Configure S3 access for external directory services
Beginning with ONTAP 9.14.1, services for external directories have been integrated with ONTAP S3 object storage. This integration simplifies user and access management through external directory services.
You can provide user groups belonging to an external directory service with access to your ONTAP object storage environment. Lightweight Directory Access Protocol (LDAP) is an interface for communicating with directory services, such as Active Directory, that provide a database and services for identity and access management (IAM). To provide access, you need to configure LDAP groups in your ONTAP S3 environment. After you have configured access, the group members have permissions to ONTAP S3 buckets. For information about LDAP, see Overview of using LDAP.
You can also configure Active Directory user groups for fast bind mode, so that user credentials can be validated and third-party and open-source S3 applications can be authenticated over LDAP connections.
Ensure the following before configuring LDAP groups and enabling the fast bind mode for group access:
- An S3-enabled storage VM containing an S3 server has been created. See Create an SVM for S3.
- A bucket has been created in that storage VM. See Create a bucket.
- DNS is configured on the storage VM. See Configure DNS services.
- A self-signed root certification authority (CA) certificate of the LDAP server is installed on the storage VM. See Install the self-signed root CA certificate on the SVM.
- An LDAP client is configured with TLS enabled on the SVM. See Create an LDAP client configuration and Associate the LDAP client configuration with SVMs for information.
Configure S3 access for external directory services
- Specify LDAP as a name service source for the group and passwd databases of the SVM:
  ns-switch modify -vserver <vserver-name> -database group -sources files,ldap
  ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap
  For more information about this command, see the vserver services name-service ns-switch modify command.
- Create an object store bucket policy statement with the principal set to the LDAP group to which you want to grant access:
  object-store-server bucket policy statement create -bucket <bucket-name> -effect allow -principal nasgroup/<ldap-group-name> -resource <bucket-name>, <bucket-name>/*
  Example: The following example creates a bucket policy statement for buck1. The policy allows the LDAP group group1 access to the resource (the bucket and its objects) buck1.
  vserver object-store-server bucket policy add-statement -bucket buck1 -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts,ListBucketVersions,GetObjectTagging,PutObjectTagging,DeleteObjectTagging,GetBucketVersioning,PutBucketVersioning -principal nasgroup/group1 -resource buck1, buck1/*
- Verify that a user from the LDAP group group1 is able to perform S3 operations from the S3 client.
Use LDAP fast bind mode for authentication
- Specify LDAP as a name service source for the group and passwd databases of the SVM:
  ns-switch modify -vserver <vserver-name> -database group -sources files,ldap
  ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap
  For more information about this command, see the vserver services name-service ns-switch modify command.
- Ensure that an LDAP user accessing the S3 bucket has permissions defined in the bucket policies. For more information, see Modify a bucket policy.
- Verify that a user from the LDAP group can perform the following operations:
  - Configure the access key on the S3 client in this format:
    "NTAPFASTBIND" + base64-encode(user-name:password)
    Example: "NTAPFASTBIND" + base64-encode(ldapuser:password), which results in NTAPFASTBINDbGRhcHVzZXI6cGFzc3dvcmQ=
    The S3 client might prompt for a secret key. In the absence of a secret key, any password of at least 16 characters can be entered.
  - Perform basic S3 operations from the S3 client for which the user has permissions.
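The fast bind access key format above, worked through as an added Python example that is not part of the NetApp documentation: it builds a key, parses one back, and scrubs such keys from log text, because the key carries the LDAP password in base64 and must be handled as a credential. The sample log lines and their field layout are constructed for illustration only.

```python
import base64
import binascii
import re

PREFIX = "NTAPFASTBIND"


def build_fastbind_access_key(username: str, password: str) -> str:
    """Access key for LDAP fast bind mode: the literal prefix + base64(user-name:password)."""
    if ":" in username:
        raise ValueError("user name must not contain ':'; it would be ambiguous with the separator")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return PREFIX + token


def parse_fastbind_access_key(access_key: str):
    """Return (username, password) for a well-formed fast bind key, else None.
    The password may itself contain ':', so split on the first separator only."""
    if not access_key.startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(access_key[len(PREFIX):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pwd = raw.partition(":")
    if not sep or not user:
        return None
    return user, pwd


# Constructed sample log lines (not from a real ONTAP system). The first line carries a
# fast bind key, i.e. an encoded LDAP password, which must not land in stored or shared logs.
SAMPLE_LOG = """\
PUT /buck1/report.pdf Credential=NTAPFASTBINDbGRhcHVzZXI6cGFzc3dvcmQ=/20240101/us-east-1/s3/aws4_request
GET /buck1 Credential=AKIAEXAMPLESTATICKEY/20240101/us-east-1/s3/aws4_request
"""

_KEY_RE = re.compile(r"NTAPFASTBIND[A-Za-z0-9+/]+=*")


def redact_fastbind_keys(text: str) -> str:
    """Replace every fast bind key with a marker that keeps only the user name.
    Anything that looks like a key but does not decode is still redacted (fail closed)."""
    def repl(match: re.Match) -> str:
        parsed = parse_fastbind_access_key(match.group(0))
        user = parsed[0] if parsed else "?"
        return f"{PREFIX}<redacted user={user}>"
    return _KEY_RE.sub(repl, text)
```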
Resource authentication for Active Directory for users without UID and GID
If the nasgroup specified in the bucket-policy statement, or the users who are members of that nasgroup, do not have a UID and GID set, lookups fail because these attributes are not found.
To avoid lookup failures, NetApp recommends using trusted domains for resource authorization in UPN format: nasgroup/group@trusted_domain.com
To generate the user access keys for trusted domain users when LDAP fast bind is not used
Use the s3/services/<svm_uuid>/users endpoint with users specified in UPN format. Example:
curl -siku FQDN\\user:<user_name> -X POST https://<LIF_IP_Address>/api/protocols/s3/services/<SVM_UUID>/users -d '{"comment":"<S3_user_name>","name":"<user@fqdn>","key_time_to_live":"PT6H3M"}'