
An LDAP server enables you to centrally maintain user information. If you store your user database on an LDAP server in your environment, you can configure your storage system to look up user information in your existing LDAP database.

Using LDAP over SSL/TLS to secure communication

You can use LDAP over SSL/TLS to secure communication between the Storage Virtual Machine (SVM) LDAP client and the LDAP server. This allows LDAP to encrypt all traffic to and from the LDAP server.

LDAP over SSL/TLS concepts

You must understand certain terms and concepts about how Data ONTAP uses SSL/TLS to secure LDAP communication. Data ONTAP can use LDAP over SSL/TLS to set up authenticated sessions between the SVM LDAP client and either Active Directory-integrated LDAP servers or UNIX-based LDAP servers.

Terminology

There are certain terms that you should understand about how Data ONTAP uses LDAP over SSL to secure LDAP communication.

LDAP

(Lightweight Directory Access Protocol) A protocol for accessing and managing information directories. LDAP is used as an information directory for storing objects such as users, groups, and netgroups. LDAP also provides directory services that manage these objects and fulfill LDAP requests from LDAP clients.

SSL

(Secure Sockets Layer) A secure protocol developed for sending information securely over the Internet. SSL is used to provide either server or mutual (server and client) authentication. SSL provides encryption only. If a method to ensure data integrity is needed, it must be provided by the application using SSL.

TLS

(Transport Layer Security) An IETF standards track protocol that is based on the earlier SSL specifications. It is the successor to SSL.

LDAP over SSL/TLS

(Also known as LDAPS) A protocol that uses SSL or TLS to secure communication between LDAP clients and LDAP servers. The terms SSL and TLS are often used interchangeably unless referring to a specific version of the protocol.

Start TLS

(Also known as start_tls, STARTTLS, and StartTLS) A mechanism that upgrades an existing plaintext LDAP connection to secure communication by using the TLS/SSL protocols.

How Data ONTAP uses LDAP over SSL/TLS

By default, LDAP communications between client and server applications are not encrypted. This means that it is possible to use a network monitoring device or software to view the communications between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used, because the credentials (user name and password) used to bind the LDAP client to the LDAP server are passed over the network unencrypted.

The SSL and TLS protocols run above TCP/IP and below higher-level protocols, such as LDAP. They use TCP/IP on behalf of the higher-level protocols, and in the process permit an SSL-enabled server to authenticate itself to an SSL-enabled client and permit both machines to establish an encrypted connection. These capabilities address fundamental security concerns about communication over the Internet and other TCP/IP networks.

Data ONTAP supports SSL server authentication, which enables the Storage Virtual Machine (SVM) LDAP client to confirm the LDAP server's identity during the bind operation. SSL/TLS-enabled LDAP clients can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs.

This version of Data ONTAP supports the following:

• LDAP over SSL/TLS for SMB-related traffic between the Active Directory-integrated LDAP servers and the SVM

• LDAP over SSL/TLS for LDAP traffic for name mapping

Either Active Directory-integrated LDAP servers or UNIX-based LDAP servers can be used to store information for LDAP name mapping.

• Self-signed root CA certificates

When using an Active Directory-integrated LDAP server, the self-signed root certificate is generated when the Windows Server Certificate Service is installed in the domain. When using a UNIX-based LDAP server for LDAP name mapping, the self-signed root certificate is generated and saved by using means appropriate to that LDAP application.

Data ONTAP does not support signing (integrity protection) and sealing (encryption) of the data.

By default, LDAP over SSL/TLS is disabled.

Data ONTAP uses port 389 for LDAP over SSL/TLS

LDAP supports two methods to encrypt communications using SSL/TLS: traditional LDAPS and STARTTLS. LDAPS communication usually occurs over a special port, commonly 636. However, STARTTLS begins as a plaintext connection over the standard LDAP port (389), and that connection is then upgraded to SSL/TLS.

Data ONTAP uses STARTTLS for securing LDAP communication, and uses the default LDAP port (389) to communicate with the LDAP server. LDAP over SSL/TLS on the SVM should not be configured to use port 636 because this causes LDAP connections to fail. The LDAP server must be configured to allow connections over LDAP port 389; otherwise, LDAP SSL/TLS connections from the SVM to the LDAP server fail.
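The port behaviour described above follows from how the StartTLS extended operation works on the wire: the client opens a plaintext LDAP session on port 389, sends an ExtendedRequest carrying the StartTLS OID, and only after the server answers with resultCode success does it wrap the socket in TLS (a server listening for LDAPS on 636 expects the TLS handshake first, so the plaintext request fails). The following is an added example, not Data ONTAP code, that encodes the client request and parses a constructed server reply per RFC 4511; the OID is the standard StartTLS OID, and the `starttls_response` helper only fabricates the server side for offline testing.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511, section 4.14)

def _tlv(tag, body):
    """BER definite-length encoding: short form below 128 bytes, long form otherwise."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def starttls_request(msg_id):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))          # 0x60 | 23, context tag [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)

def starttls_response(msg_id, result_code, diag=b""):
    """Constructed server reply (test only): ExtendedResponse [APPLICATION 24] = LDAPResult + responseName [10]."""
    result = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diag)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x78, result + _tlv(0x8A, STARTTLS_OID)))

def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage, responseName or None)."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _read_tlv(op, 0)            # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(op, pos)   # matchedDN
    _, diag, pos = _read_tlv(op, pos)          # diagnosticMessage
    name = None
    while pos < len(op):                       # skip optional referral [3], keep responseName [10]
        tag, val, pos = _read_tlv(op, pos)
        name = val if tag == 0x8A else name
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(), name

def tls_may_proceed(response, expected_id):
    """Only a success (0) reply to our own request permits wrapping the socket in TLS."""
    mid, code, _diag, _name = parse_extended_response(response)
    return mid == expected_id and code == 0
```

On a real connection the TLS wrap that follows a successful reply must verify the server certificate against the installed root CA, which is the trust relationship the certificate installation procedure below establishes.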

Installing the self-signed root CA certificate on the SVM

Before you can use secure LDAP authentication when binding to LDAP servers, you must install the self-signed root CA certificate on the Storage Virtual Machine (SVM).

About this task

When LDAP over SSL/TLS is enabled, the Data ONTAP LDAP client on the SVM does not support revoked certificates. The LDAP client treats revoked certificates as if they are not revoked.

Steps

1. Install the self-signed root CA certificate:

a. Begin the certificate installation:

security certificate install -vserver vserver_name -type server-ca

The console output displays the following message:

Please enter Certificate: Press <Enter> when done

b. Open the certificate .pem file with a text editor, copy the certificate, including the lines beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, and then paste the certificate on the console.

c. Verify that the certificate is displayed after the console prompt.

d. Complete the installation by pressing Enter.

2. Verify that the certificate is installed:

security certificate show -vserver vserver_name

Enabling LDAP over SSL/TLS

Before Storage Virtual Machines (SVMs) can use secure LDAP communication to LDAP servers, you must modify the LDAP client of the SVM to enable LDAP over SSL/TLS.

Before you begin

You must have installed the self-signed root CA certificate of the LDAP server on the SVM.

Steps

1. Configure the LDAP client to allow secure LDAP communication with LDAP servers:

vserver services name-service ldap client modify -vserver vserver_name -client-config ldap_client_config_name -use-start-tls true

2. Verify that the LDAP over SSL/TLS security setting is set to true:

vserver services name-service ldap client show -vserver vserver_name
