Create the LDAP configuration for an SVM
POST /name-services/ldap
Introduced In: 9.6
Creates an LDAP configuration for an SVM.
Important notes
- Each SVM can have one LDAP configuration.
- The LDAP servers and Active Directory domain are mutually exclusive fields. These fields cannot be empty. At any point in time, either the LDAP servers or Active Directory domain must be populated.
- LDAP configuration with Active Directory domain cannot be created on an admin SVM.
- IPv6 must be enabled if IPv6 family addresses are specified.
The following parameters are optional:
- preferred_ad_servers
- schema
- port
- ldaps_enabled
- min_bind_level
- bind_password
- base_scope
- use_start_tls
- session_security
- referral_enabled
- bind_as_cifs_server
- query_timeout
- user_dn
- user_scope
- group_dn
- group_scope
- netgroup_dn
- netgroup_scope
- netgroup_byhost_dn
- netgroup_byhost_scope
- is_netgroup_byhost_enabled
- group_membership_filter
- skip_config_validation
- try_channel_binding
- restrict_discovery_to_site
Configuring more than one LDAP server is recommended to avoid a single point of failure. Both FQDNs and IP addresses are supported for the "servers" field. The Active Directory domain or LDAP servers are validated as part of this operation.
LDAP validation fails in the following scenarios:
- The server does not have LDAP installed.
- The server or Active Directory domain is invalid.
- The server or Active Directory domain is unreachable.
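The constraints in the notes above map onto specific error codes in the table further down this page (262186, 262222, 4915234, 4915248, 4915251, 4915252, 4915261), so most rejections can be caught before the body is sent. The following is an added example in Python, not NetApp's code: it encodes those documented rules, assembles the URL and body for POST /name-services/ldap, and refuses to build a request the cluster would reject. The cluster name, SVM name and bind password are placeholders, and the two sample configurations are constructed.

```python
"""Pre-flight checks and request assembly for POST /name-services/ldap.

Added example, not NetApp code. Only rules documented on the page are checked;
the cluster still performs its own validation (DNS, reachability, bind).
"""
import ipaddress
import json
from urllib.parse import urlencode

# Documented ONTAP error codes that the local checks below anticipate.
ERR_SERVERS_WITH_AD = 262186          # servers together with ad_domain / preferred_ad_servers
ERR_DUPLICATE_SERVERS = 262222        # duplicate entries in servers or preferred_ad_servers
ERR_UNSUPPORTED_ADDRESS = 4915234     # multicast, loopback, 0.0.0.0 or broadcast address
ERR_EMPTY_TARGETS = 4915248           # neither servers nor a usable ad_domain given
ERR_STARTTLS_AND_LDAPS = 4915251      # use_start_tls together with ldaps_enabled
ERR_REFERRAL_WITH_SECURITY = 4915252  # referral with STARTTLS, LDAPS, sign or seal
ERR_LDAPS_ON_389 = 4915261            # ldaps_enabled on the plaintext LDAP port


def _unsupported_address(entry: str) -> bool:
    """True for literal addresses the endpoint rejects; FQDNs pass through."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return False  # an FQDN, resolved later by the cluster's DNS
    broadcast = addr == ipaddress.ip_address("255.255.255.255")
    return addr.is_loopback or addr.is_multicast or addr.is_unspecified or broadcast


def preflight(cfg: dict) -> list:
    """Return the documented error codes the body would trigger, in check order."""
    codes = []
    servers = cfg.get("servers") or []
    preferred = cfg.get("preferred_ad_servers") or []
    ad_domain = (cfg.get("ad_domain") or "").strip()

    if servers and (ad_domain or preferred):
        codes.append(ERR_SERVERS_WITH_AD)
    if not servers and (not ad_domain or ad_domain == "-"):
        codes.append(ERR_EMPTY_TARGETS)
    if len(set(servers)) != len(servers) or len(set(preferred)) != len(preferred):
        codes.append(ERR_DUPLICATE_SERVERS)
    if any(_unsupported_address(s) for s in servers + preferred):
        codes.append(ERR_UNSUPPORTED_ADDRESS)

    start_tls = bool(cfg.get("use_start_tls"))
    ldaps = bool(cfg.get("ldaps_enabled"))
    if start_tls and ldaps:
        codes.append(ERR_STARTTLS_AND_LDAPS)
    if ldaps and cfg.get("port") == 389:
        codes.append(ERR_LDAPS_ON_389)
    if cfg.get("referral_enabled") and (
        start_tls or ldaps or cfg.get("session_security") in ("sign", "seal")
    ):
        codes.append(ERR_REFERRAL_WITH_SECURITY)
    return codes


def build_request(cluster: str, svm_name: str, cfg: dict, return_records: bool = True):
    """Assemble (url, headers, body) without sending; raise if preflight finds a problem."""
    problems = preflight(cfg)
    if problems:
        raise ValueError(f"configuration would be rejected with codes {problems}")
    body = dict(cfg)
    body["svm"] = {"name": svm_name}
    query = urlencode({"return_records": str(return_records).lower()})
    url = f"https://{cluster}/api/name-services/ldap?{query}"
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    return url, headers, json.dumps(body)


# Constructed sample: two LDAPS servers (no single point of failure), TLS only,
# channel binding requested. Server and DN values are the page's own sample values.
LDAPS_CONFIG = {
    "servers": ["10.10.10.10", "domainB.example.com"],
    "base_dn": "dc=domainB,dc=example,dc=com",
    "bind_dn": "cn=Administrators,cn=users,dc=domainB,dc=example,dc=com",
    "bind_password": "REPLACE_ME",  # placeholder; supply at runtime, never hard-code
    "schema": "ad_idmu",
    "port": 636,
    "ldaps_enabled": True,
    "use_start_tls": False,
    "try_channel_binding": True,
    "referral_enabled": False,
}

# Constructed sample that breaks several documented rules at once.
BROKEN_CONFIG = {
    "servers": ["127.0.0.1", "127.0.0.1"],
    "ad_domain": "example.com",
    "port": 389,
    "ldaps_enabled": True,
    "use_start_tls": True,
    "referral_enabled": True,
}

if __name__ == "__main__":
    print(preflight(LDAPS_CONFIG))   # []
    print(preflight(BROKEN_CONFIG))  # six codes, in check order
    url, _, body = build_request("cluster.example.net", "svm1", LDAPS_CONFIG)
    print(url)
```

The checks run in a fixed order so the returned list is stable; the cluster reports only the first failure it hits, whereas this surfaces all of them in one pass. `skip_config_validation` is deliberately not consulted here: it only disables the cluster-side reachability and bind checks, not the structural rules above.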
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
return_records | boolean | query | False | The default is false. If set to true, the records are returned. |
Request Body
Name | Type | Description |
---|---|---|
_links | | |
ad_domain | string | This parameter specifies the name of the Active Directory domain used to discover LDAP servers for use by this client. This is mutually exclusive with |
base_dn | string | Specifies the default base DN for all searches. |
base_scope | string | Specifies the default search scope for LDAP queries: |
bind_as_cifs_server | boolean | Specifies whether or not CIFS server's credentials are used to bind to the LDAP server. |
bind_dn | string | Specifies the user that binds to the LDAP servers. |
bind_password | string | Specifies the bind password for the LDAP servers. |
group_dn | string | Specifies the group Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for group lookups. |
group_membership_filter | string | Specifies the custom filter used for group membership lookups from an LDAP server. |
group_scope | string | Specifies the default search scope for LDAP for group lookups: |
is_netgroup_byhost_enabled | boolean | Specifies whether or not netgroup by host querying is enabled. |
is_owner | boolean | Specifies whether or not the SVM owns the LDAP client configuration. |
ldaps_enabled | boolean | Specifies whether or not LDAPS is enabled. |
min_bind_level | string | The minimum bind authentication level. Possible values are: |
netgroup_byhost_dn | string | Specifies the netgroup Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for netgroup by host lookups. |
netgroup_byhost_scope | string | Specifies the default search scope for LDAP for netgroup by host lookups: |
netgroup_dn | string | Specifies the netgroup Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for netgroup lookups. |
netgroup_scope | string | Specifies the default search scope for LDAP for netgroup lookups: |
port | integer | The port used to connect to the LDAP servers. |
preferred_ad_servers | array[string] | |
query_timeout | integer | Specifies the maximum time to wait for a query response from the LDAP server, in seconds. |
referral_enabled | boolean | Specifies whether or not LDAP referral is enabled. |
restrict_discovery_to_site | boolean | Specifies whether or not LDAP server discovery is restricted to site-scope. |
schema | string | The name of the schema template used by the SVM. |
servers | array[string] | |
session_security | string | Specifies the level of security to be used for LDAP communications: |
skip_config_validation | boolean | Indicates whether or not the validation for the specified LDAP configuration is disabled. |
status | | |
svm | | SVM, applies only to SVM-scoped objects. |
try_channel_binding | boolean | Specifies whether or not channel binding is attempted in the case of TLS/LDAPS. |
use_start_tls | boolean | Specifies whether or not to use Start TLS over LDAP connections. |
user_dn | string | Specifies the user Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for user lookups. |
user_scope | string | Specifies the default search scope for LDAP for user lookups: |
Example request
```json
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "ad_domain": "example.com",
  "base_dn": "dc=domainB,dc=example,dc=com",
  "base_scope": "string",
  "bind_dn": "cn=Administrators,cn=users,dc=domainB,dc=example,dc=com",
  "bind_password": "abc",
  "group_dn": "cn=abc,users,dc=com",
  "group_membership_filter": "",
  "group_scope": "string",
  "min_bind_level": "string",
  "netgroup_byhost_dn": "cn=abc,users,dc=com",
  "netgroup_byhost_scope": "string",
  "netgroup_dn": "cn=abc,users,dc=com",
  "netgroup_scope": "string",
  "port": 389,
  "preferred_ad_servers": [
    "11.11.11.11"
  ],
  "schema": "ad_idmu",
  "servers": [
    "10.10.10.10",
    "domainB.example.com"
  ],
  "session_security": "string",
  "status": {
    "code": 65537300,
    "dn_message": [
      "string"
    ],
    "ipv4": {
      "code": 65537300,
      "dn_messages": [
        "string"
      ],
      "message": "string",
      "state": "string"
    },
    "ipv4_state": "string",
    "ipv6": {
      "code": 65537300,
      "dn_messages": [
        "string"
      ],
      "message": "string",
      "state": "string"
    },
    "ipv6_state": "string",
    "message": "string",
    "state": "string"
  },
  "svm": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "user_dn": "cn=abc,users,dc=com",
  "user_scope": "string"
}
```
Response
Status: 201, Created
Name | Type | Description |
---|---|---|
_links | | |
num_records | integer | Number of LDAP records. |
records | array[ldap_service] | |
Example response
```json
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "num_records": 1,
  "records": [
    {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "ad_domain": "example.com",
      "base_dn": "dc=domainB,dc=example,dc=com",
      "base_scope": "string",
      "bind_dn": "cn=Administrators,cn=users,dc=domainB,dc=example,dc=com",
      "bind_password": "abc",
      "group_dn": "cn=abc,users,dc=com",
      "group_membership_filter": "",
      "group_scope": "string",
      "min_bind_level": "string",
      "netgroup_byhost_dn": "cn=abc,users,dc=com",
      "netgroup_byhost_scope": "string",
      "netgroup_dn": "cn=abc,users,dc=com",
      "netgroup_scope": "string",
      "port": 389,
      "preferred_ad_servers": [
        "11.11.11.11"
      ],
      "schema": "ad_idmu",
      "servers": [
        "10.10.10.10",
        "domainB.example.com"
      ],
      "session_security": "string",
      "status": {
        "code": 65537300,
        "dn_message": [
          "string"
        ],
        "ipv4": {
          "code": 65537300,
          "dn_messages": [
            "string"
          ],
          "message": "string",
          "state": "string"
        },
        "ipv4_state": "string",
        "ipv6": {
          "code": 65537300,
          "dn_messages": [
            "string"
          ],
          "message": "string",
          "state": "string"
        },
        "ipv6_state": "string",
        "message": "string",
        "state": "string"
      },
      "svm": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      },
      "user_dn": "cn=abc,users,dc=com",
      "user_scope": "string"
    }
  ]
}
```
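Each returned record carries the validation outcome in its status object, once per address family, and the definitions below mark the flat code, state, message and ipv4_state/ipv6_state fields as no longer supported in favour of the nested ipv4 and ipv6 objects. The following added example in Python (not NetApp code) reads a record accordingly, preferring the nested objects and falling back to the flat fields only when they are absent, so an operator can see which family failed validation and why. The record, its "up"/"down" state strings and the IPv6 failure text are constructed; 65537300 is the placeholder code from the page's own examples.

```python
"""Interpret ldap_service.status from a POST/GET response. Added example, not NetApp code."""
import json

# Constructed record shaped like the documented ldap_service object. State strings and
# the IPv6 failure text are invented for the example; the code value is the page's placeholder.
SAMPLE_RECORD = json.loads("""
{
  "svm": {"name": "svm1", "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"},
  "servers": ["10.10.10.10", "domainB.example.com"],
  "status": {
    "code": 0,
    "state": "up",
    "message": "",
    "dn_message": [],
    "ipv4": {"code": 0, "dn_messages": [], "message": "", "state": "up"},
    "ipv6": {"code": 65537300,
             "dn_messages": ["constructed: base DN lookup failed over IPv6"],
             "message": "constructed: no IPv6 LDAP server reachable",
             "state": "down"}
  }
}
""")


def family_status(status: dict, family: str) -> dict:
    """Per-address-family view of a status object.

    Prefers status.ipv4 / status.ipv6; the flat code, state, message, dn_message and
    <family>_state fields are documented as no longer supported and are read only
    when the nested object is missing (older records).
    """
    nested = status.get(family)
    if nested is not None:
        return {
            "family": family,
            "code": int(nested.get("code", 0)),
            "state": nested.get("state"),
            "message": nested.get("message") or "",
            "dn_messages": list(nested.get("dn_messages") or []),
        }
    return {
        "family": family,
        "code": int(status.get("code", 0)),
        "state": status.get(f"{family}_state") or status.get("state"),
        "message": status.get("message") or "",
        "dn_messages": list(status.get("dn_message") or []),
    }


def failed_families(record: dict) -> list:
    """Families whose validation reported a non-zero code (0 means success per the definitions)."""
    status = record.get("status") or {}
    return [fs for fs in (family_status(status, f) for f in ("ipv4", "ipv6")) if fs["code"] != 0]


def render_findings(record: dict) -> list:
    """One log-ready line per failed family, with the DN-level detail when present."""
    svm = (record.get("svm") or {}).get("name", "?")
    lines = []
    for fs in failed_families(record):
        detail = "; ".join(fs["dn_messages"]) or fs["message"]
        lines.append(f"{svm}: LDAP {fs['family']} is {fs['state']} (code {fs['code']}): {detail}")
    return lines


if __name__ == "__main__":
    for line in render_findings(SAMPLE_RECORD):
        print(line)
```

A partially failed record (one family up, the other down) is the case worth alerting on: the flat state field alone would not distinguish it from a fully healthy configuration, which is why the per-family objects are read first.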
Headers
Name | Description | Type |
---|---|---|
Location | Useful for tracking the resource location | string |
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
262186 | LDAP Servers cannot be used with Active Directory domain and/or preferred Active Directory servers |
2621488 | Invalid SVM context |
2621706 | The specified SVM UUID is incorrect for the specified SVM name |
4915203 | The specified LDAP schema does not exist |
262222 | The specified LDAP servers or preferred Active Directory servers contain duplicate server entries |
4915229 | DNS resolution failed due to an internal error. Contact technical support if this issue persists |
4915231 | DNS resolution failed for one or more of the specified LDAP servers. Verify that a valid DNS server is configured |
23724132 | DNS resolution failed for all the specified LDAP servers. Verify that a valid DNS server is configured |
4915234 | The specified LDAP server or preferred Active Directory server is not supported because it is one of the following: multicast, loopback, 0.0.0.0, or broadcast |
4915248 | LDAP servers cannot be empty or "-". Specified Active Directory domain is invalid because it is empty or "-" or it contains either the special characters or "-" at the start or end of the domain |
4915251 | STARTTLS and LDAPS cannot be used together |
4915257 | The LDAP configuration is invalid. Verify that bind-dn and bind password are correct |
4915258 | The LDAP configuration is invalid. Verify that the Active Directory domain or servers are reachable and that the network configuration is correct |
4915259 | LDAP configurations with Active Directory domains are not supported on admin SVM. |
4915265 | The specified bind password or bind DN is invalid |
4915264 | Certificate verification failed. Verify that a valid certificate is installed |
13434916 | The SVM is in the process of being created. Wait a few minutes, and then try the command again. |
23724130 | Cannot use an IPv6 name server address because there are no IPv6 LIFs |
4915252 | LDAP Referral is not supported with STARTTLS, with session security levels sign, seal or with LDAPS. |
4915266 | LDAP site discovery restriction cannot be applied to a mixed version cluster. |
656477 | Need default site to be specified to enable site restriction. |
4915206 | CIFS server is not configured for the vserver. LDAP client configuration requires CIFS server for binding. |
4915261 | Cannot use port "389" when "ldaps_enabled" is "true". |
4915255 | Base DN specified in the LDAP client configuration is not available. |
4915268 | The bind_as_cifs_server field cannot be set to true when the CIFS server is in workgroup mode. |
4915269 | The bind_as_cifs_server field cannot be set to true when the CIFS server is in realm mode. |
Name | Type | Description |
---|---|---|
error | | |
Example error
```json
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}
```
Definitions
href
Name | Type | Description |
---|---|---|
href | string | |
_links
Name | Type | Description |
---|---|---|
self | | |
ipv4
Name | Type | Description |
---|---|---|
code | integer | Code corresponding to the error message. If there is no error, it is 0 to indicate success. |
dn_messages | array[string] | |
message | string | Provides additional details on the error. |
state | string | Status of the LDAP service. |
ipv6
Name | Type | Description |
---|---|---|
code | integer | Code corresponding to the error message. If there is no error, it is 0 to indicate success. |
dn_messages | array[string] | |
message | string | Provides additional details on the error. |
state | string | Status of the LDAP service. |
status
Name | Type | Description |
---|---|---|
code | integer | This field is no longer supported. Use ipv4.code or ipv6.code instead. |
dn_message | array[string] | |
ipv4 | | |
ipv4_state | string | This field is no longer supported. Use ipv4.state instead. |
ipv6 | | |
ipv6_state | string | This field is no longer supported. Use ipv6.state instead. |
message | string | This field is no longer supported. Use ipv4.message or ipv6.message instead. |
state | string | The status of the LDAP service for the SVM. The LDAP service is up if either |
svm
SVM, applies only to SVM-scoped objects.
Name | Type | Description |
---|---|---|
_links | | |
name | string | The name of the SVM. This field cannot be specified in a PATCH method. |
uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method. |
ldap_service
Name | Type | Description |
---|---|---|
_links | | |
ad_domain | string | This parameter specifies the name of the Active Directory domain used to discover LDAP servers for use by this client. This is mutually exclusive with |
base_dn | string | Specifies the default base DN for all searches. |
base_scope | string | Specifies the default search scope for LDAP queries: |
bind_as_cifs_server | boolean | Specifies whether or not CIFS server's credentials are used to bind to the LDAP server. |
bind_dn | string | Specifies the user that binds to the LDAP servers. |
bind_password | string | Specifies the bind password for the LDAP servers. |
group_dn | string | Specifies the group Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for group lookups. |
group_membership_filter | string | Specifies the custom filter used for group membership lookups from an LDAP server. |
group_scope | string | Specifies the default search scope for LDAP for group lookups: |
is_netgroup_byhost_enabled | boolean | Specifies whether or not netgroup by host querying is enabled. |
is_owner | boolean | Specifies whether or not the SVM owns the LDAP client configuration. |
l |