Configuring LDAP with TLS for file access

You can configure LDAP with TLS as the authentication method for file access. Using TLS with LDAP provides a secure communication channel between the IBM Spectrum Scale™ system and the LDAP server.

In the following example, LDAP is configured with TLS as the authentication method for file access.
  1. Ensure that the CA certificate for the LDAP server is placed in the /var/mmfs/tmp directory with the name ldap_cacert.pem on the protocol node where the command is run. Validate that the CA certificate is available with the required name at the required location as shown in the following example:
    # stat /var/mmfs/tmp/ldap_cacert.pem
    File: ‘/var/mmfs/tmp/ldap_cacert.pem’
    Size: 2130 Blocks: 8 IO Block: 4096 regular file
    Device: fd00h/64768d Inode: 103169903 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
    Context: unconfined_u:object_r:user_tmp_t:s0
    Access: 2015-01-23 12:37:34.088837381 +0530
    Modify: 2015-01-23 12:16:24.438837381 +0530
    Change: 2015-01-23 12:16:24.438837381 +0530
  2. Issue the mmuserauth service create command as shown in the following example:
    # mmuserauth service create --type ldap --data-access-method file \
    --servers myLDAPserver --base-dn dc=example,dc=com \
    --user-name cn=manager,dc=example,dc=com --password secret \
    --netbios-name ess --enable-server-tls
    The system displays the following output:
    File authentication configuration completed successfully.
  3. Issue the mmuserauth service list command to see the current authentication configuration as shown in the following example:
    # mmuserauth service list
    The system displays the following output:
    FILE access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_SERVER_TLS        true
    ENABLE_KERBEROS          false
    USER_NAME                cn=manager,dc=example,dc=com
    SERVERS                  myLDAPserver
    NETBIOS_NAME             ess
    BASE_DN                  dc=example,dc=com
    USER_DN                  none
    GROUP_DN                 none
    NETGROUP_DN              none
    USER_OBJECTCLASS         posixAccount
    GROUP_OBJECTCLASS        posixGroup
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    KERBEROS_SERVER          none
    KERBEROS_REALM           none
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
  4. Verify that a user that is present in LDAP resolves on the system:
    # id ldapuser2
    uid=1001(ldapuser2) gid=1001(ldapuser2) groups=1001(ldapuser2)
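The following script is an added example, not part of the IBM documentation, that automates the validation in step 1 before the mmuserauth command from step 2 is run. Because --enable-server-tls makes the Spectrum Scale system trust whatever CA certificate is in /var/mmfs/tmp/ldap_cacert.pem, the check confirms that the file is present on this node, is a PEM certificate, and cannot be modified by group or other users (a writable trust anchor would let an attacker substitute their own CA). It assumes a POSIX sh with find(1) and grep(1); the optional `deep` argument, which uses openssl(1) to confirm the certificate is marked CA:TRUE, is this example's own convention.

```shell
#!/bin/sh
# Pre-flight check for the CA certificate used by --enable-server-tls.
# Added example; not code from the IBM Spectrum Scale documentation.

# check_ldap_cacert [PATH] [deep]
# Returns 0 when PATH is a readable PEM certificate that group/others cannot
# write; prints the reason and returns 1 otherwise. With "deep" as the second
# argument, openssl must also parse the file and report basicConstraints CA:TRUE.
check_ldap_cacert() {
    f="${1:-/var/mmfs/tmp/ldap_cacert.pem}"   # documented default location
    mode="${2:-basic}"

    # mmuserauth reads the certificate locally on the protocol node where it
    # runs, so the file must exist here as a regular, readable file.
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is not a regular file on this node" >&2
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "FAIL: $f is not readable" >&2
        return 1
    fi

    # A trust anchor that group or world can modify could be replaced by an
    # attacker-controlled CA, which would make the TLS validation meaningless.
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "FAIL: $f is writable by group or others" >&2
        return 1
    fi

    # The file must contain at least one PEM CERTIFICATE block.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
       || ! grep -q -- '-----END CERTIFICATE-----' "$f"; then
        echo "FAIL: $f does not contain a PEM CERTIFICATE block" >&2
        return 1
    fi

    # Optional deeper check: parse with openssl and confirm it is a CA cert.
    if [ "$mode" = "deep" ]; then
        if ! command -v openssl >/dev/null 2>&1; then
            echo "FAIL: deep check requested but openssl is not installed" >&2
            return 1
        fi
        if ! openssl x509 -noout -in "$f" >/dev/null 2>&1; then
            echo "FAIL: openssl cannot parse $f as an X.509 certificate" >&2
            return 1
        fi
        if ! openssl x509 -noout -text -in "$f" 2>/dev/null | grep -q 'CA:TRUE'; then
            echo "FAIL: $f lacks basicConstraints CA:TRUE (not a CA certificate)" >&2
            return 1
        fi
    fi

    echo "OK: $f is usable as the LDAP server CA certificate"
    return 0
}

# Usage on a protocol node (values are the placeholders from the documented
# example; only run mmuserauth when the check passes):
#   check_ldap_cacert /var/mmfs/tmp/ldap_cacert.pem deep && \
#     mmuserauth service create --type ldap --data-access-method file \
#       --servers myLDAPserver --base-dn dc=example,dc=com \
#       --user-name cn=manager,dc=example,dc=com --password secret \
#       --netbios-name ess --enable-server-tls
```

The permission test is deliberately stricter than the 0644 shown in the stat output of step 1: that mode passes, while anything group- or world-writable is rejected even though mmuserauth itself would accept it.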