Configuring LDAP-based authentication for file access
LDAP-based authentication is useful when an external LDAP server stores user information and user passwords. With this authentication method, LDAP serves as both the authentication server and the ID mapping server for NFS and SMB. If you plan to provide SMB access, the appropriate SMB schema must be uploaded to the LDAP server. LDAP-based authentication can be configured in the following ways:
- LDAP with TLS
- LDAP with Kerberos
- LDAP with TLS and Kerberos
- LDAP
Using LDAP with TLS secures the communication between the IBM Spectrum Scale™ system and the LDAP server, assuming that the LDAP server is configured for TLS.
You can use LDAP with Kerberos for higher security. Kerberos is a network authentication protocol that provides secure communication by ensuring that passwords are not sent over the network to the system. LDAP with Kerberos is typically used where an MIT KDC infrastructure already exists and is used for various Kerberized applications, or where you want Kerberized NFS and SMB access for higher security.
The LDAP server might need to handle login requests and ID mapping requests from clients that use the SMB protocol. ID mapping requests are usually cached, so they do not contribute to the load on the LDAP server unless the ID mapping cache is cleared by a maintenance action. If the LDAP server cannot handle the load or a high number of connections, responses to login requests are slow or might time out. In such cases, users need to retry their login requests.
See Integrating with LDAP server for more information on the prerequisites for integrating an LDAP server with the IBM Spectrum Scale system.