AD authentication with LDAP ID mapping provides a way for IBM Spectrum Scale™ to read ID
mappings from an LDAP server as defined in RFC 2307. The LDAP server
must be a stand-alone LDAP server. Mappings must be provided in advance
by the administrator by creating the user accounts in the AD server
and the posixAccount and posixGroup objects in the LDAP server. The
names in the AD server and in the LDAP server have to be the same.
This ID mapping approach allows the continued use of existing LDAP
authentication servers that store records in the RFC 2307 format. The
group memberships defined in the AD server are also honored in
the system.
In the following example, AD is configured with LDAP ID mapping.
- Submit the mmuserauth service create command as shown in the following example:
mmuserauth service create --data-access-method file --type ad --servers myADserver \
  --user-name administrator --password Passw0rd --netbios-name specscale \
  --idmap-role master \
  --ldapmap-domains "DOMAIN1(type=stand-alone:range=1000-100000:ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=manager,dc=example,dc=com:bind_dn_pwd=password)"
Note: The bind_dn_pwd value (the LDAP bind password) cannot contain the
following special characters: semicolon (;), colon (:), opening
parenthesis '(' or closing parenthesis ')'.
The system displays the following output:
File authentication configuration completed successfully.
- Issue the mmuserauth service list command to verify the authentication
configuration as shown in the following example:
# mmuserauth service list
The system displays the following output:
FILE access configuration : AD
PARAMETERS VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS false
SERVERS myADserver
USER_NAME administrator
NETBIOS_NAME specscale
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS none
LDAPMAP_DOMAINS DOMAIN1(type=stand-alone:range=1000-100000:
ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:
grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=manager,dc=example,dc=com)
- Verify user name resolution on the system. Confirm that the resolution
shows IDs that are pulled from LDAP attributes on the AD server:
# id DOMAIN\\administrator
uid=10002(DOMAIN\administrator) gid=10000(DOMAIN\domain users) groups=10000(DOMAIN\domain users)
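The following Python script is an added example, not IBM code and not part of the mmuserauth tooling. It ties the steps above together as a set of offline sanity checks: it parses the --ldapmap-domains specification used in the create command, enforces the documented restriction on characters in bind_dn_pwd (those characters are the specification's own delimiters, which is why they cannot appear in the password), and cross-checks the output of id(1) against a constructed RFC 2307 LDIF fragment of the kind the administrator must load into the stand-alone LDAP server. It also checks that the returned UID and GID fall inside the range given in the specification rather than in the automatically allocated IDMAP_RANGE, which is the quickest way to tell whether a user was resolved through LDAP or fell back to automatic allocation. The sample LDIF, the sample id(1) line and the helper names are all constructed for this example.

```python
"""Offline checks for an AD + LDAP (RFC 2307) ID mapping configuration.

Added example: parses an mmuserauth --ldapmap-domains spec, validates the
bind password constraint, and confirms that id(1) output agrees with the
posixAccount/posixGroup objects in LDAP and lies in the configured range.
"""
import re

# Characters the documentation does not allow in bind_dn_pwd. ':' and the
# parentheses delimit fields in the spec itself; ';' separates domains.
FORBIDDEN_PWD_CHARS = set(";:()")

SPEC_RE = re.compile(r"^(?P<domain>[^(]+)\((?P<body>.*)\)$", re.S)
ID_RE = re.compile(r"uid=(\d+)\([^)]*\)\s+gid=(\d+)\([^)]*\)")

# Spec string as used in the create command on this page.
SAMPLE_SPEC = (
    "DOMAIN1(type=stand-alone:range=1000-100000"
    ":ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com"
    ":grp_dn=ou=Groups,dc=example,dc=com"
    ":bind_dn=cn=manager,dc=example,dc=com:bind_dn_pwd=password)"
)

# Constructed RFC 2307 objects of the kind the administrator creates in the
# stand-alone LDAP server; names match the AD user and group.
SAMPLE_LDIF = """\
dn: uid=administrator,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: administrator
uid: administrator
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/administrator

dn: cn=domain users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: domain users
gidNumber: 10000
"""

# id(1) output line as shown in the verification step.
SAMPLE_ID_LINE = (
    "uid=10002(DOMAIN\\administrator) gid=10000(DOMAIN\\domain users) "
    "groups=10000(DOMAIN\\domain users)"
)


def parse_ldapmap_domains(spec: str) -> dict:
    """Parse 'DOMAIN(key=value:key=value...)' into a dict; range -> (lo, hi)."""
    compact = re.sub(r"\s+", "", spec)  # tolerate wrapped/spaced input
    m = SPEC_RE.match(compact)
    if not m:
        raise ValueError("spec must look like DOMAIN(key=value:key=value)")
    fields = {"domain": m.group("domain")}
    for item in m.group("body").split(":"):
        key, sep, value = item.partition("=")  # DNs contain '=' themselves
        if not sep:
            raise ValueError(f"malformed field {item!r} (stray ':' in a value?)")
        fields[key] = value
    lo, hi = fields["range"].split("-")
    fields["range"] = (int(lo), int(hi))
    return fields


def bind_password_is_valid(pwd: str) -> bool:
    """True when the password avoids the characters the doc forbids."""
    return not (set(pwd) & FORBIDDEN_PWD_CHARS)


def parse_id_output(line: str) -> tuple:
    """Return (uid, gid) from an id(1) output line."""
    m = ID_RE.search(line)
    if not m:
        raise ValueError("unrecognised id(1) output")
    return int(m.group(1)), int(m.group(2))


def ids_from_ldap_range(line: str, spec: dict) -> bool:
    """True when both uid and gid lie inside the spec's LDAP range."""
    lo, hi = spec["range"]
    uid, gid = parse_id_output(line)
    return lo <= uid <= hi and lo <= gid <= hi


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: blank-line separated entries, attr: value lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def ldap_ids_for(user: str, entries: list) -> tuple:
    """(uidNumber, gidNumber) of the posixAccount whose uid is `user`."""
    for e in entries:
        if "posixAccount" in e.get("objectClass", []) and e.get("uid") == [user]:
            return int(e["uidNumber"][0]), int(e["gidNumber"][0])
    raise LookupError(f"no posixAccount for {user}")


def mapping_consistent(id_line: str, ldif_text: str, spec: dict,
                       user: str = "administrator") -> bool:
    """id(1) agrees with LDAP and both IDs come from the configured range."""
    got = parse_id_output(id_line)
    want = ldap_ids_for(user, parse_ldif(ldif_text))
    return got == want and ids_from_ldap_range(id_line, spec)


if __name__ == "__main__":
    spec = parse_ldapmap_domains(SAMPLE_SPEC)
    print("bind password ok:", bind_password_is_valid(spec["bind_dn_pwd"]))
    print("mapping consistent:", mapping_consistent(SAMPLE_ID_LINE, SAMPLE_LDIF, spec))
```

A UID such as 10000002 in id(1) output would fail ids_from_ldap_range for this spec: it lies in the automatic IDMAP_RANGE (10000000-299999999) shown by mmuserauth service list, which means the user was not matched to a posixAccount in LDAP and was assigned an ID automatically.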