Validating shared authentication ID mapping

Perform the following steps to validate shared authentication ID mapping.

  1. List the current authentication configuration on IBM Storage Scale by running the mmuserauth service list command.
    The output is similar to the following:
    FILE access configuration : LDAP
    PARAMETERS VALUES
    -------------------------------------------------
    ENABLE_SERVER_TLS false
    ENABLE_KERBEROS false
    USER_NAME cn=manager,dc=sonasldap,dc=com
    SERVERS 9.118.37.234 
    NETBIOS_NAME deepakcluster
    BASE_DN dc=sonasldap,dc=com
    USER_DN dc=sonasldap,dc=com
    GROUP_DN none
    NETGROUP_DN none
    USER_OBJECTCLASS posixAccount
    GROUP_OBJECTCLASS posixGroup
    USER_NAME_ATTRIB cn
    USER_ID_ATTRIB uid
    KERBEROS_SERVER none
    KERBEROS_REALM none
    
    OBJECT access configuration : LDAP
    PARAMETERS VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND false
    ENABLE_SERVER_TLS false
    ENABLE_KS_SSL false
    USER_NAME cn=manager,dc=sonasldap,dc=com
    SERVERS 9.118.37.234 
    BASE_DN dc=sonasldap,dc=com
    USER_DN dc=sonasldap,dc=com
    USER_OBJECTCLASS posixAccount
    USER_NAME_ATTRIB cn
    USER_ID_ATTRIB uid
    USER_MAIL_ATTRIB mail
    USER_FILTER none
    ENABLE_KS_CASIGNING false
    KS_ADMIN_USER userr
  2. Make sure that the file authentication type and the object authentication type are the same. The valid values are AD and LDAP. In the example output, both are LDAP:
    FILE access configuration : LDAP
    OBJECT access configuration : LDAP
    With AD, file authentication must be configured with a Unix-mapped domain, and object authentication must be configured against the same AD domain. That domain must also be set in the object-server-sof.conf configuration file as follows:
    ad_domain = <AD domain name>
  3. Make sure that file authentication and object authentication are configured against the same server. In the example output, both list the same SERVERS value:
    FILE : SERVERS 9.118.37.234
    OBJECT : SERVERS 9.118.37.234
    Note: If AD has multiple domain controllers, the SERVERS values might differ. The administrator must make sure that both configurations refer to the same user authentication source.
  4. Make sure that object users receive the correct UIDs and GIDs from the authentication source.
    The following example uses userr as the object user; /root/openrc holds the OpenStack credentials for that user:
    cat /root/openrc
    export OS_AUTH_URL="http://127.0.0.1:35357/v3"
    export OS_IDENTITY_API_VERSION=3
    export OS_AUTH_VERSION=3
    export OS_USERNAME="userr"
    export OS_PASSWORD=""
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_PROJECT_DOMAIN_NAME=Default
  5. Make sure that the object user resolves on every protocol node and that the same UID and GID are returned on each node.
    The following example lists the UID and GID for the object user userr; run it on each protocol node and compare the results:
    id userr
    uid=1101(userr) gid=1000(testgrp) groups=1000(testgrp),1002(testgrp2)
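The checks in steps 2, 3 and 5 are easy to get wrong by eye when there are several protocol nodes and several servers. The following POSIX shell script is an added example, not IBM's code, that turns them into a pass/fail result. It parses the mmuserauth service list output for the FILE and OBJECT sections and compares their type and SERVERS value, then compares the uid/gid reported by id on every node. The sample listing and the node-prefixed id lines are constructed from the values on this page; the mmdsh invocation and the cesNodes node class in the trailing comment are assumptions, not something the page specifies.

```shell
#!/bin/sh
# Added example, not part of IBM Storage Scale: automates the checks from
# steps 2, 3 and 5 against captured command output so the result is a clear
# pass/fail instead of an eyeball comparison.

# Constructed sample of 'mmuserauth service list' output, trimmed to the
# lines the checks need (values taken from the listing on this page).
SAMPLE_AUTH='FILE access configuration : LDAP
PARAMETERS VALUES
-------------------------------------------------
ENABLE_SERVER_TLS false
USER_NAME cn=manager,dc=sonasldap,dc=com
SERVERS 9.118.37.234
BASE_DN dc=sonasldap,dc=com

OBJECT access configuration : LDAP
PARAMETERS VALUES
-------------------------------------------------
USER_NAME cn=manager,dc=sonasldap,dc=com
SERVERS 9.118.37.234
BASE_DN dc=sonasldap,dc=com
KS_ADMIN_USER userr'

# Constructed sample of 'id userr' collected from three protocol nodes, one
# line per node prefixed with the node name (the shape assumed for a
# cluster-wide shell such as mmdsh).
SAMPLE_IDS='node1: uid=1101(userr) gid=1000(testgrp) groups=1000(testgrp),1002(testgrp2)
node2: uid=1101(userr) gid=1000(testgrp) groups=1000(testgrp),1002(testgrp2)
node3: uid=1101(userr) gid=1000(testgrp) groups=1000(testgrp),1002(testgrp2)'

# Print "<type> <servers>" for one section (FILE or OBJECT) of the listing
# read on stdin; an absent section yields an empty type. Reassigning $1
# makes awk rebuild the line, which also drops trailing whitespace.
auth_section() {
  awk -v want="$1" '
    /^[A-Z]+ access configuration/ { sec = $1; if (sec == want) type = $NF; next }
    sec == want && $1 == "SERVERS"  { $1 = ""; sub(/^ +/, ""); servers = $0 }
    END { printf "%s %s\n", type, servers }'
}

# Steps 2 and 3: succeed only when FILE and OBJECT use the same type (AD or
# LDAP) and the same SERVERS value. Takes the full listing as its argument.
check_shared_auth() {
  sa_file=$(printf '%s\n' "$1" | auth_section FILE)
  sa_obj=$(printf '%s\n' "$1" | auth_section OBJECT)
  sa_ftype=${sa_file%% *}; sa_fserv=${sa_file#* }
  sa_otype=${sa_obj%% *};  sa_oserv=${sa_obj#* }
  case "$sa_ftype" in
    AD|LDAP) ;;
    *) echo "FILE auth type '$sa_ftype' is not AD or LDAP"; return 1 ;;
  esac
  [ "$sa_ftype" = "$sa_otype" ] ||
    { echo "type mismatch: FILE=$sa_ftype OBJECT=$sa_otype"; return 1; }
  [ "$sa_fserv" = "$sa_oserv" ] ||
    { echo "server mismatch: FILE=$sa_fserv OBJECT=$sa_oserv"; return 1; }
  echo "FILE and OBJECT both use $sa_ftype via $sa_fserv"
}

# Step 5: succeed only when every node resolves the user to the same uid and
# gid. A node where 'id' failed has no uid= field and is reported as
# unresolved; empty input is a failure, not a pass.
check_id_consistent() {
  printf '%s\n' "$1" | awk '
    BEGIN { bad = 0 }
    NF == 0 { next }
    {
      node = $1; sub(/:$/, "", node)
      uid = ""; gid = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^uid=/) uid = $i
        if ($i ~ /^gid=/) gid = $i
      }
      if (uid == "" || gid == "") { printf "%s: user not resolved\n", node; bad = 1; next }
      key = uid " " gid
      if (ref == "") { ref = key; refnode = node }
      else if (key != ref) { printf "%s: %s differs from %s on %s\n", node, key, ref, refnode; bad = 1 }
    }
    END { if (ref == "") { print "no id output"; bad = 1 } exit bad }'
}

# With live data, replace the samples by command output, for example
# (the mmdsh call and the cesNodes class name are assumptions):
#   check_shared_auth "$(mmuserauth service list)"
#   check_id_consistent "$(mmdsh -N cesNodes id userr 2>&1)"
check_shared_auth "$SAMPLE_AUTH" && check_id_consistent "$SAMPLE_IDS"
```

The server comparison is deliberately strict: with AD and several domain controllers it will flag differing SERVERS values, which is exactly the case the note in step 3 asks the administrator to review by hand.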