Configuring external authentication for GUI users

You can manage administrative users either locally within the system or in an external authentication server such as Microsoft Active Directory (AD) or Lightweight Directory Access Protocol Server (LDAP). By default, the IBM Spectrum Scale uses an internal authentication repository for administrative GUI users.

Perform the following steps to configure an external LDAP-based authentication method for authenticating the GUI users:
  1. Go to Services > GUI page in the IBM Spectrum Scale GUI.
  2. Click External Authentication.
  3. Click Configure External Authentication. The Configure LDAP-Based External Authentication wizard appears.
  4. Select an external authentication repository from the Repository type field.
    You can store the user credentials in the following repository types:
    • Microsoft Active Directory
    • IBM® Lotus Domino
    • IBM SecureWay Directory Server
    • IBM Tivoli® Directory Server
    • Netscape Directory Server
    • Novell eDirectory
    • Sun Java™ System Directory Server
    • Custom
    Note: This procedure explains how to configure the authentication method by using Microsoft Active Directory as the repository type.
  5. Click Next.
  6. Type the LDAP server IP address or host name in the Server field.
  7. Type the port number in the Port field.
  8. Specify the BaseDN string for the repository in the Base DN field.
  9. Specify the BindDN string that is used for searching the authentication user, in the Bind DN field.
  10. Type the password of the authentication user in the Bind DN password field.
  11. Select the Use SSL certificate checkbox if you want to use an SSL certificate to secure the connection between the GUI server and the external authentication server. If you select this option, upload the keystore file and type the keystore password in the Keystore password field.
  12. Select the Use truststore checkbox. If you select this option, upload the truststore file and type the truststore password in the Truststore password field.
    Note: The truststore file is located at /opt/IBM/wlp/usr/servers/gpfsgui/resources/security.
  13. Click Next. The Search Settings page of the Configure LDAP-Based External Authentication wizard appears. The fields are already populated with default values from the Account Name template. If necessary, you can modify the values.
  14. Type the filter clause for searching the user registry for users, in the User filter field.
  15. Type the filter that maps the name of a user to an LDAP entry, in the User ID map field.
  16. Type the filter clause for searching the user registry for groups, in the Group filter field.
  17. Type the filter that maps the name of a group to an LDAP entry, in the Group ID map field.
  18. Specify the filter that identifies user to group memberships, in the Group member ID map field.
  19. Select the Use recursive search checkbox to enable the nested group search.
    Note: A recursive search identifies all the nested groups that are mapped to the GUI group to which an external LDAP user belongs. GUI authentication works for all users who are assigned to either the sub-groups or the main group of the nested group structure.
  20. Apply the User Principal Name template if required. Accordingly, the values that you entered in the various fields of the Search Settings page of the wizard change.
  21. Click Next after making changes. The Summary page of the wizard appears.
  22. Review the configuration details and click Finish.
An LDAP-based external authentication method is configured for the GUI users. Configuring an external authentication method for the GUI users prompts the system to log out the already logged-in GUI users. You need to log in to the system again.

You can log in to the IBM Spectrum Scale GUI and create group mappings through the GUI on the Services > GUI > Users page by using the Create Group Mapping option.

You can edit or delete the external authentication by using the Edit and Delete options that are available in the Services > GUI > External Authentication page of the GUI.

Configuring external authentication by using CLI

Perform the following steps to configure external authentication by using CLI:

  1. Create your AD or LDAP configuration by issuing the mkldap command at the following location: /usr/lpp/mmfs/gui/cli/mkldap.

    This command writes the configuration automatically to /opt/ibm/wlp/usr/servers/gpfsgui/ldap.xml, which is then distributed across all GUI nodes. For secure AD or LDAP connection, make sure that the keystores are present on the respective GUI nodes.

    The mkldap command accepts the following parameters.
    Table 1. mkldap command parameters
    Parameters Description 
    id
    		 Unique ID of the LDAP configuration. 
    --host
    		 The IP address or host name of the LDAP server. 
    --baseDn
    		 BaseDn string for the repository. 
    --bindDn
    		 BindDn string for the authentication user. 
    --bindPassword
    		 Password of the authentication user. 
    --port
    		 Port number of the LDAP. Default is 389 or 636 over SSL. 
    --type
    		 Repository type such as "Microsoft Active Directory, ids, domino, secureway, iplanet, netscape, edirectory" or "custom". Default value is "Microsoft Active Directory". 
    --connectTimeout 
    		 Maximum time for establishing a connection with the LDAP server. Default value is 1 m. 
    --searchTimeout
    		 Maximum time for an LDAP server to respond before a request is canceled. Default value is 1 m. 
    --keystore
    		 Location with file name of the keystore file (.jks, .p12 or .pfx). 
    --keystorePassword
    		 Password of the keystore. 
    --truststore
    		 Location with file name of the truststore file (.jks, .p12 or .pfx). 
    --truststorePassword
    		 Password of the truststore. 
    --userFilter
    		 User filter for the LDAP repository. 
    --userIdMap
    		 User ID map for the LDAP repository. 
    --groupFilter
    		 Group filter for the LDAP repository. 
    --groupIdMap
    		 Group ID map for the LDAP repository. 
    --groupMemberIdMap
    		 Group member ID map for the LDAP repository.
    Example for standard AD
    mkldap myad --host 9.155.106.19 --bindDn CN=Administrator,CN=Users,DC=mydomain,DC=local 
--baseDn CN=Users,DC=mydomain,DC=local
    Example for secure AD
    mkldap mysecuread --host 9.155.106.19 --bindDn CN=Administrator,CN=Users,DC=mydomain,DC=local 
--baseDn CN=Users,DC=mydomain,DC=local --keystore /tmp/ad.jks

    If you specify multiple AD or LDAP servers, you might encounter a problem that a user with the same user name exists in multiple user repositories. This user cannot be able to log in. To prevent this situation, you can specify LDAP filters for User Principal Names (UPN) for a selected server configuration.

    Example for a scenario where UPN filters are enabled
    mkldap myfilteredad --host 9.155.106.19 --bindDn CN=Administrator,CN=Users,DC=mydomain,DC=local 
--baseDn CN=Users,DC=mydomain,DC=local --userFilter "(&(userPrincipalName=%v)(objectcategory=person))" 
--groupFilter "(&(cn=%v)(objectcategory=group))" --userIdMap "*:userPrincipalName" 
--groupIdMap "*:cn" --groupMemberIdMap "memberOf:member"
  2. Map an existing AD or LDAP group to the SecurityAdmin GUI role as shown in the following example:
    /usr/lpp/mmfs/gui/cli/mkusergrp LDAPGroup --role securityadmin

    Now you can log in with your AD or LDAP user and create more group mappings through the GUI on the Services > GUI > Users page by using the Create Group Mapping option.

    If you want to remove the existing configurations, use the rmldap command. To see all specified LDAP configurations, issue the lsldap command.

Note: Configurations that are managed by mkldap and rmldap commands are not overwritten during the upgrade. That is you do not need to back up the configuration data.