An LDAP server can be used for both authentication and ID mapping. Ensure that the LDAP server is set up correctly with the required schemas to handle the authentication and ID mapping requests; see "Setting up LDAP server prerequisites" for more on the prerequisites for integrating an LDAP server with the IBM Spectrum Scale™ system. If you need to support SMB data access, the LDAP schema must be extended before configuring authentication; for more information, see "Updating LDAP user information with Samba attributes".
Based on the level of security required, the following configurations are possible:
- LDAP
- LDAP with TLS
- LDAP with Kerberos
- LDAP with TLS and Kerberos

LDAP
In this method, IBM Spectrum Scale™ is configured with LDAP alone, without TLS or Kerberos. It is the least secure of the four options: the LDAP simple bind that the system performs with the --user-name and --password credentials, and every subsequent user and group lookup, travel over the network in cleartext, so anyone able to observe the traffic between the protocol nodes and the LDAP server can capture the bind password and the directory data. Use it only on a trusted network, or prefer one of the configurations described later in this post. The basic command needed to configure plain LDAP is explained below.
Command to Configure with LDAP
Issue the "mmuserauth service create" command as shown in the following example:
# mmuserauth service create --type ldap --data-access-method file --servers myLDAPServer --netbios-name specscale --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password myPassword
Here,
--type - Type of authentication; here it is ldap.
--data-access-method - The data access method; in this case file.
--servers - Host name or IP address of the LDAP server. Multiple LDAP servers can be specified.
--netbios-name - A unique identifier on the network. The NetBIOS name is limited to 15 ASCII characters and must not contain white space or any of the following characters: / : * ? . " ; |
The NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Spectrum Scale™ clusters, or between the AD domain and the NetBIOS name, the configuration does not work properly.
--base-dn - The LDAP base DN of the authentication server.
--user-name - The user name (bind DN) used to perform operations against the authentication server. The user specified must have sufficient permissions to read user and group attributes from the authentication server. Read access is all that is needed, so prefer a dedicated read-only bind account over a directory administrator such as an OpenLDAP rootdn.
--password - The password for the user specified in --user-name. Note that it is passed on the command line and therefore lands in the shell history of the node.
See the mmuserauth man page for more information on the different parameters that can be used and their details.
If successful, the system displays the following output:
File Authentication configuration completed successfully.
Verify the authentication configuration by issuing the following command:
# mmuserauth service list
The system displays the following output:
FILE access configuration : LDAP
PARAMETERS VALUES
-------------------------------------------------
ENABLE_SERVER_TLS false
ENABLE_KERBEROS false
USER_NAME cn=manager,dc=example,dc=com
SERVERS myLDAPServer
NETBIOS_NAME specscale
BASE_DN dc=example,dc=com
USER_DN none
GROUP_DN none
NETGROUP_DN none
USER_OBJECTCLASS posixAccount
GROUP_OBJECTCLASS posixGroup
USER_NAME_ATTRIB cn
USER_ID_ATTRIB uid
KERBEROS_SERVER none
KERBEROS_REALM none
OBJECT access not configured
PARAMETERS VALUES
-------------------------------------------------
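As an added example (not part of the original post or of IBM's tooling), the following POSIX shell script checks two of the inputs above before they reach mmuserauth: it applies the --netbios-name rule exactly as stated (at most 15 ASCII characters, no white space, none of / : * ? . " ; |), and it confirms that the --user-name identity can actually bind and read posixAccount entries under --base-dn, reading the bind password from a file rather than the command line so it does not show up in the process list or shell history. The function names, the use of ldapsearch from the OpenLDAP client tools and StartTLS via -ZZ are assumptions of mine; mmuserauth itself is not invoked.

```shell
#!/bin/sh
# Added example, not from the original post or from IBM: two pre-flight checks
# for the values passed to "mmuserauth service create --type ldap".

# check_netbios_name NAME
#   Applies the --netbios-name rule: at most 15 ASCII characters, no white
#   space and none of  / : * ? . " ; |
#   Returns 0 when the name is acceptable, 1 (with a reason on stderr) otherwise.
check_netbios_name() {
    name=$1
    if [ -z "$name" ]; then
        echo "netbios name is empty" >&2; return 1
    fi
    # Byte count; non-ASCII is rejected below, so bytes equal characters here.
    len=$(( $(printf '%s' "$name" | wc -c) ))
    if [ "$len" -gt 15 ]; then
        echo "netbios name '$name' has $len characters, maximum is 15" >&2; return 1
    fi
    # tr -cd keeps only the bytes in the set, so any output is a violation.
    if [ -n "$(printf '%s' "$name" | LC_ALL=C tr -cd '[:space:]')" ]; then
        echo "netbios name '$name' contains white space" >&2; return 1
    fi
    if [ -n "$(printf '%s' "$name" | LC_ALL=C tr -cd '/:*?.";|')" ]; then
        echo "netbios name '$name' contains one of / : * ? . \" ; |" >&2; return 1
    fi
    # Delete the printable ASCII range (octal 041-176); anything left over is a
    # control character or a byte of a non-ASCII (multi-byte) character.
    if [ -n "$(printf '%s' "$name" | LC_ALL=C tr -d '\041-\176')" ]; then
        echo "netbios name '$name' contains non-ASCII or control characters" >&2; return 1
    fi
    return 0
}

# check_bind_can_read_users SERVER BIND_DN PASSWORD_FILE BASE_DN
#   Online check (needs ldapsearch and network access): bind as the --user-name
#   identity and read one posixAccount entry with the attributes ID mapping
#   relies on. The password comes from a file (-y) so it never appears in the
#   process list; create it with  printf '%s' 'secret' > file  (no newline,
#   ldapsearch uses the file's complete contents). -ZZ forces StartTLS so the
#   simple-bind password is not sent in clear; for an LDAPS-only server use
#   ldaps://SERVER and drop -ZZ.
check_bind_can_read_users() {
    server=$1; binddn=$2; passfile=$3; basedn=$4
    # -z 1 makes ldapsearch stop (exit status 4, size limit exceeded) after one
    # entry, so judge success by the attributes returned, not the exit status.
    out=$(ldapsearch -x -LLL -H "ldap://$server" -ZZ -D "$binddn" -y "$passfile" \
          -b "$basedn" -z 1 '(objectClass=posixAccount)' uid uidNumber gidNumber 2>&1) || true
    if printf '%s\n' "$out" | grep -q '^uidNumber:'; then
        echo "bind as $binddn OK, posixAccount entries readable under $basedn"
        return 0
    fi
    echo "bind or search as $binddn failed: $out" >&2
    return 1
}
```

Run check_netbios_name on the value you intend to pass before the mmuserauth call; the bind check is worth running once against each server listed in --servers, because a bind account that works on one replica but lacks read ACLs on another shows up later as intermittent ID mapping failures.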
LDAP with TLS
Using TLS with LDAP gives you an encrypted and authenticated channel between the IBM Spectrum Scale™ system and the LDAP server, so the bind password and the user and group data are not exposed on the network.
Transport Layer Security (TLS) is the IETF successor to the Secure Sockets Layer (SSL); unless qualified with specific version numbers, the two terms are generally used interchangeably. LDAP servers use TLS to provide integrity and confidentiality protection for the connection and to support LDAP authentication with the SASL EXTERNAL mechanism (RFC 4513). TLS 1.1 is defined in RFC 4346; later versions are defined in RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3). TLS uses certificates to carry client and server identities. All servers are required to have valid certificates, whereas client certificates are optional. The protection only holds if the client verifies the server certificate against a CA it trusts, which is why the CA certificate below must be in place before you enable TLS: with a missing or wrong CA, a system in the middle could present its own certificate and read or alter the bind and lookup traffic.
IMPORTANT: Ensure that the CA certificate for the LDAP server is placed in the /var/mmfs/tmp directory with the name ldap_cacert.pem, specifically on the protocol node where the command is run.
Validate that the CA certificate is available with the expected name at the required location, as shown in the following example:
# stat /var/mmfs/tmp/ldap_cacert.pem
File: /var/mmfs/tmp/ldap_cacert.pem
Size: 2130 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 103169903 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: unconfined_u:object_r:user_tmp_t:s0
Access: 2015-01-23 12:37:34.088837381 +0530
Modify: 2015-01-23 12:16:24.438837381 +0530
Change: 2015-01-23 12:16:24.438837381 +0530
Now issue the "mmuserauth service create" command as shown in the following example:
# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password secret --netbios-name specscale --enable-server-tls
Here,
--enable-server-tls - configures LDAP with TLS, provided the CA certificate exists at the required path and is valid.
The "mmuserauth service list" command confirms that TLS is enabled:
# mmuserauth service list
The system displays the following output:
FILE access configuration : LDAP
PARAMETERS VALUES
-------------------------------------------------
ENABLE_SERVER_TLS true
...
....
-------------------------------------------------
LDAP with Kerberos
Using Kerberos with LDAP adds a further layer of security. Kerberos is a network authentication protocol that authenticates users with tickets issued by a Key Distribution Center (KDC), so user passwords are never sent over the network to the IBM Spectrum Scale™ system. In this configuration Kerberos authenticates the NFS and SMB clients, while LDAP continues to supply the user and group information for ID mapping. Note that Kerberos does not by itself protect the lookups between the protocol nodes and the LDAP server (ENABLE_SERVER_TLS remains false in the output below); combine it with TLS, as described in the last section, if that traffic also needs protection. LDAP with Kerberos is typically used where an MIT KDC infrastructure already exists and is used by other Kerberized applications, or if you want Kerberized NFS and SMB access for higher security.
It is assumed that the LDAP server is set up with the required schemas installed to handle the authentication and ID mapping requests. If you need to support SMB data access, the LDAP schema must be extended to store additional attributes, such as the SID and the Windows password hash, on the POSIX user object. See "Understanding Prerequisite for configuring Kerberos-based SMB access" for details.
IMPORTANT: Ensure that the keytab file is also placed in the /var/mmfs/tmp directory with the name krb5.keytab on the node where the command is run. The keytab contains the long-term keys of the service principals, so it must be readable by root only (mode 0600, as in the output below); anyone who can read it can impersonate the service. Validate that the keytab file is available with the expected name at the required location:
# stat /var/mmfs/tmp/krb5.keytab
File: /var/mmfs/tmp/krb5.keytab
Size: 502 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 103169898 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Context: unconfined_u:object_r:user_tmp_t:s0
Access: 2015-01-23 14:31:18.244837381 +0530
Modify: 2015-01-23 12:45:05.475837381 +0530
Change: 2015-01-23 12:45:05.476837381 +0530
Birth: -
Now issue the "mmuserauth service create" command as shown in the following example:
# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password myPassword --netbios-name specscale --enable-kerberos --kerberos-server myKerberosServer --kerberos-realm example.com
Here,
--enable-kerberos - configures LDAP with Kerberos, provided the keytab exists at the required path and is valid.
--kerberos-server - Host name or IP address of the Kerberos server (KDC).
--kerberos-realm - The Kerberos realm. Realm names are case-sensitive, so the value must match exactly what the KDC and the principals in the keytab use.
The "mmuserauth service list" command confirms that Kerberos is enabled:
# mmuserauth service list
The system displays the following output:
FILE access configuration : LDAP
PARAMETERS VALUES
-------------------------------------------------
ENABLE_SERVER_TLS false
ENABLE_KERBEROS true
...
....
-------------------------------------------------
LDAP with Kerberos and TLS
Follow the steps of both LDAP with TLS and LDAP with Kerberos, and ensure that both the CA certificate for the LDAP server (ldap_cacert.pem) and the keytab file (krb5.keytab) are placed in the /var/mmfs/tmp directory on the node where the command is run.
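The following POSIX shell script is an added example, not code from the original post or from IBM, that performs the two pre-flight checks the TLS and Kerberos sections above ask for before you run mmuserauth with --enable-server-tls and --enable-kerberos: ldap_cacert.pem must be a readable, parsable and unexpired PEM certificate, and krb5.keytab must be present, non-empty and readable by root only. It also includes an online helper that validates the LDAP server's certificate chain against that CA with openssl s_client. The function names, the MMFS_TMP override variable and the assumption that the server speaks LDAPS on port 636 are mine; the files used when testing it are constructed placeholders, not real certificates or keytabs.

```shell
#!/bin/sh
# Added example, not from the original post or from IBM: pre-flight checks for
# the two files that "mmuserauth service create ... --enable-server-tls
# --enable-kerberos" expects under /var/mmfs/tmp on the node where it runs.
# MMFS_TMP is an override hook for testing (assumption); the real path is fixed.
MMFS_TMP=${MMFS_TMP:-/var/mmfs/tmp}

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ca_cert [FILE]
#   ldap_cacert.pem must be a readable PEM certificate that has not expired.
#   Without a trusted CA the TLS session cannot authenticate the LDAP server,
#   so a missing or wrong file silently undermines --enable-server-tls.
check_ca_cert() {
    f=${1:-$MMFS_TMP/ldap_cacert.pem}
    [ -r "$f" ] || { echo "$f: missing or unreadable" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "$f: not a PEM certificate" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        # -checkend 0 fails if the certificate has already expired
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 \
            || { echo "$f: unparsable or expired certificate" >&2; return 1; }
        echo "CA certificate OK: $(openssl x509 -in "$f" -noout -subject)"
    fi
    return 0
}

# check_keytab [FILE]
#   krb5.keytab holds the long-term keys of the service principals; anyone who
#   can read it can impersonate the service. Require a non-empty file with
#   mode 0600 (the mode shown in the stat output above) and warn if the owner
#   is not root.
check_keytab() {
    f=${1:-$MMFS_TMP/krb5.keytab}
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    [ -s "$f" ] || { echo "$f: empty" >&2; return 1; }
    mode=$(file_mode "$f")
    [ "$mode" = "600" ] || { echo "$f: mode $mode, expected 600" >&2; return 1; }
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    [ "$owner" = "0" ] || echo "warning: $f is owned by uid $owner, not root" >&2
    if command -v klist >/dev/null 2>&1; then
        # list the principals so you can confirm this node's service keys are present
        klist -k "$f" 2>/dev/null || echo "warning: klist could not parse $f" >&2
    fi
    return 0
}

# verify_ldap_tls HOST [PORT]
#   Online check (not run offline): confirm that the LDAP server presents a
#   chain that validates against ldap_cacert.pem. Assumes LDAPS on port 636;
#   for StartTLS on 389 add "-starttls ldap" (OpenSSL 1.1.1 or later).
verify_ldap_tls() {
    host=$1; port=${2:-636}
    openssl s_client -connect "$host:$port" -CAfile "$MMFS_TMP/ldap_cacert.pem" \
        -verify_return_error </dev/null >/dev/null 2>&1 \
        || { echo "$host:$port: chain does not validate against ldap_cacert.pem" >&2; return 1; }
    echo "$host:$port: certificate chain validates against ldap_cacert.pem"
}

# preflight: run both file checks; returns non-zero if either fails.
preflight() {
    rc=0
    check_ca_cert || rc=1
    check_keytab || rc=1
    return $rc
}
```

Run preflight as root on the protocol node immediately before the mmuserauth command, and verify_ldap_tls against each host in --servers; a chain that fails here will fail inside the TLS-enabled configuration as well, only less visibly.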
Issue the "mmuserauth service create" command as shown in the following example:
# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password myPassword --netbios-name specscale --enable-server-tls --enable-kerberos --kerberos-server myKerberosServer --kerberos-realm example.com
To verify the authentication configuration, issue the "mmuserauth service list" command as shown in the following example:
# mmuserauth service list
FILE access configuration : LDAP
PARAMETERS VALUES
-------------------------------------------------
ENABLE_SERVER_TLS true
ENABLE_KERBEROS true
USER_NAME cn=manager,dc=example,dc=com
SERVERS myLDAPserver
NETBIOS_NAME specscale
BASE_DN dc=example,dc=com
USER_DN none
GROUP_DN none
NETGROUP_DN none
USER_OBJECTCLASS posixAccount
GROUP_OBJECTCLASS posixGroup
USER_NAME_ATTRIB cn
USER_ID_ATTRIB uid
KERBEROS_SERVER myKerberosServer
KERBEROS_REALM example.com
OBJECT access not configured
PARAMETERS VALUES
-------------------------------------------------
Tags: #IBMSpectrumScale #LDAPAuthentication #Softwaredefinedstorage #IBMSoftwareDefinedStorage #ibmstorage