Configuring LDAP with TLS for file access
You can configure LDAP with TLS as the authentication method for file access. Using TLS with LDAP provides a secure, encrypted communication channel between the IBM Storage Scale system and the LDAP server.
In the following example, LDAP is configured with TLS as the authentication method for file access.
- Ensure that the CA certificate for the LDAP server is placed under the /var/mmfs/tmp directory with the name ldap_cacert.pem, on the protocol node where the command is run. Verify that the CA certificate is available with that name at that location, as shown in the following example:
      stat /var/mmfs/tmp/ldap_cacert.pem
        File: /var/mmfs/tmp/ldap_cacert.pem
        Size: 2130            Blocks: 8          IO Block: 4096   regular file
      Device: fd00h/64768d    Inode: 103169903   Links: 1
      Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
      Context: unconfined_u:object_r:user_tmp_t:s0
      Access: 2015-01-23 12:37:34.088837381 +0530
      Modify: 2015-01-23 12:16:24.438837381 +0530
      Change: 2015-01-23 12:16:24.438837381 +0530
- Issue the mmuserauth service create command as shown in the following example:
      mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --netbios-name ess --enable-server-tls
  A sample output is as follows:
      File authentication configuration completed successfully.
- Issue the mmuserauth service list command to see the current authentication configuration as shown in the following example:
      mmuserauth service list
  A sample output is as follows:
      FILE access configuration : LDAP
      PARAMETERS               VALUES
      -------------------------------------------------
      ENABLE_SERVER_TLS        true
      ENABLE_KERBEROS          false
      USER_NAME                cn=manager,dc=example,dc=com
      SERVERS                  myLDAPserver
      NETBIOS_NAME             ess
      BASE_DN                  dc=example,dc=com
      USER_DN                  none
      GROUP_DN                 none
      NETGROUP_DN              none
      USER_OBJECTCLASS         posixAccount
      GROUP_OBJECTCLASS        posixGroup
      USER_NAME_ATTRIB         cn
      USER_ID_ATTRIB           uid
      KERBEROS_SERVER          none
      KERBEROS_REALM           none

      OBJECT access not configured
      PARAMETERS               VALUES
      -------------------------------------------------
- Verify that a user present in LDAP resolves on the system:
      id ldapuser2
      uid=1001(ldapuser2) gid=1001(ldapuser2) groups=1001(ldapuser2)
- To configure an IBM Storage Scale system with LDAP that has TLS and an IPv6 address, issue the following command:
      mmuserauth service create --type ldap --data-access-method file --servers [2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-server-tls
  A sample output is as follows:
      File Authentication configuration completed successfully.
- To verify the authentication configuration with LDAP that has TLS and an IPv6 address, issue the mmuserauth service list command as shown in the following example:
      mmuserauth service list
  A sample output is as follows:
      FILE access configuration : LDAP
      PARAMETERS               VALUES
      -------------------------------------------------
      ENABLE_SERVER_TLS        true
      ENABLE_KERBEROS          false
      USER_NAME                cn=ldapuser,dc=example,dc=com
      SERVERS                  [2001:192::e61f:122:feb7:5df0]
      NETBIOS_NAME             specscale
      BASE_DN                  dc=example,dc=com
      USER_DN                  none
      GROUP_DN                 none
      NETGROUP_DN              none
      USER_OBJECTCLASS         posixAccount
      GROUP_OBJECTCLASS        posixGroup
      USER_NAME_ATTRIB         cn
      USER_ID_ATTRIB           uid
      KERBEROS_SERVER          none
      KERBEROS_REALM           none

      OBJECT access not configured
      PARAMETERS               VALUES
      -------------------------------------------------
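The procedure above has two points where an operator typically wants a mechanical check: before running mmuserauth service create, that the CA certificate really is a parseable PEM certificate at /var/mmfs/tmp/ldap_cacert.pem, and after it, that mmuserauth service list reports ENABLE_SERVER_TLS true rather than a silently non-TLS LDAP binding. The following script is an added example and is not IBM's code; the path and file name come from the page, the openssl check and the helper names (check_ca_cert, auth_param, tls_enabled) are my own, and SAMPLE_LIST_OUTPUT is constructed from the page's sample output so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation.
# Pre-flight: confirm the CA certificate is in place and parseable.
# Post-check: parse `mmuserauth service list` output and insist on TLS.
# CA_CERT defaults to the path the page uses; override via the environment.

CA_CERT="${CA_CERT:-/var/mmfs/tmp/ldap_cacert.pem}"

# check_ca_cert FILE: succeed only if FILE is a regular file containing a PEM
# certificate that openssl can parse (the openssl step is skipped when the
# tool is not installed, so the grep is the minimum check).
check_ca_cert() {
    f="$1"
    [ -f "$f" ] || { echo "CA cert missing: $f" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "not a PEM certificate: $f" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$f" -noout >/dev/null 2>&1 \
            || { echo "openssl cannot parse: $f" >&2; return 1; }
    fi
    return 0
}

# auth_param PARAM: read `mmuserauth service list` output on stdin and print
# the value of PARAM (first match only, so the FILE section wins over OBJECT).
# Usage on a protocol node: mmuserauth service list | auth_param SERVERS
auth_param() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# tls_enabled OUTPUT: succeed only if OUTPUT shows LDAP file access with
# ENABLE_SERVER_TLS true. Any other state (no file auth, LDAP without TLS)
# fails, which is the condition an operator wants to be alerted on.
tls_enabled() {
    method=$(printf '%s\n' "$1" \
        | awk -F' : ' '/^FILE access configuration/ { print $2; exit }')
    tls=$(printf '%s\n' "$1" | auth_param ENABLE_SERVER_TLS)
    [ "$method" = "LDAP" ] && [ "$tls" = "true" ]
}

# Constructed sample mirroring the page's `mmuserauth service list` output.
SAMPLE_LIST_OUTPUT='FILE access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_SERVER_TLS        true
ENABLE_KERBEROS          false
USER_NAME                cn=manager,dc=example,dc=com
SERVERS                  myLDAPserver
NETBIOS_NAME             ess
BASE_DN                  dc=example,dc=com
USER_OBJECTCLASS         posixAccount
GROUP_OBJECTCLASS        posixGroup

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------'

# Run both checks. On a protocol node replace SAMPLE_LIST_OUTPUT with
# "$(mmuserauth service list)" to check the live configuration.
if check_ca_cert "$CA_CERT"; then
    echo "CA cert OK: $CA_CERT"
fi
if tls_enabled "$SAMPLE_LIST_OUTPUT"; then
    servers=$(printf '%s\n' "$SAMPLE_LIST_OUTPUT" | auth_param SERVERS)
    echo "LDAP file access to $servers uses server TLS"
else
    echo "WARNING: LDAP file access is not protected by TLS" >&2
fi
```

Because auth_param stops at the first match, it returns the FILE section's values even though the OBJECT section repeats the PARAMETERS/VALUES header; if object access is ever configured on the same node, split the output on the "OBJECT access" line before parsing the second section.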