
NetApp EF Series User Manual

NetApp EF Series
94 pages
Introduction to NetApp EF570 All-Flash Arrays:
Feature Overview with SANtricity 11.50.2
© 2019 NetApp, Inc. All Rights Reserved.
LDAP and RBAC
LDAP is a commonly used communication protocol that enables directory servers such as Microsoft
Active Directory to provide centralized identity control over user and group definitions. The directory
service is used by many devices in a network infrastructure to identify and authenticate users seeking
access to devices in the network.
RBAC is software on the E-Series array that defines standard user levels, each with a well-defined set of
access permissions. The combination of authenticating a user as a member of a group and then having
specific permissions set on the array side to define the type of access that user or group is allowed
enables SANtricity 11.40 and later versions to provide the granularity of access that customers require.
The permission level with each role is defined in Table 2.
Table 2) Built-in roles and associated permissions.

| Role Name (login as) | Access Permissions |
|---|---|
| Root Admin (admin) | This role allows you to change the passwords of any local users and execute any command supported by the array. The admin password is set at initial login or any time after. |
| Security Admin (security) | This role allows you to modify security configuration settings on the array. It allows you to view audit logs, configure secure syslog server, LDAP or LDAPS server connections, and manage certificates. This role provides read access but does not provide write access to storage array properties such as pool or volume creation or deletion. This role also has privileges to enable or disable SYMbol access to the array. |
| Storage Admin (storage) | This role allows full read and write access to the storage array properties and maintenance/diagnostics functions. However, it does not include access to perform any security configuration functions. |
| Support Admin (support) | This role provides access to all hardware resources on the array, failure data, MEL/Audit log and CFW upgrades. You can view the storage configuration but cannot change it. |
| Monitor (monitor) | This role provides read-only access to all storage array properties. However, you will not be able to view the security configuration. |

Note: See the SMcli command reference from the NetApp Support site for a detailed listing of SMcli
commands available with each user role.
Setting Up the Directory Server and Roles
Directory servers, like most data center devices, are complex and designed to fulfill many use cases.
However, the E-Series LDAP/RBAC implementation focuses on authentication and two main elements:
users and groups. As with most applications, you must understand a few acronyms and follow a few
conventions to set up communication between the E-Series array and the directory server. The most
critical acronyms to understand are:
CN. Stands for commonName, used to identify group names as defined by the directory server tree
structure.
DC. Stands for domainComponent, the network in which users and groups exist (for example,
netapp.com).
DN. Stands for distinguishedName, the fully qualified domain name made up of one or more
comma-separated common names, followed by one or more comma-separated DCs (for example,
CN=functional_group_name,CN=Users,DC=netapp,DC=com).
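
As an added illustration (not taken from the NetApp manual or from SANtricity), the Python sketch below parses DNs of the form described above, including a CN that contains an escaped comma, and resolves a user's group DNs to the role logins listed in Table 2. The group names and the GROUP_ROLES mapping are constructed, and the layout check enforces only the CN-then-DC form this page describes.

```python
import re

# Constructed mapping: group names are hypothetical, role names are from Table 2.
GROUP_ROLES = {
    "CN=StorageOps,CN=Users,DC=netapp,DC=com": {"storage", "monitor"},
    "CN=SecOps,CN=Users,DC=netapp,DC=com": {"security", "monitor"},
}

def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs; a backslash-escaped comma stays in the value.
    Only single-character escapes are decoded (hex forms such as \\2C are not)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"malformed component: {part!r}")
        rdns.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
    return rdns

def normalize(dn):
    """Canonical form for comparison; rejects DNs that are not CN(s) followed by DC(s)."""
    rdns = parse_dn(dn)
    attrs = [a for a, _ in rdns]
    n_cn = next((i for i, a in enumerate(attrs) if a != "CN"), len(attrs))
    if n_cn == 0 or n_cn == len(attrs) or any(a != "DC" for a in attrs[n_cn:]):
        raise ValueError(f"unexpected DN layout: {dn!r}")
    return tuple((a, v.lower()) for a, v in rdns)

def roles_for(member_of):
    """Union of roles for the group DNs a user belongs to; unknown or bad DNs grant nothing."""
    table = {normalize(g): r for g, r in GROUP_ROLES.items()}
    roles = set()
    for dn in member_of:
        try:
            roles |= table.get(normalize(dn), set())
        except ValueError:
            continue
    return roles
```

Splitting a DN on every comma would turn `CN=Storage\,Ops` into two components, which is why the parser keeps escape pairs together before comparing against the mapping.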
