8 thoughts on “Configuring FreeIPA LDAP for ONTAP logins

  1. Hi. I’m the person that asked Kelly to look into this, who asked you to look into it. Any idea if ONTAP will ever support SSHA512? I’m not super-excited by the idea of having to check all of my existing IdM-connected systems to make sure that the password hash change won’t break anything there.

    Liked by 1 person

  2. Thanks, I did that. Is there any support for ONTAP trying to authenticating via LDAP by binding to the LDAP server with the provided credentials, rather than trying to interpret the hash on its own? That’s the way basically every other LDAP-authenticated service tries to authenticate a user, and doesn’t rely on the service knowing any hash algorithms at all.

    Liked by 1 person

      • The credentials provided by the person trying to log in.

        What’s apparently happening with the way you set it up is someone does “ssh user@ontap-cluster” and then provides a password, then ONTAP is logging into the LDAP database as the DN provided as “Bind DN” in the configuration with the password provided via “ldap client modify-bind-password”, searching for “user” in the LDAP database, finding him, grabbing his userPassword attribute, attempting to hash “user”‘s provided password with the same algorithm, and accepting the connection if all of that completes.

        An easier way to do that would be to just have ONTAP log into the LDAP database as “user” with the password that was provided at attempted login time. If the LDAP server accepts the connection, you’ve authenticated those credentials. This seems to be what happens with virtually every other LDAP-backed authentication scheme I’ve ever dealt with. (There has to be a little extra configuration in order to build a full bind DN from the bare username, but it’s trivial.)

        Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s