File and Object Storage

A Complete Guide to Configure LDAP-based authentication with IBM Spectrum Scale™ for File Access.

By Archive User posted Thu September 21, 2017 05:31 PM

An LDAP server can be used for both authentication and ID mapping. Ensure that the LDAP server is set up correctly with the schemas required to handle authentication and ID mapping requests. See "Setting up LDAP server prerequisites" for the prerequisites for integrating an LDAP server with the IBM Spectrum Scale™ system. Also, if you need to support SMB data access, the LDAP schema must be extended before configuring authentication. For more information, see "Updating LDAP user information with Samba attributes".

Based on the level of security, the following configurations are possible:
  • LDAP

  • LDAP with TLS

  • LDAP with Kerberos

  • LDAP with TLS and Kerberos


    LDAP


    In this method, IBM Spectrum Scale™ is configured with LDAP without Kerberos or TLS. It is less secure than LDAP with TLS, LDAP with Kerberos, or LDAP with TLS and Kerberos, all of which are covered below. The command needed to configure basic LDAP is explained below.

    Command to Configure with LDAP


    Issue the "mmuserauth service create" command as shown in the following example:


    # mmuserauth service create --type ldap --data-access-method file --servers myLDAPServer --netbios-name specscale --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password myPassword
    Here,

  • --type - Type of authentication; here it is ldap.

  • --data-access-method - Data access method; in this case it is file.

  • --servers - Hostname or IP of the LDAP Server. Multiple LDAP servers can be specified.

  • --netbios-name - It should be a unique identifier on a network. The NetBIOS name is limited to 15 ASCII characters and must not contain any white space or one of the following characters: / : * ? . " ; |
    The NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Spectrum Scale™ clusters, or between the AD Domain and the NetBIOS name, the configuration does not work properly.

  • --base-dn - Specifies the LDAP base DN of the authentication server.

  • --user-name - This is the user name to be used to perform operations against the authentication server. The user specified must have sufficient permissions to read user and group attributes from the authentication server.

  • --password - This is the password for the user specified in --user-name.


  • See the mmuserauth man page for details of the other parameters that can be used.

    If successful, the system displays the following output:


    File Authentication configuration completed successfully.

    Verify the authentication configuration by issuing the following command:


    # mmuserauth service list

    The system displays the following output:



    FILE access configuration : LDAP
    PARAMETERS VALUES
    -------------------------------------------------
    ENABLE_SERVER_TLS false
    ENABLE_KERBEROS false
    USER_NAME cn=manager,dc=example,dc=com
    SERVERS myLdapServer
    NETBIOS_NAME specscale
    BASE_DN dc=example,dc=com
    USER_DN none
    GROUP_DN none
    NETGROUP_DN none
    USER_OBJECTCLASS posixAccount
    GROUP_OBJECTCLASS posixGroup
    USER_NAME_ATTRIB cn
    USER_ID_ATTRIB uid
    KERBEROS_SERVER none
    KERBEROS_REALM none

    OBJECT access not configured
    PARAMETERS VALUES
    -------------------------------------------------



    LDAP with TLS


    Using TLS with LDAP helps you to have a secure communication channel between the IBM Spectrum Scale™ system and LDAP server.
    Transport Layer Security (TLS) is the standard name for the Secure Sockets Layer (SSL). The two terms (unless qualified with specific version numbers) are generally interchangeable. The LDAP server uses the TLS framework to provide integrity and confidentiality protection and to support LDAP authentication using the SASL EXTERNAL mechanism. TLS is defined in RFC 4346. TLS uses certificates to carry client and server identities. All servers are required to have valid certificates, whereas client certificates are optional.

    IMPORTANT: Ensure that the CA certificate for the LDAP server is placed in the /var/mmfs/tmp directory with the name ldap_cacert.pem on the protocol node where the command is run.

    Verify that the CA certificate is present with the required name at the required location, as shown in the following example:


    # stat /var/mmfs/tmp/ldap_cacert.pem
    File: /var/mmfs/tmp/ldap_cacert.pem
    Size: 2130 Blocks: 8 IO Block: 4096 regular file
    Device: fd00h/64768d Inode: 103169903 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
    Context: unconfined_u:object_r:user_tmp_t:s0
    Access: 2015-01-23 12:37:34.088837381 +0530
    Modify: 2015-01-23 12:16:24.438837381 +0530
    Change: 2015-01-23 12:16:24.438837381 +0530

    Now issue the "mmuserauth service create" command as shown in the following example:


    # mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password secret --netbios-name specscale --enable-server-tls
    Here,
  • --enable-server-tls - configures LDAP with TLS, provided that the CA certificate exists at the required path and is valid.


  • The "mmuserauth service list" command confirms that TLS is enabled:



    # mmuserauth service list

    The system displays the following output:



    FILE access configuration : LDAP
    PARAMETERS VALUES
    -------------------------------------------------
    ENABLE_SERVER_TLS true
    ...
    ....
    -------------------------------------------------

    LDAP with Kerberos


    Using Kerberos with LDAP provides stronger security for the communication channel between the IBM Spectrum Scale™ system and the LDAP server. Kerberos is a network authentication protocol that provides secure communication by ensuring that passwords are not sent over the network to the system. LDAP with Kerberos is typically used where an MIT KDC infrastructure already exists and is used for other Kerberized applications, or where you want Kerberized NFS and SMB access for higher security.

    It is assumed that the LDAP server is set up with the schemas required to handle authentication and ID mapping requests. If you need to support SMB data access, the LDAP schema must be extended to store additional attributes, such as the SID and the Windows password hash, in the POSIX user object.
    See "Understanding Prerequisite for configuring Kerberos-based SMB access" for details.

    IMPORTANT: Ensure that the keytab file is also placed in the /var/mmfs/tmp directory with the name krb5.keytab on the node where the command is run. Verify that the keytab file is present with the required name at the required location:
    # stat /var/mmfs/tmp/krb5.keytab
    File: /var/mmfs/tmp/krb5.keytab
    Size: 502 Blocks: 8 IO Block: 4096 regular file
    Device: fd00h/64768d Inode: 103169898 Links: 1
    Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
    Context: unconfined_u:object_r:user_tmp_t:s0
    Access: 2015-01-23 14:31:18.244837381 +0530
    Modify: 2015-01-23 12:45:05.475837381 +0530
    Change: 2015-01-23 12:45:05.476837381 +0530
    Birth: -

    Now issue the "mmuserauth service create" command as shown in the following example:


    # mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password myPassword --netbios-name specscale --enable-kerberos --kerberos-server myKerberosServer --kerberos-realm example.com
    Here,
  • --enable-kerberos - configures LDAP with Kerberos.

  • --kerberos-server - the Kerberos server (myKerberosServer in the example) that the system authenticates against; --kerberos-realm gives its Kerberos realm (example.com in the example).

  • The "mmuserauth service list" command confirms that Kerberos is enabled:



    # mmuserauth service list

    The system displays the following output:


    FILE access configuration : LDAP
    PARAMETERS VALUES
    -------------------------------------------------
    ENABLE_SERVER_TLS false
    ENABLE_KERBEROS true
    ...
    ....
    -------------------------------------------------


    LDAP with Kerberos and TLS


    Follow the steps of both LDAP with TLS and LDAP with Kerberos, and ensure that both the CA certificate for the LDAP server and the keytab file are placed in the /var/mmfs/tmp directory.

    Issue the "mmuserauth service create" command as shown in the following example:


    # mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password myPassword --netbios-name specscale --enable-server-tls --enable-kerberos --kerberos-server myKerberosServer --kerberos-realm example.com

    To verify the authentication configuration, issue the "mmuserauth service list" command as shown in the following example:


    # mmuserauth service list
    FILE access configuration : LDAP
    PARAMETERS VALUES
    -------------------------------------------------
    ENABLE_SERVER_TLS true
    ENABLE_KERBEROS true
    USER_NAME cn=manager,dc=example,dc=com
    SERVERS myLDAPserver
    NETBIOS_NAME specscale
    BASE_DN dc=example,dc=com
    USER_DN none
    GROUP_DN none
    NETGROUP_DN none
    USER_OBJECTCLASS posixAccount
    GROUP_OBJECTCLASS posixGroup
    USER_NAME_ATTRIB cn
    USER_ID_ATTRIB uid
    KERBEROS_SERVER myKerberosServer
    KERBEROS_REALM example.com
    OBJECT access not configured
    PARAMETERS VALUES
    -------------------------------------------------
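As an added example (not IBM's code and not a command from this post), the following POSIX shell script performs the pre-flight checks the four variants above depend on before "mmuserauth service create" is run: the NetBIOS name rules, the CA certificate at /var/mmfs/tmp/ldap_cacert.pem for --enable-server-tls, and the keytab at /var/mmfs/tmp/krb5.keytab for --enable-kerberos. The function names, the MMFS_TMP override and the mode strings are assumptions of the example.

```shell
#!/bin/sh
# Pre-flight checks for "mmuserauth service create --type ldap ...".
# Added example, not IBM's code: it validates only the inputs this post
# describes (NetBIOS name rules, CA certificate, keytab) and touches no
# cluster state. MMFS_TMP defaults to the path the post uses.
MMFS_TMP="${MMFS_TMP:-/var/mmfs/tmp}"

# NetBIOS name: 1-15 ASCII characters, no whitespace, none of / : * ? . " ; |
check_netbios_name() {
    [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[ -~]{1,15}$' || return 1
    printf '%s\n' "$1" | grep -q '[[:space:]/:*?."; |]' && return 1
    return 0
}

# CA certificate for --enable-server-tls: readable PEM certificate that,
# when openssl is installed, parses and has not already expired.
check_ca_cert() {
    cert="${1:-$MMFS_TMP/ldap_cacert.pem}"
    [ -f "$cert" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$cert" || return 1
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Keytab for --enable-kerberos: keytab magic (05 02, or 05 01 for the old
# format) and root-only 0600 permissions, as in the stat output above.
check_keytab() {
    kt="${1:-$MMFS_TMP/krb5.keytab}"
    [ -f "$kt" ] || return 1
    magic=$(od -An -tx1 -N2 "$kt" | tr -d ' \n')
    [ "$magic" = "0502" ] || [ "$magic" = "0501" ] || return 1
    perm=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    [ "$perm" = "600" ] || return 1
}

# preflight MODE NETBIOS_NAME, where MODE is plain, tls, kerberos or tls+kerberos;
# run it on the protocol node before the matching mmuserauth command.
preflight() {
    check_netbios_name "$2" || { echo "bad NetBIOS name: $2" >&2; return 1; }
    case "$1" in *tls*)
        check_ca_cert || { echo "CA certificate check failed" >&2; return 1; } ;;
    esac
    case "$1" in *kerberos*)
        check_keytab || { echo "keytab check failed" >&2; return 1; } ;;
    esac
    return 0
}
```

A non-zero exit from preflight means the matching mmuserauth command would be run with a name or file that the post says must be fixed first.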
