Data ONTAP provides features for preventing or monitoring unauthorized use of NDMP connections to your storage system.
You can restrict the set of backup application hosts permitted to start NDMP sessions on a storage system. You can specify the authentication method to use (text or challenge) in order to allow NDMP requests. You can enable or disable monitoring of NDMP connection requests.
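The following is an added example, not part of the NetApp documentation: a Python check that reads the text printed by `options ndmpd` on the storage system and reports which of the three controls described above are left open. It assumes the Data ONTAP 7-Mode option names `ndmpd.enable`, `ndmpd.access`, `ndmpd.authtype` (with `plaintext` as the value for text authentication) and `ndmpd.connectlog.enabled`, none of which appear on this page; the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `options ndmpd` output (assumed 7-Mode layout: name, spaces, value).
SAMPLE = """\
ndmpd.access                 all
ndmpd.authtype               plaintext,challenge
ndmpd.connectlog.enabled     off
ndmpd.enable                 on
"""

def parse_options(text):
    """Return {option: value} for every 'ndmpd.* value' line; other lines are ignored."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(ndmpd\.[\w.]+)\s+(\S+)\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def audit(opts):
    """Return a list of (option, reason) findings for a parsed option set."""
    if opts.get("ndmpd.enable") == "off":
        return []  # NDMP service is disabled, so no sessions can be started
    findings = []
    # Host restriction: "all" (or a value missing from the output) means no allow-list.
    if opts.get("ndmpd.access") in (None, "all"):
        findings.append(("ndmpd.access",
                         "backup hosts are not restricted"))
    # Authentication: only challenge should be accepted.
    methods = {m for m in (opts.get("ndmpd.authtype") or "").split(",") if m}
    if methods != {"challenge"}:
        findings.append(("ndmpd.authtype",
                         "text authentication is accepted or the method is unknown"))
    # Monitoring: connection requests should be logged.
    if opts.get("ndmpd.connectlog.enabled") != "on":
        findings.append(("ndmpd.connectlog.enabled",
                         "NDMP connection requests are not being logged"))
    return findings

if __name__ == "__main__":
    for option, reason in audit(parse_options(SAMPLE)):
        print(f"{option}: {reason}")
```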
All non-root NDMP users on the root vFiler unit and all NDMP users on vFiler units are required to use NDMP passwords that are distinct from the password of the user. This password can be generated by using the ndmpd password userid command.
NDMP users must have the login-ndmp capability to be able to successfully authenticate NDMP sessions. A predefined role named backup, by default, has the login-ndmp capability. To provide a user with the login-ndmp capability, the backup role can be assigned to the group to which the user belongs. However, when a group is assigned the backup role, all users within the group get the login-ndmp capability. Therefore, it is best to group all NDMP users in a single group that has the backup role.
Data ONTAP also generates an NDMP-specific password for administrators who do not have root privilege on the target storage system.
This password allows them to perform NDMP operations through an NDMP-compliant backup application. For the NDMP password to be generated, the NDMP user must have the login-ndmp capability.
Data ONTAP provides a set of commands that enable you to manage and monitor the security of NDMP connections to the storage system.
The following are the commands that monitor the security of NDMP connections to storage systems: