Configure AD DS LDAP over TLS for Azure NetApp Files
You can use LDAP over TLS to secure communication between an Azure NetApp Files volume and the Active Directory LDAP server. You can enable LDAP over TLS for NFS, SMB, and dual-protocol volumes of Azure NetApp Files.
- DNS PTR records must exist for each AD DS domain controller assigned to the AD Site Name specified in the Azure NetApp Files Active Directory connection.
- PTR records must exist for all domain controllers in the site for AD DS LDAP over TLS to function properly.
Generate and export root CA certificate
If you do not have a root CA certificate, you need to generate one and export it for use with LDAP over TLS authentication.
Follow Install the Certification Authority to install and configure AD DS Certificate Authority.
Follow View certificates with the MMC snap-in to use the MMC snap-in and the Certificate Manager tool.
Use the Certificate Manager snap-in to locate the root or issuing certificate for the local device. You should run the Certificate Management snap-in commands from one of the following settings:
- A Windows-based client that has joined the domain and has the root certificate installed
- Another machine in the domain containing the root certificate
Export the root CA certificate.
Root CA certificates can be exported from the Personal or Trusted Root Certification Authorities directory, as shown in the following examples:
Ensure that the certificate is exported in the Base-64 encoded X.509 (.CER) format:
Enable LDAP over TLS and upload root CA certificate
Go to the NetApp account used for the volume, and select Active Directory connections. Then, select Join to create a new AD connection or Edit to edit an existing AD connection.
In the Join Active Directory or Edit Active Directory window that appears, select the LDAP over TLS checkbox to enable LDAP over TLS for the volume. Then select Server root CA Certificate and upload the generated root CA certificate to use for LDAP over TLS.
Ensure that the certificate authority name can be resolved by DNS. This name is the "Issued By" or "Issuer" field on the certificate:
If you uploaded an invalid certificate, and you have existing AD configurations, SMB volumes, or Kerberos volumes, an error similar to the following occurs:
Error updating Active Directory settings The LDAP client configuration "ldapUserMappingConfig" for Vservers is an invalid configuration.
To resolve the error condition, upload a valid root CA certificate to your NetApp account as required by the Windows Active Directory LDAP server for LDAP authentication.
Disable LDAP over TLS
Disabling LDAP over TLS stops encrypting LDAP queries to Active Directory (LDAP server). There are no other precautions or impact on existing ANF volumes.
Go to the NetApp account that is used for the volume and select Active Directory connections. Then select Edit to edit the existing AD connection.
In the Edit Active Directory window that appears, deselect the LDAP over TLS checkbox and select Save to disable LDAP over TLS for the volume.