ONTAP 9.15.1 commands

security login modify

Modify a login method

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The security login modify command modifies the access-control role name of a login method. If the user is a member of multiple groups provisioned in the security login table, then the user will get access to a combined list of the commands authorized for the individual groups.

Parameters

-vserver <vserver name> - Vserver

This specifies the Vserver name of the login method.

-user-or-group-name <text> - User Name or Group Name

This specifies the user name, Active Directory, LDAP, or NIS group name of the login method that is to be modified. A user name can be associated with multiple applications. If the user is a member of multiple groups provisioned in the security login table, then the user will get access to a combined list of the commands authorized for the individual groups.

-application <text> - Application

This specifies the application of the login method. Possible values include amqp, console, http, ontapi, rsh, snmp, service-processor, ssh, and telnet.

-authentication-method <text> - Authentication Method

This specifies the authentication method of the login method. Possible values include the following:

  • cert - SSL certificate authentication

  • community - SNMP community strings

  • domain - Active Directory authentication

  • nsswitch - LDAP or NIS authentication

  • password - Password

  • publickey - Public-key authentication

  • usm - SNMP user security model

  • saml - SAML authentication

[-remote-switch-ipaddress <IP Address>] - Remote Switch IP Address

This specifies the IP address of the remote switch. The remote switch could be a cluster switch monitored by cluster switch health monitor (CSHM) or a Fibre Channel (FC) switch monitored by MetroCluster health monitor (MCC-HM). This parameter is applicable only when the application is snmp and authentication method is usm (SNMP user security model).

[-role <text>] - Role Name

This modifies the access-control role name for the login method.

[-comment <text>] - Comment Text

This specifies comment text for the user account, for example, "Guest account". The maximum length is 128 characters.

[-is-ns-switch-group {yes|no}] - Whether Ns-switch Group

This specifies if user-or-group-name is an LDAP or NIS group. Possible values are yes or no. Default value is no.

[-second-authentication-method {none|publickey|password|nsswitch|domain|totp}] - Second Authentication Method2

This specifies the authentication method for the login method. It will be used as the second factor for authentication. This parameter can be specified for ssh and service-processor applications. For ssh application, possible values include the following:

  • password - Password

  • publickey - Public-key authentication

  • nsswitch - NIS or LDAP authentication

  • domain - Active Directory authentication

  • none - default value

For service-processor application, possible values include the following:

  • publickey - Public-key authentication

  • none - default value

[-is-ldap-fastbind {yes|no}] - LDAP Fastbind Authentication

This flag specifies whether modify is allowed or not when the authentication is LDAP fastbind.

Examples

The following example illustrates how to modify a login method that has the user name guest , the application ontapi , and the authentication method password to use the access-control role guest for Vserver vs1.fujitsu.com :

cluster1::> security login modify -user-or-group-name guest
  -application ontapi -authentication-method password -role guest
  -vserver vs1.fujitsu.com

The following example illustrates how to modify a login method that has the user name guest , the application ssh , and the authentication method publickey to use the access-control role vsadmin for Vserver vs1.fujitsu.com :

cluster1::> security login modify -user-or-group-name guest
  -application ssh -authentication-method publickey -role vsadmin
  -vserver vs1.fujitsu.com

The following example illustrates how to modify a login method that has the group name nssgroup , the application ontapi , and the authentication method nsswitch to use the access-control role readonly for Vserver vs1.fujitsu.com . Here is-ns-switch-group must be set to yes :

cluster1::> security login modify -user-or-group-name nssgroup
  -application ontapi -authentication-method nsswitch -role readonly
  -vserver vs1.fujitsu.com -is-ns-switch-group yes

The following example illustrates how to modify a login method that has the user name guest , the application ssh , and the authentication method publickey to use the second-authentication-method password for Vserver vs1.fujitsu.com :

cluster1::> security login modify -user-or-group-name guest
  -application ssh -authentication-method publickey
  -second-authentication-method password -vserver vs1.fujitsu.com

The following example illustrates how to modify a login method to have individual authentication methods that have the user name guest , the application ssh , and the authentication method publickey to use the second-authentication-method none for Vserver vs1.fujitsu.com :

cluster1::> security login modify -user-or-group-name guest
  -application ssh -authentication-method publickey
  -second-authentication-method none -vserver vs1.fujitsu.com

The following example illustrates how to modify a login method that has the user name spuser , the application service-processor , and the authentication method password to use the second-authentication-method publickey for the Administrative Vserver cluster1 :

cluster1::> security login modify -user-or-group-name spuser
  -application service-processor -authentication-method password
  -second-authentication-method publickey -vserver cluster1
Top of Page