mmuserauth command

Manages the authentication configuration of file and object access protocols. The configuration allows protocol access methods to authenticate users who need to access data that is stored on the system over these protocols.

Synopsis

mmuserauth service create  --data-access-method{file|object}
              --type {ldap|local|ad|nis|userdefined}
              --servers[IP address/hostname]
              {[--pwd-file PasswordFile]--user-name | --enable-anonymous-bind} 
              [--base-dn]
              [--enable-server-tls][--enable-ks-ssl]
              [--enable-kerberos][--enable-nfs-kerberos]
              [--user-dn][--group-dn][--netgroup-dn]
              [--netbios-name]  [--domain]
              [--idmap-role{master|subordinate}][--idmap-range][--idmap-range-size]
              [--user-objectclass][--group-objectclass][--user-name-attrib]
              [--user-id-attrib][--user-mail-attrib][--user-filter]
              [ --ks-dns-name][--ks-ext-endpoint]
              [--kerberos-server][--kerberos-realm]
              [--unixmap-domains] [--enable-overlapping-unixmap-ranges] [--ldapmap-domains]

mmuserauth service list [-Y] [ --data-access-method {file|object|all}]

mmuserauth service check [ --data-access-method {file|object|all}] [-r|--rectify]
            [-N|--nodes {node-list|cesNodes}][--server-reachability]

mmuserauth service remove  --data-access-method {file|object|all}[--idmapdelete]

Availability

Available on all IBM Storage Scale editions.

Description

Use the mmuserauth commands to create and manage IBM Storage Scale protocol authentication and ID mappings.

Parameters

service

Manages the authentication configuration of file and object access protocols with one of the following actions:

create: Configures authentication for file and object access protocols. The authentication method for file and object access protocols cannot be configured together. The mmuserauth service create command needs to be submitted separately for configuring authentication for the file and object access protocols each.
list: Displays the details of the authentication method that is configured for both file and object access protocols.
check: Verifies the authentication method configuration details for file and object access protocols. Validates the connectivity to the configured authentication servers. It also supports corrections to the configuration details on the erroneously configured protocol nodes.
remove: Removes the authentication method configuration of file and object access protocols and ID maps if any.
If you plan to remove both, authentication method configuration and ID maps, remove authentication method configuration followed by the removal of ID maps. That is, at first you need to submit the mmuserauth service remove command without the --idmapdelete option to remove the authentication method configuration and then submit the same command with the --idmapdelete option to remove ID maps.

CAUTION:
Deleting the authentication method configuration with the ID maps can lead to irrecoverable loss of access to data. Use this option with proper planning.

--data-access-method {file|object}

Specifies the access protocols for which the authentication method needs to be configured. The IBM Storage Scale system supports file access protocols such as SMB and NFS along with Object access protocols to access data that is stored on the system.

The file data access method is meant for authorizing the users who access data over SMB and NFS protocols.

--type {ldap|local|ad|nis|userdefined}

Specifies the authentication method to be configured for accessing data over file and object access protocols.

ldap - Defines an external LDAP server as the authentication server. This authentication type is valid for both file and object access protocols.

ad - Defines an external Microsoft Active Directory server as the authentication server. This authentication type is valid for both file and object access protocols.

local - Defines an internal database stored on IBM Storage Scale protocol nodes for authenticating user accessing data over object access protocol. This authentication type is valid for Object access protocol only.

nis - Defines an external NIS server as the authentication server. This authentication type is only valid for NFS file access protocol only. The NIS configuration with an IPv6 address is not supported.

Note: NIS authentication is not supported for RHEL 9.

userdefined - Defines user-defined (system administrator defined) authentication method for data access. This authentication type is valid for both file and object access protocols.

--servers [AuthServer1[:Port],AuthServer2[:Port],AuthServer3[:Port] ...]

Specifies the host name or IP address of the authentication server that is used for file and object access protocols.

This option is only valid with --type {ldap|ad|nis}.

With --type ldap, the input value format is "serverName/serverIP:[port]".

Specifying the port value is optional. Default port is 389.

For example,

--servers ldapserver.mydomain.com:1389.

For file access protocol, multiple LDAP servers can be specified by using a comma as a separator.

For the object access protocol, only one authentication server must be specified. If multiple servers are specified by using a comma, only the first server in the list is considered as the authentication server for configuration.

With --type ad, the input value format is "serverName/serverIP".

For example,

--servers ldapserver.mydomain.com.

For the file access protocol, only one authentication server must be specified. Specifying multiple servers is invalid. The AD server accepted while configuration is used to fetch details required for validation and configuration of the authentication method. Post successful configuration, each CES node will query DNS to lookout available Domain Controllers serving the AD domain it is joined to. Among the returned list, the node binds with the best available domain controller.

With --type nis, the input value format is "serverName/serverIP".

For example,

--servers nisserver.mydomain.com.

Multiple NIS servers can be specified by using a comma separator. At least one of the specified servers must be available and reachable while configuring the authentication method. This is important for the verification of the specified NIS domain, against which the availability of either passwd.byname or netgroup map is validated.

When you enter an IPv6 address, ensure that the address is enclosed within square brackets to work correctly.

For example,
--servers [2001:192::e61f:122:feb7:5df5]

--base-dn ldapBase

Specifies the LDAP base DN of the authentication server. This option is only valid with --type {ldap|ad} for --data-access-method object and --type ldap for --data-access-method file.

--enable-anonymous-bind

Specifies whether to enable anonymous binding with authentication server for various validation operations.

This option is valid for the following cases (if the authentication server supports anonymous binding):

--type {ldap|ad} and --data-access-method {object}
--type {ldap} and --data-access-method {file}
Note: This case is supported for NFS shares only.

This option is mutually exclusive with --user-name and password combination.

--user-name userName

Specifies the user name to be used to perform operations against the authentication server. This option is only valid with --type {ldap|ad} and

--data-access-method
{file|object}

This option combined with password is mutually exclusive with --enable-anonymous-bind. The specified user name must have sufficient permissions to read user and group attributes from the authentication server.

In case of --type {ad|ldap} with --data-access-method object, the user name must be specified in complete DN format.

In case of --type ad with --data-access-method file, the specified username is used to join the cluster to AD domain. It results in creating a machine account for the cluster based on the --netbios-name specified in the command. After successful configuration, the cluster connects with its machine account, and not the user used during the domain join. So the specified username after domain join has no role to play in communication with the AD domain controller and can be even deleted from the AD server. The cluster can still keep using AD for authentication via the machine account created.

--pwd-file PasswordFile

Specifies the file containing passwords of administrative users for authentication configuration of file and object access protocols. The password file must be saved under /var/mmfs/ssl/keyServ/tmp on the node from which you are running the command. If this option is omitted, the command prompts for a password. The password file is a security-sensitive file and hence, must have the following characteristics:

It must be a regular file.
It must be owned by the root user.
Only the root user must have permission to read or write it.

A password file for file protocol configuration must have the following format:

%fileauth:
password=userpassword

where:

fileauth: Stanza name for file protocol
password: Specifies the password of --user-name.

Note: With --type ad for file authentication, the specified password is only required during the domain joining period. After joining the domain, the password of the machine account of the cluster is used for accessing Active Directory.

A password file for object protocol configuration must have the following format:

%objectauth:
password=userpassword
ksAdminPwd=ksAdminPwdpassword
ksSwiftPwd=ksSwiftPwdpassword

where:

objectauth: Stanza name for object protocol
password: Specifies the password of --user-name.
ksAdminPwd: Specifies the Keystone Administrator's password.
ksSwiftPwd: Specifies the Swift service user's password.

Note: Passwords cannot contain any of the following characters: / : \ @ $ { } and space.

The passwords are stored in the associated Keystone and Swift configuration files. You can change these passwords by using the following commands:

To change the stored AD or LDAP password, issue the following command:

# mmobj config change --ccrfile keystone.conf --section ldap --property password --value NewPassword

To change the stored password for the Swift user, issue the following command:

# mmobj config change --ccrfile proxy-server.conf --section filter:authtoken --property password --value NewPassword

--enable-server-tls

Specifies whether to enable TLS communication with the authentication server. With --data-access-method object, this option is only valid with

--type
{ldap|ad}

. With --data-access-method file, this option is only valid with --type {ldap}.

This option is disabled by default.

For file access protocol configuration, ensure that the CA certificate is placed in the /var/mmfs/tmp/ directory with the name ldap_cacert.pem on the node that the command is to be run.

For object access protocol configuration, ensure that the CA certificate is placed in the /var/mmfs/tmp/ directory with the name object_ldap_cacert.pem on the node that the command is to be run.

--enable-nfs-kerberos

Specifies whether to enable Kerberized logins for users gaining access by using the NFSv3 and NFSv4 file access protocols.

This option is only valid with --type {ad} and --data-access-method {file}.

This option is disabled by default.

Note: Kerberized NFSv3 and NFSv4 access is only supported for users from AD domains that are configured for fetching the UID/GID information from Active Directory (RFC2307 schema attributes). Such AD domain definition is specified by using the --unixmap-domains option.

--user-dn ldapUserDN

Specifies the LDAP group DN. Restricts search of groups within the specified sub-tree. For CIFS access, the value of this parameter is ignored and a search is performed on the baseDN.

This option is only valid with --type {ldap} and

--data-access-method
{file}

. If this parameter is not set, the system uses the value that is set for baseDN as the default value.

--group-dn ldapGroupDN

Specifies the LDAP group suffix. Restricts search of groups within a specified sub-tree.

This option is only valid with --type {ldap} and

 --data-access-method
{file}

. If this parameter is not set, the system uses the value that is set for baseDN as the default value.

--netgroup-dn ldapGroupDN

Specifies the LDAP netgroup suffix. The system searches the netgroups based on this suffix. The value must be specified in complete DN format.

This option is only valid with --type {ldap}and

--data-access-method
{file}

. Default value is baseDN.

--user-objectclass userObjectClass

Specifies the object class of user on the authentication server. Only users with specified object class along with other filter are treated as valid users.

If the --data-access-method is object, this option is only valid with --type {ldap|ad}.

If the --data-access-method is file, this option is only valid with --type {ldap}. With --type ldap, the default value is posixAccount and with --type ad the default value is organizationalPerson.

--group-objectclass groupObjectClass

Specifies the object class of group on the authentication server. This option is only valid with --type {ldap} and --data-access-method {file}.

--netbios-name netBiosName

Specifies the unique identifier of the resources on a network that are running NetBIOS. This option is only valid with --type {ad|ldap} and

--data-access-method
{file}

The NetBIOS name is limited to 15 ASCII characters and must not contain any white space or one of the following characters: / : * ? . " ; |

If AD is selected as the authentication method, the NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Storage Scale clusters, or between the AD Domain and the NetBIOS name, the configuration does not work properly. Consider the following points while planning for a naming strategy:

There must not be NetBIOS name collision between two IBM Storage Scale clusters that are configured against the same Active Directory server.
The domain join of the latter machines revokes the join of the former one.
The NetBIOS name and the domain name must not collide.
The NetBIOS name and the short name of the Domain Controllers hosting the domain must not collide.

--domain domainName

Specifies the name of the NIS domain. This option is only valid with

--type
{nis}

and --data-access-method {file}.

The NIS domain that is specified must be served by one of the servers specified with --server. This option is mandatory when NIS-based authentication is configured for file access.

--idmap-role {master|subordinate}

Specifies the ID map role of the IBM Storage Scale system. ID map role of a stand-alone or singular system deployment must be selected "master". The value of the ID map role is important in AFM-based deployments.

This option is only valid with --type {ad} and

--data-access-method
{file}

You can use AD with automatic ID mapping to set up two or more storage subsystems in AFM relationship. The two or more systems configured in a master-subordinate relationship provides a means to synchronize the UIDs and GIDs generated for NAS clients on one system with UIDs and GIDs on the other systems. In the AFM relationship, only one system can be configured as master and other systems must be configured as subordinates. The ID map role of master and subordinate systems are the following:

Master: System creates ID maps on its own.
Subordinate: System does not create ID maps on its own. ID maps must be exported from the master to the subordinate.

While using automatic ID mapping, in order to have same ID maps on systems sharing AFM relationship, you need to export the ID mappings from master to subordinate. The NAS file services are inactive on the subordinate system. If you need to export and import ID maps from one system to another, contact the IBM® Support Center.

--idmap-range lowerValue-higherValue

Specifies the range of values from which the IBM Storage Scale UIDs and GIDs are assigned by the system to the Active Directory users and groups. This option is only valid with --type {ad} and --data-access-method {file}. The default value is 10000000-299999999. The lower value of the range must be at least 1000. After configuring the IBM Storage Scale system with AD authentication, only the higher value can be increased (this essentially increases the number of ranges).

--idmap-range-size rangeSize

Specifies the total number of UIDs and GIDs that are assignable per domain. For example, if --idmap-range is defined as 10000000-299999999, and range size is defined as 1000000, 290 domains can be mapped, each consisting of 1000000 IDs.

Choose a value for range size that allows for the highest anticipated RID value among all of the anticipated AD users and AD groups in all of the anticipated AD domains. Choose the range size value carefully because range size cannot be changed after the first AD domain is defined on the IBM Storage Scale system.

This option is only valid with --type {ad} and

--data-access-method
{file}

. Default value is 1000000.

--unixmap-domains unixDomainMap

Specifies the AD domains for which user ID and group ID should be fetched from the AD server. This option is only valid with --type {ad} and

--data-access-method
{file}

. The unixDomainMap takes value in this format: DOMAIN1(L1-H1:{win|unix})[;DOMAIN2(L2-H2:{win|unix})[;DOMAIN3(L3-H3:{win|unix})....]]

DOMAIN

Use DOMAIN to specify an AD domain for which ID mapping services are to be configured. The name of the domain to be specified must be the NetBIOS domain name. The UIDs and GIDs of the users and groups for the specified DOMAIN are read from the UNIX attributes that are populated in the RFC2307 schema extension of AD server. Any users or groups, from this domain, with missing UID/GID attributes are denied access. Use the L-H format to specify the ID range. All the users or groups from DOMAIN that need access to exports need to have their UIDs or GIDs in the specified range.

The specified range should not intersect with:

The range specified by using the --idmap-range option of the command.
The range specified for other AD DOMAIN for which ID mapping needs to be done from Active Directory (RFC2307 schema attributes) specified in --unixmap-domains option.
However, you can use the --enable-overlapping-unixmap-ranges option to allow overlapping ID map ranges for multiple AD domains for which ID mapping needs to be done from Active Directory (RFC2307 schema attributes).
The range specified for other AD DOMAIN for which ID mapping needs to be done from LDAP server specified in the --ldapmap-domains option.

The command reports a failure if you attempt to run the command with such configurations. This is intended to avoid ID collisions among users and groups from different domains.

win: Specifies the system to read the primary group set as Windows primary group of a user on the Active Directory.

unix: Specifies the system to read the primary group as set in "UNIX attributes" of a user on the Active Directory.

For example,

--unixmap-domains "MYDOMAIN1(20000-50000:unix);MYDOMAIN2(100000-200000:win)"

--enable-overlapping-unixmap-ranges

Allows overlapping ranges for multiple AD domains that are specified by using --unixmap-domains option. This option is only valid with --data-access-method {file} and --type {ad} along with --unixmap-domains.

Note: Ensure that UIDs and GIDs are unique among users and groups from different domains. ID collisions can cause data access issues and compromise data security.

--ldapmap-domains ldapDomainMap

Specifies the AD domains for which user ID and group ID should be fetched from a separate stand-alone LDAP server. This option is only valid with --type {ad} and --data-access-method {file}. ldapDomainMap takes value of the format as follows,

DOMAIN1 (type=stand-alone:ldap_srv=ldapServer:range=Range:usr_dn=userDN:grp_dn=groupDN:[bind_dn=bindDN]
:[bind_dn_pwd=bindDNpassword])[;DOMAIN2(type=stand-alone:ldap_srv=ldapServer:range=Range:usr_dn=userDN
:grp_dn=groupDN:[bind_dn=bindDN]:[bind_dn_pwd=bindDNpassword])[;DOMAIN3(type=stand-alone:ldap_srv=ldapServer
:range=Range:usr_dn=userDN:grp_dn=groupDN:[bind_dn=bindDN]:[bind_dn_pwd=bindDNpassword])...]]

DOMAIN: Use DOMAIN to specify an AD domain for which ID mapping services are to be configured. The name of the domain to be specified must be the Pre-Win2K domain name. The UID and GID of the users and groups for the specified DOMAIN are read from the objects stored on LDAP server in RFC2307 schema attributes. Any users or groups, from this domain, with missing UID/GID attributes are denied access.

type: Defines the type of LDAP server to use.; Supported value: stand-alone.

range

Attribute takes value in the L-H format. Defines the user or group from DOMAIN that needs access to exports need to have their UIDs or GIDs in the specified range. The specified range should not intersect with,

The range specified using --idmap-range option of the command
The range specified for other AD DOMAIN for which ID mapping needs to be done from Active Directory (RFC2307 schema attributes) specified in --unixmap-domains option
The range specified for other AD DOMAIN for which ID mapping needs to be done from LDAP server specified in --ldapmap-domains option
This is intended to avoid ID collisions among users and groups from different domains.

ldap_srv: Defines the name or IP address of the LDAP server to fetch the UID or GID for of a user or group records in RFC2307 schema format. The user and group objects should be in RFC2307 schema format. Specifying only single LDAP server is supported.; When you enter an IPv6 address, ensure that the address is enclosed within square brackets to work correctly.; For example,
--servers [2001:192::e61f:122:feb7:5df5]

user_dn: Defines the bind tree on the LDAP server where user objects shall be found.

grp_dn: Defines the bind tree on the LDAP server where the group objects shall be found.

bind_dn: Optional attribute.; Defines the user DN that should be used for authentication against the LDAP server. If not specified, anonymous bind shall be performed against the LDAP server.

bind_dn_pwd

Optional attribute.

Defines the password of the user DN specified in bind_dn to be used for authentication against the LDAP server. Must be specified when bind_dn attribute is specified for binding with the LDAP server in the DOMAIN definition.

Password cannot contain these special characters such as semicolon (;) or colon (:).

For example,

--ldapmap-domains "MYDOMAIN1(type=stand-alone:range=10000-50000
:ldap_srv=myldapserver.mydomain.com :usr_dn=ou=People,dc=mydomain,dc=com
:grp_dn=ou=Groups,dc=mydomain,dc=com :bind_dn=cn=ldapuser,dc=mydomain,dc=com
:bind_dn_pwd=MYPASSWORD);MYDOMAIN2(type=stand-alone :range=70000-100000
:ldap_srv=myldapserver.example.com:usr_dn=ou=People,dc=example,dc=com
:grp_dn=ou=Groups,dc=example,dc=com)"

--enable-kerberos

Specifies whether to enable Kerberized logins for users who are gaining access by using file access protocols.

This option is only valid with --type {ldap} and --data-access-method {file}.

This option is disabled by default.

Note: Ensure that the legitimate keytab file is placed in the /var/mmfs/tmp directory and is named as krb5_scale.keytab on the node that the authentication method configuration command is to be run.

--kerberos-server kerberosServer

Specifies the Kerberos server. This option is only valid with --type {ldap} and --data-access-method {file}.

When you enter an IPv6 address, ensure that the address is enclosed within square brackets to work correctly.

For example,
--servers [2001:192::e61f:122:feb7:5df5]

--kerberos-realm kerberosRealm

Indicates the Kerberos server authentication administrative domain. The realm name is usually the all-uppercase version of the domain name. This option is case-sensitive.

--user-name-attrib UserNameAttribute

Specifies the attribute to be used to search for user name on authentication server.

If the --data-access-method is object, this option is only valid with --type {ldap|ad}.

If the --data-access-method is file, this option is only valid with --type {ldap}. With --type ldap, default value is cn and with --type ad, the default value is sAMAccountName.

--user-id-attrib UserIDAttribute

Specifies the attribute to be used to search for user ID on the authentication server.

If --data-access-method is object, this option is only valid with --type {ldap|ad}.

If --data-access-method is file, this option is only valid with --type {ldap}. For --type ldap, default value is uid and for --type ad the default value is CN.

--user-mail-attrib UserMailAttribute

Specifies the attribute to be used to search for email on authentication server. If the --data-access-method is object, this option is only valid with

--type
{ldap|ad}

. For --data-access-method file, this option is only valid with --type {ldap}. Default value is mail.

--user-filter userFilter

Specifies the additional filter to be used to search for user in the authentication server. The filter must be specified in LDAP filter format. This option is only valid with

--type
{ldap|ad}

and --data-access-method {object}. By default, no filter is used.

--ks-dns-name keystoneDnsName

Specifies the DNS name for keystone service. The specified name must be resolved on all protocol nodes for proper functioning. This is optional with --data-access-method {object}. If the value is not specified for this parameter, the mmuserauth service create command uses the value that is used during the IBM Storage Scale system installation.

--ks-admin-user keystoneAdminName

Specifies the Keystone server administrative user. This user must be a valid user on authentication server if --type {ldap|ad} is specified. In case of

--type
local

, new user is created, and admin role is assigned in Keystone. This option is mandatory with --data-access-method {object}.

For --type {ldap|ad}, do not specify user name in DN format for --ks-admin-user. The name must be the base or short name that is written against the specified user-id-attrib or user-name-attrib of user on the LDAP server.

--enable-ks-ssl

Specifies whether the SSL communication must be enabled with the Keystone service. It enables a secured way to access the Keystone service over the HTTPS protocol. The default communication option with the Keystone service is over HTTP protocol, which has security risks.

This option is only valid with --data-access-method {object}.

By default, this option is disabled.

With --type local | ad | ldap, ensure that the valid certificate files are placed in the /var/mmfs/tmp directory on the node that the command has to be run:

The SSL certificate at: /var/mmfs/tmp/ssl_cert.pem

The private key at: /var/mmfs/tmp/ssl_key.pem

The CA certificate at: /var/mmfs/tmp/ssl_cacert.pem

With --type userdefined, ensure that the valid certificate files are placed in the /var/mmfs/tmp directory on the node that the command has to be run:

The CA certificate at: /var/mmfs/tmp/ssl_cacert.pem

--ks-swift-user keystoneSwiftName

Specifies the username to be used as swift user in proxy-server.conf. If AD or LDAP-based authentication is used, this user must be available in the AD or LDAP authentication server. If local authentication method is used, new user with this name is created in the local database This option is only valid with --data-access-method {object}.

For --type {ldap|ad}, do not specify user name in DN format for --ks-swift-user. The name must be the base or short name that is written against the specified user-id-attrib or user-name-attrib of user on the LDAP server.

--ks-ext-endpoint externalendpoint

Specifies the endpoint URL of external keystone. Only API v3 and HTTP are supported. This option is only valid with --data-access-method {object} and

--type
{userdefined}

--idmapdelete

Specifies whether to delete the current ID maps (SID to UID/GID mappings) from the ID mapping databases for the file access method and user-role-project-domain mappings stored in local keystone database for object access method.

This option is only valid with the mmuserauth service remove command. Unless the --data-access-method parameter is specified on the command line, ID maps for file and object access protocols are erased by default. To delete the ID maps of a particular access protocol, explicitly specify the --data-access-method parameter on command line along with the valid access protocol name.

The authentication method configuration and ID maps cannot be deleted together. The authentication method configuration must be deleted before the ID maps.

CAUTION:

Deleting ID maps can lead to irrecoverable loss of access to data. Use this option with proper planning.

-N|--nodes{node-list|cesNodes}

Verifies the authentication configuration on each node. If the specified node is not protocol node, it is ignored. If protocol node is specified, then the system checks configuration on all protocol nodes. If you do not specify a node, the system checks the configuration of only the current node.

-Y

Displays the command output in a parseable format with a colon (:) as a field delimiter. Each column is described by a header.

Note: Fields that have a colon (:) are encoded to prevent confusion. For the set of characters that might be encoded, see the command documentation of mmclidecode. Use the mmclidecode command to decode the field.

-r|--rectify

Rectifies the authentication configurations and missing SSL and TLS certificates.

--server-reachability

Without this flag, the mmuserauth service check command only validates whether the authentication configuration files are consistent across the protocol nodes. Use this flag to ensure if the external authentication server is reachable by each protocol node.

Exit status

0: Successful completion.
nonzero: A failure has occurred.

Note: When you reconfigure Object protocol access, messages suggesting that a duplicate key value violates unique constraint might appear in the system log. Disregard these messages.

Security

You must have root authority to run the mmuserauth command.

The node on which the command is issued must be able to run remote shell commands on any other node in the cluster without the use of a password and without producing any extraneous messages. For more information, see Requirements for administering a GPFS file system.

Examples

To configure Microsoft Active Directory (AD) based authentication with automatic ID mapping for file access, issue this command:

# mmuserauth service create --type ad --data-access-method file --netbios-name
specscale --user-name adUser --idmap-role master --servers myADserver 
--idmap-range-size 1000000 --idmap-range 10000000-299999999

The system displays output similar to this:


File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:


FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
SERVERS                  "*"
USER_NAME                specscale$
NETBIOS_NAME             specscale
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          none
LDAPMAP_DOMAINS          none

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------

To configure Microsoft Active Directory (AD) based authentication with RFC2307 ID mapping for file access, issue this command:

# mmuserauth service create  --type ad --data-access-method file
--netbios-name specscale --user-name adUser --idmap-role master
--servers myAdserver   --idmap-range-size 1000000
--idmap-range 10000000-299999999 --unixmap-domains 'DOMAIN(5000-20000:win)'

The system displays output similar to this:

File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:


FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
SERVERS                  "*"
USER_NAME                specscale$
NETBIOS_NAME             specscale
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          DOMAIN(5000-20000:win)
LDAPMAP_DOMAINS          none

OBJECT access not configured
PARAMETERS               VALUES

To configure Microsoft Active Directory (AD) based authentication with LDAP ID mapping for file access, issue this command:

mmuserauth service create --data-access-method file --type ad --servers myADserver
--user-name adUser  --netbios-name specscale --idmap-role master
--ldapmap-domains "DOMAIN(type=stand-alone: range=1000-10000:ldap_srv=myLDAPserver:
usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,
dc=com:bind_dn=cn=ldapuser,dc=example,dc=com:bind_dn_pwd=password)"

The system displays output similar to this:

File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:


FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
SERVERS                  "*"
USER_NAME                specscale$
NETBIOS_NAME             specscale
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          none
LDAPMAP_DOMAINS          DOMAIN(type=stand-alone: range=1000-10000:
ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:grp_dn=
ou=Groups,dc=example,dc=com:bind_dn=cn=ldapuser,dc=example,dc=com)

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------

To configure Microsoft Active Directory (AD) based authentication with LDAP ID mapping for file access (anonymous binding with LDAP), issue this command:

# mmuserauth service create --data-access-method file --type ad
--servers myADserver --user-name adUser 
--netbios-name specscale --idmap-role master --ldapmap-domains
"DOMAIN(type=stand-alone: range=1000-10000:ldap_srv=myLDAPserver:
usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com)"

The system displays output similar to this:


File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:


FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
SERVERS                  "*"
USER_NAME                specscale$
NETBIOS_NAME             specscale
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          none
LDAPMAP_DOMAINS          DOMAIN(type=stand-alone: range=1000-10000:ldap_srv=myLDAPserver:
usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com)

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------

To configure AD-based authentication with overlapping ID map ranges, issue this command:

# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name adUser
 --netbios-name specscale --idmap-role master --unixmap-domains "DOMAIN1(2000-4000); DOMAIN2(2000-4000)" 
--enable-overlapping-unixmap-ranges

The system displays output similar to this:

Enter Active Directory User 'adUser' password:
Enabling Overlapping unixmap ranges. Make sure that UIDs and GIDs are unique in order to avoid ACLs 
or/and data access issues. See man mmuserauth for further details.

File authentication configuration completed successfully.

To verify the authentication configuration, the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

# mmuserauth service list
FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
SERVERS                  "*"
USER_NAME                specscale$
NETBIOS_NAME             specscale
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          DOMAIN1(2000-4000:win);DOMAIN2(2000-4000:win)
LDAPMAP_DOMAINS          none

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------

To configure LDAP-based authentication with TLS encryption for file access, issue this command:

# mmuserauth service create --type ldap --data-access-method file
--servers myLDAPserver --base-dn dc=example,dc=com
--user-name cn=ldapuser,dc=example,dc=com 
--netbios-name specscale --enable-server-tls

The system displays output similar to this:


File Authentication configuration completed successfully.

Note: Before issuing the mmuserauth service create command to configure LDAP with TLS, ensure that the CA certificate for LDAP server is placed under /var/mmfs/tmp directory with the name "ldap_cacert.pem" specifically on the protocol node where the command is issued.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:


FILE access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        true
ENABLE_KERBEROS          false
USER_NAME                cn=ldapuser,dc=example,dc=com
SERVERS                  myLDAPserver
NETBIOS_NAME             specscale
BASE_DN                  dc=example,dc=com
USER_DN                  none
GROUP_DN                 none
NETGROUP_DN              none
USER_OBJECTCLASS         posixAccount
GROUP_OBJECTCLASS        posixGroup
USER_NAME_ATTRIB         cn
USER_ID_ATTRIB           uid
KERBEROS_SERVER          none
KERBEROS_REALM           none

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------

To configure LDAP-based authentication with Kerberos for file access, issue this command:

# mmuserauth service create --type ldap --data-access-method file
--servers myLDAPserver --base-dn dc=example,dc=com
--user-name cn=ldapuser,dc=example,dc=com 
--netbios-name specscale --enable-kerberos
--kerberos-server myKerberosServer  --kerberos-realm MYREAL.com

The system displays output similar to this:


File Authentication configuration completed successfully.

Note: Before issuing the mmuserauth service create command to configure LDAP with Kerberos, ensure that the keytab file is also placed under /var/mmfs/tmp directory name as krb5_scale.keytab specifically on the node where the command is run.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        false
ENABLE_KERBEROS          true
USER_NAME                cn=ldapuser,dc=example,dc=com
SERVERS                  myLDAPserver
NETBIOS_NAME             specscale
BASE_DN                  dc=example,dc=com
USER_DN                  none
GROUP_DN                 none
NETGROUP_DN              none
USER_OBJECTCLASS         posixAccount
GROUP_OBJECTCLASS        posixGroup
USER_NAME_ATTRIB         cn
USER_ID_ATTRIB           uid
KERBEROS_SERVER          myKerberosServer
KERBEROS_REALM           MYREAL.com

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------

To configure LDAP with TLS and Kerberos for file access, issue this command:

# mmuserauth service create --type ldap --data-access-method file
--servers myLDAPserver --base-dn dc=example,dc=com
--user-name cn=ldapuser,dc=example,dc=com 
--netbios-name specscale --enable-server-tls --enable-kerberos
      --kerberos-server myKerberosServer --kerberos-realm MYREAL.com

The system displays output similar to this:


File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        true
ENABLE_KERBEROS          true
USER_NAME                cn=ldapuser,dc=example,dc=com
SERVERS                  myLDAPserver
NETBIOS_NAME             specscale
BASE_DN                  dc=example,dc=com
USER_DN                  none
GROUP_DN                 none
NETGROUP_DN              none
USER_OBJECTCLASS         posixAccount
GROUP_OBJECTCLASS        posixGroup
USER_NAME_ATTRIB         cn
USER_ID_ATTRIB           uid
KERBEROS_SERVER          myKerberosServer
KERBEROS_REALM           MYREAL.com

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------

To configure LDAP without TLS and without Kerberos for file access, issue this command:

# mmuserauth service create --type ldap --data-access-method file
--servers myLDAPserver --base-dn dc=example,dc=com --user-name
cn=ldapuser,dc=example,dc=com  --netbios-name specscale

The system displays output similar to this:


File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        false
ENABLE_KERBEROS          false
USER_NAME                cn=ldapuser,dc=example,dc=com
SERVERS                  myLDAPserver
NETBIOS_NAME             specscale
BASE_DN                  dc=example,dc=com
USER_DN                  none
GROUP_DN                 none
NETGROUP_DN              none
USER_OBJECTCLASS         posixAccount
GROUP_OBJECTCLASS        posixGroup
USER_NAME_ATTRIB         cn
USER_ID_ATTRIB           uid
KERBEROS_SERVER          none
KERBEROS_REALM           none

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------

To configure NIS-based authentication for file access, issue this command:

# mmuserauth service create --type nis --data-access-method file
--servers myNISserver --domain nisdomain

The system displays output similar to this:


File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : NIS
PARAMETERS               VALUES
-------------------------------------------------
SERVERS                  myNISserver
DOMAIN                   nisdomain

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------

Note: NIS authentication is not supported for RHEL 9.

To configure user-defined authentication for file access, issue this command:

# mmuserauth service create --data-access-method file --type userdefined

The system displays output similar to this:

File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : USERDEFINED
PARAMETERS               VALUES
-------------------------------------------------
OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------

To configure local authentication for object access, issue this command:

# mmuserauth service create --data-access-method object --type local
--ks-dns-name ksDNSname --ks-admin-user admin

The system displays output similar to this:

Object configuration with local (Database) as identity backend is completed
successfully.
Object Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access not configured
PARAMETERS               VALUES
-------------------------------------------------

OBJECT access configuration : LOCAL
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_KS_SSL            false
ENABLE_KS_CASIGNING      false
KS_ADMIN_USER            admin

To configure AD without TLS authentication for object access, issue this command:

# mmuserauth service create --type ad --data-access-method object
--user-name "cn=adUser,cn=Users,dc=example,dc=com"  --base-dn "dc=example,DC=com" 
--ks-dns-name ksDNSname --ks-admin-user admin --servers myADserver --user-id-attrib cn
--user-name-attrib sAMAccountName --user-objectclass organizationalPerson --user-dn "cn=Users,dc=example,dc=com"
--ks-swift-user swift

The system displays output similar to this:

Object configuration with LDAP (Active Directory) as identity backend is completed
successfully.
Object Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access not configured
PARAMETERS               VALUES
-------------------------------------------------

OBJECT access configuration: AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        false
ENABLE_KS_SSL            false
USER_NAME                cn=adUser,cn=Users,dc=example,dc=com
SERVERS                  myADserver
BASE_DN                  dc=IBM,DC=local
USER_DN                  cn=users,dc=example,dc=com
USER_OBJECTCLASS         organizationalPerson
USER_NAME_ATTRIB         sAMAccountName
USER_ID_ATTRIB           cn
USER_MAIL_ATTRIB         mail
USER_FILTER              none
ENABLE_KS_CASIGNING      false
KS_ADMIN_USER            admin

To configure AD with TLS authentication for object access, issue this command:

# mmuserauth service create --type ad --data-access-method object
--user-name "cn=adUser,cn=Users,dc=example,dc=com"  --base-dn
"dc=example,DC=com" --enable-server-tls --ks-dns-name ksDNSname --ks-admin-user admin --servers
myADserver --user-id-attrib cn --user-name-attrib sAMAccountName --user-objectclass organizationalPerson
--user-dn "cn=Users,dc=example,dc=com" --ks-swift-user swift

The system displays output similar to this:

Object configuration with LDAP (Active Directory) as identity backend is completed
successfully.
Object Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access not configured
PARAMETERS               VALUES
-------------------------------------------------
OBJECT access configuration: AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        true
ENABLE_KS_SSL            false
USER_NAME                cn=adUser,cn=Users,dc=example,dc=com
SERVERS                  myADserver
BASE_DN                  dc=IBM,DC=com
USER_DN                  cn=users,dc=example,dc=com
USER_OBJECTCLASS         organizationalPerson
USER_NAME_ATTRIB         sAMAccountName
USER_ID_ATTRIB           cn
USER_MAIL_ATTRIB         mail
USER_FILTER              none
ENABLE_KS_CASIGNING      false
KS_ADMIN_USER            admin

To configure LDAP-based authentication for object access, issue this command:

# mmuserauth service create --type ldap --data-access-method object
--user-name "cn=ldapuser,dc=example,dc=com" 
--base-dn dc=example,dc=com --ks-dns-name ksDNSname --ks-admin-user admin 
--servers myLDAPserver --user-dn "ou=People,dc=example,dc=com"
--ks-swift-user swift

The system displays output similar to this:

Object configuration with LDAP as identity backend is completed successfully.
Object Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access not configured
PARAMETERS               VALUES
-------------------------------------------------
OBJECT access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_SERVER_TLS        false
ENABLE_KS_SSL            false
USER_NAME                cn=ldapuser,dc=example,dc=com
SERVERS                  myLDAPserver
BASE_DN                  dc=example,dc=com
USER_DN                  ou=people,dc=example,dc=com
USER_OBJECTCLASS         posixAccount
USER_NAME_ATTRIB         cn
USER_ID_ATTRIB           uid
USER_MAIL_ATTRIB         mail
USER_FILTER              none
ENABLE_KS_CASIGNING      false
KS_ADMIN_USER            admin

To configure LDAP with TLS-based authentication for object access, issue this command:

# mmuserauth service create --type ldap --data-access-method object
--user-name "cn=ldapuser,dc=example,dc=com" 
--base-dn dc=example,dc=com --enable-server-tls
--ks-dns-name ksDNSname --ks-admin-user admin --servers myLDAPserver
--user-dn "ou=People,dc=example,dc=com" --ks-swift-user swift

The system displays output similar to this:

Object configuration with LDAP as identity backend is completed successfully.
Object Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access not configured
PARAMETERS               VALUES
-------------------------------------------------

OBJECT access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_SERVER_TLS        true
ENABLE_KS_SSL            false
USER_NAME                cn=ldapuser,dc=example,dc=com
SERVERS                  myLDAPserver
BASE_DN                  dc=example,dc=com
USER_DN                  ou=people,dc=example,dc=com
USER_OBJECTCLASS         posixAccount
USER_NAME_ATTRIB         cn
USER_ID_ATTRIB           uid
USER_MAIL_ATTRIB         mail
USER_FILTER              none
ENABLE_KS_CASIGNING      false
KS_ADMIN_USER            admin

To remove the authentication method that is configured for file access, issue this command:
```
# mmuserauth service remove --data-access-method file
```
The system displays output similar to this:
```
mmuserauth service remove: Command successfully completed
```
Note: Authentication configuration and ID maps cannot be deleted together. To remove ID maps, remove the authentication configuration first and then remove ID maps. Also, you cannot delete ID maps that are used for file and object access together. That is, when you delete the ID maps, the value that is specified for --data-access-method must be either file or object.
To remove the authentication method that is configured for object access, issue this command:
```
# mmuserauth service remove --data-access-method object
```
The system displays output similar to this:
```
mmuserauth service remove: Command successfully completed 
```
Note: Authentication configuration and ID maps cannot be deleted together. To remove ID maps, remove the authentication configuration first and then remove the ID maps. Also, you cannot delete ID maps that are used for file and object access together. That is, when you delete the ID maps, the value that is specified for --data-access-method must be either file or object.

To check whether the authentication configuration is consistent across the cluster and the required services are enabled and running, issue this command:

 mmuserauth service check --data-access-method file --nodes cesNodes  --server-reachability

The system displays output similar to this:

 
         Userauth file check on node: node1
                   Checking SSSD_CONF: OK
                   Checking nsswitch file: OK
                   Checking Pre-requisite Packages: OK
         LDAP servers status
                   LDAP server myLdapServer : OK
         Service 'sssd' status: OK

         Userauth file check on node: node2
                   Checking SSSD_CONF: OK
                   Checking nsswitch file: OK
                   Checking Pre-requisite Packages: OK
         LDAP servers status
                   LDAP server myLdapServer : OK
         Service 'sssd' status: OK

To check whether the file authentication configuration is consistent across the cluster and the required services are enabled and running, and if you want to correct the situation, issue this command:
```
mmuserauth service check --data-access-method file --nodes cesNodes  --rectify
```

To check that all object configuration files (including certificates) are present, and if not, rectify the situation by issuing the following command:

# mmuserauth service check --data-access-method object --rectify

The system displays output similar to this:

Userauth object check on node: node1
Checking keystone.conf: OK
Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
Checking /etc/keystone/ssl/private/signing_key.pem: OK
Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
Checking /etc/keystone/ssl/certs/object_ldap_cacert.pem: OK
Service 'openstack-keystone' status: OK

To check if the external authentication server is reachable by each protocol node, use the following command:

mmuserauth service check --server-reachability

If file is not configured, object is configured, and there are no errors, the system displays output similar to this:

Userauth object check on node: node1
	Checking keystone.conf: OK
	Checking wsgi-keystone.conf: OK
	Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
	Checking /etc/keystone/ssl/private/signing_key.pem: OK
	Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK

LDAP servers status
	LDAP server myLDAPserver : OK
Service 'httpd' status: OK

If file is not configured, object is configured, and there is a single error, the system displays output similar to this:

Userauth object check on node: node1
	Checking keystone.conf: OK
	Checking wsgi-keystone.conf: OK
	Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
	Checking /etc/keystone/ssl/private/signing_key.pem: OK
	Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK

LDAP servers status
	LDAP server myLDAPserver : ERROR
Service 'httpd' status: OK

If file and object are configured and there are no errors, the system displays output similar to this:

Userauth file check on node: node1
	Checking nsswitch file: OK
       Checking Pre-requisite Packages: OK
       Checking SRV Records lookup: OK

Domain Controller status
	NETLOGON connection: OK, connection to DC: win2k16.example.com
	Domain join status: OK
	Machine password status: OK
Service 'gpfs-winbind' status: OK

Userauth object check on node: node1
	Checking keystone.conf: OK
	Checking wsgi-keystone.conf: OK
	Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
	Checking /etc/keystone/ssl/private/signing_key.pem: OK
	Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK

LDAP servers status
	LDAP server myLDAPserver : OK
Service 'httpd' status: OK

If file and object are configured and there is a single error, the system displays output similar to this:


Userauth file check on node: node1
	Checking nsswitch file: OK
       Checking Pre-requisite Packages: OK
       Checking SRV Records lookup: OK

Domain Controller status
	NETLOGON connection: OK, connection to DC: WIN8-12Up.example.com
	Domain join status: OK
	Machine password status: ERROR
Service 'gpfs-winbind' status: OK

Userauth object check on node: node1


	Checking keystone.conf: OK
	Checking wsgi-keystone.conf: OK
	Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
	Checking /etc/keystone/ssl/private/signing_key.pem: OK
	Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK

LDAP servers status
	LDAP server myLDAPserver : OK

If file and object are configured and there is are multiple errors, the system displays output similar to this:

Userauth file check on node: node1
	Checking nsswitch file: OK
       Checking Pre-requisite Packages: OK
       Checking SRV Records lookup: OK

Domain Controller status
	NETLOGON connection: ERROR (DC not found)
	Domain join status: ERROR
	Machine password status: ERROR
Service 'gpfs-winbind' status: OK

Userauth object check on node: node1
	Checking keystone.conf: OK
	Checking wsgi-keystone.conf: OK
	Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
	Checking /etc/keystone/ssl/private/signing_key.pem: OK
	Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK

LDAP servers status
	LDAP server myLDAPserver : ERROR
Service 'httpd' status: OK

Note: The --rectify or -r option cannot fix server reachability errors. Specifying that option with --server-reachability may fix the erroneous config files and service-related errors only.

To configure AD authentication by using a password file for File protocol configuration, use the following command:
```
mmuserauth service create  --type ad --data-access-method file
 --netbios-name test --user-name administrator 
--idmap-role master --servers myADServer
 --pwd-file fileauth
```
Contents of fileauth saved at /var/mmfs/ssl/keyServ/tmp/ are:
```
%fileauth:       
password=Passw0rd
```
Here, Passw0rd is the password for the user to bind with the authentication server.
To configure AD authentication by using a password file for Object protocol configuration, use the following command:
```
mmuserauth service create --type ad --data-access-method object
 --base-dn "dc=example,DC=com"  --servers myADserver --user-id-attrib cn
--user-name-attrib sAMAccountName --user-objectclass organizationalPerson 
--user-dn "cn=Users,dc=example,dc=com"  --pwd-file objectauth
```
Contents of objectauth saved at /var/mmfs/ssl/keyServ/tmp/ are:
```
%objectauth:  
password=Passw0rd
ksAdminPwd=Passw0rd1
ksSwiftPwd=Passw0rd2
```
Here, Passw0rd is the password for the user to bind with the authentication server. Passw0rd1 is the Keystone administrator's password, and Passw0rd2 is the Swift Service user's password.

To check whether the DNS configuration is correct when cluster is already configured with file AD authentication scheme, issue this command:

mmuserauth service check --data-access-method file --nodes cesNodes

If DNS configuration is valid; then system displays output similar to this:


    Userauth file check on node: node1
                   Checking nsswitch file: OK
                   Checking Pre-requisite Packages: OK
                   Checking SRV Records lookup: OK
    Service 'gpfs-winbind' status: OK

    Userauth file check on node: node2
                   Checking nsswitch file: OK
                   Checking Pre-requisite Packages: OK
                   Checking SRV Records lookup: OK
    Service 'gpfs-winbind' status: OK

If DNS configuration is incorrect; then system displays output similar to this:


   Userauth file check on node: node1
               Checking nsswitch file: OK
               Checking Pre-requisite Packages: OK
               Checking SRV Records lookup: ERROR (Make sure Domain Controller 
   can be looked up from this node. Validate correct DNS server is populated in network configuration.)
   Found errors in configuration.

   Userauth file check on node: node2
               Checking nsswitch file: OK
               Checking Pre-requisite Packages: OK
               Checking SRV Records lookup: ERROR (Make sure Domain Controller
   can be looked up from this node. Validate correct DNS server is populated in network configuration.)
        Found errors in configuration.

To configure Microsoft Active Directory(AD)-based authentication when the time difference between the node and domain controller is more than five minutes, run the following command:

mmuserauth service create --type ad --data-access-method file --netbios-name
   specscale --user-name adUser --idmap-role master --servers myADserver
   --idmap-range-size 1000000 --idmap-range 10000000-299999999

The system displays output similar to this:


   WARNING: Time difference between current node and domain controller is 4073 seconds.
   It is greater than max allowed clock skew 300 seconds.   File Authentication configuration
   completed successfully.

To configure LDAP-based authentication for file access with an IPv6 address of the authentication server, issue this command:

# mmuserauth service create --type ldap --data-access-method file --servers
[2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name
cn=ldapuser,dc=example,dc=com --netbios-name specscale

The system displays output similar to this:

File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : LDAP
    PARAMETERS               VALUES                   
    -------------------------------------------------
    ENABLE_SERVER_TLS        false                    
    ENABLE_KERBEROS          false                    
    USER_NAME                cn=ldapuser,dc=example,dc=com
    SERVERS                  [2001:192::e61f:122:feb7:5df0]
    NETBIOS_NAME             specscale                
    BASE_DN                  dc=example,dc=com          
    USER_DN                  none                     
    GROUP_DN                 none                     
    NETGROUP_DN              none                     
    USER_OBJECTCLASS         posixAccount             
    GROUP_OBJECTCLASS        posixGroup               
    USER_NAME_ATTRIB         cn                       
    USER_ID_ATTRIB           uid                      
    KERBEROS_SERVER          none                     
    KERBEROS_REALM           none                     

    OBJECT access not configured
    PARAMETERS               VALUES                   
    -------------------------------------------------

To configure LDAP-based authentication with TLS encryption for file access with an IPv6 address of the authentication server, issue this command:

mmuserauth service create --type ldap --data-access-method file --servers 
[2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name 
cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-server-tls

The system displays output similar to this:

File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : LDAP
    PARAMETERS               VALUES                   
    -------------------------------------------------
    ENABLE_SERVER_TLS        true                    
    ENABLE_KERBEROS          false                    
    USER_NAME                cn=ldapuser,dc=example,dc=com
    SERVERS                  [2001:192::e61f:122:feb7:5df0]
    NETBIOS_NAME             specscale                
    BASE_DN                  dc=example,dc=com          
    USER_DN                  none                     
    GROUP_DN                 none                     
    NETGROUP_DN              none                     
    USER_OBJECTCLASS         posixAccount             
    GROUP_OBJECTCLASS        posixGroup               
    USER_NAME_ATTRIB         cn                       
    USER_ID_ATTRIB           uid                      
    KERBEROS_SERVER          none                     
    KERBEROS_REALM           none                     

    OBJECT access not configured
    PARAMETERS               VALUES                   
    -------------------------------------------------

To configure LDAP-based authentication with Kerberos for file access with an IPv6 address of the authentication server, issue this command:

mmuserauth service create --type ldap --data-access-method file --servers 
[2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name 
cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-kerberos --kerberos-server 
[2001:192::e61f:122:feb7:5dc0] --kerberos-realm MYREALM.com

The system displays output similar to this:

File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : LDAP
    PARAMETERS               VALUES                   
    -------------------------------------------------
    ENABLE_SERVER_TLS        false                    
    ENABLE_KERBEROS          true                    
    USER_NAME                cn=ldapuser,dc=example,dc=com
    SERVERS                  [2001:192::e61f:122:feb7:5df0]
    NETBIOS_NAME             specscale                
    BASE_DN                  dc=example,dc=com          
    USER_DN                  none                     
    GROUP_DN                 none                     
    NETGROUP_DN              none                     
    USER_OBJECTCLASS         posixAccount             
    GROUP_OBJECTCLASS        posixGroup               
    USER_NAME_ATTRIB         cn                       
    USER_ID_ATTRIB           uid                      
    KERBEROS_SERVER          [2001:192::e61f:122:feb7:5dc0]                     
    KERBEROS_REALM           MYREALM.com                     

    OBJECT access not configured
    PARAMETERS               VALUES                   
    -------------------------------------------------

To configure Microsoft Active Directory (AD)-based authentication with the automatic ID mapping for file access with an IPv6 address of the authentication server, issue this command:

mmuserauth service create --type ad --data-access-method file --servers 
[2001:192::e61f:122:feb7:5df0] --netbios-name specscale --user-name 
adUser --idmap-role master --idmap-range-size 1000000 --idmap-range 10000000-299999999

The system displays output similar to this:

File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : AD
    PARAMETERS               VALUES                   
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false                    
    SERVERS                  "*"                      
    USER_NAME                adUser$             
    NETBIOS_NAME             specscale              
    IDMAP_ROLE               master                   
    IDMAP_RANGE              10000000-299999999       
    IDMAP_RANGE_SIZE         1000000                  
    UNIXMAP_DOMAINS          none                     
    LDAPMAP_DOMAINS          none                     

    OBJECT access not configured
    PARAMETERS               VALUES                   
    -------------------------------------------------

To configure Microsoft Active Directory (AD)-based authentication with RFC2307 ID mapping for file access with IPv6 address of the authentication server, issue this command:

mmuserauth service create --type ad --data-access-method file --servers 
[2001:192::e61f:122:feb7:5df0] --netbios-name specscale --user-name 
adUser --idmap-role master --unixmap-domains 'TESTDOMAIN(10000-50000:win)'

The system displays output similar to this:

File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : AD
    PARAMETERS               VALUES                   
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false                    
    SERVERS                  "*"                      
    USER_NAME                adUser$             
    NETBIOS_NAME             specscale              
    IDMAP_ROLE               master                   
    IDMAP_RANGE              10000000-299999999       
    IDMAP_RANGE_SIZE         1000000                  
    UNIXMAP_DOMAINS          TESTDOMAIN(10000-50000:win)                     
    LDAPMAP_DOMAINS          none                     

    OBJECT access not configured
    PARAMETERS               VALUES                   
    -------------------------------------------------

To configure Microsoft Active Directory (AD)-based authentication with LDAP ID mapping for file access with IPv6 address of the authentication server, issue this command:

mmuserauth service create --type ad --data-access-method file --servers 
[2001:192::e61f:122:feb7:5df0] --netbios-name specscale --user-name 
adUser --idmap-role master --ldapmap-domains "TESTDOMAIN(type=stand-alone: range=1000-10000:ldap_srv=[2001:192::e61f:122:feb7:5bf0]: 
usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example, 
dc=com:bind_dn=cn=ldapuser,dc=example,dc=com:bind_dn_pwd=password)"

The system displays output similar to this:

File Authentication configuration completed successfully.

To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

# mmuserauth service list

The system displays output similar to this:

FILE access configuration : AD
    PARAMETERS               VALUES                   
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false                    
    SERVERS                  "*"                      
    USER_NAME                adUser$             
    NETBIOS_NAME             specscale              
    IDMAP_ROLE               master                   
    IDMAP_RANGE              10000000-299999999       
    IDMAP_RANGE_SIZE         1000000                  
    UNIXMAP_DOMAINS          none                     
    LDAPMAP_DOMAINS          TESTDOMAIN(type=stand-alone: range=1000-10000:
    ldap_srv=[2001:192::e61f:122:feb7:5bf0]:usr_dn=ou=People,dc=example,dc=com:grp_dn=
    ou=Groups,dc=example,dc=com:bind_dn=cn=ldapuser,dc=example,dc=com)                     

    OBJECT access not configured
    PARAMETERS               VALUES                   
    -------------------------------------------------

Location

/usr/lpp/mmfs/bin

mmuserauth command

Synopsis

Availability

Description

Parameters

Security

Examples

See also

Location