Configuring AD-based authentication with LDAP ID mapping
This method provides a way for IBM Spectrum Scale™ to read ID mappings from an LDAP server as defined in RFC2307. Mappings must be provided in advance by the administrator by creating the user accounts in the AD server and the posixAccount and posixGroup objects in the LDAP server. The names in the AD server and in the LDAP server have to be the same. This ID mapping approach allows the continued use of existing LDAP authentication servers that store records in the RFC2307 format. The group memberships defined in the AD server are also honored in the system.
Command to Configure Plain AD with LDAP
Issue the mmuserauth service create command as shown in the following example:
# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name administrator --password Passw0rd --netbios-name specscale --idmap-role master --ldapmap-domains "DOMAIN1(type=stand-alone:range=1000-100000:ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:
The NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Spectrum Scale™ clusters, or between the AD Domain and the NetBIOS name, the configuration does not work properly.
Important: ID mappings are always created only on the "master" system. On the "subordinate" system, these ID mappings have to be imported from the "master" system.
See the mmuserauth man page for more information on the parameters that can be used and their details.
If successful, the system displays the following output:
File Authentication configuration completed successfully.
Verify the authentication configuration by issuing the command as shown below:
# mmuserauth service list
The system displays the following output:
FILE access configuration : AD
LDAPMAP_DOMAINS DOMAIN1(type=stand-alone: range=1000-100000:ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:
The output lists the authentication configuration details: the server used for authentication, the NetBIOS name assigned, the ID map range and range size, and the LDAP map domains with their details.
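Listing the configuration confirms what the cluster was told, but not that the LDAP side actually holds a usable RFC2307 record for every AD user. The following added Python check (not from the page or from IBM Spectrum Scale) parses a constructed LDIF export of the usr_dn and grp_dn containers named in the command above and reports AD user names with no matching posixAccount, a uidNumber outside the configured range=1000-100000, or a primary gidNumber that no posixGroup defines; the sample entries and user names are assumptions.

```python
# Constructed sample LDIF (not from the page): RFC2307 entries under the usr_dn/grp_dn above; "bob" is deliberately broken.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 2001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 250000
gidNumber: 2002

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 2001
"""

def parse_ldif(text):
    """Minimal LDIF parser: one 'attr: value' per line, blank line ends an entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), []).append(val.strip())
    return entries

def check_idmap(ldif_text, ad_users, lo=1000, hi=100000):
    """List AD users that would not get a usable RFC2307 mapping from this LDAP data."""
    entries = parse_ldif(ldif_text)
    users = {e["uid"][0]: e for e in entries if "posixAccount" in e.get("objectClass", [])}
    gids = {e["gidNumber"][0] for e in entries if "posixGroup" in e.get("objectClass", [])}
    problems = []
    for name in ad_users:  # the LDAP uid must equal the AD user name exactly
        acct = users.get(name)
        if acct is None:
            problems.append(f"{name}: no posixAccount with uid={name} under ou=People")
            continue
        uidn = int(acct["uidNumber"][0])
        if not lo <= uidn <= hi:  # range=1000-100000 from the ldapmap-domains string
            problems.append(f"{name}: uidNumber {uidn} outside range {lo}-{hi}")
        if acct["gidNumber"][0] not in gids:
            problems.append(f"{name}: gidNumber {acct['gidNumber'][0]} has no posixGroup")
    return problems
```

Run it against a real export (for example the output of an ldapsearch over ou=People and ou=Groups) and the list of AD user names before switching the cluster to this mapping; an empty result means every listed user resolves.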