
Enabling AD users and groups to access the cluster and SVMs

You can enable Active Directory (AD) domain users and groups to access the cluster and SVMs. Granting access to an AD group enables every member of that group, including members added to the group later, to access the cluster or the specified SVM, so the group's membership in AD is what controls who can log in.

Before you begin

Steps

  1. If you are setting up AD users or groups for cluster access, complete one of the following steps:
    • If the cluster already has a data SVM with a CIFS server created, you can use that data SVM as an authentication tunnel by using the security login domain-tunnel create command with the -vserver parameter set to that data SVM.

      The security login domain-tunnel show command displays the configured authentication tunnel, which confirms that the cluster is using the intended data SVM.

    • If the cluster does not have a data SVM with a CIFS server created, you can use any data SVM in the cluster and join it to a domain by using the vserver active-directory create command with the -vserver parameter set to the data SVM.

      Joining a data SVM to a domain does not create a CIFS server or require a CIFS license. However, it enables the authentication of AD users and groups at the SVM or cluster level.

  2. Grant an AD user or group access to the cluster or SVM by using the security login create command with the -authmethod parameter set to domain.

    The value of the -user-or-group-name parameter must be specified in the format domainname\username, where domainname is the name of the CIFS domain server and username is the AD user or group that you want to grant access. Because a group entry grants the same access to every member of the group, set the -role parameter to the least-privileged role that fits the task and review the group's membership in AD before granting it cluster-level access.

    AD user authentication and AD group authentication support only ssh and ontapi for the -application parameter; other application values are rejected for -authmethod domain.

    If the authentication tunnel is deleted, AD login sessions cannot be authenticated by the cluster, and AD users and groups cannot access the cluster. Open sessions that were authenticated before the tunnel was deleted are not affected. The tunnel SVM is therefore a dependency of every AD-based cluster login, and deleting it or its domain membership is a change to cluster access control.

Examples of enabling an AD user or group to access the cluster or SVM

The following example specifies the "vs1" data SVM as the tunnel that the cluster will use for authenticating an AD user or group, and then displays the authentication tunnel:

cluster1::> security login domain-tunnel create -vserver vs1

cluster1::> security login domain-tunnel show
	Tunnel Vserver: vs1

The following command enables the "Administrator" AD user of the "DOMAIN1" domain to access the cluster through SSH:

cluster1::> security login create -vserver cluster1  
-user-or-group-name DOMAIN1\Administrator -application ssh 
-authmethod domain

The following command enables all users of the "group1" AD group in the "DOMAIN1" domain to access the cluster through SSH:

cluster1::> security login create -vserver cluster1 
-user-or-group-name DOMAIN1\group1 -application ssh 
-authmethod domain

The following command enables the "Administrator" AD user of the "DOMAIN1" domain to access the "vs1" SVM through SSH:

cluster1::> security login create -vserver vs1 
-user-or-group-name DOMAIN1\Administrator -application ssh 
-authmethod domain

The following command enables all users of the "group1" AD group in the "DOMAIN1" domain to access the "vs2" SVM through SSH:

cluster1::> security login create -vserver vs2 
-user-or-group-name DOMAIN1\group1 -application ssh 
-authmethod domain
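The two-step procedure and the examples above, as an added shell example that is not part of the NetApp page. It assembles the clustershell commands on an administrator's workstation (POSIX sh), rejects malformed principals before they reach the cluster, and runs an audit over "security login show" output to list every domain-authenticated login. The names cluster1, vs1, vs2, DOMAIN1 and the principals are the page's sample values; the "security login show" output embedded below is a constructed sample whose column layout is an assumption, not captured from a real system. The -role parameter of security login create is real but is not shown in the page's examples; the roles admin and vsadmin used here are assumptions.

```shell
#!/bin/sh
# Added example, not from the NetApp page: assemble the clustershell commands for
# the procedure above, reject malformed input before it reaches the cluster, and
# audit the result from "security login show" output. "cluster1", "vs1", "vs2",
# DOMAIN1 and the principals are sample values; the show output below is a
# constructed sample whose layout is assumed, not captured from a real system.

# A principal must be domainname\username with exactly one backslash and a
# non-empty name on each side. Keep the argument single-quoted in the shell,
# otherwise the backslash is eaten before the command is ever sent.
valid_principal() {
    case "$1" in *\\*) ;; *) return 1 ;; esac
    domain=${1%%\\*}
    name=${1#*\\}
    [ -n "$domain" ] && [ -n "$name" ] || return 1
    case "$domain$name" in *\\*|*' '*|*/*) return 1 ;; esac
    return 0
}

# Step 1: point the cluster at the data SVM that acts as the authentication tunnel.
tunnel_cmd() {
    printf 'security login domain-tunnel create -vserver %s\n' "$1"
}

# Step 2: one "security login create" line per principal. Only ssh and ontapi
# are valid with -authmethod domain; -role is given explicitly (assumed role
# names) so the grant is reviewed rather than left to a default.
ad_login_cmd() {
    vserver=$1 principal=$2 app=$3 role=$4
    valid_principal "$principal" || { echo "bad principal: $principal" >&2; return 1; }
    case "$app" in ssh|ontapi) ;; *) echo "unsupported application: $app" >&2; return 1 ;; esac
    printf 'security login create -vserver %s -user-or-group-name %s -application %s -authmethod domain -role %s\n' \
        "$vserver" "$principal" "$app" "$role"
}

# Constructed sample of "security login show" output (column layout assumed).
SAMPLE_SHOW=$(cat <<'EOF'
Vserver: cluster1
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
admin          console     password      admin            no     none
admin          ssh         password      admin            no     none
DOMAIN1\Administrator ssh  domain        admin            no     none
DOMAIN1\group1 ssh         domain        admin            no     none

Vserver: vs2
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
vsadmin        ssh         password      vsadmin          no     none
DOMAIN1\group1 ssh         domain        vsadmin          no     none
EOF
)

# Audit check: print every domain-authenticated login as "vserver principal app role".
# Group entries are the ones to review, since every group member inherits the role.
audit_domain_logins() {
    printf '%s\n' "$SAMPLE_SHOW" | awk '
        /^Vserver:/ { vs = $2; next }
        $3 == "domain" { print vs, $1, $2, $4 }'
}

# Stand-alone run: emit the commands for the page's examples, then the audit.
tunnel_cmd vs1
ad_login_cmd cluster1 'DOMAIN1\Administrator' ssh admin
ad_login_cmd cluster1 'DOMAIN1\group1' ssh admin
ad_login_cmd vs2 'DOMAIN1\group1' ssh vsadmin
audit_domain_logins
```

The generated lines are meant to be pasted into the clustershell or sent over ssh; when sending them from a script, keep the principal single-quoted all the way through, because an unquoted DOMAIN1\group1 reaches the cluster as DOMAIN1group1 and fails the format check. The audit function is the check to rerun after any change to the tunnel or to group membership, since a single group entry can silently widen who holds the admin role.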