabled

boolean

Specifies whether or not LDAPS is enabled.

min_bind_level

string

The minimum bind authentication level. Possible values are:

  • anonymous - anonymous bind

  • simple - simple bind

  • sasl - Simple Authentication and Security Layer (SASL) bind

netgroup_byhost_dn

string

Specifies the netgroup Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for netgroup by host lookups.

netgroup_byhost_scope

string

Specifies the default search scope for LDAP for netgroup by host lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

netgroup_dn

string

Specifies the netgroup Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for netgroup lookups.

netgroup_scope

string

Specifies the default search scope for LDAP for netgroup lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

port

integer

The port used to connect to the LDAP Servers.

query_timeout

integer

Specifies the maximum time to wait for a query response from the LDAP server, in seconds.

schema

string

The name of the schema template used by the SVM.

  • AD-IDMU - Active Directory Identity Management for UNIX

  • AD-SFU - Active Directory Services for UNIX

  • MS-AD-BIS - Active Directory Identity Management for UNIX

  • RFC-2307 - Schema based on RFC 2307

  • Custom schema

servers

array[string]

session_security

string

Specifies the level of security to be used for LDAP communications:

  • none - no signing or sealing

  • sign - sign LDAP traffic

  • seal - seal and sign LDAP traffic

skip_config_validation

boolean

Indicates whether or not the validation for the specified LDAP configuration is disabled.

status

status

try_channel_binding

boolean

Specifies whether or not channel binding is attempted in the case of TLS/LDAPS.

use_start_tls

boolean

Specifies whether or not to use Start TLS over LDAP connections.

user_dn

string

Specifies the user Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for user lookups.

user_scope

string

Specifies the default search scope for LDAP for user lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN
Example request 
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "base_dn": "string",
  "base_scope": "string",
  "bind_dn": "string",
  "bind_password": "string",
  "group_dn": "string",
  "group_membership_filter": "string",
  "group_scope": "string",
  "min_bind_level": "string",
  "netgroup_byhost_dn": "string",
  "netgroup_byhost_scope": "string",
  "netgroup_dn": "string",
  "netgroup_scope": "string",
  "port": 389,
  "schema": "string",
  "servers": [
    "string"
  ],
  "session_security": "string",
  "status": {
    "code": 65537300,
    "dn_message": [
      "string"
    ],
    "message": "string",
    "state": "string"
  },
  "user_dn": "string",
  "user_scope": "string"
}

Response

Status: 200, Ok

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

4915203

The specified LDAP schema does not exist.

4915208

The specified LDAP servers contain duplicate server entries.

4915229

DNS resolution failed due to an internal error. Contact technical support if this issue persists.

4915231

DNS resolution failed for one or more of the specified LDAP servers. Verify that a valid DNS server is configured.

23724132

DNS resolution failed for all the specified LDAP servers. Verify that a valid DNS server is configured.

4915234

Specified LDAP server is not supported because it is one of the following: multicast, loopback, 0.0.0.0, or broadcast.

4915248

LDAP servers cannot be empty or "-". Specified FQDN is not valid because it is empty or "-" or it contains either special characters or "-" at the start or end of the domain.

4915251

STARTTLS and LDAPS cannot be used together

4915257

The LDAP configuration is not valid. Verify that the Distinguished Names and bind password are correct.

4915258

The LDAP configuration is not valid. Verify that the servers are reachable and that the network configuration is correct.

23724130

Cannot use an IPv6 name server address because there are no IPv6 interfaces.

4915252

LDAP referral is not supported with STARTTLS, with session security levels sign, seal or with LDAPS.
Name Type Description

error

error
Example error 
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

href

Name Type Description

href

string

_links

Name Type Description

self

href

status

Name Type Description

code

integer

Code corresponding to the status message.

dn_message

array[string]

message

string

Provides additional details on the status of the LDAP service.

state

string

Specifies the status of the LDAP service.

cluster_ldap

Name Type Description

_links

_links

base_dn

string

Specifies the default base DN for all searches.

base_scope

string

Specifies the default search scope for LDAP queries:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

bind_as_cifs_server

boolean

Specifies whether or not CIFS server's credentials are used to bind to the LDAP server.

bind_dn

string

Specifies the user that binds to the LDAP servers.

bind_password

string

Specifies the bind password for the LDAP servers.

group_dn

string

Specifies the group Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for group lookups.

group_membership_filter

string

Specifies the custom filter used for group membership lookups from an LDAP server.

group_scope

string

Specifies the default search scope for LDAP for group lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

is_netgroup_byhost_enabled

boolean

Specifies whether or not netgroup by host querying is enabled.

is_owner

boolean

Specifies whether or not the SVM owns the LDAP client configuration.

ldaps_enabled

boolean

Specifies whether or not LDAPS is enabled.

min_bind_level

string

The minimum bind authentication level. Possible values are:

  • anonymous - anonymous bind

  • simple - simple bind

  • sasl - Simple Authentication and Security Layer (SASL) bind

netgroup_byhost_dn

string

Specifies the netgroup Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for netgroup by host lookups.

netgroup_byhost_scope

string

Specifies the default search scope for LDAP for netgroup by host lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

netgroup_dn

string

Specifies the netgroup Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for netgroup lookups.

netgroup_scope

string

Specifies the default search scope for LDAP for netgroup lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

port

integer

The port used to connect to the LDAP Servers.

query_timeout

integer

Specifies the maximum time to wait for a query response from the LDAP server, in seconds.

schema

string

The name of the schema template used by the SVM.

  • AD-IDMU - Active Directory Identity Management for UNIX

  • AD-SFU - Active Directory Services for UNIX

  • MS-AD-BIS - Active Directory Identity Management for UNIX

  • RFC-2307 - Schema based on RFC 2307

  • Custom schema

servers

array[string]

session_security

string

Specifies the level of security to be used for LDAP communications:

  • none - no signing or sealing

  • sign - sign LDAP traffic

  • seal - seal and sign LDAP traffic

skip_config_validation

boolean

Indicates whether or not the validation for the specified LDAP configuration is disabled.

status

status

try_channel_binding

boolean

Specifies whether or not channel binding is attempted in the case of TLS/LDAPS.

use_start_tls

boolean

Specifies whether or not to use Start TLS over LDAP connections.

user_dn

string

Specifies the user Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for user lookups.

user_scope

string

Specifies the default search scope for LDAP for user lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.