Overview of using LDAP

Contributors

If LDAP is used in your environment for name services, you need to work with your LDAP administrator to determine requirements and appropriate storage system configurations, then enable the SVM as an LDAP client.

Beginning with ONTAP 9.10.1, LDAP channel binding is supported by default for both Active Directory and name services LDAP connections. ONTAP will try channel binding with LDAP connections only if Start-TLS or LDAPS is enabled along with session security set to either sign or seal. To disable or reenable LDAP channel binding with name servers, use the -try-channel-binding parameter with the ldap client modify command.

  • Before configuring LDAP for ONTAP, you should verify that your site deployment meets best practices for LDAP server and client configuration. In particular, the following conditions must be met:

    • The domain name of the LDAP server must match the entry on the LDAP client.

    • The LDAP user password hash types supported by the LDAP server must include those supported by ONTAP:

      • CRYPT (all types) and SHA-1 (SHA, SSHA).

      • Beginning with ONTAP 9.8, SHA-2 hashes (SHA-256, SSH-384, SHA-512, SSHA-256, SSHA-384, and SSHA-512) are also supported.

    • If the LDAP server requires session security measures, you must configure them in the LDAP client.

      The following session security options are available:

      • LDAP signing (provides data integrity checking) and LDAP signing and sealing (provides data integrity checking and encryption)

      • START TLS

      • LDAPS (LDAP over TLS or SSL)

    • To enable signed and sealed LDAP queries, the following services must be configured:

      • LDAP servers must support the GSSAPI (Kerberos) SASL mechanism.

      • LDAP servers must have DNS A/AAAA records as well as PTR records set up on the DNS server.

      • Kerberos servers must have SRV records present on the DNS server.

    • To enable START TLS or LDAPS, the following points should be considered.

      • It is a NetApp best practice to use Start TLS rather than LDAPS.

      • If LDAPS is used, the LDAP server must be enabled for TLS or for SSL in ONTAP 9.5 and later. SSL is not supported in ONTAP 9.0-9.4.

      • A certificate server must already be configured in the domain.

    • To enable LDAP referral chasing (in ONTAP 9.5 and later), the following conditions must be satisfied:

      • Both domains should be configured with one of the following trust relationships:

        • Two-way

        • One-way, where the primary trusts the referral domain

        • Parent-child

      • DNS must be configured to resolve all referred server names.

      • Domain passwords should be same to authenticate when --bind-as-cifs-server set to true.

    Note

    The following configurations are not supported with LDAP referral chasing.

    • For all ONTAP versions:

      • LDAP clients on an admin SVM

    • For ONTAP 9.8 and earlier (they are supported in 9.9.1 and later):

      • LDAP signing and sealing (the -session-security option)

      • Encrypted TLS connections (the -use-start-tls option)

      • Communications over LDAPS port 636 (the -use-ldaps-for-ad-ldap option)

  • You must enter an LDAP schema when configuring the LDAP client on the SVM.

    In most cases, one of the default ONTAP schemas will be appropriate. However, if the LDAP schema in your environment differs from these, you must create a new LDAP client schema for ONTAP before creating the LDAP client. Consult with your LDAP administrator about requirements for your environment.

  • Using LDAP for host name resolution is not supported.