Configuring LDAP with TLS for file access
You can configure LDAP with TLS as the authentication method for file access. Using TLS with LDAP gives you an encrypted and server-authenticated communication channel between the IBM Spectrum Scale™ system and the LDAP server.
In the following example, LDAP is configured with TLS as the authentication method for file access.
- Ensure that the CA certificate for the LDAP server is placed under the /var/mmfs/tmp directory with the name ldap_cacert.pem, specifically on the protocol node where the command is run. Validate that the CA certificate is available with the expected name at the required location, as shown in the following example:
# stat /var/mmfs/tmp/ldap_cacert.pem
  File: ‘/var/mmfs/tmp/ldap_cacert.pem’
  Size: 2130        Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 103169903   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:user_tmp_t:s0
Access: 2015-01-23 12:37:34.088837381 +0530
Modify: 2015-01-23 12:16:24.438837381 +0530
Change: 2015-01-23 12:16:24.438837381 +0530
- Issue the mmuserauth service create command as shown in the following example:
# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password secret --netbios-name ess --enable-server-tls
The system displays the following output:
File authentication configuration completed successfully.
- Issue the mmuserauth service list command to see the current authentication configuration as shown in the following example:
# mmuserauth service list
The system displays the following output:
FILE access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_SERVER_TLS        true
ENABLE_KERBEROS          false
USER_NAME                cn=manager,dc=example,dc=com
SERVERS                  myLDAPserver
NETBIOS_NAME             ess
BASE_DN                  dc=example,dc=com
USER_DN                  none
GROUP_DN                 none
NETGROUP_DN              none
USER_OBJECTCLASS         posixAccount
GROUP_OBJECTCLASS        posixGroup
USER_NAME_ATTRIB         cn
USER_ID_ATTRIB           uid
KERBEROS_SERVER          none
KERBEROS_REALM           none

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------
- Verify that a user defined in LDAP resolves on the system:
# id ldapuser2
uid=1001(ldapuser2) gid=1001(ldapuser2) groups=1001(ldapuser2)
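The steps above depend on the CA certificate being in place and usable before mmuserauth service create is run with --enable-server-tls; the stat call only proves the file exists. The following pre-flight script is added here as an example and is not part of the IBM documentation or the product. It checks that the file at the page's path /var/mmfs/tmp/ldap_cacert.pem is a PEM certificate that parses, has not expired and cannot be modified by non-root users, and it can additionally confirm that the LDAP server's certificate chain actually verifies against that CA. It assumes openssl is installed on the protocol node; the function names, the ldap_tls_preflight.sh filename and the default LDAPS port 636 are assumptions of this example, not values the page states.

```shell
#!/bin/sh
# Pre-flight checks for the LDAP CA certificate used by
# "mmuserauth service create ... --enable-server-tls".
# Added example; not IBM Spectrum Scale code. Names and the
# default port are assumptions of this example.

# Validate the CA certificate file. Returns 0 when it looks usable.
check_ldap_cacert() {
    cert="${1:-/var/mmfs/tmp/ldap_cacert.pem}"   # path the page uses

    # Must be a regular file at the expected location on this node.
    if [ ! -f "$cert" ]; then
        echo "FAIL: $cert is missing on this protocol node" >&2
        return 1
    fi

    # Must be PEM: at least one BEGIN CERTIFICATE block.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "FAIL: $cert is not a PEM certificate (no BEGIN CERTIFICATE marker)" >&2
        return 1
    fi

    # Trust anchor must not be writable by group or others, otherwise any
    # local user could replace it before the service consumes it.
    # ls -l mode string: position 6 = group write, position 9 = other write.
    mode=$(ls -l "$cert" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*)
            echo "FAIL: $cert is group- or world-writable ($mode); expected 0644 owned by root" >&2
            return 1 ;;
    esac

    if command -v openssl >/dev/null 2>&1; then
        # Must parse as X.509 and still be within its validity period
        # (-checkend 0 exits non-zero if the certificate has expired).
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
            echo "FAIL: $cert does not parse as X.509 or has expired" >&2
            return 1
        fi
        # A CA certificate should assert basicConstraints CA:TRUE; without it,
        # chain verification of the LDAP server certificate will usually fail.
        if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
            echo "WARN: $cert does not assert CA:TRUE" >&2
        fi
    else
        echo "WARN: openssl not found; skipped X.509 parse and expiry checks" >&2
    fi

    echo "OK: $cert is usable as the LDAP CA certificate"
    return 0
}

# Confirm that the LDAP server presents a certificate that chains to the CA.
# Assumption: LDAP over TLS on port 636 (ldaps); adjust the port as needed.
# -verify_return_error turns a chain-verification failure into a handshake
# failure, so the exit status reflects whether the CA really validates
# the server instead of openssl merely printing a verify error and continuing.
check_ldap_tls() {
    server="$1"
    port="${2:-636}"
    cert="${3:-/var/mmfs/tmp/ldap_cacert.pem}"
    if openssl s_client -connect "$server:$port" -servername "$server" \
        -CAfile "$cert" -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "OK: $server:$port presents a certificate that verifies against $cert"
        return 0
    fi
    echo "FAIL: TLS handshake to $server:$port did not verify against $cert" >&2
    return 1
}

# Usage: sh ldap_tls_preflight.sh [cacert] [ldap-server] [port]
if [ -n "${1:-}" ]; then
    check_ldap_cacert "$1" || exit 1
    if [ -n "${2:-}" ]; then
        check_ldap_tls "$2" "${3:-636}" "$1" || exit 1
    fi
fi
```

Run it on the protocol node before the mmuserauth service create step; a FAIL from check_ldap_tls with a certificate that passed check_ldap_cacert usually means the file is not the CA that issued the LDAP server's certificate, or the server is not offering TLS on that port.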