Configuring LDAP-based authentication for object access

You can configure Keystone with an external LDAP server as the authentication back end. This allows LDAP users to access the object store with their LDAP credentials. The same LDAP server can be used for both object access and file access.

Prerequisites

Ensure that you have the following details before you configure LDAP-based authentication:
  • LDAP server details such as IP address or host name, LDAP user name, user password, base dn, and user dn.
  • If you want to configure TLS between Keystone and the LDAP server, place the CA certificate that signed the LDAP server's TLS certificate at the following path on the node where the mmuserauth service create command is run:
    • /var/mmfs/tmp/ldap_cacert.pem
  • The secret key you provided for encrypting/decrypting passwords unless you have disabled prompting for the key.

See Integrating with LDAP server for more information on the prerequisites for integrating LDAP server with the IBM Spectrum Scale™ system.

You need to issue the mmuserauth service create command to configure LDAP-based authentication with the following parameters:
  • --type ldap
  • --data-access-method object
  • --servers IP address or host name of the LDAP server (all user lookups by Keystone are done only against this server; if multiple servers are specified, only the first is used and the rest are ignored).
  • --base-dn ldapBase
  • { --enable-anonymous-bind | --user-name BindDN --password BindPwd } (You must specify either --enable-anonymous-bind, or both --user-name and --password.)
  • --enable-server-tls, if TLS needs to be enabled.
  • --user-dn ldapUserSuffix (LDAP container from where users are looked up)
  • --ks-admin-user keystoneAdminUser from LDAP.
  • --enable-ks-ssl, if SSL needs to be enabled for Keystone. This requires a separate set of certificates placed in the standard directory.
  • --enable-ks-casigning, if you want to use external CA signed certificate for token signing.
  • --ks-swift-user swiftServiceUser from LDAP.
  • --ks-swift-pwd password of swiftServiceUser in LDAP.

For more information on each parameter, see the mmuserauth service create command.
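The following preflight wrapper assembles the command from the parameters above and rejects the combinations that would be silently misconfigured (a server list, a bind DN without a password, TLS without the CA certificate in place). It is an added example, not part of the IBM documentation; the host name, DNs, user names and passwords in the sample invocation are constructed placeholders, and the printed command would be run on a protocol node.

```shell
#!/bin/sh
# Added example: build and validate an mmuserauth service create command line
# for LDAP-based object authentication. Prints the command; it does not run it.

# Path the page requires for the CA certificate when --enable-server-tls is used.
LDAP_CACERT=${LDAP_CACERT:-/var/mmfs/tmp/ldap_cacert.pem}

# build_mmuserauth_cmd SERVER BASE_DN USER_DN KS_ADMIN SWIFT_USER SWIFT_PWD BIND_DN BIND_PWD TLS
#   BIND_DN empty  -> anonymous bind; TLS is "yes" or "no".
#   Values are single-quoted in the output, so a value containing ' needs different quoting.
build_mmuserauth_cmd() {
    server=$1; base_dn=$2; user_dn=$3; ks_admin=$4
    swift_user=$5; swift_pwd=$6; bind_dn=$7; bind_pwd=$8; tls=$9

    # Keystone only ever uses the first server; refuse a list rather than drop entries silently.
    case $server in
        *,*|*' '*) echo "error: Keystone uses a single LDAP server, got '$server'" >&2; return 1 ;;
    esac

    # Either anonymous bind, or BOTH a bind DN and its password.
    if [ -n "$bind_dn" ]; then
        [ -n "$bind_pwd" ] || { echo "error: --user-name requires --password" >&2; return 1; }
        bind_opts="--user-name '$bind_dn' --password '$bind_pwd'"
    elif [ -n "$bind_pwd" ]; then
        echo "error: --password given without --user-name" >&2; return 1
    else
        bind_opts="--enable-anonymous-bind"
    fi

    # The CA certificate must already be on this node before TLS can be enabled.
    tls_opts=""
    if [ "$tls" = yes ]; then
        [ -r "$LDAP_CACERT" ] || { echo "error: CA certificate $LDAP_CACERT not found" >&2; return 1; }
        tls_opts=" --enable-server-tls"
    fi

    cmd="mmuserauth service create --type ldap --data-access-method object"
    cmd="$cmd --servers $server --base-dn '$base_dn' $bind_opts$tls_opts"
    cmd="$cmd --user-dn '$user_dn' --ks-admin-user $ks_admin"
    cmd="$cmd --ks-swift-user $swift_user --ks-swift-pwd '$swift_pwd'"
    printf '%s\n' "$cmd"
}

# Sample invocation with constructed values (bind DN, no TLS).
build_mmuserauth_cmd ldap01.example.com 'dc=example,dc=com' 'ou=People,dc=example,dc=com' \
    admin swift 'Sw1ftPwd' 'cn=manager,dc=example,dc=com' 'BindPwd' no
```

To enable TLS, copy the signing CA certificate to /var/mmfs/tmp/ldap_cacert.pem on the node first; the wrapper refuses to emit --enable-server-tls until that file is readable.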

To change the authentication method that is already configured for object access, you need to remove the authentication method and ID mappings. For more information, see Deleting the authentication and the ID mapping configuration.