Modifying the authentication method

If data already exists that was created under the current authentication and ID mapping method, it is not recommended to change the authentication or ID mapping mode. Changing the authentication method might also invalidate the existing ACLs on files and directories, because ACLs depend on the preexisting user and group IDs.

To modify the authentication method, perform the following steps:
  1. List the existing file and object authentication configuration by using the mmuserauth service list command.
  2. Identify the parameters that you need to change. If an authentication method and ID maps already exist, do not plan to change the authentication type or the ID mapping scheme. If you remove the existing authentication method and ID maps, the users and groups who were accessing the data can no longer access it.

    The following list provides the parameters that can be modified in each authentication configuration.

    For file authentication:
    • With LDAP authentication, all attributes of the configuration can be modified. When changing authentication servers, ensure that the newly specified servers are replicas of the original servers; otherwise, access to data might be lost.
    • With AD authentication, all attributes of the configuration can be modified. When changing the authentication server, ensure that the newly specified server is a domain controller in the same AD domain that is served by the original server; otherwise, access to data might be lost. If UNIX ID maps are specified in the current configuration and new AD domains are to be added, you must specify the current list of domains along with the new domains.
    • With NIS authentication, all attributes of the configuration can be modified. When changing servers, ensure that the newly specified servers serve the same NIS domain as the original servers; otherwise, access to data might be lost.

    For object authentication:

    You can change all options except the --data-access-method and --type parameters.

  3. Clean up the existing authentication by using the mmuserauth service remove command. Do not specify the --idmapdelete option, because it results in loss of access to data.
  4. Issue the mmuserauth service create command with the required parameter change, ensuring that you use the same authentication type, ID mapping scheme, and authentication servers.
  5. List the authentication configuration by using the mmuserauth service list command to verify the change.
  6. Ensure that the authentication is consistent across the cluster by using the mmuserauth service check command.
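As an added example (not IBM's code), a small POSIX shell pre-flight check for steps 3 and 4: it parses a constructed mmuserauth service list listing and rejects a remove that carries --idmapdelete, a create that changes --type, or a create whose --unixmap-domains drops a currently mapped domain. The listing layout and the DOMAIN(lo-hi);DOMAIN2(lo-hi) value format are assumptions, not taken from this page.

```shell
#!/bin/sh
# Pre-flight guard for the procedure above (added example, not IBM's code). Assumes
# `mmuserauth service list` prints "FILE access configuration : <TYPE>" followed by
# PARAMETER/VALUE rows, and that UNIXMAP_DOMAINS reads "none" or "DOM(lo-hi);DOM2(lo-hi)".
# Constructed sample of `mmuserauth service list` output, not captured from a real cluster.
SAMPLE_LIST='FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
SERVERS                  dc1.example.com
NETBIOS_NAME             cluster1
UNIXMAP_DOMAINS          CORP(10000-50000)'
# current_type LIST_OUTPUT -> configured file authentication type, lower-cased (ad, ldap, nis)
current_type() {
    printf '%s\n' "$1" | sed -n 's/^FILE access configuration : *//p' | tr 'A-Z' 'a-z'
}
# current_param LIST_OUTPUT NAME -> value column of one PARAMETERS row
current_param() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }'
}
# check_remove_args ARGS... -> 1 if the planned `mmuserauth service remove` carries --idmapdelete
check_remove_args() {
    for a in "$@"; do [ "$a" = --idmapdelete ] && { echo "refusing: --idmapdelete"; return 1; }; done
    echo "ok: ID maps are kept"
}
# check_create_args LIST_OUTPUT ARGS... -> 0 only if the planned `mmuserauth service create`
# keeps the current --type and lists every currently UNIX-mapped domain again.
check_create_args() {
    list=$1; shift
    cur_type=$(current_type "$list"); new_type=$cur_type; new_domains=""
    while [ $# -gt 0 ]; do
        case $1 in
            --type) new_type=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); shift ;;
            --unixmap-domains) new_domains=$2; shift ;;
        esac
        shift
    done
    [ "$new_type" = "$cur_type" ] ||
        { echo "refusing: type $cur_type -> $new_type breaks existing ID maps"; return 1; }
    cur_domains=$(current_param "$list" UNIXMAP_DOMAINS)
    if [ "$cur_domains" != none ] && [ -n "$new_domains" ]; then
        for d in $(printf '%s' "$cur_domains" | sed 's/([^)]*)//g' | tr ';' ' '); do
            case ";$new_domains" in *";$d("*) ;; *)
                echo "refusing: current domain $d missing from --unixmap-domains"; return 1 ;;
            esac
        done
    fi
    echo "ok: type $cur_type and ID mapping preserved"
}
```

Run the two checks against the live listing (replace SAMPLE_LIST with the output of mmuserauth service list) before issuing the remove and create commands.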