mmuserauth command

Manages the authentication of protocol users who need to access the protocol data that is stored on the system. You can create, list, verify, and remove authentication configuration using this command.

Synopsis

mmuserauth service create  --data-access-method{file|object}
              --type {ldap|local|ad|nis|userdefined}
              --servers[IP address/hostname]
              [--base-dn]
              {[--enable-anonymous-bind]|[--user-name][--password]}
              [--enable-server-tls][--enable-ks-ssl]
              [--enable-kerberos][--enable-nfs-kerberos][--enable-ks-casigning]
              [--user-dn][--group-dn][--netgroup-dn]
              [--netbios-name]  [--domain]
              [--idmap-role{master|subordinate}][--idmap-range][--idmap-range-size]
              [--user-objectclass][--group-objectclass][--user-name-attrib]
              [--user-id-attrib][--user-mail-attrib][--user-filter]
              [ --ks-dns-name][--ks-admin-user][--ks-admin-pwd]
              [--ks-swift-user]  [--ks-swift-pwd][--ks-ext-endpoint]
              [--kerberos-server][--kerberos-realm]
              [--unixmap-domains][ldapmap-domains]

mmuserauth service list [--data-access-method {file|object|all}][-Y]

mmuserauth service check [--data-access-method {file|object|all}] [-r|--rectify]
            [-N|--nodes {node-list|cesNodes}][--server-reachability]

mmuserauth service remove  --data-access-method {file|object|all}[--idmapdelete]

Availability

Available with IBM Spectrum Scale™ Standard Edition or higher.

Description

Use the mmuserauth commands to create and manage IBM Spectrum Scale protocol authentication and ID mappings.

Parameters

service

Manages the authentication configuration for protocol users with one of the following actions:

create: Configures authentication for object and file protocols. The authentication method for file and object cannot be configured together. The mmuserauth service create command needs to be submitted separately for configuring authentication for the file and object access.
list: Displays the details of the authentication method that is configured for both file and object access on the protocol nodes.
check: Verifies and corrects the authentication method that is configured for file and object access on the protocol nodes. Also checks for the existence of SSL and TLS certificates.
remove: Removes the authentication and ID maps. If you need to remove both authentication and ID maps, remove authentication first and then ID maps. That is, at first you need to run the mmuserauth service remove command without the --idmapdelete option to remove the authentication method and then run the same command with the --idmapdelete option to remove ID maps.; Deleting authentication and ID maps result in loss of access to data.

--data-access-method {file|object}

Specifies the data access method for which the authentication needs to be configured. The IBM Spectrum Scale system supports protocols such as SMB, NFS, and Object to access data that is stored in the system.

The file data access method is meant for authorizing the users who access data over SMB and NFS protocols.

--type {ldap|local|ad|nis|userdefined}

Specifies the type of authentication server to be integrated for file and object authentication.

ldap - Uses an external LDAP as the authentication server. This authentication type is valid for both file and object.

ad - Uses an external Microsoft Active Directory as the authentication server. This authentication type is valid for both file and object.

local - Uses an internal database for authenticating object users.

nis - Uses an NIS server as the authentication method for NFS data access. This authentication type is only used for file access.

userdefined - Uses user-defined authentication method for data access. This authentication type is valid for both file and object.

--servers [AuthServer1[:Port],AuthServer2[:Port],AuthServer3[:Port] ...]

Specifies the host name or IP address of the authentication server that is used for file and object. This option is only valid with --type {ldap|ad|nis}.

With --type ldap, the input value format is "serverName/serverIP:[port]". The port is optional. Default port is 389. For example, --servers ldapserver.mydomain.com:1389. Multiple LDAP servers can be specified is the value of --data-access-method is file. For object, only one server is considered as the authentication server at a time. Even if you specify multiple servers, only the first server in the list is considered as the authentication server.

With --type ad, the input value format is "serverName/serverIP". For example, --servers ldapserver.mydomain.com. For object, only one server is considered as the authentication server at a time. Even if you specify multiple servers, only the first server in the list is considered as the authentication server. Specifying multiple servers is not valid for file authentication.

With --type nis, the input value format is "serverName/serverIP". For example, --servers ldapserver.mydomain.com. At least one of the servers specified with --servers must be available while configuring authentication. This is essential for the NIS domain verification, where the availability of either 'passwd.byname' or 'netgroup' map is validated.

--base-dn ldapBase

Specifies the LDAP base DN of the authentication server. This option is only valid with --type {ldap|ad} for --data-access-method object and --type ldap for --data-access-method file.

--enable-anonymous-bind

Enables anonymous binding with authentication server for operations. This option is only valid with --type {ldap|ad} and --data-access-method {object}. This option is mutually exclusive with --user-name and --password.

--user-name userName

Specifies the user name to be used to perform operations against the authentication server. The specified user name must have sufficient permissions to read user and group attributes from the authentication server. This option is only valid with --type {ldap|ad} and --data-access-method {file|object}. This option along with --password is mutually exclusive with --enable-anonymous-bind.

In case of --type ad|ldap with --data-access-method object, the user name must be specified in complete DN format.

--password userPassword

Specifies the password of the user name that is specified with the --user-name option. This option is only valid with --type {ldap|ad} and --data-access-method {file|object}.

The password must be in clear text. To hide the password, submit the command without this option and then the system prompts you to enter the password.

--enable-server-tls

Enables TLS communication with the authentication server. This option is disabled by default. For file access configuration, the following certificate file must be placed at: /var/mmfs/tmp/ldap_cacert.pem on the current node. For object access configuration, the following certificate file must be placed at: /var/mmfs/tmp/object_ldap_cacert.pem on the current node.

If --data-access-method is object, this option is only valid with --type {ldap|ad} and if the --data-access-method is file, this option is only valid with --type {ldap}.

--enable-nfs-kerberos

Enables Kerberized NFSv4-based access to exports. Kerberized NFSv4-based access is only supported for users from AD domains which are configured for fetching UID / GID information from Active Directory (RFC2307 schema attributes). Such an AD domain definition is specified via the --unixmap-domains option.

This option is only valid with --type {ad} and --data-access-method {file}. This option is disabled by default.

--user-dn ldapUserDN

Specifies the LDAP group DN. Restricts search of groups within the specified sub-tree. For CIFS access, the value of this parameter is ignored and a search is performed on the baseDN.

This option is only valid with --type {ldap} and --data-access-method {file}. If this parameter is not set, the system uses the value that is set for baseDN as the default value.

--group-dn ldapGroupDN

Specifies the LDAP group suffix. Restricts search of groups within a specified sub-tree.

This option is only valid with --type {ldap} and--data-access-method {file}. If this parameter is not set, the system uses the value that is set for baseDN as the default value.

--netgroup-dn ldapGroupDN

Specifies the LDAP netgroup suffix. The system searches the netgroups based on this suffix. The value must be specified in complete DN format.

This option is only valid with --type {ldap}and --data-access-method {file}. Default value is baseDN.

--user-objectclass userObjectClass

Specifies the object class of user on the authentication server. Only users with specified object class along with other filter are treated as valid users.

If the --data-access-method is object, this option is only valid with --type {ldap|ad}.

If the --data-access-method is file, this option is only valid with --type {ldap}. With --type ldap, the default value is posixAccount and with --type ad the default value is organizationalPerson.

--group-objectclass groupObjectClass

Specifies the object class of group on the authentication server. This option is only valid with --type {ldap} and --data-access-method {file}.

--netbios-name netBiosName

Specifies the unique identifier of the resources on a network that are running NetBIOS. This option is only valid with--type {ad|ldap} and --data-access-method {file}.

The NetBIOS name is limited to 15 ASCII characters and must not contain any white space or one of the following characters: / : * ? . " ; |

If AD is selected as the authentication method, the NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Spectrum Scale clusters, or between the AD Domain and the NetBIOS name, the configuration does not work properly. Consider the following points while planning for a naming strategy:

There must not be NetBIOS name collision between two IBM Spectrum Scale clusters that are configured against the same Active Directory server.
The domain join of the latter machines revokes the join of the former one.
The NetBIOS name and the domain name must not collide.
The NetBIOS name and the short name of the Domain Controllers hosting the domain must not collide.

--domain domainName

Specifies the name of the NIS domain. This option is only valid with --type {nis} and --data-access-method {file}.

The NIS domain that is specified must be served by one of the servers specified with --server. This option is mandatory when NIS-based authentication is configured for file access.

--idmap-role {master|subordinate}

Specifies the ID map role of the IBM Spectrum Scale system. ID map role of a stand-alone or singular system deployment must be selected "master". The value of the ID map role is important in AFM-based deployments.

This option is only valid with --type {ad} and --data-access-method {file}.

You can use AD with automatic ID mapping to set up two or more storage subsystems in AFM relationship. The two or more systems configured in a master-subordinate relationship provides a means to synchronize the UIDs and GIDs generated for NAS clients on one system with UIDs and GIDs on the other systems. In the AFM relationship, only one system can be configured as master and other systems must be configured as subordinates. The ID map role of master and subordinate systems are the following:

Master: System creates ID maps on its own.
Subordinate: System does not create ID maps on its own. ID maps must be exported from the master to the subordinate.

While using automatic ID mapping, in order to have same ID maps on systems sharing AFM relationship, you need to export the ID mappings from master to subordinate. The NAS file services are inactive on the subordinate system. If you need to export and import ID maps from one system to another, contact the IBM® Support Center.

--idmap-range lowerValue-higherValue

Specifies the range of values from which the IBM Spectrum Scale UIDs and GIDs are assigned by the system to the Active Directory users and groups. This option is only valid with --type {ad} and --data-access-method {file}. The default value is 10000000-299999999. The lower value of the range must be at least 1000. After configuring the IBM Spectrum Scale system with AD authentication, only the higher value can be increased (this essentially increases the number of ranges).

--idmap-range-size rangeSize

Specifies the total number of UIDs and GIDs that are assignable per domain. For example, if --idmap-range is defined as 10000000-299999999, and range size is defined as 1000000, 290 domains can be mapped, each consisting of 1000000 IDs.

Choose a value for range size that allows for the highest anticipated RID value among all of the anticipated AD users and AD groups in all of the anticipated AD domains. Choose the range size value carefully because range size cannot be changed after the first AD domain is defined on the IBM Spectrum Scale system.

This option is only valid with --type {ad} and --data-access-method {file}. Default value is 1000000.

--unixmap-domains unixDomainMap

Specifies the AD domains for which user ID and group ID should be fetched from the AD server. This option is only valid with --type {ad} and --data-access-method {file}. The unixDomainMap takes value in this format: DOMAIN1(L1-H1)[;DOMAIN2(L2-H2)[;DOMAIN3(L3-H3)....]]

DOMAIN

Use DOMAIN to specify an AD domain for which ID mapping services are to be configured. The name of the domain to be specified must be the NetBIOS domain name. The UIDs and GIDs of the users and groups for the specified DOMAIN are read from the UNIX attributes that are populated in the RFC2307 schema extension of AD server. Any users or groups, from this domain, with missing UID/GID attributes are denied access. Use the L-H format to specify the ID range. All the users or groups from DOMAIN that need access to exports need to have their UIDs or GIDs in the specified range.

The specified range should not intersect with:

The range specified by using the --idmap-range option of the command .
The range specified for other AD DOMAIN for which ID mapping needs to be done from Active Directory (RFC2307 schema attributes) specified in --unixmap-domains option.
The range specified for other AD DOMAIN for which ID mapping needs to be done from LDAP server specified in the --ldapmap-domains option.

The command reports a failure if you attempt to run the command with such configurations. This is intended to avoid ID collisions among users and groups from different domains.

For example,

--unixmap-domains "MYDOMAIN1(20000-50000);MYDOMAIN2(100000-200000)"

--ldapmap-domains ldapDomainMap

Specifies the AD domains for which user ID and group ID should be fetched from a separate standalone LDAP server. This option is only valid with --type {ad} and --data-access-method {file}. ldapDomainMap takes value of the format as follows,

DOMAIN1 (type=stand-alone:ldap_srv=ldapServer:range=Range:usr_dn=userDN:grp_dn=groupDN:[bind_dn=bindDN]
:[bind_dn_pwd=bindDNpassword])[;DOMAIN2(type=stand-alone:ldap_srv=ldapServer:range=Range:usr_dn=userDN
:grp_dn=groupDN:[bind_dn=bindDN]:[bind_dn_pwd=bindDNpassword])[;DOMAIN3(type=stand-alone:ldap_srv=ldapServer
:range=Range:usr_dn=userDN:grp_dn=groupDN:[bind_dn=bindDN]:[bind_dn_pwd=bindDNpassword])...]]

DOMAIN: Use DOMAIN to specify an AD domain for which ID mapping services are to be configured. The name of the domain to be specified must be the Pre-Win2K domain name. The UID and GID of the users and groups for the specified DOMAIN are read from the objects stored on LDAP server in RFC2307 schema attributes. Any users or groups, from this domain, with missing UID/GID attributes are denied access.

type: Defines the type of LDAP server to use.; Supported value: stand-alone.

range

Attribute takes value in the L-H format. Defines the user or group from DOMAIN that needs access to exports need to have their UIDs or GIDs in the specified range. The specified range should not intersect with,

The range specified using --idmap-range option of the command
The range specified for other AD DOMAIN for which ID mapping needs to be done from Active Directory (RFC2307 schema attributes) specified in --unixmap-domains option
The range specified for other AD DOMAIN for which ID mapping needs to be done from LDAP server specified in --ldapmap-domains option
This is intended to avoid ID collisions among users and groups from different domains.

ldap_srv: Defines the name or IP address of the LDAP server to fetch the UID or GID for of a user or group records in RFC2307 schema format. The user and group objects should be in RFC2307 schema format. Specifying only single LDAP server is supported.

user_dn: Defines the bind tree on the LDAP server where user objects shall be found.

grp_dn: Defines the bind tree on the LDAP server where the group objects shall be found.

bind_dn: Optional attribute.; Defines the user DN that should be used for authentication against the LDAP server. If not specified anonymous, bind shall be performed against the LDAP server.

bind_dn_pwd

Optional attribute.

Defines the password of the user DN specified in bind_dn to be used for authentication against the LDAP server. Must be specified when bind_dn attribute is specified for binding with the LDAP server in the DOMAIN definition.

Password cannot contain these special characters such as semicolon (;) or colon (:).

For example,

--ldapmap-domains "MYDOMAIN1(type=stand-alone:range=10000-50000:ldap_srv=myldapserver.mydomain.com
:usr_dn=ou=People,dc=mydomain,dc=com:grp_dn=ou=Groups,dc=mydomain,dc=com
:bind_dn=cn=manager,dc=mydomain,dc=com:bind_dn_pwd=MYPASSWORD);MYDOMAIN2(type=stand-alone
:range=70000-100000:ldap_srv=myldapserver.example.com:usr_dn=ou=People,dc=example,dc=com
:grp_dn=ou=Groups,dc=example,dc=com)"

--enable-kerberos

Indicates whether to enable Kerberos in the user authentication. Kerberos is a network authentication protocol for client/server applications that uses symmetric key cryptography. User password in clear text format is never sent over a network to ensure security.

This option is only valid with --type {ldap} and --data-access-method {file}. This option is disabled by default.

Note: If you need to use Kerberos, ensure that the keytab file is also placed under /var/mmfs/tmp directory name as "krb5.keytab"; specifically, on the node where the command is run.

--kerberos-server kerberosServer

Specifies the Kerberos server. This option is only valid with --type {ldap} and --data-access-method {file}.

--kerberos-realm kerberosRealm

Indicates the Kerberos server authentication administrative domain. The realm name is usually the all-uppercase version of the domain name. This option is case sensitive.

--user-name-attrib UserNameAttribute

Specifies the attribute to be used to search for user name on authentication server.

If the --data-access-method is object, this option is only valid with --type {ldap|ad}.

If the --data-access-method is file, this option is only valid with --type {ldap}. With --type ldap, default value is cn and with --type ad, the default value is sAMAccountName.

--user-id-attrib UserIDAttribute

Specifies the attribute to be used to search for user ID on the authentication server.

If --data-access-method is object, this option is only valid with --type {ldap|ad}.

If --data-access-method is file, this option is only valid with --type {ldap}. For --type ldap, default value is uid and for --type ad the default value is CN.

--user-mail-attrib UserMailAttribute

Specifies the attribute to be used to search for email on authentication server. If the --data-access-method is object, this option is only valid with --type {ldap|ad}. For --data-access-method file, this option is only valid with --type {ldap}. Default value is mail.

--user-filter userFilter

Specifies the additional filter to be used to search for user in the authentication server. The filter must be specified in LDAP filter format. This option is only valid with --type {ldap|ad} and --data-access-method {object}. By default, no filter is used.

--ks-dns-name keystoneDnsName

Specifies the DNS name for keystone service. The specified name must be resolved on all protocol nodes for proper functioning. This is optional with --data-access-method {object}. If the value is not specified for this parameter, the mmuserauth service create command uses the value that is used during the IBM Spectrum Scale system installation.

--ks-admin-user keystoneAdminName

Specifies the Keystone server administrative user. This user must be a valid user on authentication server if --type {ldap|ad} is specified. In case of --type local, new user along with the password specified in --ks-admin-pwd is created, and admin role is assigned in Keystone. This option is mandatory with --data-access-method {object}.

For --type {ldap|ad}, do not specify user name in DN format for --ks-admin-user. The name must be the base or short name that is written against the specified user-id-attrib or user-name-attrib of user on the LDAP server.

--ks-admin-pwd keystoneAdminPwd

Specifies the password of the Keystone administrative user. This option is mandatory and valid with --type {local} and --data-access-method {object}. To hide the password due to security reasons, call the command without this option and the command prompts to enter the password when the mmuserauth service createcommand is issued.

--enable-ks-ssl

Specifies whether to enable SSL for Keystone. Using SSL certificate provides a secured way to access the Keystone service over the HTTPS protocol. This option is only valid with --data-access-method {object}. It is disabled by default. If SSL is not enabled for Keystone, the Keystone communicates through HTTP protocol and it results in security risks.

If --type local | ad | ldap, keep the valid certificate files at the following location on the current node:

The certificate at /var/mmfs/tmp/ssl_cert.pem.

The private key at: /var/mmfs/tmp/ssl_cert.pem.

The cacert at: /var/mmfs/tmp/ssl_cacert.pem .

If --type userdefined, keep the valid certificate files at the following location on the current node:

The cacert at: /var/mmfs/tmp/ssl_cacert.pem.

--ks-swift-user keystoneSwiftName

Specifies the username to be used as swift user in proxy-server.conf. If AD or LDAP-based authentication is used, this user must be available in the AD or LDAP authentication server. If local authentication method is used, new user with this name is created in the local database This option is only valid with --data-access-method {object}.

For --type {ldap|ad}, do not specify user name in DN format for --ks-swift-user. The name must be the base or short name that is written against the specified user-id-attrib or user-name-attrib of user on the LDAP server.

--ks-swift-pwd keystoneSwiftPwd

Specifies the password of the ks-swift-user. If AD or LDAP-based authentication is used, this must be set for ks-swift user in AD or LDAP server. If local authentication method is used, the ks-swift-user with this password is created in the local database. This option is only valid with --data-access-method {object}.

--enable-ks-casigning

Indicates whether to use a CA signed certificate for PKI (signing). This option is only valid with --data-access-method {object} and --type {ad|ldap|local}

Valid certificate files must exist at the following location on the current node: /var/mmfs/tmp/signing_cert.pem

Private key at: /var/mmfs/tmp/signing_key.pem

cacert at: /var/mmfs/tmp/signing_cacert.pem

--ks-ext-endpoint externaleEndpoint

Specifies the endpoint URL of external keystone. Only API v3 and HTTP are supported. This option is only valid with --data-access-method {object} and --type {userdefined}

--idmapdelete

Specifies whether to delete ID maps. You cannot delete both authentication and ID maps together. The authentication must be deleted first and then ID maps. This option is only valid with mmuserauth service remove command.

-N|--nodes{node-list|cesNodes}

Verifies the authentication configuration on each node. If the specified node is not protocol node, it is ignored. If protocol node is specified, then the system checks configuration on all protocol nodes. If you do not specify a node, the system checks the configuration of only the current node.

-Y

Creates parsable output. This is optional.

-r|--rectify

Rectifies the authentication configurations and missing SSL and TLS certificates.

--server-reachability

Without this flag, the mmuserauth service check command only validates whether the authentication configuration files are consistent across the protocol nodes. Use this flag to ensure if the external authentication server is reachable by each protocol node.

Exit status

0: Successful completion.
nonzero: A failure has occurred.

Security

You must have root authority to run the mmuserauth command.

The node on which the command is issued must be able to run remote shell commands on any other node in the cluster without the use of a password and without producing any extraneous messages. For more information, see Requirements for administering a GPFS file system.

Examples

To configure Microsoft Active Directory (AD) based authentication with automatic ID mapping for file access, issue this command:

# mmuserauth service create --type ad --data-access-method file --netbios-name
ess --user-name administrator --idmap-role master --servers myADserver
--password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999