Setting up a range of ID maps that can be allotted to the users

You can optionally specify the pool of values from which the IBM Spectrum Scale™ system assigns UIDs and GIDs to Active Directory users and groups. When a user or group is defined in AD, it is identified by a security identifier (SID), which includes a component called the Relative Identifier (RID). The RID value depends on the number of users and groups in the Active Directory domain. The --idmap-range and --idmap-range-size parameters of the mmuserauth service create command specify the pool from which the IBM Spectrum Scale system assigns UIDs and GIDs to AD users and groups of users.

The ID map range is defined between a minimum and maximum value. The default minimum value is 10000000 and the default maximum value is 299999999, and the default range size is 1000000. This allows for a maximum of 290 unique Active Directory domains.

The ID map range size specifies the total number of UIDs and GIDs that are assignable per domain. For example, if the range is defined as 10000-20000 and the range size is defined as 2000 (--idmap-range 10000-20000:2000), five domains can be mapped, each consisting of 2000 IDs. Ensure that the range size is defined such that at least three domains can be mapped. The range size is identical for all AD domains that are configured by the IBM Spectrum Scale system. Choose an ID map range size that allows for the highest anticipated RID value among all of the anticipated AD users and groups of users in all of the anticipated AD domains. Ensure that the range size value, when originally defined, takes into account the planned growth in the number of AD users and groups of users. The ID map range size cannot be changed after the IBM Spectrum Scale system is configured with Active Directory as the authentication server.

Whenever a user or user group from an AD domain accesses the IBM Spectrum Scale system, a range is allocated per domain. The UID or GID for a user or user group is allocated depending on this range and the RID of the user or user group. If the RID of any user or group is greater than the range size, that user or user group is mapped into extension ranges, depending on the number of available ranges. If the number of ranges (default value is 290) runs out, mapping requests for a new user or user group (or new extension ranges for a user or group that is already known) are ignored, and that user or user group cannot access the data.

Choosing range size

  1. Determine the highest Active Directory RID that is currently assigned. You can use the dcdiag command at the command prompt of the operating system of the server that is hosting Active Directory to determine the value of the rIDNextRID attribute. For example:
    # dcdiag /s:IP_of_system_hosting_AD  /v /test:ridmanager

    Specifically,

    C:\Program Files\Support Tools>dcdiag /s:10.0.0.123 /v /test:ridmanager 

    The following output is displayed:

    Starting test: RidManager
         * Available RID Pool for the Domain is 1600 to 1073741823
         * win2k8.pollux.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1100 to 1599
         * rIDPreviousAllocationPool is 1100 to 1599
         * rIDNextRID: 1174

    In this example, the rIDNextRID value is 1174. Another way to determine the current value for rIDNextRID is to run an LDAP query on the following DN Path:
    CN=Rid Set,Cn=computername,ou=domain controllers,DC=domain,DC=COM

    If there is more than one domain controller serving the Active Directory domain, determine the highest RID among all of the domain controllers. Similarly, if there is more than one domain, determine the highest RID among all of the domains.

  2. Estimate the expected number of users and groups that might be added in future, in addition to the current number of users and groups.
  3. Add the highest RID determined in step 1 to the number of users and groups that were estimated in the previous step. The result is the estimate for the value of the range size.
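
The three steps above, together with the range-count limits described earlier, as an added planning sketch (not IBM code). Function names, the second domain controller's output and the domain names are constructed; the count of extension ranges assumes each range covers one range-size block of RIDs starting at 0, which the page does not state.

```python
import re

# Constructed sample output: DC1 mirrors the page's example, DC2 is invented.
DC1_OUTPUT = """Starting test: RidManager
     * rIDAllocationPool is 1100 to 1599
     * rIDNextRID: 1174"""
DC2_OUTPUT = """Starting test: RidManager
     * rIDAllocationPool is 2600 to 3099
     * rIDNextRID: 2650"""

def next_rid(dcdiag_output):
    """Extract rIDNextRID from `dcdiag /v /test:ridmanager` output."""
    match = re.search(r"rIDNextRID:\s*(\d+)", dcdiag_output)
    if match is None:
        raise ValueError("rIDNextRID not found in dcdiag output")
    return int(match.group(1))

def estimate_range_size(dc_outputs, expected_growth):
    """Steps 1-3: highest RID over all domain controllers plus planned growth."""
    return max(next_rid(out) for out in dc_outputs) + expected_growth

def available_ranges(low, high, size):
    """Whole ranges of `size` IDs that fit in low..high (bounds as on this page)."""
    return (high - low + 1) // size

def ranges_needed(highest_rid, size):
    """Base range plus extension ranges consumed by one domain.
    Assumption (not stated on the page): each range covers `size` RIDs from 0."""
    return highest_rid // size + 1

def check_plan(low, high, size, highest_rid_per_domain):
    """Return a list of problems; an empty list means the plan fits."""
    problems = []
    total = available_ranges(low, high, size)
    if total < 3:
        problems.append(f"only {total} range(s) fit; at least 3 are required")
    used = sum(ranges_needed(rid, size) for rid in highest_rid_per_domain.values())
    if used > total:
        problems.append(f"domains need {used} ranges but only {total} exist")
    return problems

if __name__ == "__main__":
    size = estimate_range_size([DC1_OUTPUT, DC2_OUTPUT], expected_growth=5000)
    print("suggested range size:", size)
    print("ranges in default pool:", available_ranges(10_000_000, 299_999_999, size))
    # Domain names and RIDs below are constructed for illustration.
    print(check_plan(10000, 20000, 2000, {"CORP": 1174, "LAB": 4500, "DMZ": 3999}))
```

Because the range size cannot be changed after configuration, run the check with the projected highest RIDs rather than the current ones.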