NetApp FAS AD User Authentication for Management

I recently worked on a task to enable AD user authentication for a NetApp FAS storage system, so that authorized AD users can access SSH and OnCommand System Manager. The method below was tested on ONTAP 9.3.

[Figure: NetApp_AD01]

Compared with storage systems from other vendors, NetApp AD/LDAP integration does not use the admin SVM and the e0M management interface directly. Instead, a data SVM has to communicate with the AD/LDAP server; the cluster and the other SVMs then use that data SVM as a login domain tunnel to perform user authentication.

Personally, I prefer to create a dedicated SVM to perform the AD authentication task.

[Figure: NetApp_AD02]

The steps to set up AD authentication on a NetApp FAS are as follows:

  1. Create a data SVM (ADSVM in our example) with the CIFS protocol enabled. CIFS does not need to be fully configured and functional; the SVM only needs to exist with CIFS in its allowed protocols.

  2. Create a LIF for ADSVM with the data role and the data protocol set to none. This LIF must be able to reach the domain controllers.
  • network interface create -vserver adsvm -lif adlif -role data -data-protocol none -home-node Node01 -home-port e0a -address 192.168.0.100 -netmask 255.255.255.0 -status-admin up

  3. Add a static route (default gateway) for the newly created SVM LIF.
  • network route create -vserver adsvm -destination 0.0.0.0/0 -gateway 192.168.0.1

  4. Join the new SVM to the domain, which creates an AD computer account for it. (You will be prompted for an AD account with permission to join computers to the domain; that credential is used once for the join and is not stored on the cluster.)
  • vserver active-directory create -vserver adsvm -account-name adsvm -domain xx.xx.com

  5. Create a login domain tunnel. This lets the cluster and the other SVMs use ADSVM to authenticate users against AD. Only one domain tunnel can exist per cluster.
  • security login domain-tunnel create -vserver adsvm

Now you can create AD users or groups as login accounts on the cluster (or on any other SVM) for the ssh and http applications, using the domain authentication method and the role you want them to have.
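The whole procedure as one clustershell session, added here as an example and not taken from the original post. It includes two things the step list above takes for granted: the DNS configuration the SVM needs to find domain controllers before the join, and the final `security login create` commands that actually grant access. The cluster name cluster1, aggregate aggr1, DNS server 192.168.0.10, domain ad.example.com with NetBIOS name AD, and the groups AD\storage-admins and AD\storage-readers are assumed values; the lines beginning with # are annotations, not commands.

```console
# Added example, not from the original post. Assumed values: cluster1, aggr1,
# DNS server 192.168.0.10, domain ad.example.com (NetBIOS name AD),
# groups AD\storage-admins and AD\storage-readers.

# 1. Dedicated data SVM with only CIFS left in its allowed protocols.
#    No CIFS server is configured; the SVM just has to be AD-joinable.
cluster1::> vserver create -vserver adsvm -subtype default -rootvolume adsvm_root -aggregate aggr1 -rootvolume-security-style ntfs
cluster1::> vserver remove-protocols -vserver adsvm -protocols nfs,fcp,iscsi,ndmp

# 2-3. A LIF with no data protocol plus a default route, so the SVM can reach the DCs.
cluster1::> network interface create -vserver adsvm -lif adlif -role data -data-protocol none -home-node Node01 -home-port e0a -address 192.168.0.100 -netmask 255.255.255.0 -status-admin up
cluster1::> network route create -vserver adsvm -destination 0.0.0.0/0 -gateway 192.168.0.1

# Prerequisite the post does not list: the SVM needs DNS to locate domain controllers.
cluster1::> vserver services name-service dns create -vserver adsvm -domains ad.example.com -name-servers 192.168.0.10

# 4. Join the domain. You are prompted for an AD account allowed to create computer objects;
#    it is used for the join only and is not stored on the cluster.
cluster1::> vserver active-directory create -vserver adsvm -account-name ADSVM -domain ad.example.com
cluster1::> vserver active-directory show -vserver adsvm

# 5. Make ADSVM the cluster's domain tunnel (only one per cluster) and verify it.
cluster1::> security login domain-tunnel create -vserver adsvm
cluster1::> security login domain-tunnel show

# 6. Grant access to an AD group rather than individual users: SSH, System Manager (http)
#    and the management API (ontapi) are separate applications and each needs an entry.
cluster1::> security login create -vserver cluster1 -user-or-group-name "AD\storage-admins" -application ssh -authentication-method domain -role admin
cluster1::> security login create -vserver cluster1 -user-or-group-name "AD\storage-admins" -application http -authentication-method domain -role admin
cluster1::> security login create -vserver cluster1 -user-or-group-name "AD\storage-admins" -application ontapi -authentication-method domain -role admin

# Least privilege: operators who only need to look get the built-in readonly role.
cluster1::> security login create -vserver cluster1 -user-or-group-name "AD\storage-readers" -application ssh -authentication-method domain -role readonly
cluster1::> security login create -vserver cluster1 -user-or-group-name "AD\storage-readers" -application http -authentication-method domain -role readonly

# Check what was created.
cluster1::> security login show -vserver cluster1 -authentication-method domain

# From a workstation: the domain must be part of the login name.
$ ssh "AD\jdoe"@cluster1
```

Two caveats worth keeping in mind. Every domain login now depends on ADSVM being up and still joined, so keep a local admin account with a strong password (and ideally an SSH key) as a break-glass path; if ADSVM is stopped or deleted, AD logins stop working. And because the tunnel is cluster-wide, the `-role` you hand out in `security login create` is the only thing separating a helpdesk group from a full cluster administrator, so grant `admin` to as small a group as possible and audit `security login show` periodically.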
