Configure LDAP server access

Contributors

You must configure LDAP server access to an SVM before LDAP accounts can access the SVM. You can use the vserver services name-service ldap client create command to create an LDAP client configuration on the SVM. You can then use the vserver services name-service ldap create command to associate the LDAP client configuration with the SVM.

What you’ll need
About this task

Most LDAP servers can use the default schemas provided by ONTAP:

  • MS-AD-BIS (the preferred schema for most Windows 2012 and later AD servers)

  • AD-IDMU (Windows 2008, Windows 2012 and later AD servers)

  • AD-SFU (Windows 2003 and earlier AD servers)

  • RFC-2307 (UNIX LDAP servers)

It is best to use the default schemas unless there is a requirement to do otherwise. If so, you can create your own schema by copying a default schema and modifying the copy. For more information, see the following documents.

Steps
  1. Create an LDAP client configuration on an SVM: vserver services name-service ldap client create -vserver SVM_name -client-config client_configuration -servers LDAP_server_IPs -schema schema -use-start-tls true|false

    Note

    Start TLS is supported for access to data SVMs only. It is not supported for access to admin SVMs.

    For complete command syntax, see the worksheet.

    The following command creates an LDAP client configuration named corp on the SVMengData. The client makes anonymous binds to the LDAP servers with the IP addresses 172.160.0.100 and 172.16.0.101. The client uses the RFC-2307 schema to make LDAP queries. Communication between the client and server is encrypted using Start TLS.

    cluster1::>vserver services name-service ldap client create
    -vserver engData -client-config corp -servers 172.16.0.100,172.16.0.101 -schema RFC-2307 -use-start-tls true
    Note

    Starting in ONTAP 9.2, the field -ldap-servers replaces the field -servers. This new field can take either a hostname or an IP address for the LDAP server.

  2. Associate the LDAP client configuration with the SVM: vserver services name-service ldap create -vserver SVM_name -client-config client_configuration -client-enabled true|false

    For complete command syntax, see the worksheet.

    The following command associates the LDAP client configuration corp with the SVMengData, and enables the LDAP client on the SVM.

    cluster1::>vserver services name-service ldap create -vserver engData -client-config corp -client-enabled true
    Note

    Starting in ONTAP 9.2, the vserver services name-service ldap create command performs an automatic configuration validation and reports an error message if ONTAP is unable to contact the name server.

  3. Validate the status of the name servers by using the vserver services name-service ldap check command.

    The following command validates LDAP servers on the SVM vs0.

    cluster1::> vserver services name-service ldap check -vserver vs0
    
    | Vserver: vs0                                                |
    | Client Configuration Name: c1                               |
    | LDAP Status: up                                             |
    | LDAP Status Details: Successfully connected to LDAP server "10.11.12.13".                                              |

    The name service check command is available starting in ONTAP 9.2.