Skip to main content

Create the LDAP configuration for an SVM

Contributors

POST /name-services/ldap

Introduced In: 9.6

Creates an LDAP configuration for an SVM.

Important notes

  • Each SVM can have one LDAP configuration.

  • The LDAP servers and Active Directory domain are mutually exclusive fields. These fields cannot be empty. At any point in time, either the LDAP servers or Active Directory domain must be populated.

  • LDAP configuration with Active Directory domain cannot be created on an admin SVM.

  • IPv6 must be enabled if IPv6 family addresses are specified.

The following parameters are optional:

  • preferred AD servers

  • schema

  • port

  • ldaps_enabled

  • min_bind_level

  • bind_password

  • base_scope

  • use_start_tls

  • session_security

  • referral_enabled

  • bind_as_cifs_server

  • query_timeout

  • user_dn

  • user_scope

  • group_dn

  • group_scope

  • netgroup_dn

  • netgroup_scope

  • netgroup_byhost_dn

  • netgroup_byhost_scope

  • is_netgroup_byhost_enabled

  • group_membership_filter

  • skip_config_validation

  • try_channel_binding

  • restrict_discovery_to_site

Configuring more than one LDAP server is recommended to avoid a single point of failure. Both FQDNs and IP addresses are supported for the "servers" field. The Acitve Directory domain or LDAP servers are validated as part of this operation.

LDAP validation fails in the following scenarios:

  1. The server does not have LDAP installed.

  2. The server or Active Directory domain is invalid.

  3. The server or Active Directory domain is unreachable.

Parameters

Name Type In Required Description

return_records

boolean

query

False

The default is false. If set to true, the records are returned.

  • Default value:

Request Body

Name Type Description

_links

_links

ad_domain

string

This parameter specifies the name of the Active Directory domain used to discover LDAP servers for use by this client. This is mutually exclusive with servers during POST and PATCH.

base_dn

string

Specifies the default base DN for all searches.

base_scope

string

Specifies the default search scope for LDAP queries:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

bind_as_cifs_server

boolean

Specifies whether or not CIFS server's credentials are used to bind to the LDAP server.

bind_dn

string

Specifies the user that binds to the LDAP servers.

bind_password

string

Specifies the bind password for the LDAP servers.

group_dn

string

Specifies the group Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for group lookups.

group_membership_filter

string

Specifies the custom filter used for group membership lookups from an LDAP server.

group_scope

string

Specifies the default search scope for LDAP for group lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

is_netgroup_byhost_enabled

boolean

Specifies whether or not netgroup by host querying is enabled.

is_owner

boolean

Specifies whether or not the SVM owns the LDAP client configuration.

ldaps_enabled

boolean

Specifies whether or not LDAPS is enabled.

min_bind_level

string

The minimum bind authentication level. Possible values are:

  • anonymous - anonymous bind

  • simple - simple bind

  • sasl - Simple Authentication and Security Layer (SASL) bind

netgroup_byhost_dn

string

Specifies the netgroup Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for netgroup by host lookups.

netgroup_byhost_scope

string

Specifies the default search scope for LDAP for netgroup by host lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

netgroup_dn

string

Specifies the netgroup Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for netgroup lookups.

netgroup_scope

string

Specifies the default search scope for LDAP for netgroup lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

port

integer

The port used to connect to the LDAP Servers.

preferred_ad_servers

array[string]

query_timeout

integer

Specifies the maximum time to wait for a query response from the LDAP server, in seconds.

referral_enabled

boolean

Specifies whether or not LDAP referral is enabled.

restrict_discovery_to_site

boolean

Specifies whether or not LDAP server discovery is restricted to site-scope.

schema

string

The name of the schema template used by the SVM.

  • AD-IDMU - Active Directory Identity Management for UNIX

  • AD-SFU - Active Directory Services for UNIX

  • MS-AD-BIS - Active Directory Identity Management for UNIX

  • RFC-2307 - Schema based on RFC 2307

  • Custom schema

servers

array[string]

session_security

string

Specifies the level of security to be used for LDAP communications:

  • none - no signing or sealing

  • sign - sign LDAP traffic

  • seal - seal and sign LDAP traffic

skip_config_validation

boolean

Indicates whether or not the validation for the specified LDAP configuration is disabled.

status

status

svm

svm

SVM, applies only to SVM-scoped objects.

try_channel_binding

boolean

Specifies whether or not channel binding is attempted in the case of TLS/LDAPS.

use_start_tls

boolean

Specifies whether or not to use Start TLS over LDAP connections.

user_dn

string

Specifies the user Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for user lookups.

user_scope

string

Specifies the default search scope for LDAP for user lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

Example request
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "ad_domain": "example.com",
  "base_dn": "dc=domainB,dc=example,dc=com",
  "base_scope": "string",
  "bind_dn": "cn=Administrators,cn=users,dc=domainB,dc=example,dc=com",
  "bind_password": "abc",
  "group_dn": "cn=abc,users,dc=com",
  "group_membership_filter": "",
  "group_scope": "string",
  "min_bind_level": "string",
  "netgroup_byhost_dn": "cn=abc,users,dc=com",
  "netgroup_byhost_scope": "string",
  "netgroup_dn": "cn=abc,users,dc=com",
  "netgroup_scope": "string",
  "port": 389,
  "preferred_ad_servers": [
    "11.11.11.11"
  ],
  "schema": "ad_idmu",
  "servers": [
    [
      "10.10.10.10",
      "domainB.example.com"
    ]
  ],
  "session_security": "string",
  "status": {
    "code": 65537300,
    "dn_message": [
      "string"
    ],
    "ipv4": {
      "code": 65537300,
      "dn_messages": [
        "string"
      ],
      "message": "string",
      "state": "string"
    },
    "ipv4_state": "string",
    "ipv6": {
      "code": 65537300,
      "dn_messages": [
        "string"
      ],
      "message": "string",
      "state": "string"
    },
    "ipv6_state": "string",
    "message": "string",
    "state": "string"
  },
  "svm": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "user_dn": "cn=abc,users,dc=com",
  "user_scope": "string"
}

Response

Status: 201, Created
Name Type Description

_links

_links

num_records

integer

Number of LDAP records.

records

array[ldap_service]

Example response
{
  "_links": {
    "next": {
      "href": "/api/resourcelink"
    },
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "num_records": 1,
  "records": [
    {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "ad_domain": "example.com",
      "base_dn": "dc=domainB,dc=example,dc=com",
      "base_scope": "string",
      "bind_dn": "cn=Administrators,cn=users,dc=domainB,dc=example,dc=com",
      "bind_password": "abc",
      "group_dn": "cn=abc,users,dc=com",
      "group_membership_filter": "",
      "group_scope": "string",
      "min_bind_level": "string",
      "netgroup_byhost_dn": "cn=abc,users,dc=com",
      "netgroup_byhost_scope": "string",
      "netgroup_dn": "cn=abc,users,dc=com",
      "netgroup_scope": "string",
      "port": 389,
      "preferred_ad_servers": [
        "11.11.11.11"
      ],
      "schema": "ad_idmu",
      "servers": [
        [
          "10.10.10.10",
          "domainB.example.com"
        ]
      ],
      "session_security": "string",
      "status": {
        "code": 65537300,
        "dn_message": [
          "string"
        ],
        "ipv4": {
          "code": 65537300,
          "dn_messages": [
            "string"
          ],
          "message": "string",
          "state": "string"
        },
        "ipv4_state": "string",
        "ipv6": {
          "code": 65537300,
          "dn_messages": [
            "string"
          ],
          "message": "string",
          "state": "string"
        },
        "ipv6_state": "string",
        "message": "string",
        "state": "string"
      },
      "svm": {
        "_links": {
          "self": {
            "href": "/api/resourcelink"
          }
        },
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      },
      "user_dn": "cn=abc,users,dc=com",
      "user_scope": "string"
    }
  ]
}

Headers

Name Description Type

Location

Useful for tracking the resource location

string

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

262186

LDAP Servers cannot be used with Active Directory domain and/or preferred Acti Directory servers

2621488

Invalid SVM context

2621706

The specified SVM UUID is incorrect for the specified SVM name

4915203

The specified LDAP schema does not exist

262222

The specified LDAP servers or preferred Active Directory servers contain duplicate server entries

4915229

DNS resolution failed due to an internal error. Contact technical support if this issue persists

4915231

DNS resolution failed for one or more of the specified LDAP servers. Verify that a valid DNS server is configured

23724132

DNS resolution failed for all the specified LDAP servers. Verify that a valid DNS server is configured

4915234

The specified LDAP server or preferred Active Directory server is not supported because it is one of the following: multicast, loopback, 0.0.0.0, or broadcast

4915248

LDAP servers cannot be empty or "-". Specified Active Directory domain is invalid because it is empty or "-" or it contains either the special characters or "-" at the start or end of the domain)

4915251

STARTTLS and LDAPS cannot be used together

4915257

The LDAP configuration is invalid. Verify that bind-dn and bind password are correct

4915258

The LDAP configuration is invalid. Verify that the Active Directory domain or servers are reachable and that the network configuration is correct

4915259

LDAP configurations with Active Directory domains are not supported on admin SVM.

4915265

The specified bind password or bind DN is invalid

4915264

Certificate verification failed. Verify that a valid certificate is installed

13434916

The SVM is in the process of being created. Wait a few minutes, and then try the command again.

23724130

Cannot use an IPv6 name server address because there are no IPv6 LIFs

4915252

LDAP Referral is not supported with STARTTLS, with session security levels sign, seal or with LDAPS.

4915266

LDAP site discovery restriction cannot be applied to a mixed version cluster.

656477

Need default site to be specified to enable site restriction.

4915206

CIFS server is not configured for the vserver. LDAP client configuration requires CIFS server for binding.

4915261

Cannot use port "389" when "ldaps_enabled" is "true".

4915255

Base DN specified in the LDAP client configuration is not available.

4915268

The bind_as_cifs_server field cannot be set to true when the CIFS server is in workgroup mode.

4915269

The bind_as_cifs_server field cannot be set to true when the CIFS server is in realm mode.

Name Type Description

error

returned_error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

href

Name Type Description

href

string

Name Type Description

self

href

ipv4

Name Type Description

code

integer

Code corresponding to the error message. If there is no error, it is 0 to indicate success.

dn_messages

array[string]

message

string

Provides additional details on the error.

state

string

Status of the LDAP service.

ipv6

Name Type Description

code

integer

Code corresponding to the error message. If there is no error, it is 0 to indicate success.

dn_messages

array[string]

message

string

Provides additional details on the error.

state

string

Status of the LDAP service.

status

Name Type Description

code

integer

This field is no longer supported. Use ipv4.code or ipv6.code instead.

dn_message

array[string]

ipv4

ipv4

ipv4_state

string

This field is no longer supported. Use ipv4.state instead.

ipv6

ipv6

ipv6_state

string

This field is no longer supported. Use ipv6.state instead.

message

string

This field is no longer supported. Use ipv4.message or ipv6.message instead.

state

string

The status of the LDAP service for the SVM. The LDAP service is up if either ipv4_state or ipv6_state is up. The LDAP service is down if both ipv4_state and ipv6_state are down.

svm

SVM, applies only to SVM-scoped objects.

Name Type Description

_links

_links

name

string

The name of the SVM. This field cannot be specified in a PATCH method.

uuid

string

The unique identifier of the SVM. This field cannot be specified in a PATCH method.

ldap_service

Name Type Description

_links

_links

ad_domain

string

This parameter specifies the name of the Active Directory domain used to discover LDAP servers for use by this client. This is mutually exclusive with servers during POST and PATCH.

base_dn

string

Specifies the default base DN for all searches.

base_scope

string

Specifies the default search scope for LDAP queries:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

bind_as_cifs_server

boolean

Specifies whether or not CIFS server's credentials are used to bind to the LDAP server.

bind_dn

string

Specifies the user that binds to the LDAP servers.

bind_password

string

Specifies the bind password for the LDAP servers.

group_dn

string

Specifies the group Distinguished Name (DN) that is used as the starting point in the LDAP directory tree for group lookups.

group_membership_filter

string

Specifies the custom filter used for group membership lookups from an LDAP server.

group_scope

string

Specifies the default search scope for LDAP for group lookups:

  • base - search the named entry only

  • onelevel - search all entries immediately below the DN

  • subtree - search the named DN entry and the entire subtree below the DN

is_netgroup_byhost_enabled

boolean

Specifies whether or not netgroup by host querying is enabled.

is_owner

boolean

Specifies whether or not the SVM owns the LDAP client configuration.

l