
Granting users in LDAP groups access to the system and mapping them to specified roles

If you store your user database on an LDAP server, you can grant users in LDAP groups access to the storage system and map them to specified roles on the system to manage their access.

Steps

  1. If the value of the security.admin.authentication option does not include nsswitch, add nsswitch to the option by using one of the following formats:
    • options security.admin.authentication internal,nsswitch
    • options security.admin.authentication nsswitch,internal

    The security.admin.authentication option specifies where the system finds authentication information for administrative user accounts. By default, it includes internal, which means the system’s local administrative repository. Adding nsswitch to the option enables the system to also use the repositories found in the nsswitch.conf file.

    For more information about the security.admin.authentication option, see the na_options(1) man page. For information about configuring LDAP services and the nsswitch.conf file, see the Data ONTAP File Access and Protocols Management Guide for 7-Mode.

  2. To grant users in LDAP groups access to the storage system and map them to specified roles on the system, enter the following command:
    options security.admin.nsswitchgroup ldapgroup1:role1,ldapgroup2:role2,ldapgroup3:role3

    • The security.admin.nsswitchgroup option maps an LDAP group to the role that follows the colon (:) after the group name.

      For instance, ldapgroup1 is mapped to role1, ldapgroup2 to role2, and ldapgroup3 to role3.

    • Group names and role names must not contain commas (,) or colons (:).
    • Mapping an LDAP group to a role enables users in that group to have only the capabilities granted by the mapped role.

      The role can be a predefined role or one that you create by using the useradmin role add command.

    • If an LDAP group is listed without a role after it, users in that group are granted the capabilities of the admin role and have full administrative access to the storage system. Omit the role only when that is what you intend; a missing role is not an error and does not fall back to a restricted role.
    • The value of the security.admin.nsswitchgroup option is limited to 256 characters; characters beyond the limit are silently ignored rather than rejected. Keep the value under the limit and display the option afterwards (options security.admin.nsswitchgroup) to confirm what was stored, because a mapping cut off at the limit can lose part of its role name or the role entirely, and a group with no role is granted the admin role as described above.

      For more information about the option, see the na_options(1) man page.

    Example

    The following example grants LDAP users in the ldapgrp1 group capabilities defined in the power role, LDAP users in the ldapgrp2 group full administrative capabilities, and LDAP users in the ldapgrp3 group capabilities defined in the audit role:

    system> options security.admin.nsswitchgroup ldapgrp1:power,ldapgrp2,ldapgrp3:audit
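    The following off-box pre-flight checker is an added example; it is not part of this guide and not Data ONTAP code (the 7-Mode console does not run Python, so run it on an administration workstation before typing the command). It encodes the rules of the procedure above: comma-separated ldapgroup:role entries, a group with no role mapped to admin, no commas or colons in names, and the 256-character limit. The assumption that the limit is a plain cut at 256 characters is this example's own; the function names, the constructed long value, and the 'ldapgrp9' group are illustrative. The roles 'power' and 'audit' are the ones from the example above.

```python
"""Off-box pre-flight checker for the Data ONTAP 7-Mode option
security.admin.nsswitchgroup (added example, not NetApp code).

Rules taken from the procedure:
  - the value is a comma-separated list of  ldapgroup[:role]
  - an entry with no ':role' maps its group to the admin role (full access)
  - group and role names must not contain ',' or ':'
  - the option keeps 256 characters and ignores the rest
Assumption: the length limit is a plain cut at 256 characters; the exact
truncation behaviour is not documented in the procedure.
"""

MAX_LEN = 256          # limit stated in the procedure
ADMIN_ROLE = "admin"   # role applied when an entry has no ':role'
FORBIDDEN = ",:"       # characters not allowed in group or role names


def parse_nsswitchgroup(value):
    """Interpret an option value the way the procedure describes.

    Returns (mappings, warnings): mappings is a list of (group, role) tuples
    as the system would apply them; warnings lists what an administrator
    should look at before setting the option (silent truncation, groups that
    get admin by omission, malformed entries).
    """
    warnings = []
    if len(value) > MAX_LEN:
        warnings.append(
            f"value is {len(value)} chars; characters past {MAX_LEN} are ignored")
        value = value[:MAX_LEN]   # assumed: a plain character cut

    mappings = []
    for entry in value.split(","):
        if not entry:
            warnings.append("empty entry (stray or trailing comma)")
            continue
        group, sep, role = entry.partition(":")
        if not group:
            warnings.append(f"entry {entry!r} has no group name")
            continue
        if ":" in role:
            warnings.append(f"entry {entry!r}: a second ':' is not allowed")
            continue
        if not sep:
            # No role at all: the procedure says this grants the admin role.
            warnings.append(
                f"group {group!r} has no role: members get {ADMIN_ROLE} (full access)")
            role = ADMIN_ROLE
        elif not role:
            # 'group:' with nothing after the colon is not described; flag it.
            warnings.append(f"group {group!r} has an empty role after ':'")
            continue
        mappings.append((group, role))
    return mappings, warnings


def build_nsswitchgroup(mappings, allow_implicit_admin=False):
    """Build an option value from (group, role) pairs, refusing anything the
    system would silently mis-handle. Every group must carry an explicit role
    unless allow_implicit_admin is set (a missing role then means admin).
    """
    entries = []
    for group, role in mappings:
        for name in (group, role or ""):
            if any(ch in name for ch in FORBIDDEN):
                raise ValueError(f"{name!r} contains ',' or ':'")
        if not group:
            raise ValueError("empty group name")
        if not role:
            if not allow_implicit_admin:
                raise ValueError(f"group {group!r} has no role; it would get admin")
            entries.append(group)
        else:
            entries.append(f"{group}:{role}")
    value = ",".join(entries)
    if len(value) > MAX_LEN:
        raise ValueError(f"value is {len(value)} chars, over the {MAX_LEN} limit")
    return value


def option_command(value):
    """The console command that sets the option, for copy and paste."""
    return f"options security.admin.nsswitchgroup {value}"


if __name__ == "__main__":
    # The guide's own example: ldapgrp2 has no role and therefore gets admin.
    maps, warns = parse_nsswitchgroup("ldapgrp1:power,ldapgrp2,ldapgrp3:audit")
    print(maps)
    for w in warns:
        print("WARNING:", w)
    # Constructed value whose 256-character cut lands just before ':audit',
    # so ldapgrp9 silently ends up with admin instead of audit.
    long_value = "x" * 241 + ":power,ldapgrp9:audit"
    maps, warns = parse_nsswitchgroup(long_value)
    print(maps[-1])
    for w in warns:
        print("WARNING:", w)
    print(option_command(build_nsswitchgroup([("ldapgrp1", "power"),
                                              ("ldapgrp3", "audit")])))
```

    Run the checker on the value you intend to set; anything reported as a warning is a group that will receive more access than its entry reads, or an entry the system will not interpret as written. build_nsswitchgroup refuses by default to emit a group without a role, so full administrative access has to be requested explicitly.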