activedirectory modify

This command enables you to modify the Active Directory configuration and to make the cluster join or leave an Active Directory domain.

Usage (Configuration)

activedirectory modify  --id ID            
                       [--allow-smb|--disallow-smb]
                       [--enable-ntlm|--disable-ntlm]
                       [--enable-auto-discovery|--disable-auto-discovery]
                       [--enable-use-ldaps|--disable-use-ldaps]
                       [--urls URI_LIST]
                       [--port PORT]
                       [--binddn BIND_DN]
                       [--bindpw BIND_PASSWORD]
                       [--basedn BASE_DN]
                       [--group-basedn GROUP_BASE_DN]
                       [--method anonymous|simple|sasl]
                       [--gid-number ATTRIBUTE_NAME]
                       [--uid ATTRIBUTE_NAME]
                       [--uid-number ATTRIBUTE_NAME]
                       [--member-uid ATTRIBUTE_NAME]
                       [--posix-account ATTRIBUTE_NAME]
                       [--posix-group ATTRIBUTE_NAME]
                       [--match-user ATTRIBUTE_NAME]
                       [--uid-member-value-property-name ATTRIBUTE_NAME]
                       [--query-groups-mode COMPATIBLE|RFC2307BIS_ONLY|RFC2307_ONLY|NONE]
                       [--username-property-name ATTRIBUTE_NAME]
                       [--use-tls|--no-tls]
                       [--domain-name DOMAIN_NAME]
                       [--user-login-name ATTRIBUTE_NAME]
                       [--group-login-name ATTRIBUTE_NAME]
                       [--mail-property-name ATTRIBUTE_NAME]
                       [--vms-auth|--no-vms-auth]
                       [--posix-attributes-source JOINED_DOMAIN|ALL_DOMAINS|SPECIFIC_DOMAINS|GC]
                       [--domains-with-posix-attributes DOMAINS]
                       [--abac-read-only-value-name KEYWORD]
                       [--abac-read-write-value-name KEYWORD]
                       [--reverse-lookup|--no-reverse-lookup]
                       [--enable-multi-forest|--disable-multi-forest]

Usage (Joining and Leaving)

activedirectory modify  --id ID
                       [--admin-username USERNAME]
                       [--admin-passwd PASSWORD]
                       [--join|--leave]

Required Parameters

--id ID

Identifies the Active Directory configuration. To obtain the ID of an Active Directory configuration record, run activedirectory list.

Options (Configuration)

`--allow-smb`	Allows VAST Cluster to use this Active Directory provider to authenticate and authorize clients accessing the cluster via the SMB storage protocol. Tip Before allowing use of this Active Directory provider for SMB access, leave the cluster's joined Active Directory domain. After SMB is allowed, rejoin the domain.
`--disallow-smb`	Disables use of this Active Directory provider for SMB client access. Tip Before disabling use of this Active Directory provider for SMB access, leave the cluster's joined Active Directory domain. After SMB is disallowed, rejoin the domain.
`--enable-ntlm`	When this option is specified, SMB clients accessing the cluster are allowed to use NTLM authentication to get authenticated via this Active Directory provider. This is the default behavior. Note NTLM authentication is not FIPS-compliant. Tip Before enabling NTLM, leave the cluster's joined Active Directory domain. After NTLM is enabled, rejoin the domain.
`--disable-ntlm`	Prohibits use of NTLM authentication on this Active Directory provider. Tip Before disabling NTLM, leave the cluster's joined Active Directory domain. After NTLM is disabled, rejoin the domain.
`--enable-auto-discovery`	Enables Active Directory domain auto-discovery. (Enabled by default). When auto-discovery is enabled, VAST Cluster automatically discovers and queries all domains and domain controllers in the forest of the cluster's joined domain and, if multi-forest authentication is enabled by the `--enable-multi-forest` flag, in other trusted forests.Active Directory Overview
`--disable-auto-discovery`	Disables Active Directory domain auto-discovery. When auto-discovery is disabled, the LDAP URI (`--urls`) and search base DN (`--basedn`) must be specified manually. VAST Cluster contacts only the domain controller configured using the `--urls` option and does not process requests from users in other domains, neither in the forest of the cluster's joined domain nor in other trusted forests.
`--enable-use-ldaps`	Enables use of LDAPS for Active Directory domain auto-discovery. When enabled, VAST Cluster connects to an alternative port (port 636 for the domain controller, port 3269 for the Global Catalog) and initiates a TLS handshake immediately afterwards.
`--disable-use-ldaps`	Disables use of LDAPS for Active Directory domain auto-discovery.
`--urls URI_LIST`	Use this option only if you choose to disable auto discovery (see `--disable-auto-discovery`). Enter URIs of LDAP servers (domain controllers in the Active Directory joined domain). The order of listing defines the priority order. The URI with highest priority that has a good health status is used. Specify `URI_LIST` as a comma-separated list of URIs in the format `<scheme>://<address>`. The domain controllers should all be in the same Active Directory domain which VAST Cluster joins. Examples: `--urls ldap://company-ad.com` `--urls ldaps://company-ad.com` `--urls ldap://company-ad.com,ldap://company-ad2.com` `--urls ldap://192.0.2.0,ldap://192.0.2.1,ldap://192.0.2.2`
`--port PORT`	Sets the port of the remote LDAP server. Recommended values: `389` for LDAP (with or without TLS), `636` for LDAPS.
`--binddn BIND_DN` (required if `--method simple` or `--method sasl` is specified)	Sets the bind DN for authenticating to the LDAP server. The bind DN specifies the user with which VAST Cluster authenticates to the LDAP directory. Enter the bind DN for authenticating to the LDAP domain. The bind DN specifies the user with which VAST Cluster authenticates to the LDAP directory. You can specify any user account that has read access to the domain. The format is a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component is a cn attribute component specifying the user object, the next component is its container and so on up the tree, with the last component representing the top level domain. The following attributes can be specified: cn: common name ou: organizational unit o: organization c: country dc: domain For example, `cn=admin,ou=users,dc=mydomain,dc=local` specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'. If multi-forest authentication is enabled and/or SASL authentication method is used, specify the bind DN in one of the following formats:Active Directory Overview `username@domain` `DOMAIN\username`
`--bindpw BIND_PASSWORD` (required if `--method simple` or `--method sasl` is specified)	Sets the password used with the bind DN to authenticate to the LDAP server.
`--basedn BASE_DN`	Specifies the entry in the LDAP directory tree to use as a starting point for user queries. By default, this is also used as the starting point for group queries. Optionally, you can specify a different entry as the group base DN on `--group-searchbase`. To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster. Specify `BASE_DN` as a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container and so on up the tree, with the last component representing the top level domain. The following attributes can be specified: cn: common name ou: organizational unit o: organization c: country dc: domain
`--group-basedn GROUP_BASE_DN`	Sets the entry in the LDAP directory tree to use as a starting point for group queries. If not specified, the base DN is used.
`--method anonymous\|simple\|sasl`	The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database. When multi-forest authentication is enabled, VAST Cluster uses SASL for the LDAP bind to domain controllers in other trusted forests, and this setting is only honored for the LDAP bind to domain controllers in the forest of the cluster's joined domain. Active Directory Overview Set the method according to how the LDAP server is configured to authenticate clients: `anonymous`. The LDAP server accepts queries without any authentication. `simple`. The LDAP server attempts to bind a specified user name to a matching LDAP user. If the LDAP bind succeeds, VAST Cluster is allowed to perform the query. If this method is specified, you have to set the bind DN on `--binddn` and password on `--bindpw`. `sasl`. The LDAP server performs the Simple Authentication and Security Layer (SASL) authentication process. If the SASL bind succeeds, VAST Cluster is allowed to perform the query. If this method is specified, you have to set the bind DN on `--binddn` and password on `--bindpw`, with the bind DN in the `username@domain` or `DOMAIN\username` format.
`--gid-number ATTRIBUTE_NAME`	The attribute of a group entry that contains the GID number of a group. Default: gidNumber
`--uid ATTRIBUTE_NAME`	The attribute of a user entry that contains the user name. Default: uid
`--uid-number ATTRIBUTE_NAME`	The attribute of a user entry that contains the UID number. Default: uidNumber
`--member-uid ATTRIBUTE_NAME`	The attribute of the group entry that contains names of group members. Default: member
`--posix-account ATTRIBUTE_NAME`	The object class that defines a user entry. Default: user
`--posix-group ATTRIBUTE_NAME`	The object class that defines a group entry. Default: group
`--match-user ATTRIBUTE_NAME`	Use this option to specify which attribute to use for matching users across providers during user refresh and user authentication. When querying a provider for a user that matches a user that was already retrieved from another provider, a user entry that contains a matching value in this attribute will be considered the same user as the user previously retrieved. Default: sAMAccountName
`--uid-member-value-property-name ATTRIBUTE_NAME`	Specifies the attribute which represents the value of the LDAP group's `member` property. Default: sAMAccountName
`--query-groups-mode COMPATIBLE\|RFC2307BIS_ONLY\|RFC2307_ONLY\|NONE`	The mode for querying a user's auxiliary group memberships, when the auth provider is set as the source for group membership in the view policy: COMPATIBLE (default). Groups are queried using an aggregate of the RFC2307BIS and RFC2307 compliant group membership queries (see the other options). You can use this default option unless you are using an authentication provider which is incompatible with this aggregated query mode. RFC2307BIS_ONLY. Auxiliary group memberships are queried according to the RFC2307BIS standard, in which the group has a members attribute that contains the Distinguished Name (DN) of the member user and the user has a memberOf attribute which contains the DNs of the groups to which the user belongs. This standard is used by Active Directory and may be used with other LDAP-based authorization providers with LDAP schema extensions. RFC2307_ONLY. Auxiliary group memberships are queried according to the RFC2307 standard, in which the group object has a memberUid attribute for each user object that is a member of the group, specifying the name of the user object. This standard may be used by openLDAP, freeIPA and other LDAP-based authorization providers. NONE. If this option is selected, auxiliary group memberships are not queried at all. In the event that the relevant view's view policy cites the authorization provider as the group membership source and the user tries to access a file or directory within that view to which the user only has permission as a member of a the owning user's group, permission will not be granted.
`--username-property-name ATTRIBUTE_NAME`	Overrides 'name' as the attribute to use for querying users in VMS user-initiated user queries. Default: name
`--use-tls`	Enables TLS (StartTLS) to secure communication between VAST Cluster and the LDAP server. When enabled, VAST Cluster connects to the standard port (port 389 for the domain controller, port 3268 for the Global Catalog) and performs a StartTLS operation as defined in RFC 4513. Important Use VAST Web UI to provide a TLS certificate.
`--no-tls`	Disables TLS (STARTTLS) secure communication between VAST Cluster and the LDAP server.
`--domain-name DOMAIN_NAME`	Sets the fully qualified domain name (FQDN) of the domain to join. For example: -`-domain-name company-ad.com`
`--user-login-name ATTRIBUTE_NAME`	Specifies the attribute used to query Active Directory for the user login name in NFS ID mapping. Applicable only with Active Directory and NFSv4.1. Default: sAMAccountName
`--group-login-name ATTRIBUTE_NAME`	Specifies the attribute used to query Active Directory for the group login name in NFS ID mapping. Applicable only with Active Directory and NFSv4.1. Default: sAMAccountName
`--mail-property-name ATTRIBUTE_NAME`	Specifies the attribute to use for the user's email address. Default: mail
`--vms-auth`	If this option is specified, the LDAP configuration being created will be the one used for VMS authentication.
`--no-vms-auth`	If this option is specified, the LDAP configuration being created will not be used for VMS authentication. This is the default setting.
`--posix-attributes-source JOINED_DOMAIN\|ALL_DOMAINS\| SPECIFIC_DOMAINS\|GC`	Determines domains from which VAST Cluster queries POSIX attributes. Options include: `JOINED_DOMAIN`. The domain which VAST Cluster has joined. `ALL_DOMAINS`. All domains in the Active Directory forest of the cluster's joined domain and, if multi-forest authentication is enabled, from other trusted forests.Active Directory Overview `SPECIFIC_DOMAINS`. One or more domains specified on the `--domains-with-posix-attributes` option. `GC`. All domains included in the Active Directory global catalog of the cluster's joined domain forest. When this option is specified, the global catalog must be configured with POSIX attributes.
`--domains-with-posix-attributes DOMAINS`	Provides a comma-separated list of the specific domains when `--posix-attributes-source SPECIFIC_DOMAINS` is specified. The domains can be in the forest of the cluster's joined domain, or in other trusted forests. For example: `ad.example.com,domain.com`
`--abac-read-only-value-name KEYWORD`	Sets the ABAC attribute value that grants read-only access to a view tagged with this ABAC attribute. The default is `ro`.
`--abac-read-write-value-name KEYWORD`	Sets the ABAC attribute value that grants read/write access to a view tagged with this ABAC attribute. The default is `rw`.

Options (Joining and Leaving)

`--admin-username USERNAME`	Specify an Active Directory admin user with permission to join the Active Directory domain.
`--admin-passwd PASSWORD`	Specify the password for the specified user. If not supplied, you are prompted for the password. Note VAST Cluster does not store this password.
`--join`	Include this option to join the Active Directory domain.
`--leave`	Include this option to leave the Active Directory domain.

Example

This example shows the cluster joining to an Active Directory domain.

vcli: admin> activedirectory modify --id 1 --join --admin-username myuser
Are you sure you want to modify the Active directory? [y/N] y
Enter admin password:
Password:

Waiting ...

[2020-03-31 10:18:39] waiting for active directory AD enabled state to change to True ...\

[2020-03-31 10:19:45] modify active directory completed successfully .../