Active Directory (AD) authentication with Lightweight Directory Access Protocol (LDAP) ID mapping provides a way for IBM Storage Scale to read ID mappings from an LDAP server as defined in RFC 2307. The LDAP server must be a stand-alone LDAP server. The administrator must provide the mappings in advance by creating the user accounts in the AD server and the posixAccount and posixGroup objects in the LDAP server. The names in the AD server and in the LDAP server must be the same. This ID-mapping approach allows the continued use of existing LDAP authentication servers that store records in the RFC 2307 format. The group memberships that are defined in the AD server are also accepted in the system.
In the following example, AD is configured with LDAP ID mapping.
- Submit the mmuserauth service create command as shown in the following example:
mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name administrator --netbios-name specscale --idmap-role master --ldapmap-domains "DOMAIN1(type=stand-alone:range=1000-100000:ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=manager,dc=example,dc=com:bind_dn_pwd=password)"
Note: The bind_dn_pwd cannot contain the following special characters: semicolon (;), colon (:), opening parenthesis '(', or closing parenthesis ')'.
A sample output is as follows:
File authentication configuration completed successfully.
- Issue the mmuserauth service list command to verify the authentication configuration as shown in the following example:
mmuserauth service list
A sample output is as follows:
FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
SERVERS                  "*"
USER_NAME                specscale$
NETBIOS_NAME             specscale
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          none
LDAPMAP_DOMAINS          DOMAIN1(type=stand-alone: range=1000-100000:ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=manager,dc=example,dc=com)
- Verify the user name resolution on the system. Confirm that the resolution shows IDs that are pulled from LDAP attributes on the AD server:
id DOMAIN\\administrator
uid=10002(DOMAIN\administrator) gid=10000(DOMAIN\domain users) groups=10000(DOMAIN\domain users)
- To configure an IBM Storage Scale system with an Active Directory server that has an IPv6 address and LDAP ID mapping, issue the following command:
mmuserauth service create --type ad --data-access-method file --servers [2001:192::e61f:122:feb7:5df0] --netbios-name specscale --user-name adUser --idmap-role master --ldapmap-domains "TESTDOMAIN(type=stand-alone: range=1000-10000:ldap_srv=[2001:192::e61f:122:feb7:5bf0]:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=ldapuser,dc=example,dc=com:bind_dn_pwd=password)"
A sample output is as follows:
File Authentication configuration completed successfully.
- To verify the authentication configuration with an Active Directory server that has an IPv6 address, issue the mmuserauth service list command as shown in the following example:
mmuserauth service list
A sample output is as follows:
FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
SERVERS                  "*"
USER_NAME                adUser$
NETBIOS_NAME             specscale
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          none
LDAPMAP_DOMAINS          TESTDOMAIN(type=stand-alone: range=1000-10000:ldap_srv=[2001:192::e61f:122:feb7:5bf0]:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=ldapuser,dc=example,dc=com)
OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------
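The steps above hinge on getting the --ldapmap-domains string right, and the IPv6 variant shows why it is easy to get wrong: the field separator is a colon, and an IPv6 literal in ldap_srv is full of colons. The following added example (written for this page, not part of IBM Storage Scale or its documentation) parses such a string the way the examples above use it, checks the bind_dn_pwd restriction from the note and the LOW-HIGH shape of the range, and checks that the IDs in `id` output fall inside the LDAP map range rather than the automatic IDMAP_RANGE. It assumes the keys used in this page's examples are the required ones; the sample string and `id` line are constructed from the page's values.

```python
import re
# bind_dn_pwd may not contain these (note on this page); ':' and '()' are also
# the delimiters of the --ldapmap-domains syntax that this parser relies on.
FORBIDDEN_PWD_CHARS = set(";:()")
# Keys present in every example on this page (assumed here to be required).
EXPECTED_KEYS = ("type", "range", "ldap_srv", "usr_dn", "grp_dn", "bind_dn", "bind_dn_pwd")
# Constructed samples modelled on the page's IPv6 command and `id` output.
SAMPLE_SPEC = ("TESTDOMAIN(type=stand-alone: range=1000-100000:"
               "ldap_srv=[2001:192::e61f:122:feb7:5bf0]:usr_dn=ou=People,dc=example,dc=com:"
               "grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=ldapuser,dc=example,dc=com:"
               "bind_dn_pwd=password)")
SAMPLE_ID_OUTPUT = "uid=10002(DOMAIN\\administrator) gid=10000(DOMAIN\\domain users) groups=10000(DOMAIN\\domain users)"

def _split_on_colons(body):
    """Split on ':' except inside [...], so an IPv6 literal in ldap_srv survives."""
    fields, current, depth = [], [], 0
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return [f.strip() for f in fields if f.strip()]

def parse_ldapmap_domains(spec):
    """Parse 'DOMAIN(key=value:...)' into {domain: {key: value}}; split each field on its first '=' only, since DNs contain '='."""
    domains = {}
    for name, body in re.findall(r"([^()\s]+)\(([^()]*)\)", spec):
        pairs = (f.split("=", 1) for f in _split_on_colons(body) if "=" in f)
        domains[name] = {k.strip(): v.strip() for k, v in pairs}
    return domains

def validate_domain(cfg):
    """Return a list of problems; an empty list means the definition looks sane."""
    problems = [f"missing {k}" for k in EXPECTED_KEYS if k not in cfg]
    bad = sorted(FORBIDDEN_PWD_CHARS & set(cfg.get("bind_dn_pwd", "")))
    if bad:
        problems.append(f"bind_dn_pwd contains forbidden characters {bad}")
    m = re.fullmatch(r"(\d+)-(\d+)", cfg.get("range", ""))
    if not m or int(m.group(1)) >= int(m.group(2)):
        problems.append(f"range must be LOW-HIGH with LOW < HIGH, got {cfg.get('range')!r}")
    return problems

def ids_within_range(id_output, rng):
    """True when every ID in `id` output lies inside the LDAP map range (i.e. it came from the RFC 2307 attributes, not from IDMAP_RANGE)."""
    low, high = (int(x) for x in rng.split("-"))
    numbers = [int(n) for n in re.findall(r"(\d+)\(", id_output)]
    return bool(numbers) and all(low <= n <= high for n in numbers)
```

An ID that instead lands inside the IDMAP_RANGE shown by mmuserauth service list is a sign that the LDAP mapping was not applied for that domain and the ID was auto-allocated.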