APIs in Category: ldap
Cluster-Mode API version 1.15

 
ldap-client-create
ldap-client-delete
ldap-client-get-iter
ldap-client-modify
ldap-client-schema-copy
ldap-client-schema-delete
ldap-client-schema-get-iter
ldap-client-schema-modify
ldap-config-get-iter
This set of ZAPIs manages Lightweight Directory Access Protocol (LDAP) configuration.

NetApp Manage ONTAP
 
ldap-client-create

Create a new Lightweight Directory Access Protocol (LDAP) client configuration for the cluster.
Input Name Range Type Description
ad-domain string
optional
The Active Directory Domain Name for this LDAP configuration. The option is ONLY applicable for configurations using Active Directory LDAP servers.
base-dn ldap-dn
optional
Indicates the starting point for searches within the LDAP directory tree. If omitted, searches will start at the root of the directory tree.
base-scope ldap-search-scope
optional
This indicates the scope for LDAP search. If omitted, this parameter defaults to 'subtree'. Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
bind-as-cifs-server boolean
optional
If set, the cluster will use the CIFS server's credentials to bind to the LDAP server. If omitted, this parameter defaults to 'true' if the configuration uses Active Directory LDAP and defaults to 'false' otherwise.
bind-dn ldap-dn
optional
The Bind Distinguished Name (DN) is the LDAP identity used during the authentication process by the clients. This is required if the LDAP server does not support anonymous binds. This field is not used if 'bind-as-cifs-server' is set to 'true'. Example: cn=username,cn=Users,dc=example,dc=com
bind-password string
optional
The password to be used with the bind-dn.
group-dn ldap-dn
optional
The Group Distinguished Name (DN), if specified, is used as the starting point in the LDAP directory tree for group lookups. If not specified, group lookups will start at the base-dn.
group-scope ldap-search-scope
optional
This indicates the scope for LDAP search when doing group lookups. Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
ldap-client-config string
The name of the LDAP client configuration.
min-bind-level ldap-auth-method
optional
The minimum authentication level that can be used to authenticate with the LDAP server. If omitted, this parameter defaults to 'sasl' if the configuration uses Active Directory LDAP. For configurations that use LDAP servers from other vendors, this parameter defaults to 'simple' if a 'bind-dn' is specified and 'anonymous' otherwise. Possible values:
  • "anonymous" - Anonymous bind,
  • "simple" - Simple bind,
  • "sasl" - Simple Authentication and Security Layer (SASL) bind
netgroup-dn ldap-dn
optional
The Netgroup Distinguished Name (DN), if specified, is used as the starting point in the LDAP directory tree for netgroup lookups. If not specified, netgroup lookups will start at the base-dn.
netgroup-scope ldap-search-scope
optional
This indicates the scope for LDAP search when doing netgroup lookups. Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
preferred-ad-servers ip-address[]
optional
Preferred Active Directory (AD) Domain controllers to use for this configuration. This option is ONLY applicable for configurations using Active Directory LDAP servers.
query-timeout [0..10] integer
optional
Maximum time in seconds to wait for a query response from the LDAP server. The default for this parameter is 3 seconds.
return-record boolean
optional
If set to true, returns the ldap-client on successful creation. Default: false
schema string
LDAP schema to use for this configuration. The list of possible schemas can be obtained using the ldap-client-schema-get-iter API.
servers ip-address[]
optional
List of LDAP Server IP addresses to use for this configuration. The option is NOT applicable for configurations using Active Directory LDAP servers.
tcp-port [1..65535] integer
optional
The TCP port on the LDAP server to use for this configuration. If omitted, this parameter defaults to 389.
user-dn ldap-dn
optional
The User Distinguished Name (DN), if specified, is used as the starting point in the LDAP directory tree for user lookups. If this parameter is omitted, user lookups will start at the base-dn.
user-scope ldap-search-scope
optional
This indicates the scope for LDAP search when doing user lookups. Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
 
Output Name Range Type Description
result ldap-client
optional
The ldap-client created (keys or the entire object if requested)
 Errno  Description
 EINTERNALERROR

 
ldap-client-delete
Delete an existing Lightweight Directory Access Protocol (LDAP) client configuration from the cluster.
Input Name Range Type Description
ldap-client-config string
The name of the LDAP client configuration.
 Errno  Description
 EOBJECTNOTFOUND
 EINTERNALERROR

 
ldap-client-get-iter
Retrieve the list of Lightweight Directory Access Protocol (LDAP) client configurations for the cluster.
Input Name Range Type Description
desired-attributes ldap-client
optional
Specify the attributes that should be returned. If not present, all attributes for which information is available will be returned. If present, only the desired attributes for which information is available will be returned.
max-records [1..100] integer
optional
The maximum number of records to return in this call. Default: 20
query ldap-client
optional
A query that specifies which objects to return. A query could be specified on any number of attributes in the ldap-client object. All ldap-client objects matching this query up to 'max-records' will be returned.
tag string
optional
Specify the tag from the last call. It is usually not specified for the first call. For subsequent calls, copy values from the 'next-tag' obtained from the previous call.
 
Output Name Range Type Description
attributes-list ldap-client[]
optional
The list of attributes of ldap-client objects.
next-tag string
optional
Tag for the next call. Not present when there are no more ldap-client objects to return.
num-records [0..100] integer
The number of records returned in this call.
 Errno  Description
 EINTERNALERROR
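
An added example (not NetApp code) that pages through ldap-client-get-iter output with 'tag'/'next-tag' and flags client configurations whose bind level resolves to 'anonymous' or 'simple' under the defaults documented for min-bind-level. The `<results>` wrapper, the tag values, the `fetch_page` helper and the rule that a present ad-domain means an Active Directory configuration are assumptions made for this example; the XML is constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample pages shaped like ldap-client-get-iter output. The
# <results> wrapper and the tag values are assumptions for this example.
PAGES = {
    None: """<results>
  <attributes-list>
    <ldap-client>
      <ldap-client-config>corp-ad</ldap-client-config>
      <ad-domain>example.com</ad-domain>
      <schema>AD-SFU</schema>
    </ldap-client>
    <ldap-client>
      <ldap-client-config>legacy-nis</ldap-client-config>
      <servers><ip-address>192.168.125.123</ip-address></servers>
      <schema>RFC-2307</schema>
    </ldap-client>
  </attributes-list>
  <next-tag>page-2</next-tag>
  <num-records>2</num-records>
</results>""",
    "page-2": """<results>
  <attributes-list>
    <ldap-client>
      <ldap-client-config>lab-ldap</ldap-client-config>
      <base-dn>dc=example,dc=com</base-dn>
      <bind-dn>cn=username,cn=Users,dc=example,dc=com</bind-dn>
      <min-bind-level>simple</min-bind-level>
      <schema>RFC-2307</schema>
      <tcp-port>389</tcp-port>
    </ldap-client>
  </attributes-list>
  <num-records>1</num-records>
</results>""",
}


def fetch_page(tag):
    """Hypothetical stand-in for the API call: returns one page of XML."""
    return PAGES[tag]


def iter_ldap_clients(fetch=fetch_page):
    """Follow next-tag until it is absent, yielding each ldap-client as a dict."""
    tag = None  # the tag is not specified on the first call
    while True:
        results = ET.fromstring(fetch(tag))
        for rec in results.findall("./attributes-list/ldap-client"):
            yield {child.tag: (child.text or "").strip() for child in rec}
        tag = results.findtext("next-tag")
        if not tag:  # no next-tag: no more ldap-client objects to return
            return


def effective_bind_level(cfg):
    """Apply the documented defaults when min-bind-level is omitted."""
    if cfg.get("min-bind-level"):
        return cfg["min-bind-level"]
    if cfg.get("ad-domain"):  # assumption: ad-domain present => AD LDAP
        return "sasl"
    return "simple" if cfg.get("bind-dn") else "anonymous"


def audit(cfg):
    """Return findings for one ldap-client record."""
    findings = []
    level = effective_bind_level(cfg)
    if level == "anonymous":
        findings.append("min-bind-level resolves to anonymous: the cluster may bind without credentials")
    elif level == "simple":
        findings.append("min-bind-level resolves to simple: bind-password is sent without SASL protection")
    # An element can also be absent because desired-attributes limited the output.
    if not cfg.get("base-dn"):
        findings.append("base-dn omitted: searches start at the root of the directory tree")
    return findings


def audit_all(fetch=fetch_page):
    """Map each ldap-client-config name to its list of findings."""
    return {c["ldap-client-config"]: audit(c) for c in iter_ldap_clients(fetch)}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```
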

 
ldap-client-modify
Modify an existing Lightweight Directory Access Protocol (LDAP) client configuration.
Input Name Range Type Description
ad-domain string
optional
The Active Directory Domain Name for this LDAP configuration. The option is ONLY applicable for configurations using Active Directory LDAP servers.
base-dn ldap-dn
optional
Indicates the starting point for searches within the LDAP directory tree. If omitted, searches will start at the root of the directory tree.
base-scope ldap-search-scope
optional
This indicates the scope for LDAP search. If omitted, this parameter defaults to 'subtree'. Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
bind-as-cifs-server boolean
optional
If set, the cluster will use the CIFS server's credentials to bind to the LDAP server. If omitted, this parameter defaults to 'true' if the configuration uses Active Directory LDAP and defaults to 'false' otherwise.
bind-dn ldap-dn
optional
The Bind Distinguished Name (DN) is the LDAP identity used during the authentication process by the clients. This is required if the LDAP server does not support anonymous binds. This field is not used if 'bind-as-cifs-server' is set to 'true'. Example: cn=username,cn=Users,dc=example,dc=com
bind-password string
optional
The password to be used with the bind-dn.
group-dn ldap-dn
optional
The Group Distinguished Name (DN), if specified, is used as the starting point in the LDAP directory tree for group lookups. If not specified, group lookups will start at the base-dn.
group-scope ldap-search-scope
optional
This indicates the scope for LDAP search when doing group lookups. Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
ldap-client-config string
The name of the LDAP client configuration.
min-bind-level ldap-auth-method
optional
The minimum authentication level that can be used to authenticate with the LDAP server. If omitted, this parameter defaults to 'sasl' if the configuration uses Active Directory LDAP. For configurations that use LDAP servers from other vendors, this parameter defaults to 'simple' if a 'bind-dn' is specified and 'anonymous' otherwise. Possible values:
  • "anonymous" - Anonymous bind,
  • "simple" - Simple bind,
  • "sasl" - Simple Authentication and Security Layer (SASL) bind
netgroup-dn ldap-dn
optional
The Netgroup Distinguished Name (DN), if specified, is used as the starting point in the LDAP directory tree for netgroup lookups. If not specified, netgroup lookups will start at the base-dn.
netgroup-scope ldap-search-scope
optional
This indicates the scope for LDAP search when doing netgroup lookups. Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
preferred-ad-servers ip-address[]
optional
Preferred Active Directory (AD) Domain controllers to use for this configuration. This option is ONLY applicable for configurations using Active Directory LDAP servers.
query-timeout [0..10] integer
optional
Maximum time in seconds to wait for a query response from the LDAP server. The default for this parameter is 3 seconds.
schema string
optional
LDAP schema to use for this configuration. The list of possible schemas can be obtained using the ldap-client-schema-get-iter API.
servers ip-address[]
optional
List of LDAP Server IP addresses to use for this configuration. The option is NOT applicable for configurations using Active Directory LDAP servers.
tcp-port [1..65535] integer
optional
The TCP port on the LDAP server to use for this configuration. If omitted, this parameter defaults to 389.
user-dn ldap-dn
optional
The User Distinguished Name (DN), if specified, is used as the starting point in the LDAP directory tree for user lookups. If this parameter is omitted, user lookups will start at the base-dn.
user-scope ldap-search-scope
optional
This indicates the scope for LDAP search when doing user lookups. Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
 Errno  Description
 EOBJECTNOTFOUND
 EINTERNALERROR

 
ldap-client-schema-copy
Copy an existing LDAP schema. If the LDAP server that the storage system needs to query does not support any of the default read-only schemas, this API can be used to create an editable copy of an existing read-only schema. After copying the schema, the copy can be modified using the ldap-client-schema-modify API.
Input Name Range Type Description
new-schema-name string
New Schema Template Name
schema string
A name for the schema.
 Errno  Description
 EOBJECTNOTFOUND
 EINTERNALERROR

 
ldap-client-schema-delete
Delete an existing Lightweight Directory Access Protocol (LDAP) schema configuration. Only the schemas that are defined using the ldap-client-schema-copy API can be deleted using this API.
Input Name Range Type Description
schema string
A name for the schema.
 Errno  Description
 EOBJECTNOTFOUND
 EINTERNALERROR

 
ldap-client-schema-get-iter
Retrieve the list of Lightweight Directory Access Protocol (LDAP) client schema configurations that are defined for the cluster.
Input Name Range Type Description
desired-attributes ldap-client-schema
optional
Specify the attributes that should be returned. If not present, all attributes for which information is available will be returned. If present, only the desired attributes for which information is available will be returned.
max-records [1..100] integer
optional
The maximum number of records to return in this call. Default: 20
query ldap-client-schema
optional
A query that specifies which objects to return. A query could be specified on any number of attributes in the ldap-client-schema object. All ldap-client-schema objects matching this query up to 'max-records' will be returned.
tag string
optional
Specify the tag from the last call. It is usually not specified for the first call. For subsequent calls, copy values from the 'next-tag' obtained from the previous call.
 
Output Name Range Type Description
attributes-list ldap-client-schema[]
optional
The list of attributes of ldap-client-schema objects.
next-tag string
optional
Tag for the next call. Not present when there are no more ldap-client-schema objects to return.
num-records [0..100] integer
The number of records returned in this call.
 Errno  Description
 EINTERNALERROR

 
ldap-client-schema-modify
Modify an existing Lightweight Directory Access Protocol (LDAP) schema configuration. If the LDAP server that the storage system needs to query does not support any of the default read-only schemas, the ldap-client-schema-copy API can be used to create an editable copy of an existing read-only schema. After copying the schema, the copy can be modified using this API to support the target schema.
Input Name Range Type Description
cn-group-attribute string
optional
Name that represents the RFC 2256 cn attribute used by RFC 2307 when working with groups.
cn-netgroup-attribute string
optional
Name that represents the RFC 2256 cn attribute used by RFC 2307 when working with netgroups.
comment string
optional
A comment that can be associated with the schema.
gecos-attribute string
optional
Name that represents the RFC 2307 gecos attribute.
gid-number-attribute string
optional
Name that represents the RFC 2307 gidNumber attribute.
home-directory-attribute string
optional
Name that represents the RFC 2307 homeDirectory attribute.
login-shell-attribute string
optional
Name that represents the RFC 2307 loginShell attribute.
member-nis-netgroup-attribute string
optional
Name that represents the RFC 2307 memberNisNetgroup attribute.
member-uid-attribute string
optional
Name that represents the RFC 2307 memberUid attribute.
nis-netgroup-object-class string
optional
Name that represents the RFC 2307 nisNetgroup object class.
nis-netgroup-triple-attribute string
optional
Name that represents the RFC 2307 nisNetgroupTriple attribute.
posix-account-object-class string
optional
Name that represents the RFC 2307 posixAccount object class.
posix-group-object-class string
optional
Name that represents the RFC 2307 posixGroup object class.
schema string
A name for the schema.
uid-attribute string
optional
Name that represents the RFC 1274 userid attribute used by RFC 2307 as uid.
uid-number-attribute string
optional
Name that represents the RFC 2307 uidNumber attribute.
user-password-attribute string
optional
Name that represents the RFC 2256 userPassword attribute used by RFC 2307.
windows-account-attribute string
optional
Attribute name to be used to get the Windows account information for a UNIX user account.
 Errno  Description
 EOBJECTNOTFOUND
 EINTERNALERROR

 
ldap-config-get-iter
Retrieve the list of Lightweight Directory Access Protocol (LDAP) configurations in the cluster.
Input Name Range Type Description
desired-attributes ldap-config
optional
Specify the attributes that should be returned. If not present, all attributes for which information is available will be returned. If present, only the desired attributes for which information is available will be returned.
max-records [1..100] integer
optional
The maximum number of records to return in this call. Default: 20
query ldap-config
optional
A query that specifies which objects to return. A query could be specified on any number of attributes in the ldap-config object. All ldap-config objects matching this query up to 'max-records' will be returned.
tag string
optional
Specify the tag from the last call. It is usually not specified for the first call. For subsequent calls, copy values from the 'next-tag' obtained from the previous call.
 
Output Name Range Type Description
attributes-list ldap-config[]
optional
The list of attributes of ldap-config objects.
next-tag string
optional
Tag for the next call. Not present when there are no more ldap-config objects to return.
num-records [0..100] integer
The number of records returned in this call.
 Errno  Description
 EINTERNALERROR

 
Element definition: ip-address
IPv4 address in dotted notation as '192.168.125.123'
[none]

 
Element definition: ldap-auth-method
anonymous|simple|sasl Possible values:
  • "anonymous" - Anonymous bind,
  • "simple" - Simple bind,
  • "sasl" - Simple Authentication and Security Layer (SASL) bind
[none]

 
Element definition: ldap-client
LDAP Client Information. Each entry specifies an LDAP client configuration that can be associated with a Vserver using the ldap-config-create API. When returned as part of the output, all elements of this typedef are reported, unless limited by a set of desired attributes specified by the caller.

When used as input to specify desired attributes to return, omitting a given element indicates that it shall not be returned in the output. In contrast, by providing an element (even with no value) the caller ensures that a value for that element will be returned, given that the value can be retrieved.

When used as input to specify queries, any element can be omitted in which case the resulting set of objects is not constrained by any specific value of that attribute.

Name Range Type Description
ad-domain string
optional
The Active Directory Domain Name for this LDAP configuration. The option is ONLY applicable for configurations using Active Directory LDAP servers. Attributes: optional-for-create, modifiable
base-dn ldap-dn
optional
Indicates the starting point for searches within the LDAP directory tree. If omitted, searches will start at the root of the directory tree. Attributes: optional-for-create, modifiable
base-scope ldap-search-scope
optional
This indicates the scope for LDAP search. If omitted, this parameter defaults to 'subtree'. Attributes: optional-for-create, modifiable Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
bind-as-cifs-server boolean
optional
If set, the cluster will use the CIFS server's credentials to bind to the LDAP server. If omitted, this parameter defaults to 'true' if the configuration uses Active Directory LDAP and defaults to 'false' otherwise. Attributes: optional-for-create, modifiable
bind-dn ldap-dn
optional
The Bind Distinguished Name (DN) is the LDAP identity used during the authentication process by the clients. This is required if the LDAP server does not support anonymous binds. This field is not used if 'bind-as-cifs-server' is set to 'true'. Example: cn=username,cn=Users,dc=example,dc=com Attributes: optional-for-create, modifiable
bind-password string
optional
The password to be used with the bind-dn. Attributes: optional-for-create, modifiable
group-dn ldap-dn
optional
The Group Distinguished Name (DN), if specified, is used as the starting point in the LDAP directory tree for group lookups. If not specified, group lookups will start at the base-dn. Attributes: optional-for-create, modifiable
group-scope ldap-search-scope
optional
This indicates the scope for LDAP search when doing group lookups. Attributes: optional-for-create, modifiable Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
ldap-client-config string
optional
The name of the LDAP client configuration. Attributes: key, required-for-create, non-modifiable
min-bind-level ldap-auth-method
optional
The minimum authentication level that can be used to authenticate with the LDAP server. If omitted, this parameter defaults to 'sasl' if the configuration uses Active Directory LDAP. For configurations that use LDAP servers from other vendors, this parameter defaults to 'simple' if a 'bind-dn' is specified and 'anonymous' otherwise. Attributes: optional-for-create, modifiable Possible values:
  • "anonymous" - Anonymous bind,
  • "simple" - Simple bind,
  • "sasl" - Simple Authentication and Security Layer (SASL) bind
netgroup-dn ldap-dn
optional
The Netgroup Distinguished Name (DN), if specified, is used as the starting point in the LDAP directory tree for netgroup lookups. If not specified, netgroup lookups will start at the base-dn. Attributes: optional-for-create, modifiable
netgroup-scope ldap-search-scope
optional
This indicates the scope for LDAP search when doing netgroup lookups. Attributes: optional-for-create, modifiable Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
preferred-ad-servers ip-address[]
optional
Preferred Active Directory (AD) Domain controllers to use for this configuration. This option is ONLY applicable for configurations using Active Directory LDAP servers. Attributes: optional-for-create, modifiable
query-timeout [0..10] integer
optional
Maximum time in seconds to wait for a query response from the LDAP server. The default for this parameter is 3 seconds. Attributes: optional-for-create, modifiable
schema string
optional
LDAP schema to use for this configuration. The list of possible schemas can be obtained using the ldap-client-schema-get-iter API. Attributes: required-for-create, modifiable
servers ip-address[]
optional
List of LDAP Server IP addresses to use for this configuration. The option is NOT applicable for configurations using Active Directory LDAP servers. Attributes: optional-for-create, modifiable
tcp-port [1..65535] integer
optional
The TCP port on the LDAP server to use for this configuration. If omitted, this parameter defaults to 389. Attributes: optional-for-create, modifiable
user-dn ldap-dn
optional
The User Distinguished Name (DN), if specified, is used as the starting point in the LDAP directory tree for user lookups. If this parameter is omitted, user lookups will start at the base-dn. Attributes: optional-for-create, modifiable
user-scope ldap-search-scope
optional
This indicates the scope for LDAP search when doing user lookups. Attributes: optional-for-create, modifiable Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants

 
Element definition: ldap-client-schema
An LDAP Client Schema Definition. A schema definition is a way of defining what attribute names are to be used in LDAP queries to get information that the storage system needs for its operation. This will depend on the schema that the LDAP server supports. For example, to query for user account information, the LDAP query should ask for the 'posixAccount' class if the LDAP server is compatible with RFC-2307 and it should ask for 'User' class if the LDAP server is an Active Directory LDAP Server. The default LDAP configuration has two schemas defined namely 'RFC-2307' and 'AD-SFU'. The 'RFC-2307' schema is the default schema that should be used to query servers that support RFC-2307. The 'AD-SFU' schema is the default schema that should be used to query Active Directory LDAP servers. These schemas are read-only and cannot be modified. The default schemas will work with most common LDAP configurations. If it is required to support other schema configurations, one of the existing schemas can be copied using the 'ldap-client-schema-copy' API and modified using the 'ldap-client-schema-modify' API to work for the new configuration. When returned as part of the output, all elements of this typedef are reported, unless limited by a set of desired attributes specified by the caller.

When used as input to specify desired attributes to return, omitting a given element indicates that it shall not be returned in the output. In contrast, by providing an element (even with no value) the caller ensures that a value for that element will be returned, given that the value can be retrieved.

When used as input to specify queries, any element can be omitted in which case the resulting set of objects is not constrained by any specific value of that attribute.

Name Range Type Description
cn-group-attribute string
optional
Name that represents the RFC 2256 cn attribute used by RFC 2307 when working with groups. Attributes: optional-for-create, modifiable
cn-netgroup-attribute string
optional
Name that represents the RFC 2256 cn attribute used by RFC 2307 when working with netgroups. Attributes: optional-for-create, modifiable
comment string
optional
A comment that can be associated with the schema. Attributes: optional-for-create, modifiable
gecos-attribute string
optional
Name that represents the RFC 2307 gecos attribute. Attributes: optional-for-create, modifiable
gid-number-attribute string
optional
Name that represents the RFC 2307 gidNumber attribute. Attributes: optional-for-create, modifiable
home-directory-attribute string
optional
Name that represents the RFC 2307 homeDirectory attribute. Attributes: optional-for-create, modifiable
login-shell-attribute string
optional
Name that represents the RFC 2307 loginShell attribute. Attributes: optional-for-create, modifiable
member-nis-netgroup-attribute string
optional
Name that represents the RFC 2307 memberNisNetgroup attribute. Attributes: optional-for-create, modifiable
member-uid-attribute string
optional
Name that represents the RFC 2307 memberUid attribute. Attributes: optional-for-create, modifiable
nis-netgroup-object-class string
optional
Name that represents the RFC 2307 nisNetgroup object class. Attributes: optional-for-create, modifiable
nis-netgroup-triple-attribute string
optional
Name that represents the RFC 2307 nisNetgroupTriple attribute. Attributes: optional-for-create, modifiable
posix-account-object-class string
optional
Name that represents the RFC 2307 posixAccount object class. Attributes: optional-for-create, modifiable
posix-group-object-class string
optional
Name that represents the RFC 2307 posixGroup object class. Attributes: optional-for-create, modifiable
schema string
optional
A name for the schema. Attributes: key, required-for-create, non-modifiable
uid-attribute string
optional
Name that represents the RFC 1274 userid attribute used by RFC 2307 as uid. Attributes: optional-for-create, modifiable
uid-number-attribute string
optional
Name that represents the RFC 2307 uidNumber attribute. Attributes: optional-for-create, modifiable
user-password-attribute string
optional
Name that represents the RFC 2256 userPassword attribute used by RFC 2307. Attributes: optional-for-create, modifiable
windows-account-attribute string
optional
Attribute name to be used to get the Windows account information for a UNIX user account. Attributes: optional-for-create, modifiable

 
Element definition: ldap-config
Lightweight Directory Access Protocol (LDAP) configuration. Specifies the LDAP client configuration that is associated with this Vserver and whether the configuration is enabled. When returned as part of the output, all elements of this typedef are reported, unless limited by a set of desired attributes specified by the caller.

When used as input to specify desired attributes to return, omitting a given element indicates that it shall not be returned in the output. In contrast, by providing an element (even with no value) the caller ensures that a value for that element will be returned, given that the value can be retrieved.

When used as input to specify queries, any element can be omitted in which case the resulting set of objects is not constrained by any specific value of that attribute.

Name Range Type Description
client-config string
optional
The name of an existing Lightweight Directory Access Protocol (LDAP) client configuration. The LDAP client configuration can be created using the ldap-client-create API. The ldap-client-get-iter API can be used to retrieve the list of available LDAP client configurations for the cluster. Attributes: required-for-create, modifiable
client-enabled boolean
optional
If true, the corresponding Lightweight Directory Access Protocol (LDAP) configuration is enabled for this Vserver. Attributes: required-for-create, modifiable

 
Element definition: ldap-dn
LDAP Distinguished Name
[none]

 
Element definition: ldap-search-scope
base|onelevel|subtree Possible values:
  • "base" - Search only the base directory entry,
  • "onelevel" - Search the base directory entry and the children of the base entry,
  • "subtree" - Search the base directory entry and all its descendants
[none]

 