
Configure external directory services for ONTAP S3 access

Contributors netapp-dbagwell johnlantz netapp-barbe netapp-aaron-holt netapp-lenida netapp-aherbin netapp-ahibbard

Beginning with ONTAP 9.14.1, services for external directories have been integrated with ONTAP S3 object storage. This integration simplifies user and access management through external directory services.

You can provide user groups belonging to an external directory service with access to your ONTAP object storage environment. Lightweight Directory Access Protocol (LDAP) is an interface for communicating with directory services, such as Active Directory, that provide a database and services for identity and access management (IAM). To provide access, you need to configure LDAP groups in your ONTAP S3 environment. After you have configured access, the group members have permissions to ONTAP S3 buckets. For information about LDAP, see Learn about using LDAP name services on ONTAP NFS SVMs.

You can also configure Active Directory user groups for fast bind mode, so that user credentials can be validated and third-party and open-source S3 applications can be authenticated over LDAP connections.

Before you begin

Ensure the following before configuring LDAP groups and enabling the fast bind mode for group access:

  1. An S3-enabled storage VM containing an S3 server has been created. See Create an SVM for S3.

  2. A bucket has been created in that storage VM. See Create a bucket.

  3. DNS is configured on the storage VM. See Configure DNS services.

  4. A self-signed root certification authority (CA) certificate of the LDAP server is installed on the storage VM. See Install self-signed root CA certificates on the SVM.

  5. An LDAP client is configured with TLS enabled on the SVM. See Create LDAP client configurations for ONTAP NFS access and Associate LDAP client configurations with ONTAP NFS SVMs for information.

Configure S3 access for LDAP

  1. Add LDAP as a name service source for the group and passwd databases of the SVM:

    ns-switch modify -vserver <vserver-name> -database group -sources files,ldap
    ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap

    Learn more about the vserver services name-service ns-switch modify command in the ONTAP command reference.

  2. Create an object store bucket policy statement with the principal set to the LDAP group to which you want to grant access:

    object-store-server bucket policy statement create -bucket <bucket-name> -effect allow -principal nasgroup/<ldap-group-name> -resource <bucket-name>, <bucket-name>/*

    Example: The following example creates a bucket policy statement for buck1. The policy allows access for the LDAP group group1 to the resource (bucket and its objects) buck1.

    vserver object-store-server bucket policy add-statement -bucket buck1 -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts,ListBucketVersions,GetObjectTagging,PutObjectTagging,DeleteObjectTagging,GetBucketVersioning,PutBucketVersioning -principal nasgroup/group1 -resource buck1, buck1/*

  3. Verify that a user from the LDAP group group1 is able to perform S3 operations from the S3 client.

Use LDAP fast bind mode for authentication

  1. Add LDAP as a name service source for the group and passwd databases of the SVM:

    ns-switch modify -vserver <vserver-name> -database group -sources files,ldap
    ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap

    Learn more about the vserver services name-service ns-switch modify command in the ONTAP command reference.

  2. Ensure that an LDAP user accessing the S3 bucket has permissions defined in the bucket policies. For more information, see Modify a bucket policy.

  3. Verify that a user from the LDAP group can perform the following operations:

    1. Configure the access key on the S3 client in this format:
      "NTAPFASTBIND" + base64-encode(user-name:password)
      Example: "NTAPFASTBIND" + base64-encode(ldapuser:password), which results in
      NTAPFASTBINDbGRhcHVzZXI6cGFzc3dvcmQ=

      Note The S3 client might prompt for a secret key. In the absence of a secret key, any password of at least 16 characters can be entered.
    2. Perform basic S3 operations from the S3 client for which the user has permissions.

Base64 credentials

ONTAP S3's default configuration excludes HTTP and exclusively uses HTTPS and a Transport Layer Security (TLS) connection. ONTAP can generate self-signed certificates, but the recommended best practice is to use certificates from a third-party certificate authority (CA). When you use CA certificates, you create a trusted relationship between client applications and the ONTAP object store server.

Be aware that credentials encoded using Base64 are easily decoded. Using HTTPS will prevent encoded credentials from being captured by man-in-the-middle packet sniffers.

Do not use LDAP fast-bind mode for authentication when creating pre-signed URLs. Authentication is based exclusively on the Base64 access key that is included in the pre-signed URL. The user name and password will be revealed to anyone decoding the Base64 access key.
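The following Python helpers are an added example (not code from the ONTAP documentation) that builds a fast bind access key in the format given in the procedure above, and checks whether a pre-signed URL embeds such a key, which is exactly the exposure the preceding paragraphs warn about. The pre-signed URL, its signature and the host name are constructed sample values; the check only reports the exposed user name, never the password.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlparse

FAST_BIND_PREFIX = "NTAPFASTBIND"


def fast_bind_access_key(user: str, password: str) -> str:
    """Build the fast bind access key: "NTAPFASTBIND" + base64(user:password)."""
    creds = f"{user}:{password}".encode("utf-8")
    return FAST_BIND_PREFIX + base64.b64encode(creds).decode("ascii")


def fast_bind_user(access_key: str):
    """Return the user name carried by a fast bind access key, or None if the key
    is not a well-formed fast bind key. Base64 is an encoding, not encryption, so
    anyone holding the key can recover user name and password the same way."""
    if not access_key.startswith(FAST_BIND_PREFIX):
        return None
    try:
        raw = base64.b64decode(access_key[len(FAST_BIND_PREFIX):], validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, _password = decoded.partition(":")
    return user


def presigned_url_access_key(url: str):
    """Extract the access key from a pre-signed S3 URL: SigV4 puts it in the first
    slash-separated field of X-Amz-Credential, SigV2 in AWSAccessKeyId."""
    query = parse_qs(urlparse(url).query)
    if "X-Amz-Credential" in query:
        return query["X-Amz-Credential"][0].split("/", 1)[0]
    if "AWSAccessKeyId" in query:
        return query["AWSAccessKeyId"][0]
    return None


def presigned_url_leaks_fast_bind(url: str) -> bool:
    """True when the pre-signed URL embeds a fast bind key, i.e. hands the LDAP
    user name and password to anyone who sees the URL (logs, referrers, email)."""
    key = presigned_url_access_key(url)
    return key is not None and fast_bind_user(key) is not None


# Constructed sample: a SigV4 pre-signed URL for buck1 whose credential field is
# the fast bind key from the example above ("=" and "/" are percent-encoded).
SAMPLE_URL = (
    "https://s3.example.com/buck1/report.csv?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=NTAPFASTBINDbGRhcHVzZXI6cGFzc3dvcmQ%3D%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Signature=0000"  # placeholder signature, not a real one
)
```

Running `presigned_url_leaks_fast_bind(SAMPLE_URL)` returns `True`, while a URL carrying an ordinary generated access key returns `False`.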

Generate keys when the authentication method is nsswitch and LDAP is enabled

$ curl -siku <user>:<user_password> -X POST https://<LIF_IP_Address>/api/protocols/s3/services/<SVM_UUID>/users -d '{"comment":"<S3_user_name>","name":"<user>","key_time_to_live":"PT6H3M"}'
Note Direct the API to the cluster management LIF, not to the SVM's data LIF. If you want to allow users to generate their own keys, you must add HTTP permissions to their role to use curl. This permission is in addition to S3 API permissions.

Configure S3 access for Active Directory or SMB servers

If the nasgroup specified in the bucket policy statement, or the users who are members of that nasgroup, do not have a UID and GID set, lookups fail because these attributes are not found. Active Directory identifies users by SID, not UID. If SID entries cannot be mapped to UIDs, the necessary user and group data must be brought to ONTAP.

To do so, use vserver active-directory create so that the SVM can authenticate with Active Directory and get the necessary user and group information.

Alternatively, use vserver cifs create to create an SMB server in an Active Directory domain.

If you have different domain names for name servers and object stores, you might experience lookup failures. To avoid lookup failures, NetApp recommends using trusted domains for resource authorization in UPN format: nasgroup/group@trusted_domain.com
Trusted domains are those that have been added to the SMB server trusted domains list. Learn how to add, remove, and modify preferred trusted domains in the SMB server list.

Generate keys when the authentication method is domain and trusted domains are configured in Active Directory

Use the s3/services/<svm_uuid>/users endpoint with users specified in UPN format. Example:

$ curl -siku FQDN\\user:<user_password> -X POST https://<LIF_IP_Address>/api/protocols/s3/services/<SVM_UUID>/users -d '{"comment":"<S3_user_name>","name":"<user@fqdn>","key_time_to_live":"PT6H3M"}'
Note Direct the API to the cluster management LIF, not to the SVM's data LIF. If you want to allow users to generate their own keys, you must add HTTP permissions to their role to use curl. This permission is in addition to S3 API permissions.

Generate keys when the authentication method is domain and there are no trusted domains

This action is possible when LDAP is disabled or when non-POSIX users have not configured UID and GID. Example:

$ curl -siku FQDN\\user:<user_password> -X POST https://<LIF_IP_Address>/api/protocols/s3/services/<SVM_UUID>/users -d '{"comment":"<S3_user_name>","name":"<user[@fqdn]>","key_time_to_live":"PT6H3M"}'
Note Direct the API to the cluster management LIF, not to the SVM's data LIF. If you want to allow users to generate their own keys, you must add HTTP permissions to their role to use curl. This permission is in addition to S3 API permissions. You only need to add the optional domain value (@fqdn) to a user name if there are no trusted domains.