Configuring an AD-based authentication for object access

You can configure Keystone with an external AD server as the authentication back-end so that AD users can access the object store by using their AD credentials. The same AD server can be used for both object access and file access.

The AD server is set up to handle the authentication requests, and it is used as an LDAP server. Unlike file access, object access does not support multiple AD domains.

Prerequisites

Ensure that you have the following details before you start AD-based authentication configuration:
  • AD server details such as IP address or host name, user name, user password, base dn, and user dn.
  • If you want to configure TLS with AD for secure communication between Keystone and AD, you must place the CA certificate that signed the AD server's TLS certificate at the following location on the node on which the mmuserauth service create command is run:
    • /var/mmfs/tmp/ldap_cacert.pem
  • The secret key that you provided for encrypting and decrypting passwords, unless you have disabled prompting for the key.

See Integrating with AD server for more information on the prerequisites for integrating AD server with the IBM Spectrum Scale system.

The following parameters must be used with mmuserauth service create command to configure AD-based authentication for object access:
  • --type ad
  • --data-access-method object
  • --servers IP address or host name of AD. All user lookups by Keystone are done only against this server. If multiple servers are specified, only the first server is used and the rest are ignored.
  • --base-dn ldapBase
  • { --enable-anonymous-bind | --user-name BindDN --password BindPwd } You must specify either --enable-anonymous-bind, or both --user-name and --password.
  • --enable-server-tls, if TLS needs to be enabled
  • --user-dn ldapUserSuffix, the LDAP container from which users are looked up.
  • --ks-dns-name keystoneDNSName
  • --ks-admin-user keystoneAdminUser from AD
  • --enable-ks-ssl, if SSL needs to be enabled. You need to have another set of certificates that are placed in the standard directory.
  • --enable-ks-casigning, if you want to use external CA signed certificate for token signing
  • --ks-swift-user Swift_Service_User from AD
  • --ks-swift-pwd Swift_Service_User’s Password from AD

For more information on each parameter, see the mmuserauth service create command.
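The following dry-run helper is an added example and is not part of the IBM Spectrum Scale documentation or product. It assembles the mmuserauth service create command from the parameters listed above, enforces the either/or rule for anonymous bind versus --user-name/--password, checks that the CA certificate named in the prerequisites is present on the node before --enable-server-tls is emitted, and warns when more than one server is given because Keystone only uses the first. The variable names (AD_SERVERS, AD_BIND_DN, KS_DNS_NAME and so on), the example.test host names and all credential values are constructed for illustration. The helper only prints the command so that it can be reviewed; it never runs it.

```shell
#!/bin/sh
# Added example (not IBM's code): build and sanity-check the
# 'mmuserauth service create' command for AD-based object authentication.
# The command is printed to stdout and never executed.

# Location the documentation names for the AD CA certificate used with
# --enable-server-tls. Overridable so the check can be exercised without
# touching /var/mmfs on a test machine.
LDAP_CACERT="${LDAP_CACERT:-/var/mmfs/tmp/ldap_cacert.pem}"

# Reads these (hypothetical) shell variables:
#   AD_SERVERS AD_BASE_DN AD_USER_DN KS_DNS_NAME KS_ADMIN_USER
#   KS_SWIFT_USER KS_SWIFT_PWD                      (required)
#   AD_ANONYMOUS_BIND=0|1  AD_BIND_DN  AD_BIND_PWD  (bind method)
#   ENABLE_SERVER_TLS ENABLE_KS_SSL ENABLE_KS_CASIGNING=0|1
# Returns 0 and prints the command on success; returns 1 with the reason
# on stderr when a prerequisite or the option rules are not met.
# Values are single-quoted in the output, so they must not contain quotes.
build_ad_object_auth_cmd() {
    for v in AD_SERVERS AD_BASE_DN AD_USER_DN KS_DNS_NAME KS_ADMIN_USER \
             KS_SWIFT_USER KS_SWIFT_PWD; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing required value: $v" >&2
            return 1
        fi
    done

    # Keystone looks up users only against the first server listed; make the
    # silent drop of the others visible instead of letting it surprise later.
    case "$AD_SERVERS" in
        *,*) echo "warning: only the first server in '$AD_SERVERS' is used by Keystone" >&2 ;;
    esac

    # Exactly one of: anonymous bind, or bind DN plus password.
    if [ "${AD_ANONYMOUS_BIND:-0}" = 1 ]; then
        if [ -n "${AD_BIND_DN:-}" ] || [ -n "${AD_BIND_PWD:-}" ]; then
            echo "--enable-anonymous-bind cannot be combined with --user-name/--password" >&2
            return 1
        fi
        bind_opts="--enable-anonymous-bind"
    else
        if [ -z "${AD_BIND_DN:-}" ] || [ -z "${AD_BIND_PWD:-}" ]; then
            echo "set AD_ANONYMOUS_BIND=1 or both AD_BIND_DN and AD_BIND_PWD" >&2
            return 1
        fi
        bind_opts="--user-name '$AD_BIND_DN' --password '$AD_BIND_PWD'"
    fi

    # TLS to AD requires the signing CA certificate on the node running the command.
    tls_opt=""
    if [ "${ENABLE_SERVER_TLS:-0}" = 1 ]; then
        if [ ! -r "$LDAP_CACERT" ]; then
            echo "--enable-server-tls requested but $LDAP_CACERT is not readable on this node" >&2
            return 1
        fi
        tls_opt=" --enable-server-tls"
    fi

    ks_opts=""
    if [ "${ENABLE_KS_SSL:-0}" = 1 ]; then ks_opts="$ks_opts --enable-ks-ssl"; fi
    if [ "${ENABLE_KS_CASIGNING:-0}" = 1 ]; then ks_opts="$ks_opts --enable-ks-casigning"; fi

    cmd="mmuserauth service create --type ad --data-access-method object"
    cmd="$cmd --servers '$AD_SERVERS' --base-dn '$AD_BASE_DN' $bind_opts$tls_opt"
    cmd="$cmd --user-dn '$AD_USER_DN' --ks-dns-name '$KS_DNS_NAME'"
    cmd="$cmd --ks-admin-user '$KS_ADMIN_USER'$ks_opts"
    cmd="$cmd --ks-swift-user '$KS_SWIFT_USER' --ks-swift-pwd '$KS_SWIFT_PWD'"
    printf '%s\n' "$cmd"
}

# Demonstration with constructed values (bind DN + password, Keystone SSL on).
AD_SERVERS="ad1.example.test"
AD_BASE_DN="dc=example,dc=test"
AD_USER_DN="cn=Users,dc=example,dc=test"
KS_DNS_NAME="keystone.example.test"
KS_ADMIN_USER="ksadmin"
KS_SWIFT_USER="swift"
KS_SWIFT_PWD="swift-password-placeholder"
AD_ANONYMOUS_BIND=0
AD_BIND_DN="cn=bindsvc,cn=Users,dc=example,dc=test"
AD_BIND_PWD="bind-password-placeholder"
ENABLE_SERVER_TLS=0
ENABLE_KS_SSL=1
ENABLE_KS_CASIGNING=0
build_ad_object_auth_cmd
```

Run it on a protocol node with the variables set for your environment; once the printed command looks right, run that command directly. When ENABLE_SERVER_TLS=1 the helper refuses to emit the command until /var/mmfs/tmp/ldap_cacert.pem is readable, which matches the prerequisite above that the certificate lives on the node where mmuserauth service create is executed.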

To change the authentication method that is already configured for object access, you need to remove the authentication method and ID mappings. For more information, see Deleting the authentication and the ID mapping configuration.