Merge pull request #302080 from b-ahibbard/openldap

Support for other LDAP servers (OpenLDAP, FreeIPA, Red Hat)

Author: denrea

articles/azure-netapp-files/TOC.yml

@@ -311,6 +311,8 @@
         href: configure-kerberos-encryption.md
       - name: Configure AD DS LDAP with extended groups for NFS
         href: configure-ldap-extended-groups.md
+      - name: Configure LDAP server 
+        href: configure-directory-server.md
       - name: Configure an NFS client for Azure NetApp Files
         href: configure-nfs-clients.md
       - name: Convert an NFS volume between NFSv3 and NFSv4.1

articles/azure-netapp-files/azure-netapp-files-create-volumes.md

@@ -5,7 +5,7 @@ services: azure-netapp-files
 author: b-hchen
 ms.service: azure-netapp-files
 ms.topic: how-to
-ms.date: 06/10/2025
+ms.date: 10/07/2025
 ms.author: anfdocs
 # Customer intent: As a cloud architect, I want to create an NFS volume in Azure NetApp Files, so that I can support my application’s data management requirements and ensure optimized performance through proper version selection and configuration.
 ---
@@ -23,6 +23,11 @@ This article shows you how to create an NFS volume. For SMB volumes, see [Create
     See [Create a capacity pool](azure-netapp-files-set-up-capacity-pool.md).   
 * A subnet must be delegated to Azure NetApp Files.  
     See [Delegate a subnet to Azure NetApp Files](azure-netapp-files-delegate-subnet.md).
+* Plan your lightweight directory access protocol (LDAP) server.
+    If you're using FreeIPA, OpenLDAP, or Red Hat Directory Server, you must create the server before creating the NFS volumes. For other considerations, see [Configure LDAP directory servers](configure-directory-server.md).
+
+    >[!NOTE]
+    >[!INCLUDE [Note about Kerberos non-support for other LDAP services](includes/kerberos-other-servers.md)]
 
 ## Considerations 
 
@@ -33,9 +38,9 @@ This article shows you how to create an NFS volume. For SMB volumes, see [Create
   Support for UNIX mode bits (read, write, and execute) is available for NFSv3 and NFSv4.1. Root-level access is required on the NFS client to mount NFS volumes.
 
 * User ID mapping in NFSv4.1 for LDAP-enabled and non-LDAP volumes  
-  To avoid permission issues, including access for a root user, when using NFSv4.1, the ID domain configuration on the NFS client and Azure NetApp Files must match. User ID mapping can use centralized user management with LDAP or use local users for non-LDAP volumes. To configure the ID Domain in Azure NetApp Files for non-LDAP volumes, see [Configure NFSv4.1 ID domain for Azure NetApp Files](azure-netapp-files-configure-nfsv41-domain.md). 
+  To avoid permission issues including access for a root user when using NFSv4.1, the ID domain configuration on the NFS client and Azure NetApp Files must match. User ID mapping can use centralized user management with LDAP or use local users for non-LDAP volumes. To configure the ID Domain in Azure NetApp Files for non-LDAP volumes, see [Configure NFSv4.1 ID domain for Azure NetApp Files](azure-netapp-files-configure-nfsv41-domain.md). 
 
-## Best practice
+## Best practices
 
 * Ensure that you’re using the proper mount instructions for the volume. See [Mount a volume for Windows or Linux VMs](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md).
 
@@ -124,7 +129,13 @@ This article shows you how to create an NFS volume. For SMB volumes, see [Create
 
         Additional configurations are required if you use Kerberos with NFSv4.1. Follow the instructions in [Configure NFSv4.1 Kerberos encryption](configure-kerberos-encryption.md).
 
-    * If you want to enable Active Directory LDAP users and extended groups (up to 1024 groups) to access the volume, select the **LDAP** option. Follow instructions in [Configure AD DS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md) to complete the required configurations. 
+    * Select **LDAP** to enable LDAP users and extended groups (up to 1,024 groups) to access the volume.
+        * For Active Directory servers, follow instructions in [Configure AD DS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md) to complete the required configurations. 
+        * For other servers, you must have created the server before you can create the volume. Follow instructions in [Configure LDAP directory servers](configure-directory-server.md).
+
+    * **LDAP server type**: If you've selected **LDAP**, choose the server connection type:
+        - For Active Directory, select **Active Directory connections**.
+        - For all other servers, select **LDAP connection**.
 
     *  Customize **Unix Permissions** as needed to specify change permissions for the mount path. The setting does not apply to the files under the mount path. The default setting is `0770`. This default setting grants read, write, and execute permissions to the owner and the group, but no permissions are granted to other users.     
         Registration requirement and considerations apply for setting **Unix Permissions**. Follow instructions in [Configure Unix permissions and change ownership mode](configure-unix-permissions-change-ownership-mode.md).   

articles/azure-netapp-files/azure-netapp-files-quickstart-set-up-account-create-volumes.md

@@ -292,7 +292,7 @@ The following code snippet shows how to create a NetApp capacity pool using [Ter
     * Select **NFS** as the protocol type for the volume.
     * Enter **myfilepath1** for the file path used to create the export path for the volume.
     * Select the NFS version (**NFSv3** or **NFSv4.1**) for the volume.
-      See [considerations](azure-netapp-files-create-volumes.md#considerations) and [best practice](azure-netapp-files-create-volumes.md#best-practice) about NFS versions.
+      See [considerations](azure-netapp-files-create-volumes.md#considerations) and [best practice](azure-netapp-files-create-volumes.md#best-practices) about NFS versions.
 
     ![Screenshot of NFS protocol for selection.](./media/azure-netapp-files-quickstart-set-up-account-create-volumes/azure-netapp-files-quickstart-protocol-nfs.png)
 

articles/azure-netapp-files/configure-directory-server.md

@@ -0,0 +1,144 @@
+---
+title: Configure LDAP directory servers for Azure NetApp Files NFS volumes
+description: Azure NetApp Files NFS volumes support FreeIPA, OpenLDAP, and Red Hat Directory Server as alternative directory services in Azure NetApp Files.
+services: azure-netapp-files
+author: b-ahibbard
+ms.service: azure-netapp-files
+ms.topic: how-to
+ms.date: 10/07/2025
+ms.author: anfdocs
+---
+# Configure LDAP directory services for Azure NetApp Files NFS volumes (preview)
+
+In addition to native Active Directory support, Azure NetApp Files supports native integration with directory services including FreeIPA, OpenLDAP, and Red Hat Directory Server for lightweight directory access protocol (LDAP) directory servers. With native LDAP directory server support, you can achieve secure and scalable identity-based access control for NFS volumes in Linux environments.
+
+Azure NetApp Files' LDAP integration simplifies file share access management by leveraging trusted directory services. It supports NFSv3 and NFSv4.1 protocols and uses DNS SRV record-based discovery for high availability and load balancing across LDAP servers. From a business perspective, this feature enhances: 
+
+- **Compliance**: Centralized identity management supports auditability and policy enforcement
+- **Efficiency**: Reduces administrative overhead by unifying identity controls across Linux and NTFS systems
+- **Security**: Supports LDAP over TLS, symmetric/asymmetric name mapping, and extended group memberships
+- **Seamless integration**: Works with existing LDAP infrastructure
+- **Scalability**: Supports large user and group directories
+- **Flexibility**: Compatible with multiple LDAP implementations
+
+## Supported directory services 
+
+* **FreeIPA**: Ideal for secure, centralized identity management in Linux environments
+* **OpenLDAP**: Lightweight and flexible directory service for custom deployments
+* **Red Hat Directory Server**: Enterprise-grade LDAP service with advanced scalability and security features
+
+>[!IMPORTANT]
+>To configure LDAP with Active Directory, see [Configure AD DS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md).
+
+## Architecture 
+
+The following diagram outlines how Azure NetApp Files uses LDAP bind/search operations to authenticate users and enforce access control based on directory information.
+
+:::image type="content" source="./media/configure-directory-server/server-diagram.png" alt-text="Diagram of LDAP directory server in Azure NetApp Files." lightbox="./media/configure-directory-server/server-diagram.png":::
+
+The architecture involves the following components:
+
+- Linux VM client: initiates an NFS mount request to Azure NetApp Files
+- Azure NetApp Files volume: receives the mount request and performs LDAP queries
+- LDAP directory server: responds to bind/search requests with user and group information
+- Access control logic: enforces access decisions based on LDAP responses
+
+### Data flow 
+
+1.	Mount Request: The Linux VM sends an NFSv3 or NFSv4.1 mount request to Azure NetApp Files.
+2.	LDAP Bind/Search: Azure NetApp Files sends a bind/search request to the LDAP server (FreeIPA, OpenLDAP, or RHDS) using the UID/GID.
+3. LDAP Response: The directory server returns user and group attributes.
+4. Access Control Decision: Azure NetApp Files evaluates the response and grants or denies access.
+5.	Client Access: The decision is communicated back to the client.
+
+
+## Use cases 
+
+Each directory service appeals to different use cases in Azure NetApp Files. 
+
+### FreeIPA
+
+* **Hybrid Linux environments**: Ideal for enterprises using FreeIPA for centralized identity management across Linux systems in hybrid cloud deployments.
+* **HPC and analytics workloads**: Supports secure authentication for high-performance computing clusters and analytics platforms that rely on FreeIPA.
+* **Kerberos integration**: Enables environments that require Kerberos-based authentication for NFS workloads without Active Directory.
+
+### OpenLDAP
+
+* **Legacy application support**: Perfect for organizations running legacy or custom applications that depend on OpenLDAP for identity services.
+* **Multi-platform identity management**: Provides a lightweight, standards-based solution for managing access across Linux, UNIX, and containerized workloads.
+* **Cost-optimized deployments**: Suitable for businesses seeking an open-source, flexible directory solution without the overhead of Active Directory.
+
+### Red Hat Directory Server
+ 
+* **Enterprise-grade security and compliance**: Designed for organizations that require hardened, enterprise-supported LDAP services with strong security controls.
+* **Regulated industries**: Ideal for financial, healthcare, and government sectors where compliance and vendor support are critical.
+* **Integration with Red Hat Ecosystem**: Seamlessly fits into environments leveraging Red Hat Enterprise Linux and related solutions.
+
+## Considerations 
+
+* FreeIPA, OpenLDAP, and Red Hat Directory Server are supported with NFSv3 and NFSv4.1 volumes; they aren't currently supported with dual-protocol volumes. 
+* These directory services aren't currently supported with large volumes. 
+* You must configure the LDAP server before creating the volume. 
+* You can only configure FreeIPA, OpenLDAP, or Red Hat Directory Server on _new_ NFS volumes. You can't convert existing volumes to use these directory services. 
+* [!INCLUDE [Kerberos support limitation](includes/kerberos-other-servers.md)]
+
+## Register the feature
+
+Support for FreeIPA, OpenLDAP, and Red Hat Directory Server is currently in preview. Before connecting your NFS volumes to one of these directory servers, you must register the feature: 
+
+1.  Register the feature:
+
+    ```azurepowershell-interactive
+    Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFOpenLDAP
+    ```
+
+2. Check the status of the feature registration: 
+
+    > [!NOTE]
+    > The **RegistrationState** can remain in the `Registering` state for up to 60 minutes before changing to `Registered`. Wait until the status is `Registered` before continuing.
+
+    ```azurepowershell-interactive
+    Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFOpenLDAP
+    ```
+
+You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status. 
+
+## Create the LDAP server 
+
+You must first create the LDAP server before you can connect it to Azure NetApp Files. Follow the instructions for the relevant server: 
+
+* To configure FreeIPA, see the [FreeIPA QuickStart Guide](https://www.freeipa.org/page/Quick_Start_Guide) then follow [Red Hat's guidance](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-install#client-install-non-interactive).
+* For OpenLDAP, see [OpenLDAP documentation](https://www.openldap.org/doc/).
+* For Red Hat Directory Server, follow the [Red Hat documentation](https://docs.redhat.com/en/documentation/red_hat_fuse/6.3/html/security_guide/esbldaptutorialinstallds#ESBLDAPTutorialInstallDS). 
+    For more information, see the [install guide for 389 Directory Server](https://www.port389.org/docs/389ds/howto/howto-install-389.html). 
+
+## Configure the LDAP connection in Azure NetApp Files 
+
+1. In the Azure portal, navigate to LDAP connections under Azure NetApp Files. 
+1. Create the new LDAP connection. 
+1. In the new menu, provide: 
+
+    * **Domain:** The domain name serves as the base DN. 
+    * **LDAP servers:** The IP address of the LDAP server. 
+    * **LDAP over TLS:** Optionally, check the box to enable LDAP over TLS for secure communication. For more information, see [Configure LDAP over TLS](configure-ldap-over-tls.md).
+    * **Server CA certificate:** The certification authority certificate. This option is required if you use LDAP over TLS. 
+    * **Certificate CN Host:** The common name server of the host, for example contoso.server.com. 
+
+    :::image type="content" source="./media/configure-directory-server/configure-connection.png" alt-text="Screenshot of Configure LDAP connection options." lightbox="./media/configure-directory-server/configure-connection.png":::
+
+1. Select **Save**. 
+1. Once you configure the LDAP connection, you can create an [NFS volume](azure-netapp-files-create-volumes.md).
+
+## Validate the LDAP connection 
+
+1. To validate the connection, navigate to the volume overview for the volume using the LDAP connection.
+1. Select **LDAP connection** then **LDAP Group ID List**.  
+1. In the Username field, enter the username provided when you configured the LDAP server. Select **Get Group IDs**. Ensure the group IDs match the client and server.
+
+## Next steps
+
+- [Understand LDAP](lightweight-directory-access-protocol.md)
+- [Understand name mapping using LDAP](lightweight-directory-access-protocol-name-mapping.md)
+- [Understand allow local NFS users with LDAP option](lightweight-directory-access-protocol-local-users.md)
+- [Understand LDAP schemas](lightweight-directory-access-protocol-schemas.md)
+- [Create an NFS volume](azure-netapp-files-create-volumes.md)

articles/azure-netapp-files/configure-ldap-extended-groups.md

@@ -12,7 +12,7 @@ ms.custom: sfi-image-nochange
 ---
 # Enable Active Directory Domain Services (AD DS) LDAP authentication for NFS 
 
-When you [create an NFS volume](azure-netapp-files-create-volumes.md), you can enable the LDAP with extended groups feature (the **LDAP** option) for the volume. This feature enables Active Directory LDAP users and extended groups (up to 1024 groups) to access files and directories in the volume. You can use the LDAP with extended groups feature with both NFSv4.1 and NFSv3 volumes. 
+When you [create an NFS volume](azure-netapp-files-create-volumes.md), you can enable the LDAP with extended groups feature (the **LDAP** option) for the volume. This feature enables Active Directory LDAP users and extended groups (up to 1,024 groups) to access files and directories in the volume. You can use the LDAP with extended groups feature with both NFSv4.1 and NFSv3 volumes. 
 
 > [!NOTE]
 > By default, in Active Directory LDAP servers, the `MaxPageSize` attribute is set to a default of 1,000. This setting means that groups beyond 1,000 are truncated in LDAP queries. To enable full support with the 1,024 value for extended groups, the `MaxPageSize` attribute must be modified to reflect the 1,024 value. For information about how to change that value, see [How to view and set LDAP policy in Active Directory by using Ntdsutil.exe](/troubleshoot/windows-server/identity/view-set-ldap-policy-using-ntdsutil).
@@ -33,6 +33,9 @@ The following information is passed to the server in the query:
 1. If the user or group isn’t found, the request fails, and access is denied.
 1. If the request is successful, then user and group attributes are [cached for future use](configure-ldap-extended-groups.md#considerations). This operation improves the performance of subsequent LDAP queries associated with the cached user or group attributes. It also reduces the load on the AD DS or Microsoft Entra Domain Services LDAP server.
 
+>[!IMPORTANT]
+>To configure LDAP with an alternative server, see [Configure an LDAP server](configure-directory-server.md).
+
 ## Considerations
 
 * You can enable the LDAP with extended groups feature only during volume creation. This feature can't be retroactively enabled on existing volumes.  

articles/azure-netapp-files/includes/kerberos-other-servers.md

@@ -0,0 +1,13 @@
+---
+author: b-ahibbard
+ms.service: azure-netapp-files
+ms.topic: include
+ms.date: 10/07/2025
+ms.author: anfdocs
+ms.custom: include file
+
+# azure-netapp-files-create-volumes.md
+# configure-directory-server.md
+---
+
+Kerberos isn't currently supported with FreeIPA, OpenLDAP, or Red Hat Directory Server. 

articles/azure-netapp-files/lightweight-directory-access-protocol.md

@@ -5,7 +5,7 @@ services: azure-netapp-files
 author: whyistheinternetbroken
 ms.service: azure-netapp-files
 ms.topic: concept-article
-ms.date: 02/18/2025
+ms.date: 10/07/2025
 ms.author: anfdocs
 ms.custom: sfi-image-nochange
 # Customer intent: As a cloud storage administrator, I want to understand how lightweight directory access protocol (LDAP) integrates with Azure NetApp Files, so that I can effectively manage user identities and permissions for optimal security and performance in a dual-protocol environment.
@@ -51,8 +51,8 @@ LDAP offers various benefits for your UNIX users and groups as an identity sourc
     NIS, NIS+, and local files offer basic information such UID, GID, password, home directories, and so on. However, LDAP offers those attributes and many more. The additional attributes that LDAP uses makes dual-protocol management much more integrated with LDAP versus NIS. Only LDAP is supported as an external name service for identity management with Azure NetApp Files. 
 * **Microsoft Active Directory is built on LDAP.**  
     By default, Microsoft Active Directory uses an LDAP back-end for its user and group entries. However, this LDAP database doesn't contain UNIX style attributes. These attributes are added when the LDAP schema is extended through Identity Management for UNIX (Windows 2003R2 and later), Service for UNIX (Windows 2003 and earlier), or third-party LDAP tools such as *Centrify*. Because Microsoft uses LDAP as a back-end, it makes LDAP the perfect solution for environments that choose to leverage dual-protocol volumes in Azure NetApp Files. 
-    > [!NOTE]
-    > Azure NetApp Files currently only supports native Microsoft Active Directory for LDAP services.
+    >[!NOTE]
+    >In addition to native Active Directory, Azure NetApp Files [supports FreeIPA, OpenLDAP, and Red Hat Directory Server](configure-directory-server.md).
 
 ## LDAP basics in Azure NetApp Files 
 
@@ -123,6 +123,7 @@ The following section discusses the basics of LDAP as it pertains to Azure NetAp
 - [Understand allow local NFS users with LDAP option](lightweight-directory-access-protocol-local-users.md)
 - [Understand LDAP schemas](lightweight-directory-access-protocol-schemas.md)
 * [Configure AD DS LDAP over TLS for Azure NetApp Files](configure-ldap-over-tls.md) 
+* [Configure LDAP directory servers](configure-directory-server.md)
 * [Understand NFS group memberships and supplemental groups](network-file-system-group-memberships.md)
 * [Azure NetApp Files NFS FAQ](faq-nfs.md)
 * [Azure NetApp Files SMB FAQ](faq-smb.md)