
Enable LDAPS for AD-Integrated NetApp SVMs

AD-integrated SVMs use LDAP to fetch, verify and resolve users and groups from Active Directory. This is independent of the authentication protocol in use (NTLM or Kerberos).

To meet security requirements or compliance demands, we can enable LDAPS in two steps. The benefits of this change are:

  • LDAP over SSL/TLS encryption
  • Protection against man-in-the-middle attacks
  • Compliance with security standards
  • Best practice

In short, the directory traffic is no longer sent as plain text.

So our goal is to harden the SVMs' communication with AD. On layer 4 of the OSI model we switch from the default LDAP port 389 to LDAPS on port 636.

For this process we don't need an LDAP client if our SVMs only provide CIFS/SMB shares.

1. Install Root Certificate on your SVMs

First of all we need to install our root CA's certificate on our SVMs (export the certificate as a PEM file; we will need its content). Connect to your ONTAP management appliance via SSH:

security certificate install -vserver %yourvserver% -type server-ca

The console will display "Please enter Certificate:" and wait for your PEM content. Copy the content of your .PEM file and paste it, including the BEGIN and END lines:

-----BEGIN CERTIFICATE-----
your ca information
-----END CERTIFICATE-----

Now you can verify that the certificate is installed:

security certificate show -vserver %yourvserver%

2. Enable LDAPS on your SVMs

Now we are going to enable LDAPS:

vserver cifs security modify -vserver %yourvserver% -use-ldaps-for-ad-ldap true

3. Verify Changes

The easiest way to check the change is on your firewall. Open your firewall and set up a filter, for example:

Source: Your SVMs IP
Port: 636

--> To trigger an LDAPS query:
Open a share on your source SVM, go to Properties, select the NTFS security settings and grant a user permissions.
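As an added check that is not part of the original post: before flipping the switch on the SVM, confirm from any host with Python that each domain controller on port 636 presents a certificate chaining to the root CA you installed in step 1. The script is an independent pre-flight tool, not NetApp code; the file name, the hostnames and the port-1 test target are assumptions.

```python
import socket
import ssl
import sys
import time

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def split_pem(text):
    """Return each complete certificate block in PEM text. The SVM install
    command expects exactly one, so a bundle or truncated paste shows as != 1."""
    blocks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            blocks.append("\n".join(current + [line]))
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks


def check_ldaps(host, port=636, ca_file=None, timeout=5.0):
    """Open a verified TLS session to host:port (ca_file = the root CA PEM you
    installed on the SVM; None = OS trust store). ok=False means the SVM would
    fail the same way once use-ldaps-for-ad-ldap is switched on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname enables the hostname check against the DC cert
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                days = (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) / 86400
                return {"ok": True, "host": host, "protocol": tls.version(),
                        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                        "days_left": int(days), "error": None}
    except OSError as exc:  # ssl.SSLError (chain/hostname) is an OSError too
        return {"ok": False, "host": host, "error": str(exc)}


if __name__ == "__main__":
    # usage (assumed file name): python ldaps_check.py rootca.pem dc01.example.com [dc02 ...]
    ca, *dcs = sys.argv[1:]
    for dc in dcs:
        print(check_ldaps(dc, ca_file=ca))
```

A result with ok=False and a verification error in `error` tells you the DC certificate does not chain to the CA you pasted on the SVM, which is the failure the firewall filter alone would not explain.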

--> Best practice is to use Start TLS rather than LDAPS, but it's your choice.
I chose LDAPS because Start TLS always initiates the connection with plain LDAP and "upgrades" it to TLS afterwards. It is more flexible and maybe more compatible with your environment, but in my case an encrypted connection is always required due to compliance.

Some references:
LDAPS concepts
Installing the self-signed root CA certificate on the SVM
Configure Active Directory domain controller access overview

Cheers!