mmuserauth command
Manages the authentication of protocol users who need to access the protocol data that is stored on the system. You can create, list, verify, and remove authentication configuration using this command.
Synopsis
mmuserauth service create --data-access-method {file|object}
--type {ldap|local|ad|nis|userdefined}
--servers [IP address/hostname]
[--base-dn]
{[--enable-anonymous-bind]|[--user-name] [--password]}
[--enable-server-tls] [--enable-ks-ssl]
[--enable-kerberos] [--enable-nfs-kerberos] [--enable-ks-casigning]
[--user-dn] [--group-dn] [--netgroup-dn]
[--netbios-name] [--domain]
[--idmap-role {master|subordinate}] [--idmap-range] [--idmap-range-size]
[--user-objectclass] [--group-objectclass] [--user-name-attrib]
[--user-id-attrib] [--user-mail-attrib] [--user-filter]
[--ks-dns-name] [--ks-admin-user] [--ks-admin-pwd]
[--ks-swift-user] [--ks-swift-pwd] [--ks-ext-endpoint]
[--kerberos-server] [--kerberos-realm]
[--unixmap-domains] [--ldapmap-domains]
Or
mmuserauth service list [--data-access-method {file|object|all}][-Y]
Or
mmuserauth service check [--data-access-method {file|object|all}] [-r|--rectify]
[-N|--nodes {node-list|cesNodes}][--server-reachability]
Or
mmuserauth service remove --data-access-method {file|object|all} [--idmapdelete]
Availability
Available with IBM Spectrum Scale™ Standard Edition or higher.
Description
Use the mmuserauth commands to create and manage IBM Spectrum Scale protocol authentication and ID mappings.
Parameters
- service
- Manages the authentication configuration for protocol users with
one of the following actions:
- create
- Configures authentication for file or object access. File and object authentication cannot be configured in a single invocation; run mmuserauth service create once for file access and once for object access.
- list
- Displays the details of the authentication method that is configured for both file and object access on the protocol nodes.
- check
- Verifies and corrects the authentication method that is configured for file and object access on the protocol nodes. Also checks for the existence of SSL and TLS certificates.
- remove
- Removes the authentication configuration and the ID maps. The two cannot be removed in a single invocation: first run mmuserauth service remove without the --idmapdelete option to remove the authentication method, then run the same command with the --idmapdelete option to remove the ID maps.
- Deleting the authentication configuration and the ID maps results in loss of access to data.
- --data-access-method {file|object}
- Specifies the data access method for which authentication is to be configured. The IBM Spectrum Scale system supports the SMB, NFS, and Object protocols for access to data that is stored in the system.
- The file data access method covers users who access data over the SMB and NFS protocols; the object data access method covers users who access data over the Object protocol, authenticated through Keystone.
- --type {ldap|local|ad|nis|userdefined}
- Specifies the type of authentication server to be integrated for file and object authentication.
- ldap - Uses an external LDAP as the authentication server. This authentication type is valid for both file and object.
- ad - Uses an external Microsoft Active Directory as the authentication server. This authentication type is valid for both file and object.
- local - Uses an internal database for authenticating object users.
- nis - Uses an NIS server as the authentication method for NFS data access. This authentication type is only used for file access.
- userdefined - Uses user-defined authentication method for data access. This authentication type is valid for both file and object.
- --servers [AuthServer1[:Port],AuthServer2[:Port],AuthServer3[:Port] ...]
- Specifies the host name or IP address of the authentication server that is used for file and object. This option is only valid with --type {ldap|ad|nis}.
- With --type ldap, the input value format is "serverName/serverIP:[port]". The port is optional; the default port is 389. For example, --servers ldapserver.mydomain.com:1389. Multiple LDAP servers can be specified if the value of --data-access-method is file. For object, only one server is considered as the authentication server at a time. Even if you specify multiple servers, only the first server in the list is considered as the authentication server.
- With --type ad, the input value format is "serverName/serverIP". For example, --servers ldapserver.mydomain.com. For object, only one server is considered as the authentication server at a time. Even if you specify multiple servers, only the first server in the list is considered as the authentication server. Specifying multiple servers is not valid for file authentication.
- With --type nis, the input value format is "serverName/serverIP". For example, --servers ldapserver.mydomain.com. At least one of the servers specified with --servers must be available while configuring authentication. This is essential for the NIS domain verification, where the availability of either 'passwd.byname' or 'netgroup' map is validated.
- --base-dn ldapBase
- Specifies the LDAP base DN of the authentication server. This option is only valid with --type {ldap|ad} for --data-access-method object and --type ldap for --data-access-method file.
- --enable-anonymous-bind
- Enables anonymous binding with authentication server for operations. This option is only valid with --type {ldap|ad} and --data-access-method {object}. This option is mutually exclusive with --user-name and --password.
- --user-name userName
- Specifies the user name to be used to perform operations against the authentication server. The specified user name must have sufficient permissions to read user and group attributes from the authentication server. This option is only valid with --type {ldap|ad} and --data-access-method {file|object}. This option along with --password is mutually exclusive with --enable-anonymous-bind.
- In case of --type ad|ldap with --data-access-method object, the user name must be specified in complete DN format.
- --password userPassword
- Specifies the password of the user name that is specified with the --user-name option. This option is only valid with --type {ldap|ad} and --data-access-method {file|object}.
- The password must be in clear text. A password passed on the command line is visible to other users in the process list and is recorded in the shell history, so prefer to omit this option; the system then prompts you to enter the password.
- --enable-server-tls
- Enables TLS communication with the authentication server. This option is disabled by default. For file access configuration, the CA certificate for the LDAP server must be placed at /var/mmfs/tmp/ldap_cacert.pem on the current node. For object access configuration, the CA certificate must be placed at /var/mmfs/tmp/object_ldap_cacert.pem on the current node.
- If --data-access-method is object, this option is only valid with --type {ldap|ad} and if the --data-access-method is file, this option is only valid with --type {ldap}.
- --enable-nfs-kerberos
- Enables Kerberized NFSv4-based access to exports. Kerberized NFSv4-based access is only supported for users from AD domains which are configured for fetching UID / GID information from Active Directory (RFC2307 schema attributes). Such an AD domain definition is specified via the --unixmap-domains option.
- This option is only valid with --type {ad} and --data-access-method {file}. This option is disabled by default.
- --user-dn ldapUserDN
- Specifies the LDAP user DN. Restricts the search for users to the specified sub-tree. For CIFS access, the value of this parameter is ignored and the search is performed on the baseDN.
- This option is only valid with --type {ldap} and --data-access-method {file}. If this parameter is not set, the system uses the value that is set for baseDN as the default value.
- --group-dn ldapGroupDN
- Specifies the LDAP group suffix. Restricts search of groups within a specified sub-tree.
- This option is only valid with --type {ldap} and --data-access-method {file}. If this parameter is not set, the system uses the value that is set for baseDN as the default value.
- --netgroup-dn ldapGroupDN
- Specifies the LDAP netgroup suffix. The system searches the netgroups based on this suffix. The value must be specified in complete DN format.
- This option is only valid with --type {ldap} and --data-access-method {file}. Default value is baseDN.
- --user-objectclass userObjectClass
- Specifies the object class of user entries on the authentication server. Only entries that have this object class (and match any additional filter) are treated as valid users.
- If the --data-access-method is object, this option is only valid with --type {ldap|ad}.
- If the --data-access-method is file, this option is only valid with --type {ldap}. With --type ldap, the default value is posixAccount and with --type ad the default value is organizationalPerson.
- --group-objectclass groupObjectClass
- Specifies the object class of group entries on the authentication server. This option is only valid with --type {ldap} and --data-access-method {file}. Default value is posixGroup.
- --netbios-name netBiosName
- Specifies the unique identifier of the resources on a network that are running NetBIOS. This option is only valid with --type {ad|ldap} and --data-access-method {file}.
- The NetBIOS name is limited to 15 ASCII characters and must not contain any white space or one of the following characters: / : * ? . " ; |
- If AD is selected as the authentication method, the NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Spectrum Scale clusters, or between the AD domain and the NetBIOS name, the configuration does not work properly. Consider the following points while planning a naming strategy:
- There must not be a NetBIOS name collision between two IBM Spectrum Scale clusters that are configured against the same Active Directory server. The domain join of the latter cluster revokes the join of the former one.
- The NetBIOS name and the domain name must not collide.
- The NetBIOS name and the short names of the domain controllers hosting the domain must not collide.
- --domain domainName
- Specifies the name of the NIS domain. This option is only valid with --type {nis} and --data-access-method {file}.
- The NIS domain that is specified must be served by one of the servers specified with --servers. This option is mandatory when NIS-based authentication is configured for file access.
- --idmap-role {master|subordinate}
- Specifies the ID map role of the IBM Spectrum Scale system. A stand-alone (single-system) deployment must be configured as "master". The ID map role matters in AFM-based deployments.
- This option is only valid with --type {ad} and --data-access-method {file}.
- You can use AD with automatic ID mapping to set up two or more storage subsystems in an AFM relationship. Configuring the systems in a master-subordinate relationship provides a means to keep the UIDs and GIDs generated for NAS clients on one system in sync with the UIDs and GIDs on the other systems. In the AFM relationship, only one system can be configured as master; all other systems must be configured as subordinates. The ID map roles are:
- Master: The system creates ID maps on its own.
- Subordinate: The system does not create ID maps on its own. ID maps must be exported from the master to the subordinate.
- --idmap-range lowerValue-higherValue
- Specifies the range of values from which the IBM Spectrum Scale UIDs and GIDs are assigned by the system to the Active Directory users and groups. This option is only valid with --type {ad} and --data-access-method {file}. The default value is 10000000-299999999. The lower value of the range must be at least 1000. After configuring the IBM Spectrum Scale system with AD authentication, only the higher value can be increased (this essentially increases the number of ranges).
- --idmap-range-size rangeSize
- Specifies the total number of UIDs and GIDs that are assignable per domain. For example, if --idmap-range is defined as 10000000-299999999, and range size is defined as 1000000, 290 domains can be mapped, each consisting of 1000000 IDs.
- Choose a value for range size that allows for the highest anticipated RID value among all of the anticipated AD users and AD groups in all of the anticipated AD domains. Choose the range size value carefully because range size cannot be changed after the first AD domain is defined on the IBM Spectrum Scale system.
- This option is only valid with --type {ad} and --data-access-method {file}. Default value is 1000000.
- --unixmap-domains unixDomainMap
- Specifies the AD domains for which user ID and group ID should be fetched from the AD server. This option is only valid with --type {ad} and --data-access-method {file}. The unixDomainMap takes value in this format: DOMAIN1(L1-H1)[;DOMAIN2(L2-H2)[;DOMAIN3(L3-H3)....]]
- DOMAIN
- Use DOMAIN to specify an AD domain for which ID mapping services are to be configured. The name of the domain to be specified must be the NetBIOS domain name. The UIDs and GIDs of the users and groups for the specified DOMAIN are read from the UNIX attributes that are populated in the RFC2307 schema extension of AD server. Any users or groups, from this domain, with missing UID/GID attributes are denied access. Use the L-H format to specify the ID range. All the users or groups from DOMAIN that need access to exports need to have their UIDs or GIDs in the specified range.
- The specified range must not intersect with:
- The range specified with the --idmap-range option of the command.
- The range specified for any other AD domain that is mapped from Active Directory (RFC2307 schema attributes) in the --unixmap-domains option.
- The range specified for any other AD domain that is mapped from an LDAP server in the --ldapmap-domains option.
- For example,
- --unixmap-domains "MYDOMAIN1(20000-50000);MYDOMAIN2(100000-200000)"
- --ldapmap-domains ldapDomainMap
- Specifies the AD domains for which user IDs and group IDs are fetched from a separate stand-alone LDAP server. This option is only valid with --type {ad} and --data-access-method {file}. ldapDomainMap takes a value of the following format:
DOMAIN1(type=stand-alone:ldap_srv=ldapServer:range=Range:usr_dn=userDN:grp_dn=groupDN[:bind_dn=bindDN][:bind_dn_pwd=bindDNpassword])[;DOMAIN2(type=stand-alone:ldap_srv=ldapServer:range=Range:usr_dn=userDN:grp_dn=groupDN[:bind_dn=bindDN][:bind_dn_pwd=bindDNpassword])[;DOMAIN3(...)...]]
- DOMAIN
- Use DOMAIN to specify an AD domain for which ID mapping services are to be configured. The name of the domain to be specified must be the Pre-Win2K domain name. The UID and GID of the users and groups for the specified DOMAIN are read from the objects stored on LDAP server in RFC2307 schema attributes. Any users or groups, from this domain, with missing UID/GID attributes are denied access.
- type
- Defines the type of LDAP server to use.
- Supported value: stand-alone.
- range
- Attribute takes a value in the L-H format. All users and groups from DOMAIN that need access to exports must have their UIDs or GIDs in the specified range. The specified range must not intersect with:
- The range specified with the --idmap-range option of the command
- The range specified for any other AD domain that is mapped from Active Directory (RFC2307 schema attributes) in the --unixmap-domains option
- The range specified for any other AD domain that is mapped from an LDAP server in the --ldapmap-domains option
This is intended to avoid ID collisions among users and groups from different domains.
- ldap_srv
- Defines the name or IP address of the LDAP server from which the UID or GID of a user or group is fetched. The user and group objects must be stored in RFC2307 schema format. Only a single LDAP server can be specified.
- usr_dn
- Defines the bind tree on the LDAP server where user objects shall be found.
- grp_dn
- Defines the bind tree on the LDAP server where the group objects shall be found.
- bind_dn
- Optional attribute. Defines the user DN to bind as when authenticating against the LDAP server. If it is not specified, an anonymous bind is performed against the LDAP server.
- bind_dn_pwd
- Optional attribute.
- Defines the password of the user DN specified in bind_dn to be used for authentication against the LDAP server. Must be specified when bind_dn attribute is specified for binding with the LDAP server in the DOMAIN definition.
- The password must not contain a semicolon (;) or a colon (:), because these characters delimit the domain definitions and their attributes.
- For example,
--ldapmap-domains "MYDOMAIN1(type=stand-alone:range=10000-50000:ldap_srv=myldapserver.mydomain.com:usr_dn=ou=People,dc=mydomain,dc=com:grp_dn=ou=Groups,dc=mydomain,dc=com:bind_dn=cn=manager,dc=mydomain,dc=com:bind_dn_pwd=MYPASSWORD);MYDOMAIN2(type=stand-alone:range=70000-100000:ldap_srv=myldapserver.example.com:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com)"
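The range rules for --idmap-range, --unixmap-domains and --ldapmap-domains are easy to get wrong by hand, and the range size cannot be changed once the first AD domain is defined. The following Python script is an added example, not part of IBM Spectrum Scale or of this reference: it parses the three option values in the formats documented above, reports how many automatically mapped domains the --idmap-range supports at the given --idmap-range-size, and lists every violation of the rules stated on this page (lower bound of at least 1000, no intersection between the automatic range and any explicit range, no intersection between explicit ranges, bind_dn_pwd required with bind_dn). The sample values are the ones from the examples above.

```python
"""Pre-flight check for the ID-mapping arguments of
``mmuserauth service create --type ad --data-access-method file``.

Added example, not part of IBM Spectrum Scale. It applies only the rules
stated in the command reference. The parser splits domain definitions on
';' and attributes on ':', which is why the reference forbids those two
characters in bind_dn_pwd.
"""
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# NAME(...) entries separated by ';'. DNs contain commas and '=' but no ';' or ':'.
_DOMAIN_RE = re.compile(r"^\s*([^(;]+)\((.*)\)\s*$")


def parse_range(text: str) -> Range:
    """'L-H' -> (L, H); the lower value must not exceed the higher one."""
    low, high = (int(x) for x in text.strip().split("-", 1))
    if low > high:
        raise ValueError(f"range {text!r}: lower bound exceeds upper bound")
    return low, high


def _split_domains(spec: str) -> List[Tuple[str, str]]:
    """'D1(...);D2(...)' -> [('D1', '...'), ('D2', '...')]."""
    parsed = []
    for part in spec.split(";"):
        match = _DOMAIN_RE.match(part)
        if not match:
            raise ValueError(f"cannot parse domain definition {part!r}")
        parsed.append((match.group(1).strip(), match.group(2)))
    return parsed


def parse_unixmap_domains(spec: str) -> Dict[str, Range]:
    """--unixmap-domains "DOM1(L1-H1);DOM2(L2-H2)" -> {'DOM1': (L1, H1), ...}."""
    return {name: parse_range(body) for name, body in _split_domains(spec)}


def parse_ldapmap_domains(spec: str) -> Dict[str, Dict[str, str]]:
    """--ldapmap-domains value -> {'DOM': {'type': 'stand-alone', 'range': 'L-H', ...}}.

    Each attribute is split on its first '=' only, so DN values such as
    usr_dn=ou=People,dc=example,dc=com keep their own '=' signs intact.
    """
    domains: Dict[str, Dict[str, str]] = {}
    for name, body in _split_domains(spec):
        attrs: Dict[str, str] = {}
        for item in body.split(":"):
            key, sep, value = item.strip().partition("=")
            if not sep:
                raise ValueError(f"{name}: attribute {item!r} is not key=value")
            attrs[key] = value
        if attrs.get("type") != "stand-alone":
            raise ValueError(f"{name}: type must be stand-alone")
        for required in ("range", "ldap_srv", "usr_dn", "grp_dn"):
            if required not in attrs:
                raise ValueError(f"{name}: missing attribute {required}")
        if "bind_dn" in attrs and "bind_dn_pwd" not in attrs:
            raise ValueError(f"{name}: bind_dn_pwd is required when bind_dn is given")
        domains[name] = attrs
    return domains


def _overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap_plan(idmap_range: str, idmap_range_size: int,
                     unixmap_domains: str = "",
                     ldapmap_domains: str = "") -> Dict[str, object]:
    """Return the planning numbers plus a list of rule violations (empty = OK)."""
    if idmap_range_size <= 0:
        raise ValueError("--idmap-range-size must be positive")
    problems: List[str] = []
    auto = parse_range(idmap_range)
    if auto[0] < 1000:
        problems.append(f"--idmap-range lower bound {auto[0]} is below the minimum of 1000")
    # Each automatically mapped AD domain consumes one block of idmap_range_size IDs.
    auto_domains = (auto[1] - auto[0] + 1) // idmap_range_size

    explicit: Dict[str, Range] = {}
    if unixmap_domains:
        explicit.update(parse_unixmap_domains(unixmap_domains))
    if ldapmap_domains:
        for name, attrs in parse_ldapmap_domains(ldapmap_domains).items():
            if name in explicit:
                problems.append(f"{name} appears in both --unixmap-domains and --ldapmap-domains")
            explicit[name] = parse_range(attrs["range"])

    items = list(explicit.items())
    for i, (name, rng) in enumerate(items):
        if _overlaps(rng, auto):
            problems.append(f"{name} range {rng} intersects --idmap-range {auto}")
        for other, other_rng in items[i + 1:]:
            if _overlaps(rng, other_rng):
                problems.append(f"{name} range {rng} intersects {other} range {other_rng}")

    return {"auto_range": auto, "auto_domains": auto_domains,
            "explicit_ranges": explicit, "problems": problems}


if __name__ == "__main__":
    # Values taken from the examples in this reference.
    plan = check_idmap_plan("10000000-299999999", 1000000,
                            "MYDOMAIN1(20000-50000);MYDOMAIN2(100000-200000)")
    print(f"{plan['auto_domains']} automatically mapped domains fit in {plan['auto_range']}")
    print("problems:", plan["problems"] or "none")
```

Run it before mmuserauth service create with the exact option strings you intend to pass; a non-empty problems list means the command would either be rejected or, worse, produce overlapping UIDs and GIDs across domains.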
- --enable-kerberos
- Indicates whether to enable Kerberos for user authentication. Kerberos is a network authentication protocol for client/server applications based on symmetric-key cryptography; the user's password is never sent over the network in clear text.
- This option is only valid with --type {ldap} and --data-access-method {file}. This option is disabled by default. Note: If you need to use Kerberos, ensure that the keytab file is also placed under the /var/mmfs/tmp directory with the name "krb5.keytab", specifically on the node where the command is run.
- --kerberos-server kerberosServer
- Specifies the Kerberos server. This option is only valid with --type {ldap} and --data-access-method {file}.
- --kerberos-realm kerberosRealm
- Specifies the Kerberos authentication administrative domain (realm). The realm name is usually the all-uppercase version of the DNS domain name, and the value is case sensitive. This option is only valid with --type {ldap} and --data-access-method {file}.
- --user-name-attrib UserNameAttribute
- Specifies the attribute to be used to search for user name on authentication server.
- If the --data-access-method is object, this option is only valid with --type {ldap|ad}.
- If the --data-access-method is file, this option is only valid with --type {ldap}. With --type ldap, default value is cn and with --type ad, the default value is sAMAccountName.
- --user-id-attrib UserIDAttribute
- Specifies the attribute to be used to search for user ID on the authentication server.
- If --data-access-method is object, this option is only valid with --type {ldap|ad}.
- If --data-access-method is file, this option is only valid with --type {ldap}. For --type ldap, default value is uid and for --type ad the default value is CN.
- --user-mail-attrib UserMailAttribute
- Specifies the attribute to be used to search for email on authentication server. If the --data-access-method is object, this option is only valid with --type {ldap|ad}. For --data-access-method file, this option is only valid with --type {ldap}. Default value is mail.
- --user-filter userFilter
- Specifies the additional filter to be used to search for user in the authentication server. The filter must be specified in LDAP filter format. This option is only valid with --type {ldap|ad} and --data-access-method {object}. By default, no filter is used.
- --ks-dns-name keystoneDnsName
- Specifies the DNS name for keystone service. The specified name must be resolved on all protocol nodes for proper functioning. This is optional with --data-access-method {object}. If the value is not specified for this parameter, the mmuserauth service create command uses the value that is used during the IBM Spectrum Scale system installation.
- --ks-admin-user keystoneAdminName
- Specifies the Keystone server administrative user. This user must be a valid user on authentication server if --type {ldap|ad} is specified. In case of --type local, new user along with the password specified in --ks-admin-pwd is created, and admin role is assigned in Keystone. This option is mandatory with --data-access-method {object}.
- For --type {ldap|ad}, do not specify user name in DN format for --ks-admin-user. The name must be the base or short name that is written against the specified user-id-attrib or user-name-attrib of user on the LDAP server.
- --ks-admin-pwd keystoneAdminPwd
- Specifies the password of the Keystone administrative user. This option is mandatory and valid with --type {local} and --data-access-method {object}. To keep the password off the command line, omit this option; the mmuserauth service create command then prompts you to enter the password.
- --enable-ks-ssl
- Specifies whether to enable SSL for Keystone. Using an SSL certificate provides a secured way to access the Keystone service over the HTTPS protocol. This option is only valid with --data-access-method {object}. It is disabled by default. If SSL is not enabled, Keystone communicates over plain HTTP, and user credentials and tokens are exposed to anyone who can observe the traffic.
- If --type local | ad | ldap, keep the valid certificate files at the following locations on the current node:
- The certificate at: /var/mmfs/tmp/ssl_cert.pem
- The private key at: /var/mmfs/tmp/ssl_key.pem
- The cacert at: /var/mmfs/tmp/ssl_cacert.pem
- If --type userdefined, keep the valid certificate file at the following location on the current node:
- The cacert at: /var/mmfs/tmp/ssl_cacert.pem
- --ks-swift-user keystoneSwiftName
- Specifies the user name to be used as the swift user in proxy-server.conf. If AD or LDAP-based authentication is used, this user must exist in the AD or LDAP authentication server. If the local authentication method is used, a new user with this name is created in the local database. This option is only valid with --data-access-method {object}.
- For --type {ldap|ad}, do not specify user name in DN format for --ks-swift-user. The name must be the base or short name that is written against the specified user-id-attrib or user-name-attrib of user on the LDAP server.
- --ks-swift-pwd keystoneSwiftPwd
- Specifies the password of the ks-swift-user. If AD or LDAP-based authentication is used, this must be set for ks-swift user in AD or LDAP server. If local authentication method is used, the ks-swift-user with this password is created in the local database. This option is only valid with --data-access-method {object}.
- --enable-ks-casigning
- Indicates whether to use a CA-signed certificate for PKI (signing). This option is only valid with --data-access-method {object} and --type {ad|ldap|local}.
- Valid certificate files must exist at the following locations on the current node:
- The certificate at: /var/mmfs/tmp/signing_cert.pem
- The private key at: /var/mmfs/tmp/signing_key.pem
- The cacert at: /var/mmfs/tmp/signing_cacert.pem
- --ks-ext-endpoint externaleEndpoint
- Specifies the endpoint URL of the external Keystone. Only API v3 and HTTP are supported. This option is only valid with --data-access-method {object} and --type {userdefined}.
- --idmapdelete
- Specifies whether to delete ID maps. You cannot delete both authentication and ID maps together. The authentication must be deleted first and then ID maps. This option is only valid with mmuserauth service remove command.
- -N|--nodes {node-list|cesNodes}
- Verifies the authentication configuration on the specified nodes. Nodes that are not protocol nodes are ignored. If a protocol node is specified, the system checks the configuration on all protocol nodes. If you do not specify a node, the system checks the configuration of the current node only.
- -Y
- Creates parsable output. This is optional.
- -r|--rectify
- Rectifies the authentication configurations and missing SSL and TLS certificates.
- --server-reachability
- Without this flag, the mmuserauth service check command only validates that the authentication configuration files are consistent across the protocol nodes. Use this flag to also verify that the external authentication server is reachable from each protocol node.
Exit status
- 0
- Successful completion.
- nonzero
- A failure has occurred.
Security
You must have root authority to run the mmuserauth command.
The node on which the command is issued must be able to run remote shell commands on any other node in the cluster without the use of a password and without producing any extraneous messages. For more information, see Requirements for administering a GPFS file system.
Examples
- To configure Microsoft Active Directory (AD) based authentication with automatic ID mapping for file access, issue this command:
# mmuserauth service create --type ad --data-access-method file --netbios-name ess --user-name administrator --idmap-role master --servers myADserver --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999
The system displays output similar to this:
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access configuration : AD
PARAMETERS                 VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS        false
SERVERS                    myADserver
USER_NAME                  administrator
NETBIOS_NAME               ess
IDMAP_ROLE                 master
IDMAP_RANGE                10000000-299999999
IDMAP_RANGE_SIZE           1000000
UNIXMAP_DOMAINS            none

OBJECT access not configured
PARAMETERS                 VALUES
-------------------------------------------------
- To configure Microsoft Active Directory (AD) based authentication with RFC2307 ID mapping for file access, issue this command:
# mmuserauth service create --type ad --data-access-method file --netbios-name ess --user-name administrator --idmap-role master --servers myAdserver --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999 --unixmap-domains 'DOMAIN(5000-20000)'
The system displays output similar to this:
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access configuration : AD
PARAMETERS                 VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS        false
SERVERS                    myAdserver
USER_NAME                  administrator
NETBIOS_NAME               ess
IDMAP_ROLE                 master
IDMAP_RANGE                10000000-299999999
IDMAP_RANGE_SIZE           1000000
UNIXMAP_DOMAINS            DOMAIN(5000-20000)

OBJECT access not configured
PARAMETERS                 VALUES
-------------------------------------------------
- To configure Microsoft Active Directory (AD) based authentication with LDAP ID mapping for file access, issue this command:
# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name administrator --password Passw0rd --netbios-name ess --idmap-role master --ldapmap-domains "SONAS(type=stand-alone:range=1000-10000:ldap_srv=9.118.46.17:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=manager,dc=example,dc=com:bind_dn_pwd=password)"
The system displays output similar to this:
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access configuration : AD
PARAMETERS                 VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS        false
SERVERS                    myADserver
USER_NAME                  administrator
NETBIOS_NAME               ess
IDMAP_ROLE                 master
IDMAP_RANGE                10000000-299999999
IDMAP_RANGE_SIZE           1000000
UNIXMAP_DOMAINS            none
LDAPMAP_DOMAINS            SONAS(type=stand-alone:range=1000-10000:ldap_srv=9.118.46.17:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=manager,dc=example,dc=com)

OBJECT access not configured
PARAMETERS                 VALUES
-------------------------------------------------
- To configure Microsoft Active Directory (AD) based authentication with LDAP ID mapping for file access (anonymous binding with LDAP), issue this command:
# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name administrator --password Passw0rd --netbios-name ess --idmap-role master --ldapmap-domains "SONAS(type=stand-alone:range=1000-10000:ldap_srv=9.118.46.17:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com)"
The system displays output similar to this:
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access configuration : AD
PARAMETERS                 VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS        false
SERVERS                    myADserver
USER_NAME                  administrator
NETBIOS_NAME               ess
IDMAP_ROLE                 master
IDMAP_RANGE                10000000-299999999
IDMAP_RANGE_SIZE           1000000
UNIXMAP_DOMAINS            none
LDAPMAP_DOMAINS            SONAS(type=stand-alone:range=1000-10000:ldap_srv=9.118.46.17:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com)

OBJECT access not configured
PARAMETERS                 VALUES
-------------------------------------------------
- To configure LDAP-based authentication with TLS encryption for file access, issue this command:
Note: Before issuing the mmuserauth service create command to configure LDAP with TLS, ensure that the CA certificate for the LDAP server is placed under the /var/mmfs/tmp directory with the name "ldap_cacert.pem", specifically on the protocol node where the command is issued.
# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password secret --netbios-name ess --enable-server-tls
The system displays output similar to this:
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access configuration : LDAP
PARAMETERS                 VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND      false
ENABLE_SERVER_TLS          true
ENABLE_KERBEROS            false
USER_NAME                  cn=manager,dc=example,dc=com
SERVERS                    myLDAPserver
NETBIOS_NAME               ess
BASE_DN                    dc=example,dc=com
USER_DN                    none
GROUP_DN                   none
NETGROUP_DN                none
USER_OBJECTCLASS           posixAccount
GROUP_OBJECTCLASS          posixGroup
USER_NAME_ATTRIB           cn
USER_ID_ATTRIB             uid
KERBEROS_SERVER            none
KERBEROS_REALM             none

OBJECT access not configured
PARAMETERS                 VALUES
-------------------------------------------------
- To configure LDAP-based authentication with Kerberos for file access, issue this command:
Note: Before issuing the mmuserauth service create command to configure LDAP with Kerberos, ensure that the keytab file is placed under the /var/mmfs/tmp directory with the name "krb5.keytab", specifically on the node where the command is run.
# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password secret --netbios-name ess --enable-kerberos --kerberos-server myKerberosServer --kerberos-realm example.com
The system displays output similar to this:
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access configuration : LDAP
PARAMETERS                 VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND      false
ENABLE_SERVER_TLS          false
ENABLE_KERBEROS            true
USER_NAME                  cn=manager,dc=example,dc=com
SERVERS                    myLDAPserver
NETBIOS_NAME               ess
BASE_DN                    dc=example,dc=com
USER_DN                    none
GROUP_DN                   none
NETGROUP_DN                none
USER_OBJECTCLASS           posixAccount
GROUP_OBJECTCLASS          posixGroup
USER_NAME_ATTRIB           cn
USER_ID_ATTRIB             uid
KERBEROS_SERVER            myKerberosServer
KERBEROS_REALM             example.com

OBJECT access not configured
PARAMETERS                 VALUES
-------------------------------------------------
- To configure LDAP with TLS and Kerberos for file access, issue this command:
# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password secret --netbios-name ess --enable-server-tls --enable-kerberos --kerberos-server myKerberosServer --kerberos-realm example.com
The system displays output similar to this:
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access configuration : LDAP
PARAMETERS                    VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND         false
ENABLE_SERVER_TLS             true
ENABLE_KERBEROS               true
USER_NAME                     cn=manager,dc=example,dc=com
SERVERS                       es-pune-host-01
NETBIOS_NAME                  ess
BASE_DN                       dc=example,dc=com
USER_DN                       none
GROUP_DN                      none
NETGROUP_DN                   none
USER_OBJECTCLASS              posixAccount
GROUP_OBJECTCLASS             posixGroup
USER_NAME_ATTRIB              cn
USER_ID_ATTRIB                uid
KERBEROS_SERVER               myKerberosServer
KERBEROS_REALM                example.com

OBJECT access not configured
PARAMETERS                    VALUES
-------------------------------------------------
- To configure LDAP without TLS and Kerberos for file access, issue this command:
# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password secret --netbios-name ess
The system displays output similar to this:
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access configuration : LDAP
PARAMETERS                    VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND         false
ENABLE_SERVER_TLS             false
ENABLE_KERBEROS               false
USER_NAME                     cn=manager,dc=example,dc=com
SERVERS                       myLDAPserver
NETBIOS_NAME                  ess
BASE_DN                       dc=example,dc=com
USER_DN                       none
GROUP_DN                      none
NETGROUP_DN                   none
USER_OBJECTCLASS              posixAccount
GROUP_OBJECTCLASS             posixGroup
USER_NAME_ATTRIB              cn
USER_ID_ATTRIB                uid
KERBEROS_SERVER               none
KERBEROS_REALM                none

OBJECT access not configured
PARAMETERS                    VALUES
-------------------------------------------------
- To configure NIS-based authentication for file access, issue this command:
# mmuserauth service create --type nis --data-access-method file --servers myNISserver --domain nisdomain
The system displays output similar to this:
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access configuration : NIS
PARAMETERS                    VALUES
-------------------------------------------------
SERVERS                       myNISserver
DOMAIN                        nisdomain

OBJECT access not configured
PARAMETERS                    VALUES
-------------------------------------------------
- To configure user-defined authentication for file access, issue this command:
# mmuserauth service create --data-access-method file --type userdefined
The system displays output similar to this:
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access configuration : USERDEFINED
PARAMETERS                    VALUES
-------------------------------------------------

OBJECT access not configured
PARAMETERS                    VALUES
-------------------------------------------------
- To configure local authentication for object access, issue this command:
# mmuserauth service create --data-access-method object --type local --ks-dns-name ksDNSname --ks-admin-user admin --ks-admin-pwd Passw0rd
The system displays output similar to this:
Object configuration with local (Database) as identity backend is completed successfully.
Object Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access not configured
PARAMETERS                    VALUES
-------------------------------------------------

OBJECT access configuration : LOCAL
PARAMETERS                    VALUES
-------------------------------------------------
ENABLE_KS_SSL                 false
ENABLE_KS_CASIGNING           false
KS_ADMIN_USER                 admin
- To configure AD without TLS authentication for object access, issue this command:
# mmuserauth service create --type ad --data-access-method object --user-name "cn=Administrator,cn=Users,dc=example,dc=com" --password Passw0rd --base-dn "dc=example,DC=com" --ks-dns-name ksDNSname --ks-admin-user admin --servers myADserver --user-id-attrib cn --user-name-attrib sAMAccountName --user-objectclass organizationalPerson --user-dn "cn=Users,dc=example,dc=com" --ks-swift-user swift --ks-swift-pwd Passw0rd
The system displays output similar to this:
Object configuration with LDAP (Active Directory) as identity backend is completed successfully.
Object Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access not configured
PARAMETERS                    VALUES
-------------------------------------------------

OBJECT access configuration : AD
PARAMETERS                    VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND         false
ENABLE_SERVER_TLS             false
ENABLE_KS_SSL                 false
USER_NAME                     cn=Administrator,cn=Users,dc=example,dc=com
SERVERS                       myADserver
BASE_DN                       dc=IBM,DC=local
USER_DN                       cn=users,dc=example,dc=com
USER_OBJECTCLASS              organizationalPerson
USER_NAME_ATTRIB              sAMAccountName
USER_ID_ATTRIB                cn
USER_MAIL_ATTRIB              mail
USER_FILTER                   none
ENABLE_KS_CASIGNING           false
KS_ADMIN_USER                 admin
- To configure AD with TLS authentication for object access, issue this command:
# mmuserauth service create --type ad --data-access-method object --user-name "cn=Administrator,cn=Users,dc=example,dc=com" --password Passw0rd --base-dn "dc=example,DC=com" --enable-server-tls --ks-dns-name ksDNSname --ks-admin-user admin --servers myADserver --user-id-attrib cn --user-name-attrib sAMAccountName --user-objectclass organizationalPerson --user-dn "cn=Users,dc=example,dc=com" --ks-swift-user swift --ks-swift-pwd Passw0rd
The system displays output similar to this:
Object configuration with LDAP (Active Directory) as identity backend is completed successfully.
Object Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access not configured
PARAMETERS                    VALUES
-------------------------------------------------

OBJECT access configuration : AD
PARAMETERS                    VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND         false
ENABLE_SERVER_TLS             true
ENABLE_KS_SSL                 false
USER_NAME                     cn=Administrator,cn=Users,dc=example,dc=com
SERVERS                       myADserver
BASE_DN                       dc=IBM,DC=local
USER_DN                       cn=users,dc=example,dc=com
USER_OBJECTCLASS              organizationalPerson
USER_NAME_ATTRIB              sAMAccountName
USER_ID_ATTRIB                cn
USER_MAIL_ATTRIB              mail
USER_FILTER                   none
ENABLE_KS_CASIGNING           false
KS_ADMIN_USER                 admin
- To configure LDAP-based authentication for object access, issue this command:
# mmuserauth service create --type ldap --data-access-method object --user-name "cn=manager,dc=example,dc=com" --password "Passw0rd" --base-dn dc=example,dc=com --ks-dns-name ksDNSname --ks-admin-user admin --servers myLDAPserver --user-dn "ou=People,dc=example,dc=com" --ks-swift-user swift --ks-swift-pwd Passw0rd
The system displays output similar to this:
Object configuration with LDAP as identity backend is completed successfully.
Object Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access not configured
PARAMETERS                    VALUES
-------------------------------------------------

OBJECT access configuration : LDAP
PARAMETERS                    VALUES
-------------------------------------------------
ENABLE_SERVER_TLS             false
ENABLE_KS_SSL                 false
USER_NAME                     cn=manager,dc=example,dc=com
SERVERS                       myLDAPserver
BASE_DN                       dc=example,dc=com
USER_DN                       ou=people,dc=example,dc=com
USER_OBJECTCLASS              posixAccount
USER_NAME_ATTRIB              cn
USER_ID_ATTRIB                uid
USER_MAIL_ATTRIB              mail
USER_FILTER                   none
ENABLE_KS_CASIGNING           false
KS_ADMIN_USER                 admin
- To configure LDAP with TLS-based authentication for object access, issue this command:
# mmuserauth service create --type ldap --data-access-method object --user-name "cn=manager,dc=example,dc=com" --password "Passw0rd" --base-dn dc=example,dc=com --enable-server-tls --ks-dns-name ksDNSname --ks-admin-user admin --servers myLDAPserver --user-dn "ou=People,dc=example,dc=com" --ks-swift-user swift --ks-swift-pwd Passw0rd
The system displays output similar to this:
Object configuration with LDAP as identity backend is completed successfully.
Object Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
# mmuserauth service list
The system displays output similar to this:
FILE access not configured
PARAMETERS                    VALUES
-------------------------------------------------

OBJECT access configuration : LDAP
PARAMETERS                    VALUES
-------------------------------------------------
ENABLE_SERVER_TLS             true
ENABLE_KS_SSL                 false
USER_NAME                     cn=manager,dc=example,dc=com
SERVERS                       myLDAPserver
BASE_DN                       dc=example,dc=com
USER_DN                       ou=people,dc=example,dc=com
USER_OBJECTCLASS              posixAccount
USER_NAME_ATTRIB              cn
USER_ID_ATTRIB                uid
USER_MAIL_ATTRIB              mail
USER_FILTER                   none
ENABLE_KS_CASIGNING           false
KS_ADMIN_USER                 admin
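The list examples above show which transport settings the output exposes. As an added example (not IBM's code), this POSIX shell function audits mmuserauth service list output for settings a reviewer would flag: a directory bind without TLS, anonymous bind enabled, and Keystone without SSL. It assumes the two-column PARAMETERS/VALUES layout shown above; the sample output is constructed.

```shell
#!/bin/sh
# Constructed sample of "mmuserauth service list" output: the FILE section
# mirrors the "LDAP without TLS and Kerberos" example, the OBJECT section is
# an LDAP identity backend with Keystone SSL left off.
SAMPLE_LIST='FILE access configuration : LDAP
PARAMETERS                    VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND         false
ENABLE_SERVER_TLS             false
ENABLE_KERBEROS               false
USER_NAME                     cn=manager,dc=example,dc=com
SERVERS                       myLDAPserver
OBJECT access configuration : LDAP
PARAMETERS                    VALUES
-------------------------------------------------
ENABLE_SERVER_TLS             true
ENABLE_KS_SSL                 false
KS_ADMIN_USER                 admin'

# audit_userauth_list: reads "mmuserauth service list" output on stdin and
# prints one finding per line as "<SECTION> <PARAMETER> <value> <reason>".
# Exit status 0 means no weak setting was found, 1 means at least one was.
audit_userauth_list() {
    awk '
    # "FILE access configuration : LDAP" / "OBJECT access not configured"
    /^(FILE|OBJECT) access/ { section = $1; next }
    $1 == "ENABLE_SERVER_TLS" && $2 == "false" {
        print section, $1, $2, "bind credentials sent without TLS"; n++ }
    $1 == "ENABLE_ANONYMOUS_BIND" && $2 == "true" {
        print section, $1, $2, "anonymous directory bind allowed"; n++ }
    $1 == "ENABLE_KS_SSL" && $2 == "false" {
        print section, $1, $2, "Keystone endpoint served without SSL"; n++ }
    END { exit (n > 0) }'
}

# Stand-alone run against the constructed sample. On a protocol node, pipe
# the live command instead:  mmuserauth service list | audit_userauth_list
if printf '%s\n' "$SAMPLE_LIST" | audit_userauth_list; then
    echo "no weak transport settings found"
else
    echo "weak transport settings found (exit status 1)"
fi
```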
- To remove the authentication method that is configured for file access, issue this command:
# mmuserauth service remove --data-access-method file
The system displays output similar to this:
mmuserauth service remove: Command successfully completed
Note: Authentication configuration and ID maps cannot be deleted together. To remove ID maps, remove the authentication configuration first and then remove the ID maps. Also, you cannot delete ID maps that are used for file and object access together. That is, when you delete the ID maps, the value that is specified for --data-access-method must be either file or object.
- To remove the authentication method that is configured for object access, issue this command:
# mmuserauth service remove --data-access-method object
The system displays output similar to this:
mmuserauth service remove: Command successfully completed
Note: Authentication configuration and ID maps cannot be deleted together. To remove ID maps, remove the authentication configuration first and then remove the ID maps. Also, you cannot delete ID maps that are used for file and object access together. That is, when you delete the ID maps, the value that is specified for --data-access-method must be either file or object.
- To check whether the authentication configuration is consistent across the cluster and the required services are enabled and running, issue this command:
# mmuserauth service check --data-access-method file --nodes cesNodes --rectify
The system displays output similar to this:
Userauth file check on node: dgnode3
Checking SSSD_CONF: OK
LDAP server status
LDAP server 192.0.2.18 : OK
Service 'sssd' status: OK
Userauth file check on node: dgnode2
dgnode2: not CES node. Ignoring...
- To check whether the file authentication configuration is consistent across the cluster and the required services are enabled and running, without correcting any problems that are found, issue this command:
# mmuserauth service check --data-access-method file --nodes cesNodes
- To check that all object configuration files (including certificates) are present, and if not, rectify the situation, issue the following command:
# mmuserauth service check --data-access-method object --rectify
The system displays output similar to this:
Userauth object check on node: node1
Checking keystone.conf: OK
Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
Checking /etc/keystone/ssl/private/signing_key.pem: OK
Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
Checking /etc/keystone/ssl/certs/object_ldap_cacert.pem: OK
Service 'openstack-keystone' status: OK
- To check if the external authentication server is reachable by each protocol node, issue the following command:
# mmuserauth service check --server-reachability
- If file is not configured, object is configured, and there are no errors, the system displays output similar to this:
Userauth object check on node: vmnode2
Checking keystone.conf: OK
Checking wsgi-keystone.conf: OK
Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
Checking /etc/keystone/ssl/private/signing_key.pem: OK
Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
LDAP servers status
LDAP server 9.118.37.234 : OK
Service 'httpd' status: OK
- If file is not configured, object is configured, and there is a single error, the system displays output similar to this:
Userauth object check on node: vmnode2
Checking keystone.conf: OK
Checking wsgi-keystone.conf: OK
Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
Checking /etc/keystone/ssl/private/signing_key.pem: OK
Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
LDAP servers status
LDAP server 9.118.37.234 : ERROR
Service 'httpd' status: OK
- If file and object are configured and there are no errors, the system displays output similar to this:
Userauth file check on node: vmnode2
Checking nsswitch file: OK
AD servers status
NETLOGON connection: OK
Domain join status: OK
Machine password status: OK
Service 'gpfs-winbind' status: OK
Userauth object check on node: vmnode2
Checking keystone.conf: OK
Checking wsgi-keystone.conf: OK
Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
Checking /etc/keystone/ssl/private/signing_key.pem: OK
Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
LDAP servers status
LDAP server 9.118.37.234 : OK
Service 'httpd' status: OK
- If file and object are configured and there is a single error, the system displays output similar to this:
Userauth file check on node: vmnode2
Checking nsswitch file: OK
AD servers status
NETLOGON connection: OK
Domain join status: OK
Machine password status: ERROR
Service 'gpfs-winbind' status: OK
Userauth object check on node: vmnode2
Checking keystone.conf: OK
Checking wsgi-keystone.conf: OK
Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
Checking /etc/keystone/ssl/private/signing_key.pem: OK
Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
LDAP servers status
LDAP server 9.118.37.234 : OK
- If file and object are configured and there are multiple errors, the system displays output similar to this:
Userauth file check on node: vmnode2
Checking nsswitch file: OK
AD servers status
NETLOGON connection: ERROR
Domain join status: ERROR
Machine password status: ERROR
Service 'gpfs-winbind' status: OK
Userauth object check on node: vmnode2
Checking keystone.conf: OK
Checking wsgi-keystone.conf: OK
Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
Checking /etc/keystone/ssl/private/signing_key.pem: OK
Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
LDAP servers status
LDAP server 9.118.37.234 : ERROR
Service 'httpd' status: OK
Note: The --rectify or -r option cannot fix server reachability errors. Specifying that option together with --server-reachability may fix only erroneous configuration files and service-related errors.
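The check outputs above are meant to be read by a person. As an added example (not IBM's code), this POSIX shell function reduces mmuserauth service check output to one line per failed check, keyed by node and protocol, so a monitoring job can alert on a non-zero exit status. It assumes the line layout shown above, where every failed check ends in ": ERROR"; the sample input is constructed from the file-and-object multiple-error output.

```shell
#!/bin/sh
# Constructed sample: the "file and object configured, multiple errors"
# output shown above, one check per line.
SAMPLE_CHECK="Userauth file check on node: vmnode2
Checking nsswitch file: OK
AD servers status
NETLOGON connection: ERROR
Domain join status: ERROR
Machine password status: ERROR
Service 'gpfs-winbind' status: OK
Userauth object check on node: vmnode2
Checking keystone.conf: OK
Checking wsgi-keystone.conf: OK
Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
Checking /etc/keystone/ssl/private/signing_key.pem: OK
Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
LDAP servers status
LDAP server 9.118.37.234 : ERROR
Service 'httpd' status: OK"

# failed_userauth_checks: reads "mmuserauth service check" output on stdin
# and prints "<node> <file|object> <check name>" for every line that ends in
# ": ERROR". Exit status 0 when every check passed, 1 when any check failed.
failed_userauth_checks() {
    awk '
    # "Userauth file check on node: vmnode2" starts a new node/protocol block
    /^Userauth (file|object) check on node:/ { proto = $2; node = $NF; next }
    /: ERROR$/ { sub(/ *: ERROR$/, ""); print node, proto, $0; n++ }
    END { exit (n > 0) }'
}

# Stand-alone run against the constructed sample. On a protocol node, pipe
# the live command instead:
#   mmuserauth service check --data-access-method all | failed_userauth_checks
if printf '%s\n' "$SAMPLE_CHECK" | failed_userauth_checks; then
    echo "all authentication checks passed"
else
    echo "one or more authentication checks failed (exit status 1)"
fi
```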
- If file is not configured, object is configured, and there are
no errors, the system displays output similar to this: