
Configure S3 access for external directory services

Contributors: johnlantz, netapp-aherbin, netapp-lenida, netapp-dbagwell, netapp-ahibbard

Beginning with ONTAP 9.14.1, services for external directories have been integrated with ONTAP S3 object storage. This integration simplifies user and access management through external directory services.

You can provide user groups belonging to an external directory service with access to your ONTAP object storage environment. Lightweight Directory Access Protocol (LDAP) is an interface for communicating with directory services, such as Active Directory, that provide a database and services for identity and access management (IAM). To provide access, you need to configure LDAP groups in your ONTAP S3 environment. After you have configured access, the group members have permissions to ONTAP S3 buckets. For information about LDAP, see Overview of using LDAP.

You can also configure Active Directory user groups for fast bind mode, so that user credentials can be validated and third-party and open-source S3 applications can be authenticated over LDAP connections.

Before you begin

Ensure the following before configuring LDAP groups and enabling the fast bind mode for group access:

  1. An S3-enabled storage VM containing an S3 server has been created. See Create an SVM for S3.

  2. A bucket has been created in that storage VM. See Create a bucket.

  3. DNS is configured on the storage VM. See Configure DNS services.

  4. A self-signed root certification authority (CA) certificate of the LDAP server is installed on the storage VM. See Install the self-signed root CA certificate on the SVM.

  5. An LDAP client is configured with TLS enabled on the SVM. See Create an LDAP client configuration and Associate the LDAP client configuration with SVMs for information.

Configure S3 access for external directory services

  1. Add LDAP as a name-service source for the group and passwd databases of the SVM:

    ns-switch modify -vserver <vserver-name> -database group -sources files,ldap
    ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap

    For more information about this command, see the vserver services name-service ns-switch modify command.

  2. Create an object store bucket policy statement with the principal set to the LDAP group to which you want to grant access:

    object-store-server bucket policy statement create -bucket <bucket-name> -effect allow -principal nasgroup/<ldap-group-name> -resource <bucket-name>, <bucket-name>/*

    Example: The following example creates a bucket policy statement for buck1. The policy allows access for the LDAP group group1 to the resource (bucket and its objects) buck1.

    vserver object-store-server bucket policy add-statement -bucket buck1 -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts,ListBucketVersions,GetObjectTagging,PutObjectTagging,DeleteObjectTagging,GetBucketVersioning,PutBucketVersioning -principal nasgroup/group1 -resource buck1, buck1/*

  3. Verify that a user from the LDAP group group1 is able to perform S3 operations from the S3 client.

Use LDAP fast bind mode for authentication

  1. Add LDAP as a name-service source for the group and passwd databases of the SVM:

    ns-switch modify -vserver <vserver-name> -database group -sources files,ldap
    ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap

    For more information about this command, see the vserver services name-service ns-switch modify command.

  2. Ensure that an LDAP user accessing the S3 bucket has permissions defined in the bucket-policies. For more information, see Modify a bucket policy.

  3. Verify that a user from the LDAP group can perform the following operations:

    1. Configure the access key on the S3 client in this format:

      "NTAPFASTBIND" + base64-encode(user-name:password)

      Example: "NTAPFASTBIND" + base64-encode(ldapuser:password) results in the access key

      NTAPFASTBINDbGRhcHVzZXI6cGFzc3dvcmQ=

      Note: The S3 client might prompt for a secret key. Fast bind mode does not use one; if the client requires a value, any password of at least 16 characters can be entered.
    2. Perform basic S3 operations from the S3 client for which the user has permissions.
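The following helper builds the fast bind access key described above and also parses one back, which is useful when reviewing client configurations or logs, because a key that starts with NTAPFASTBIND carries the user's LDAP password and must be protected accordingly. This is an added example, not code from the ONTAP documentation; the function names are my own.

```python
import base64
import binascii
from typing import Optional, Tuple

# Prefix that marks an ONTAP S3 access key as an LDAP fast bind credential.
FASTBIND_PREFIX = "NTAPFASTBIND"


def make_fastbind_access_key(user_name: str, password: str) -> str:
    """Build "NTAPFASTBIND" + base64("<user-name>:<password>").

    The user name may be a plain LDAP user or a UPN (user@trusted_domain.com).
    It must not contain ':' because the colon separates name from password.
    """
    if not user_name or not password:
        raise ValueError("user name and password are required")
    if ":" in user_name:
        raise ValueError("user name must not contain ':'")
    raw = f"{user_name}:{password}".encode("utf-8")
    return FASTBIND_PREFIX + base64.b64encode(raw).decode("ascii")


def parse_fastbind_access_key(access_key: str) -> Optional[Tuple[str, str]]:
    """Return (user_name, password) for a well-formed fast bind key.

    Returns None for an ordinary ONTAP S3 access key or malformed base64.
    Splitting on the first ':' keeps passwords that contain colons intact.
    """
    if not access_key.startswith(FASTBIND_PREFIX):
        return None
    try:
        decoded = base64.b64decode(access_key[len(FASTBIND_PREFIX):], validate=True)
        text = decoded.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user_name, sep, password = text.partition(":")
    if not sep or not user_name or not password:
        return None
    return user_name, password


def placeholder_secret_key_ok(secret: str) -> bool:
    """Fast bind does not use a secret key; a client that insists on one
    accepts any value of at least 16 characters (per the ONTAP documentation)."""
    return len(secret) >= 16
```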

Resource authentication for Active Directory for users without UID and GID

If the nasgroup specified in the bucket-policy statement, or the users who are members of that nasgroup, do not have a UID and GID set, lookups fail because these attributes are not found.

To avoid lookup failures, NetApp recommends using trusted domains for resource authorization, with the principal in UPN format: nasgroup/group@trusted_domain.com

To generate the user access keys for trusted domain users when LDAP fast bind is not used

Use the s3/services/<svm_uuid>/users endpoint with users specified in UPN format. Example:

    $ curl -siku FQDN\\user:<user_name> -X POST https://<LIF_IP_Address>/api/protocols/s3/services/<SVM_UUID>/users -d '{"comment":"<S3_user_name>", "name":"<user@fqdn>", "key_time_to_live":"PT6H3M"}'