Enable Active Directory ONTAP account access
Suggest changes
PDFs
You can use the security login create command to enable Active Directory (AD) user or group accounts to access an admin or data SVM. Any user in the AD group can access the SVM with the role that is assigned to the group.
-
You must configure AD domain controller access to the cluster or SVM before the account can access the SVM.
You can perform this task before or after you enable account access.
-
Beginning with ONTAP 9.13.1, you can use an SSH public key as either your primary or secondary authentication method with an AD user password.
If you choose to use an SSH public key as your primary authentication, no AD authentication takes place.
-
Beginning with ONTAP 9.11.1, you can use Use LDAP fast bind for nsswitch authentication for ONTAP NFS SVMs if it is supported by the AD LDAP server.
-
If you are unsure of the access control role that you want to assign to the login account, you can use the
security login modifycommand to add the role later.Learn more about
security login modifyin the ONTAP command reference.
|
AD group account access is supported only with the SSH, ontapi, and rest applications. AD groups are not supported with SSH public key authentication which is commonly used for multifactor authentication.
|
-
The cluster time must be synchronized to within five minutes of the time on the AD domain controller.
-
You must be a cluster administrator to perform this task.
-
Enable AD user or group administrator accounts to access an SVM:
For AD users:
ONTAP Version Primary authentication Secondary authentication Command 9.13.1 and later
Public key
None
security login create -vserver <svm_name> -user-or-group-name <user_name> -application ssh -authentication-method publickey -role <role>
9.13.1 and later
Domain
Public key
For a new user
security login create -vserver <svm_name> -user-or-group-name <user_name> -application ssh -authentication-method domain -second-authentication-method publickey -role <role>
For an existing user
security login modify -vserver <svm_name> -user-or-group-name <user_name> -application ssh -authentication-method domain -second-authentication-method publickey -role <role>
9.0 and later
Domain
None
security login create -vserver <svm_name> -user-or-group-name <user_name> -application <application> -authentication-method domain -role <role> -comment <comment> [-is-ldap-fastbind true]
For AD groups:
ONTAP version Primary authentication Secondary authentication Command 9.0 and later
Domain
None
security login create -vserver <svm_name> -user-or-group-name <user_name> -application <application> -authentication-method domain -role <role> -comment <comment> [-is-ldap-fastbind true]
If you have not configured AD domain controller access to the cluster or SVM, you must do so before the account can access the SVM.