Configuring AD-based authentication with LDAP ID mapping
This method provides a way for IBM Spectrum Scale™ to read ID mappings from an LDAP server as defined in RFC2307. Mappings must be provided in advance by the administrator by creating the user accounts in the AD server and the posixAccount and posixGroup objects in the LDAP server. The names in the AD server and in the LDAP server have to be the same. This ID mapping approach allows the continued use of existing LDAP authentication servers that store records in the RFC2307 format. The group memberships defined in the AD server are also honored in the system.
Command to Configure Plain AD with LDAP
Issue the mmuserauth service create command as shown in the following example:
# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name administrator --password Passw0rd --netbios-name specscale --idmap-role master --ldapmap-domains "DOMAIN1(type=stand-alone:range=1000-100000:ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:
--type - Type of authentication; here it is AD.
--data-access-method - In this case we use file.
--netbios-name - A unique identifier on the network. The NetBIOS name is limited to 15 ASCII characters and must not contain white space or any of the following characters: / : * ? . " ; |
The NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Spectrum Scale™ clusters, or between the AD domain and the NetBIOS name, the configuration does not work properly.
--user-name - The user name used to perform operations against the authentication server. The specified user must have sufficient permissions to read user and group attributes from the authentication server and to create a machine account for the join between the domain and IBM Spectrum Scale™. This user does not need to be an administrator.
--idmap-role - If you have only a single stand-alone deployment, this value remains "master". If you plan to have two or more systems in an AFM relationship, the primary system is the "master" and the secondary system or DR site has the role "subordinate".
Important: ID mappings are always created only on the "master" system. On the "subordinate" system, these ID mappings have to be imported from the "master" system.
--servers - The server name or IP address of the domain controller. You can specify only a single server. Other domains that you want to authenticate against must have a two-way trust with the server that you pass to the command.
--password - The password for the user specified in --user-name.
--ldapmap-domains - This list specifies the AD domains for which the user ID and group ID are fetched from the LDAP server. You also need to pass other parameters such as the bind tree details, bind user and password along with a valid range. This option is valid only with --type ad and --data-access-method file.
Check the mmuserauth man page for more information on the different parameters that can be used and their details.
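Before running the command, a short pre-flight check written in POSIX shell can catch the two input mistakes the text warns about: an invalid NetBIOS name, and an ID range that the uidNumber/gidNumber values of the posixAccount and posixGroup objects in LDAP do not fall inside. This is an added example, not part of IBM Spectrum Scale or its documentation; the NetBIOS name, the range and the sample IDs are constructed values and preflight is a hypothetical helper.

```shell
#!/bin/sh
# Added pre-flight helpers (not IBM Spectrum Scale code). They only check
# inputs against the constraints stated for --netbios-name and range=.

# Return 0 if NAME is a valid NetBIOS name: 1-15 printable ASCII characters,
# no white space, none of / : * ? . " ; |
valid_netbios_name() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    # any byte outside printable non-space ASCII, or a forbidden character
    printf '%s' "$name" | LC_ALL=C grep -E -q '[^!-~]|[/:*?."; |]' && return 1
    return 0
}

# Return 0 if RANGE has the form low-high with 0 < low < high (e.g. 1000-100000).
valid_idmap_range() {
    case $1 in
        ''|*[!0-9-]*|*-*-*|-*|*-) return 1 ;;
    esac
    low=${1%-*}; high=${1#*-}
    [ "$low" -gt 0 ] && [ "$low" -lt "$high" ]
}

# Return 0 if ID (a uidNumber or gidNumber from LDAP) lies inside RANGE.
id_in_range() {
    valid_idmap_range "$1" || return 1
    low=${1%-*}; high=${1#*-}
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge "$low" ] && [ "$2" -le "$high" ]
}

# preflight NETBIOS RANGE ID... : report every problem, return 1 if any.
preflight() {
    netbios=$1; range=$2; shift 2
    rc=0
    valid_netbios_name "$netbios" || { echo "NetBIOS name '$netbios' is invalid" >&2; rc=1; }
    valid_idmap_range "$range"    || { echo "range '$range' is invalid" >&2; rc=1; }
    for id in "$@"; do
        id_in_range "$range" "$id" || { echo "ID $id is outside range $range" >&2; rc=1; }
    done
    return $rc
}

# Constructed values: the NetBIOS name and range from the command above,
# plus two sample uidNumbers an administrator might have created in LDAP.
preflight specscale 1000-100000 1001 2500
```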
If successful, the system displays the following output:
File Authentication configuration completed successfully.
Verify the authentication configuration by issuing the command as shown below:
# mmuserauth service list
The system displays the following output:
FILE access configuration : AD
LDAPMAP_DOMAINS DOMAIN1(type=stand-alone: range=1000-100000:ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:
As you can see, the output above lists the authentication configuration details: the server used for authentication, the NetBIOS name assigned, the ID map range and range size, and the LDAP map domains with their details.