Authentication considerations
To enable read and write access to directories and files for the users on the IBM Storage Scale system, you must configure user authentication on the system. Only one user authentication method, and only one instance of that method, can be supported.
- ✓: Supported
- X: Not supported
- NA: Not applicable
Authentication method | ID-mapping method | File: SMB | File: SMB with Kerberos | File: NFSV3 | File: NFSV3 with Kerberos | File: NFSV4 | File: NFSV4 with Kerberos | Object |
---|---|---|---|---|---|---|---|---|
User-defined | User-defined | NA | NA | NA | NA | NA | NA | ✓ |
LDAP with TLS | LDAP | ✓ | NA | ✓ | NA | ✓ | NA | ✓ |
LDAP with Kerberos | LDAP | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | NA |
LDAP with Kerberos and TLS | LDAP | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | NA |
LDAP without TLS and without Kerberos | LDAP | ✓ | NA | ✓ | NA | ✓ | NA | ✓ |
LDAP with SSL | | NA | NA | NA | NA | NA | NA | ✓ |
AD | Automatic | ✓ | ✓ | X | X | X | X | ✓ |
AD | RFC2307 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
AD | LDAP | ✓ | ✓ | ✓ | X | X | X | ✓ |
AD with SSL | | NA | NA | NA | NA | NA | NA | ✓ |
AD with TLS | | NA | NA | NA | NA | NA | NA | ✓ |
Network Information Service (NIS) | NIS | NA | NA | ✓ | NA | ✓ | NA | NA |
Local | None | NA | NA | NA | NA | NA | NA | ✓ |
Local (OpenStack Keystone) | None | NA | NA | NA | NA | NA | NA | ✓ |
Local (OpenStack Keystone) with SSL | None | NA | NA | NA | NA | NA | NA | ✓ |
- NIS is not supported for Object protocol.
- NIS authentication is not supported for RHEL 9.
- When you use unified file and object access (serving the same data as both file and object), select the appropriate authentication service. For more information, see Administering unified file and object access.
- The ID-mapping option that is given in this table is only applicable for file access. Ignore the ID-mapping details that are listed in the table if you are looking for the supported configurations for object access.
- In the User-defined mode, the customer is free to choose the authentication and ID-mapping methods for file and object and to manage them on their own. That is, the administrator must configure the authentication outside of the IBM Storage Scale commands and ensure that it is common and consistent across the cluster.
- If LDAP-based authentication is used, ACL management for SMB is not supported.
- Object is configured with AD, and file is configured with the same AD, where the user or group ID is available on AD+RFC 2307.
- Object is configured with LDAP, and file is configured with the same LDAP, where the user or group ID is available on LDAP.

The authentication requests that are received from the client systems are handled by the corresponding services in the IBM Storage Scale system. For example, if a user needs to access the NFS data, the NFS services resolve the access request by interacting with the corresponding authentication and ID-mapping servers.
For more information about how to configure authentication, see Managing protocol user authentication.
For more planning information, for example, prerequisites, see Configuring authentication and ID mapping for file access.