Configuring LDAP with TLS and Kerberos for file access

You can configure LDAP with TLS and Kerberos as an authentication method for file access. Using Kerberos and TLS with LDAP provides maximum security for the communication channel between the IBM Storage Scale system and the LDAP server.

The following steps provide an example of how to configure LDAP with TLS and Kerberos as an authentication method for file access.
  1. Ensure that the CA certificate of the LDAP server is placed in the /var/mmfs/tmp directory under the name ldap_cacert.pem on the protocol node where the command is run. Verify that the CA certificate is available under the required name at the required location:
    # stat /var/mmfs/tmp/ldap_cacert.pem
    File: /var/mmfs/tmp/ldap_cacert.pem  
    Size: 2130 Blocks: 8 IO Block: 4096 regular file
    Device: fd00h/64768d Inode: 103169903 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
    Context: unconfined_u:object_r:user_tmp_t:s0
    Access: 2015-01-23 12:37:34.088837381 +0530
    Modify: 2015-01-23 12:16:24.438837381 +0530
    Change: 2015-01-23 12:16:24.438837381 +0530
  2. Ensure that the keytab file is placed in the /var/mmfs/tmp directory under the name krb5_scale.keytab on the node where the command is run. Verify that the keytab file is available under the required name at the required location:
    # stat /var/mmfs/tmp/krb5_scale.keytab
      File: /var/mmfs/tmp/krb5_scale.keytab
      Size: 1490      Blocks: 8          IO Block: 4096   regular file
    Device: fd00h/64768d Inode: 68252098    Links: 1
    Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
    Context: unconfined_u:object_r:user_tmp_t:s0
    Access: 2021-05-26 06:52:49.511820164 -0400
    Modify: 2021-04-28 09:52:07.661820164 -0400
    Change: 2021-05-26 05:15:09.837820164 -0400
    Birth: -
  3. Issue the mmuserauth service create command.
    # mmuserauth service create --type ldap --data-access-method file \
    --servers myLDAPserver --base-dn dc=example,dc=com \
    --user-name cn=manager,dc=example,dc=com \
    --netbios-name ess --enable-server-tls --enable-kerberos \
    --kerberos-server myKerberosServer --kerberos-realm example.com
    A sample output is as follows:
    File authentication configuration completed successfully.
  4. To verify the authentication configuration, issue the mmuserauth service list command.
    # mmuserauth service list
    A sample output is as follows:
    FILE access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_SERVER_TLS        true
    ENABLE_KERBEROS          true
    USER_NAME                cn=manager,dc=example,dc=com
    SERVERS                  myLDAPserver
    NETBIOS_NAME             ess
    BASE_DN                  dc=example,dc=com
    USER_DN                  none
    GROUP_DN                 none
    NETGROUP_DN              none
    USER_OBJECTCLASS         posixAccount
    GROUP_OBJECTCLASS        posixGroup
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    KERBEROS_SERVER          myKerberosServer
    KERBEROS_REALM           example.com
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
  5. Verify the user resolution on the system.
    # id ldapuser3
    uid=1002(ldapuser3) gid=1002(ldapuser3) groups=1002(ldapuser3)
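A pre-flight check for the two files that steps 1 and 2 expect, added here as an example; it is not part of IBM Storage Scale or its documentation. It assumes GNU coreutils stat, that the files belong to the user running the command (root on the protocol node), and that the keytab carries no group or other permission bits, matching the 0600 shown in step 2.

```shell
#!/bin/sh
# Constructed pre-flight check for the mmuserauth LDAP+TLS+Kerberos setup.
# Paths default to the ones the procedure expects; override via CERT/KEYTAB.
CERT=${CERT:-/var/mmfs/tmp/ldap_cacert.pem}
KEYTAB=${KEYTAB:-/var/mmfs/tmp/krb5_scale.keytab}

# check_owned FILE: a regular file owned by the invoking user (root on the
# protocol node, because mmuserauth is run as root).
check_owned() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ] || { echo "wrong owner: $1" >&2; return 1; }
}

# check_private FILE: no group or other permission bits (0600, 0400, ...).
# A keytab readable by other users lets them obtain service tickets.
check_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        *00) return 0 ;;
        *)   echo "$1 is mode $mode; keytab must not be group/world readable" >&2
             return 1 ;;
    esac
}

# check_pem FILE: the CA file must be a PEM certificate, not DER or a key.
check_pem() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" || {
        echo "$1 is not a PEM certificate" >&2; return 1; }
}

# prereq_check CERT KEYTAB: returns 0 when every check passes, 1 otherwise.
prereq_check() {
    rc=0
    check_owned "$1" && check_pem "$1" || rc=1
    check_owned "$2" && check_private "$2" || rc=1
    return $rc
}

# Stand-alone use: report readiness; the mmuserauth command itself is run
# by the administrator as in step 3.
if prereq_check "$CERT" "$KEYTAB"; then
    echo "prerequisites OK: $CERT and $KEYTAB"
else
    echo "fix the reported problems before running mmuserauth service create" >&2
fi
```

On the protocol node, `openssl x509 -in /var/mmfs/tmp/ldap_cacert.pem -noout -subject` and `klist -kt /var/mmfs/tmp/krb5_scale.keytab` additionally confirm that both files parse and that the keytab holds the expected principal.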