Use LDAP fast bind for nsswitch authentication

Contributors: netapp-aoife, netapp-forry

Beginning with ONTAP 9.11.1, you can take advantage of LDAP fast bind functionality (also known as concurrent bind) for faster and simpler client authentication requests. To use this functionality, the LDAP server must support fast bind functionality.

About this task

Without fast bind, ONTAP uses LDAP simple bind to authenticate admin users with the LDAP server. With this authentication method, ONTAP sends a user or group name to the LDAP server, receives the stored password hash, and compares that server-side hash with the hash generated locally from the password the user entered. If the two are identical, ONTAP grants login permission.

With fast bind functionality, ONTAP sends only user credentials (user name and password) to the LDAP server through a secure connection. The LDAP server then validates these credentials and instructs ONTAP to grant login permissions.

One advantage of fast bind is that there is no need for ONTAP to support every new hashing algorithm supported by LDAP servers, because password hashing is performed by the LDAP server.

You can use existing LDAP client configurations for LDAP fast bind. However, it is strongly recommended that the LDAP client be configured for TLS or LDAPS; otherwise, the password is sent over the wire in clear text.

To enable LDAP fast bind in an ONTAP environment, you must satisfy these requirements:

  • ONTAP admin users must be configured on an LDAP server that supports fast bind.

  • The ONTAP SVM must be configured for LDAP in the name services switch (nsswitch) database.

  • ONTAP admin user and group accounts must be configured for nsswitch authentication using fast bind.

Steps
  1. Confirm with your LDAP administrator that LDAP fast bind is supported on the LDAP server.

  2. Ensure that ONTAP admin user credentials are configured on the LDAP server.

  3. Verify that the admin or data SVM is configured correctly for LDAP fast bind.

    a. To confirm that the LDAP fast bind server is listed in the LDAP client configuration, enter:

      vserver services name-service ldap client show

    b. To confirm that ldap is one of the configured sources for the nsswitch passwd database, enter:

      vserver services name-service ns-switch show

  4. Ensure that admin users are authenticating with nsswitch and that LDAP fast bind authentication is enabled in their accounts.

    • For existing users, enter security login modify and verify the following parameter settings:

      -authentication-method nsswitch

      -is-ldap-fastbind true

    • For new admin users, see Enable LDAP or NIS account access.
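The following clustershell session walks through the verification and enablement steps above, including the TLS check recommended earlier on this page. It is an added example, not taken from the NetApp documentation: svm1, the LDAP client configuration name ldap_svm1 and the admin user jdoe are constructed placeholders, the lines beginning with # are annotations rather than ONTAP syntax, and the field names passed to -fields (ldap-servers, use-start-tls, ldaps-enabled, authentication-method, is-ldap-fastbind) are assumed to match the option names of the LDAP client and security login tables on your cluster.

```ontap
# Step 3a: confirm the client configuration points at the fast-bind capable
# LDAP server and is protected by StartTLS or LDAPS, so that the password
# carried by the bind request is never sent in clear text.
vserver services name-service ldap client show -vserver svm1 -client-config ldap_svm1 -fields ldap-servers,use-start-tls,ldaps-enabled

# If neither use-start-tls nor ldaps-enabled is true, enable StartTLS (or LDAPS)
# before enabling fast bind. This assumes the LDAP server presents a certificate
# that the SVM already trusts.
vserver services name-service ldap client modify -vserver svm1 -client-config ldap_svm1 -use-start-tls true

# Step 3b: confirm that ldap is one of the sources for the passwd database.
vserver services name-service ns-switch show -vserver svm1 -database passwd

# Step 4: switch an existing SSH admin login (jdoe) to nsswitch authentication
# with LDAP fast bind enabled.
security login modify -vserver svm1 -user-or-group-name jdoe -application ssh -authentication-method nsswitch -is-ldap-fastbind true

# Verify the resulting login entry before closing the session.
security login show -vserver svm1 -user-or-group-name jdoe -fields application,authentication-method,is-ldap-fastbind
```

Note that security login modify only changes a login entry that already exists; a new nsswitch admin account is created with security login create and the same -authentication-method nsswitch and -is-ldap-fastbind true parameters. Keep a second, locally authenticated admin session open while making these changes so that a misconfigured LDAP client or TLS setting cannot lock you out of the cluster.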