Release notes
Configure S3 access for external directory services
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
Beginning with ONTAP 9.14.1, services for external directories have been integrated with ONTAP S3 object storage. This integration simplifies user and access management through external directory services.
You can provide user groups belonging to an external directory service with access to your ONTAP object storage environment. Lightweight Directory Access Protocol (LDAP) is an interface for communicating with directory services, such as Active Directory, that provide a database and services for identity and access management (IAM). To provide access, you need to configure LDAP groups in your ONTAP S3 environment. After you have configured access, the group members have permissions to ONTAP S3 buckets. For information about LDAP, see Overview of using LDAP.
You can also configure Active Directory user groups for fast bind mode, so that user credentials can be validated and third-party and open-source S3 applications can be authenticated over LDAP connections.
Ensure the following before configuring LDAP groups and enabling the fast bind mode for group access:
-
An S3-enabled storage VM containing an S3 server has been created. See Create an SVM for S3.
-
A bucket has been created in that storage VM. See Create a bucket.
-
DNS is configured on the storage VM. See Configure DNS services.
-
A self-signed root certification authority (CA) certificate of the LDAP server is installed on the storage VM. See Install the self-signed root CA certificate on the SVM.
-
An LDAP client is configured with TLS enabled on the SVM. See Create an LDAP client configuration and Associate the LDAP client configuration with SVMs for information.
Configure S3 access for external directory services
-
Specify LDAP as the name service database of the SVM for the group and password to LDAP:
ns-switch modify -vserver <vserver-name> -database group -sources files,ldap ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap
For more information about this command, see the vserver services name-service ns-switch modify command.
-
Create an object store bucket policy statement with the
principalset to the LDAP group to which you want to grant access:object-store-server bucket policy statement create -bucket <bucket-name> -effect allow -principal nasgroup/<ldap-group-name> -resource <bucket-name>, <bucket-name>/*
Example: The following example creates a bucket policy statement for
buck1. The policy allows access for the LDAP groupgroup1to the resource (bucket and its objects)buck1.vserver object-store-server bucket policy add-statement -bucket buck1 -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts, ListBucketVersions,GetObjectTagging,PutObjectTagging,DeleteObjectTagging,GetBucketVersioning,PutBucketVersioning -principal nasgroup/group1 -resource buck1, buck1/*
-
Verify that a user from the LDAP group
group1is able to the perform S3 operations from the S3 client.
Use LDAP fast bind mode for authentication
-
Specify LDAP as the name service database of the SVM for the group and password to LDAP:
ns-switch modify -vserver <vserver-name> -database group -sources files,ldap ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap
For more information about this command, see the vserver services name-service ns-switch modify command.
-
Ensure that an LDAP user accessing the S3 bucket has permissions defined in the bucket-policies. For more information, see Modify a bucket policy.
-
Verify that a user from the LDAP group can perform the following operations:
-
Configure the access key on the S3 client in this format:
"NTAPFASTBIND" + base64-encode(user-name:password)
Example:"NTAPFASTBIND"+ base64-encode(ldapuser:password), which results in
NTAPFASTBINDbGRhcHVzZXI6cGFzc3dvcmQ=
The S3 client might prompt for a secret key. In the absence of a secret key, any password of at least 16 characters can be entered. -
Perform basic S3 operations from the S3 client for which the user has permissions.
-