Configuring authentication for object access
Configuring authentication for object access by using the command line utility
- By using the spectrumscale installation toolkit
- By using the mmuserauth command in the command line utility
- Active Directory (AD)
- LDAP
- Local authentication
- User-defined (external keystone)
The AD-based and LDAP-based authentication methods use an external AD and LDAP server respectively to manage the authentication. Local authentication is handled by a Keystone server that resides within the IBM Spectrum Scale™ system.
The IBM Spectrum Scale system installation process configures Keystone server that is required for object access. By default the IBM Spectrum Scale installation process configures object authentication with a local Keystone authentication method. If you have an existing Keystone server that you want to use, specify that it be used for authentication.
Before you configure object authentication method, ensure that the Keystone Identity service is properly configured.
Before you start manually configuring authentication method for object access, ensure that the openldap-clients RPM is installed.
The mapping between user, role, and tenant is stored in the Keystone database. If you switch from one authentication type to another you must delete the existing mapping definitions by running the mmuserauth service remove --idmapdelete command.
mmuserauth service check --data-access-method object -N cesNodes
If the
mmuserauth service check command reports that any certificate file is missing on
any of the nodes, then run the following
command:mmuserauth service check --data-access-method object -N cesNodes --rectify
For more information about mmuserauth service check, see the
topic mmuserauth command.