Including or excluding user groups

When your Linux® management hosts use either Microsoft Active Directory (AD) or MIT Kerberos as the KDC, include or exclude user groups to limit users that are added to the cluster.

Before you begin

Users and user groups must be automatically added to the cluster. To enable users and user groups to be added automatically, one of the following parameters must be configured on management hosts:

Procedure

  1. To limit users added to the cluster, include or exclude user groups by configuring either the INCLUDED_USERGROUP or EXCLUDED_USERGROUP parameter in the sec_ego_gsskrb.conf file on each management host:

    Configure only one of the two parameters to limit the users that are added to IBM Spectrum Symphony. If both parameters are configured, neither parameter takes effect.

    • INCLUDED_USERGROUP: Specify the user groups to load to IBM Spectrum Symphony, in the format groupname1,groupname2,.... Only users belonging to the specified user groups are loaded; if the group contains subgroups, the subgroups and users in the subgroups are not loaded. When FOLLOW_GETENT_GROUP=Y, only users that can be shown as members of a group with the getent group groupname command are considered as belonging to the user group. For example:
      INCLUDED_USERGROUP=testGroup,testGroup2
    • EXCLUDED_USERGROUP: Specify the user groups from which users must not be loaded, in the format groupname1,groupname2,.... When FOLLOW_GETENT_GROUP=Y, only users that can be shown as members of a group with the getent group groupname command are considered as belonging to the user group.
  2. Optional: To strictly follow the output of the getent group groupname command to identify members of a user group, configure the FOLLOW_GETENT_GROUP parameter based on your environment in the sec_ego_gsskrb.conf file on each management host. If the command in your environment returns all users that should be considered members of the group, set FOLLOW_GETENT_GROUP to Y.

    Valid values are Y, to include only users who are shown as members of a group by the getent group groupname command, or N, to include both users who are shown as members of a group by the getent group groupname command and users who have this user group as their primary group. For example:

    FOLLOW_GETENT_GROUP=Y
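
The following audit sketch is an added example, not IBM code. It flags the case where both filters are set (so neither takes effect) and shows which users a filter matches under FOLLOW_GETENT_GROUP=Y versus N. It assumes plain KEY=VALUE lines with # comments, treats an unset FOLLOW_GETENT_GROUP as N, and uses constructed getent output; all function and variable names are hypothetical.

```python
# Added example: offline audit of the group filters in sec_ego_gsskrb.conf.
# Assumptions: KEY=VALUE lines, '#' comments, unset FOLLOW_GETENT_GROUP treated as N.

def parse_conf(text):
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def group_members(group, group_db, passwd_db, follow_getent):
    """Users counted as members of `group` for FOLLOW_GETENT_GROUP=Y or N."""
    members, gid = set(), None
    for entry in group_db.strip().splitlines():
        name, _pw, entry_gid, users = entry.split(":")
        if name == group:
            gid = entry_gid
            members.update(u for u in users.split(",") if u)
    if not follow_getent and gid is not None:
        # N also counts users whose primary group (passwd field 4) is this group.
        for entry in passwd_db.strip().splitlines():
            fields = entry.split(":")
            if fields[3] == gid:
                members.add(fields[0])
    return members

def audit(conf_text, group_db, passwd_db):
    """Return (mode, users matched by the configured filter)."""
    conf = parse_conf(conf_text)
    included = [g for g in conf.get("INCLUDED_USERGROUP", "").split(",") if g]
    excluded = [g for g in conf.get("EXCLUDED_USERGROUP", "").split(",") if g]
    if included and excluded:
        return "conflict", set()  # both set: neither parameter takes effect
    follow = conf.get("FOLLOW_GETENT_GROUP", "N").upper() == "Y"
    mode, groups = ("include", included) if included else ("exclude", excluded)
    if not groups:
        return "none", set()
    users = set()
    for group in groups:
        users |= group_members(group, group_db, passwd_db, follow)
    return mode, users

# Constructed sample data in `getent group` / `getent passwd` format.
GROUP_DB = "testGroup:x:5001:alice,bob\ntestGroup2:x:5002:carol\n"
PASSWD_DB = ("alice:x:1001:5001::/home/alice:/bin/bash\n"
             "dave:x:1004:5001::/home/dave:/bin/bash\n")
CONF = "INCLUDED_USERGROUP=testGroup,testGroup2\nFOLLOW_GETENT_GROUP=Y\n"

if __name__ == "__main__":
    print(audit(CONF, GROUP_DB, PASSWD_DB))
```

In the sample, dave has testGroup only as his primary group, so he is matched when FOLLOW_GETENT_GROUP=N but not when it is Y.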

What to do next

For a sample scenario, see Using additional configuration for a Linux cluster (MIT Kerberos as KDC).