ONTAP 9 Manuals ( CA08871-402 )

Enable Active Directory account access

You can use the security login create command to enable Active Directory (AD) user or group accounts to access an admin or data SVM. Any user in the AD group can access the SVM with the role that is assigned to the group.

About this task
  • You must configure AD domain controller access to the cluster or SVM before the account can access the SVM.

    You can perform this task before or after you enable account access.

  • Beginning with ONTAP 9.13.1, you can use an SSH public key as either your primary or secondary authentication method with an AD user password.

    If you choose to use an SSH public key as your primary authentication, no AD authentication takes place.

  • Beginning with ONTAP 9.11.1, you can use LDAP fast bind for nsswitch authentication if it is supported by the AD LDAP server.

  • If you are unsure of the access control role that you want to assign to the login account, you can use the security login modify command to add the role later.

AD group account access is supported only with the SSH, ontapi, and rest applications. AD groups are not supported with SSH public key authentication which is commonly used for multifactor authentication.
Before you begin
  • The cluster time must be synchronized to within five minutes of the time on the AD domain controller.

  • You must be a cluster administrator to perform this task.

Step
  1. Enable AD user or group administrator accounts to access an SVM:

    For AD users:

    ONTAP Version Primary authentication Secondary authentication Command

    9.13.1 and later

    Public key

    None

    security login create -vserver <svm_name> -user-or-group-name <user_name> -application ssh -authentication-method publickey -role <role>

    9.13.1 and later

    Domain

    Public key

    For a new user

    security login create -vserver <svm_name> -user-or-group-name <user_name> -application ssh -authentication-method domain -second-authentication-method publickey -role <role>

    For an existing user

    security login modify -vserver <svm_name> -user-or-group-name <user_name> -application ssh -authentication-method domain -second-authentication-method publickey -role <role>

    9.7 and later

    Domain

    None

    security login create -vserver <svm_name> -user-or-group-name <user_name> -application <application> -authentication-method domain -role <role> -comment <comment> [-is-ldap-fastbind true]

    For AD groups:

    ONTAP version Primary authentication Secondary authentication Command

    9.7 and later

    Domain

    None

    security login create -vserver <svm_name> -user-or-group-name <user_name> -application <application> -authentication-method domain -role <role> -comment <comment> [-is-ldap-fastbind true]
After you finish

If you have not configured AD domain controller access to the cluster or SVM, you must do so before the account can access the SVM.

Top of Page