Continuing with the series of blogs on Authentication, let's see the details on how we can configure IBM Spectrum Scale™ with Active Directory.
Configuring IBM Spectrum Scale™ Authentication using Active Directory
You can configure authentication using Active Directory to enable read and write access to the files and directories. AD-based authentication can be configured with the following ID mapping methods: Automatic, RFC2307, and LDAP.
We will look at AD + Automatic ID mapping in detail, along with the command used to configure it. Just to recap, here is the Authentication Support Matrix. It shows which protocols we support with AD depending on the ID mapping technique you choose.
IMPORTANT: I highly recommend that you understand the matrix thoroughly during the planning phase so that you choose the right authentication method for the protocols you will be using, not just today but also in the future. We do not support migration of authentication, and cleaning up authentication in order to reconfigure it may lead to loss of data access. Once authentication is configured, it needs to remain the same for the life of the product.
So, if you plan to ever have mixed protocols, plan for it today and configure authentication accordingly.
Active Directory with Automatic ID Mapping
In this case, Active Directory is used as the authentication server, while the UID and GID for each user and group are stored within the IBM Spectrum Scale™ system. The UIDs and GIDs are generated automatically. For more information on how the IDs are generated, refer to the article "IBM Spectrum Scale™ Authentication for File Access - Overview".
AD + Automatic ID Mapping is used when you have ONLY SMB access and you do not use multiprotocol access. This is usually a good choice when you have ONLY Windows clients in your environment.
If tomorrow you decide to have NFS clients or NFS access too, you will NOT be able to add RFC2307 or LDAP. It is not as simple as cleaning up authentication and re-configuring AD + RFC2307 or AD + LDAP: the UIDs and GIDs generated for users and groups by automatic ID mapping need to match the user's UID or group's GID on UNIX in order to work smoothly.
Command to Configure Plain AD with Automatic ID Mapping
Issue the mmuserauth service create command as shown in the following example:
# mmuserauth service create --type ad --data-access-method file --netbios-name specscale --user-name administrator --idmap-role master --servers myADserver --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999
Here is what each parameter means.

--type - The type of authentication; here it is AD.

--data-access-method - In this case we use file.

--netbios-name - This must be a unique identifier on the network. The NetBIOS name is limited to 15 ASCII characters and must not contain any white space or any of the following characters: / : * ? . " ; |
The NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Spectrum Scale™ clusters, or between the AD domain and the NetBIOS name, the configuration does not work properly.

--user-name - The user name used to perform operations against the authentication server. The user specified must have sufficient permissions to read user and group attributes from the authentication server and to create a machine account for the join between the domain and IBM Spectrum Scale™. This user does not need to be an administrator.

--idmap-role - If you have only a single stand-alone deployment, this value remains "master". If you plan to have two or more systems in an AFM relationship, the primary system is the "master" while the secondary system, or DR site, has the role "subordinate".
Important: ID mappings are always created only on the "master" system. On the "subordinate" system, these ID mappings have to be imported from the "master" system.

--servers - The server name or IP address of the domain controller. You can specify only a single server. Any other domains that you want to authenticate must be in a two-way trust with the server that you pass with the command.

--password - The password for the user specified in --user-name.

--idmap-range-size - The size of the bucket of UIDs and GIDs allocated from the idmap-range to each domain that authenticates successfully. For example, if --idmap-range is defined as 10000000-299999999 and the range size is defined as 1000000, each domain is assigned a bucket of 1000000 IDs, and the next domain gets the next bucket of 1000000 IDs. A total of 290 domains can be mapped. If a domain has more than 1000000 users, the next bucket of 1000000 IDs is assigned to it as well.
Important: Choose the range size value carefully, because the range size cannot be changed after the first AD domain is defined on the IBM Spectrum Scale™ system.

--idmap-range - The range of values from which UIDs and GIDs are automatically generated and assigned by the system to Active Directory users and groups.
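Because the NetBIOS name and the ID map range/range size cannot be changed once the first domain is mapped, it is worth checking them before running mmuserauth. The following is an added planning helper, not IBM code and not part of mmuserauth: it applies the NetBIOS naming rules and the idmap-range / idmap-range-size arithmetic described above to the values from the example command, and reports how many domain buckets the range yields and the bounds of each bucket. The function names and the assumption that buckets are carved from the low end of the range upwards are this example's own.

```python
"""Pre-flight checks for mmuserauth service create parameters.

Added example (not IBM Spectrum Scale code): applies the NetBIOS-name rules
and the idmap-range / idmap-range-size arithmetic from the post so values
can be sanity-checked before authentication is configured.
"""
from __future__ import annotations

NETBIOS_MAX_LEN = 15
# Characters the post lists as forbidden in a NetBIOS name (white space is
# checked separately).
NETBIOS_FORBIDDEN = set('/:*?.";|')


def check_netbios_name(name: str) -> list[str]:
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems: list[str] = []
    if not name:
        problems.append("name is empty")
    if len(name) > NETBIOS_MAX_LEN:
        problems.append(f"longer than {NETBIOS_MAX_LEN} characters")
    if not name.isascii():
        problems.append("contains non-ASCII characters")
    if any(ch.isspace() for ch in name):
        problems.append("contains white space")
    bad = sorted(set(name) & NETBIOS_FORBIDDEN)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    return problems


def parse_idmap_range(value: str) -> tuple[int, int]:
    """Parse an --idmap-range argument of the form LOW-HIGH into integers."""
    low_s, sep, high_s = value.partition("-")
    if not sep or not low_s.isdigit() or not high_s.isdigit():
        raise ValueError(f"idmap range must look like LOW-HIGH, got {value!r}")
    low, high = int(low_s), int(high_s)
    if low >= high:
        raise ValueError("idmap range low bound must be below the high bound")
    return low, high


def domain_capacity(idmap_range: str, range_size: int) -> int:
    """Number of whole buckets of range_size IDs that fit in the (inclusive) range.

    Each authenticating domain consumes one bucket, and a domain with more
    than range_size users consumes a further bucket, so this is the upper
    bound on the number of domains the configuration can serve.
    """
    if range_size <= 0:
        raise ValueError("range size must be positive")
    low, high = parse_idmap_range(idmap_range)
    return (high - low + 1) // range_size


def bucket_for(idmap_range: str, range_size: int, index: int) -> tuple[int, int]:
    """Inclusive ID bounds of the index-th bucket (0 = first bucket in the range).

    Assumption of this example: buckets are carved from the low end upwards.
    Which real domain lands in which bucket is decided by the system at
    mapping time; this only shows how the range is divided.
    """
    low, _ = parse_idmap_range(idmap_range)
    if not 0 <= index < domain_capacity(idmap_range, range_size):
        raise ValueError("bucket index outside the configured range")
    start = low + index * range_size
    return start, start + range_size - 1


if __name__ == "__main__":
    # Values from the example command in the post.
    name, idmap_range, range_size = "specscale", "10000000-299999999", 1000000
    print("netbios problems:", check_netbios_name(name) or "none")
    print("domain buckets available:", domain_capacity(idmap_range, range_size))
    print("first bucket:", bucket_for(idmap_range, range_size, 0))
    print("last bucket:", bucket_for(idmap_range, range_size, domain_capacity(idmap_range, range_size) - 1))
```

Run with the example command's values, it reports no NetBIOS problems and 290 buckets, matching the figure given above; a name such as "spec.scale" or one longer than 15 characters is flagged before the irreversible configuration step.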
Check the man page of mmuserauth for more information on the different parameters that can be used and their details.
If successful, the system displays the following output:
File Authentication configuration completed successfully.
Verify the authentication configuration by issuing the command as shown below:
# mmuserauth service list
The system displays the following output:
FILE access configuration : AD
OBJECT access not configured
As you can see, the output lists the authentication configuration details such as the server used for authentication, the NetBIOS name assigned, the ID map range and range size, and the ID map role of the system.
FAQ on AD Based Authentication with Automatic ID Mapping:
Check out the article "10 Frequently asked Questions on configuring Authentication using AD + AUTO ID mapping on IBM Spectrum Scale™" for a list of commonly asked questions and their answers.