Configuring AD with TLS for object access

Configuring Active Directory (AD) with Transport Layer Security (TLS) encrypts the LDAP communication between the IBM Storage Scale system and the AD server, so that bind credentials and directory lookups are not sent in clear text.

To configure AD with TLS as the authentication method for object access, complete the following steps:
  1. Place the CA certificate for the AD server in the /var/mmfs/tmp directory with the file name ldap_cacert.pem on the protocol node where the command is run. Confirm that the CA certificate exists with that name at that location, as shown in the following example:
    # stat /var/mmfs/tmp/ldap_cacert.pem
    File: /var/mmfs/tmp/ldap_cacert.pem
    Size: 2130 Blocks: 8 IO Block: 4096 regular file
    Device: fd00h/64768d Inode: 103169903 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
    Context: unconfined_u:object_r:user_tmp_t:s0
    Access: 2015-01-23 12:37:34.088837381 +0530
    Modify: 2015-01-23 12:16:24.438837381 +0530
    Change: 2015-01-23 12:16:24.438837381 +0530
  2. Run the following command to configure AD with TLS authentication for object access:
    # mmuserauth service create --type ad --data-access-method object \
    --user-name "cn=Administrator,cn=Users,dc=IBM,dc=local" \
    --base-dn "dc=IBM,DC=local" --enable-server-tls --ks-dns-name cluster-ces-ip.ibm \
    --ks-admin-user admin --servers myADserver --user-id-attrib cn \
    --user-name-attrib sAMAccountName --user-objectclass organizationalPerson \
    --user-dn "cn=Users,dc=IBM,dc=local" --ks-swift-user swift

    The system displays the following output:
    Object configuration with LDAP (Active Directory) as identity 
    backend is completed successfully.
    Object Authentication configuration completed successfully.
  3. Run the following command to verify the authentication configuration and confirm that ENABLE_SERVER_TLS is listed as true:
    # mmuserauth service list
    The system displays the following output:
    FILE access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
    OBJECT access configuration: AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        true
    ENABLE_KS_SSL            false
    USER_NAME                cn=Administrator,cn=Users,dc=IBM,dc=local
    SERVERS                  myADserver
    BASE_DN                  dc=IBM,DC=local
    USER_DN                  cn=users,dc=ibm,dc=local
    USER_OBJECTCLASS         organizationalPerson
    USER_NAME_ATTRIB         sAMAccountName
    USER_ID_ATTRIB           cn
    USER_MAIL_ATTRIB         mail
    USER_FILTER              none
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            admin
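
The following shell helpers are an added example and are not part of the IBM documentation or the mmuserauth command. They script the two checks the procedure relies on: that the file placed in step 1 is a readable PEM certificate, and that the listing from step 3 shows the object backend as AD with server TLS enabled and anonymous bind disabled. The file paths and the sample listing embedded in sample_listing are constructed for illustration; on a protocol node you would pipe the real output of mmuserauth service list into a file and pass that file to check_object_tls.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-flight and post-configuration checks
# for the "AD with TLS for object access" procedure.

# check_ldap_cacert [FILE]
# Returns 0 when FILE (default: the path step 1 requires) is readable and
# contains at least one PEM certificate block; 1 if unreadable, 2 if not PEM.
check_ldap_cacert() {
    cert="${1:-/var/mmfs/tmp/ldap_cacert.pem}"
    [ -r "$cert" ] || { echo "CA cert not readable: $cert" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "CA cert is not PEM encoded: $cert" >&2; return 2; }
    return 0
}

# auth_param NAME FILE
# Prints the VALUES column for parameter NAME from the OBJECT section of a
# saved 'mmuserauth service list' output. Only the OBJECT section is read,
# so a FILE section that lists the same parameter names does not interfere.
auth_param() {
    awk -v key="$1" '
        /^OBJECT access configuration/ { inobj = 1 }
        inobj && $1 == key            { print $2; exit }
    ' "$2"
}

# check_object_tls FILE
# Returns 0 only when the object backend is AD, ENABLE_SERVER_TLS is true
# and ENABLE_ANONYMOUS_BIND is false; 1, 2 or 3 otherwise.
check_object_tls() {
    listing="$1"
    grep -q '^OBJECT access configuration: AD' "$listing" || return 1
    [ "$(auth_param ENABLE_SERVER_TLS "$listing")" = "true" ] || return 2
    [ "$(auth_param ENABLE_ANONYMOUS_BIND "$listing")" = "false" ] || return 3
    return 0
}

# sample_listing
# Constructed sample of 'mmuserauth service list' output, mirroring step 3.
sample_listing() {
    cat <<'EOF'
FILE access not configured
PARAMETERS               VALUES
-------------------------------------------------

OBJECT access configuration: AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        true
ENABLE_KS_SSL            false
USER_NAME                cn=Administrator,cn=Users,dc=IBM,dc=local
SERVERS                  myADserver
BASE_DN                  dc=IBM,DC=local
EOF
}
```

Usage on a protocol node: run `check_ldap_cacert` before step 2, then `mmuserauth service list > /tmp/auth.txt` and `check_object_tls /tmp/auth.txt` after it; a non-zero return code names which of the three conditions failed.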