Configuring LDAP with Kerberos for file access
You can configure LDAP with Kerberos as the authentication method for file access. Using Kerberos with LDAP strengthens file access authentication: NFS and SMB clients prove their identity with Kerberos tickets issued by the Kerberos server instead of presenting passwords to the IBM Storage Scale system. Note that Kerberos does not protect the directory lookups between the IBM Storage Scale system and the LDAP server; in the sample output below ENABLE_SERVER_TLS is false, so enable server TLS separately if that channel must be encrypted.
Example for configuring LDAP with Kerberos as the authentication method for file access:
- Ensure that the keytab file is also placed under the /var/mmfs/tmp directory with the name krb5_scale.keytab on the node where the command is run. The keytab holds the long-term service key, so it must be owned by root and readable only by root (mode 0600), as in the output below.
  Validate that the keytab file is present with the required name at the required location:
  stat /var/mmfs/tmp/krb5_scale.keytab
    File: /var/mmfs/tmp/krb5_scale.keytab
    Size: 1490      Blocks: 8          IO Block: 4096   regular file
  Device: fd00h/64768d    Inode: 68252098    Links: 1
  Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
  Context: unconfined_u:object_r:user_tmp_t:s0
  Access: 2021-05-26 06:52:49.511820164 -0400
  Modify: 2021-04-28 09:52:07.661820164 -0400
  Change: 2021-05-26 05:15:09.837820164 -0400
   Birth: -
- Issue the mmuserauth service create command as shown in the following example:
  mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --netbios-name ess --enable-kerberos --kerberos-server myKerberosServer --kerberos-realm example.com
  A sample output is as follows:
  File authentication configuration completed successfully.
- Issue the mmuserauth service list command to see the current authentication configuration as shown in the following example:
  mmuserauth service list
  A sample output is as follows:
  FILE access configuration : LDAP
  PARAMETERS                    VALUES
  -------------------------------------------------
  ENABLE_SERVER_TLS             false
  ENABLE_KERBEROS               true
  USER_NAME                     cn=manager,dc=example,dc=com
  SERVERS                       myLDAPserver
  NETBIOS_NAME                  ess
  BASE_DN                       dc=example,dc=com
  USER_DN                       none
  GROUP_DN                      none
  NETGROUP_DN                   none
  USER_OBJECTCLASS              posixAccount
  GROUP_OBJECTCLASS             posixGroup
  USER_NAME_ATTRIB              cn
  USER_ID_ATTRIB                uid
  KERBEROS_SERVER               myKerberosServer
  KERBEROS_REALM                example.com

  OBJECT access not configured
  PARAMETERS                    VALUES
  -------------------------------------------------
- To configure an IBM Storage Scale system with LDAP and Kerberos servers that have IPv6 addresses, issue the following command:
  mmuserauth service create --type ldap --data-access-method file --servers [2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-kerberos --kerberos-server [2001:192::e61f:122:feb7:5dc0]
  A sample output is as follows:
  File Authentication configuration completed successfully.
- To verify the authentication configuration with LDAP and Kerberos servers that have IPv6 addresses, issue the mmuserauth service list command:
  mmuserauth service list
  A sample output is as follows:
  FILE access configuration : LDAP
  PARAMETERS                    VALUES
  -------------------------------------------------
  ENABLE_SERVER_TLS             false
  ENABLE_KERBEROS               true
  USER_NAME                     cn=ldapuser,dc=example,dc=com
  SERVERS                       [2001:192::e61f:122:feb7:5df0]
  NETBIOS_NAME                  specscale
  BASE_DN                       dc=example,dc=com
  USER_DN                       none
  GROUP_DN                      none
  NETGROUP_DN                   none
  USER_OBJECTCLASS              posixAccount
  GROUP_OBJECTCLASS             posixGroup
  USER_NAME_ATTRIB              cn
  USER_ID_ATTRIB                uid
  KERBEROS_SERVER               [2001:192::e61f:122:feb7:5dc0]
  KERBEROS_REALM                MYREALM.com

  OBJECT access not configured
  PARAMETERS                    VALUES
  -------------------------------------------------
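The following script is an added example and not part of the IBM Storage Scale documentation or product. It wraps the procedure above in two checks a practitioner would want: a pre-flight check that the keytab exists at the required path with root-only permissions (the point of the stat step), and a post-check that parses mmuserauth service list output to confirm ENABLE_KERBEROS is true and to warn when ENABLE_SERVER_TLS is false. It assumes a Linux node with GNU coreutils (stat -c) and the two-column PARAMETERS/VALUES layout shown in the sample output; the --run flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight and post-check helpers for the
# "LDAP with Kerberos" procedure above. Assumes GNU stat (Linux node) and
# that `mmuserauth service list` prints "PARAMETER VALUE" rows as shown.

KEYTAB=/var/mmfs/tmp/krb5_scale.keytab   # name and location mmuserauth expects

# check_keytab PATH [UID]
# Returns 0 when PATH is a non-empty regular file owned by UID (default 0,
# root) with mode 600 or 400, i.e. unreadable by any other account.
# The keytab holds the long-term service key, so a wider mode is a finding.
check_keytab() {
    path=$1; want_uid=${2:-0}
    [ -f "$path" ] || { echo "FAIL: $path is not a regular file"; return 1; }
    size=$(stat -c %s "$path")
    uid=$(stat -c %u "$path")
    mode=$(stat -c %a "$path")
    [ "$size" -gt 0 ] || { echo "FAIL: $path is empty"; return 1; }
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $path owned by uid $uid, expected $want_uid"; return 1; }
    case $mode in
        600|400) ;;
        *) echo "FAIL: $path has mode $mode, expected 600 or 400"; return 1 ;;
    esac
    echo "OK: $path ($size bytes, uid $uid, mode $mode)"
    return 0
}

# auth_param NAME: print NAME's value from `mmuserauth service list` output on stdin.
auth_param() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# check_auth_config: read `mmuserauth service list` output from stdin.
# Returns 0 only if Kerberos is enabled; warns when the LDAP channel itself
# is not TLS-protected, which Kerberos does not cover.
check_auth_config() {
    out=$(cat)
    kerb=$(printf '%s\n' "$out" | auth_param ENABLE_KERBEROS)
    tls=$(printf '%s\n' "$out" | auth_param ENABLE_SERVER_TLS)
    realm=$(printf '%s\n' "$out" | auth_param KERBEROS_REALM)
    [ "$kerb" = true ] || { echo "FAIL: ENABLE_KERBEROS is '$kerb'"; return 1; }
    [ "$tls" = true ] || echo "WARN: ENABLE_SERVER_TLS is '$tls'; LDAP lookups are unencrypted"
    echo "OK: Kerberos enabled, realm '$realm'"
    return 0
}

# Stand-alone use on a node (hypothetical --run flag): check the keytab first,
# then verify the live configuration after `mmuserauth service create` ran.
if [ "${1:-}" = --run ]; then
    check_keytab "$KEYTAB" && mmuserauth service list | check_auth_config
fi
```

Run it as `sh check_auth.sh --run` on the node where mmuserauth was issued. The keytab check only inspects the file's metadata; to confirm the keytab actually carries the expected service principal for the realm, inspect it with `klist -kt /var/mmfs/tmp/krb5_scale.keytab` before running mmuserauth service create.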