Configuring LDAP with TLS for object access

Use the following steps to configure Lightweight Directory Access Protocol (LDAP) with TLS-based authentication for object access:

  1. Ensure that the CA certificate for the LDAP server is placed in the /var/mmfs/tmp directory with the name ldap_cacert.pem, specifically on the protocol node where the command is run. Validate that the CA certificate is available under the required name at the required location:
    # stat /var/mmfs/tmp/ldap_cacert.pem
    File: /var/mmfs/tmp/ldap_cacert.pem
    Size: 2130 Blocks: 8 IO Block: 4096 regular file
    Device: fd00h/64768d Inode: 103169903 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
    Context: unconfined_u:object_r:user_tmp_t:s0
    Access: 2015-01-23 12:37:34.088837381 +0530
    Modify: 2015-01-23 12:16:24.438837381 +0530
    Change: 2015-01-23 12:16:24.438837381 +0530
  2. To configure LDAP with TLS-based authentication for object access, run the mmuserauth service create command as shown in the following example:
    # mmuserauth service create --type ldap --data-access-method object \
    --user-name "cn=manager,dc=essldapdomain" \
    --base-dn dc=isst,dc=aus,dc=stglabs,dc=ibm,dc=com --enable-server-tls \
    --ks-dns-name cluster-ces-ip.ibm --ks-admin-user mamdouh --servers 192.0.2.11 \
    --user-dn "ou=People,dc=essldapdomain" --ks-swift-user swift
    The system displays the following output:
    Object configuration with LDAP as identity backend is completed successfully.
    Object Authentication configuration completed successfully.
  3. To verify the authentication configuration, run the mmuserauth service list command as shown in this example:
    # mmuserauth service list
    The system displays the following output:
    FILE access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
    OBJECT access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        true
    ENABLE_KS_SSL            false
    USER_NAME                cn=manager,dc=essldapdomain
    SERVERS                  192.0.2.11
    BASE_DN                  dc=isst,dc=aus,dc=stglabs,dc=ibm,dc=com
    USER_DN                  ou=people,dc=essldapdomain
    USER_OBJECTCLASS         posixAccount
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    USER_MAIL_ATTRIB         mail
    USER_FILTER              none
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            mamdouh
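The shell helper below is an added example and is not part of the IBM documentation or of the mmuserauth tool. It covers the two checkpoints of the procedure: before step 2 it validates that the CA certificate file from step 1 is a readable PEM file that other users cannot modify, and after step 3 it parses the mmuserauth service list output to confirm that object access is backed by LDAP with ENABLE_SERVER_TLS set to true (it also reports the ENABLE_KS_SSL value, which is false in the listing above). The function names and the world-writable check are this example's own, and the embedded sample listing is constructed from the output shown in step 3, not a live capture.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: a pre-flight check for step 1 and a
# post-check for step 3 of the procedure above. Function names are this example's own;
# mmuserauth itself is not invoked here.

# Location and file name required by step 1.
CACERT_PATH="/var/mmfs/tmp/ldap_cacert.pem"

# Step 1: the CA certificate must be a readable PEM file on the protocol node where
# mmuserauth service create will run, and must not be writable by other users (a
# writable trust anchor lets any local user substitute a CA and defeat server
# certificate verification). Prints the reason on stderr and returns 1 on failure.
check_ldap_cacert() {
    path="${1:-$CACERT_PATH}"
    if [ ! -f "$path" ]; then
        echo "missing or not a regular file: $path" >&2
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "not readable: $path" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$path"; then
        echo "no PEM certificate block in: $path" >&2
        return 1
    fi
    # Column 9 of "ls -ld" output is the "other write" permission bit.
    if [ "$(ls -ld "$path" | cut -c9)" = "w" ]; then
        echo "world-writable: $path" >&2
        return 1
    fi
    return 0
}

# Step 3: fetch one VALUES entry from the OBJECT section of "mmuserauth service list"
# output. $1 is the captured output, $2 the parameter name (for example ENABLE_SERVER_TLS).
# Only rows after the "OBJECT access configuration" line are considered, so a FILE
# section that uses the same parameter names cannot shadow the object values.
auth_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /OBJECT access configuration/ { in_obj = 1 }
        in_obj && $1 == key          { print $2; exit }'
}

# Confirms that object access is backed by LDAP and that the LDAP connection is
# TLS-protected, so the bind credentials for USER_NAME never cross the network in
# clear text. Returns 0 on success, 1 with the reason on stderr.
verify_object_tls() {
    out="$1"
    if ! printf '%s\n' "$out" | grep -q 'OBJECT access configuration : LDAP'; then
        echo "object access is not configured with LDAP" >&2
        return 1
    fi
    tls="$(auth_param "$out" ENABLE_SERVER_TLS)"
    if [ "$tls" != "true" ]; then
        echo "ENABLE_SERVER_TLS is '${tls:-unset}', expected true" >&2
        return 1
    fi
    # Informational only: TLS to the LDAP server says nothing about the Keystone (KS)
    # endpoint, which is a separate setting.
    ks="$(auth_param "$out" ENABLE_KS_SSL)"
    [ "$ks" = "true" ] || echo "note: ENABLE_KS_SSL is '${ks:-unset}'" >&2
    return 0
}

# Constructed sample modelled on the step 3 listing above (not a live capture).
SAMPLE_LIST_OUTPUT='FILE access not configured
PARAMETERS               VALUES
-------------------------------------------------

OBJECT access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        true
ENABLE_KS_SSL            false
USER_NAME                cn=manager,dc=essldapdomain
SERVERS                  192.0.2.11
BASE_DN                  dc=isst,dc=aus,dc=stglabs,dc=ibm,dc=com'

# Usage on a protocol node (uncomment to run against the live system):
#   check_ldap_cacert && verify_object_tls "$(mmuserauth service list)"
```

Source the file on the protocol node, run check_ldap_cacert before step 2, and pass the live mmuserauth service list output to verify_object_tls after step 3; a non-zero exit with the reason on stderr means the configuration does not match what the procedure expects.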