Decoding IBM Spectrum Scale Object Authentication configuration with Active Directory (AD)

You can configure Spectrum Scale object with Active Directory either through the Installer toolkit at deploy time, or with the mmuserauth CLI after Spectrum Scale object has been enabled.

In this blog entry I am using the mmuserauth CLI to configure Spectrum Scale object with Active Directory.

Example of the mmuserauth CLI for configuring Spectrum Scale object with Active Directory:

mmuserauth service create
--data-access-method object
--type ad
--servers 10.0.0.27
--user-dn cn=users,dc=sonas,dc=com
--base-dn dc=sonas,dc=com
--user-name administrator@sonas.com
--password Passw0rd
--ks-admin-user keystoneadminuser
--ks-swift-user swiftserviceuser
--ks-swift-pwd swiftPassw0rd
[--user-objectclass organizationalPerson]
[--user-name-attrib sAMAccountName]
[--user-id-attrib CN]

Note : [option] denotes an optional parameter, shown here with its default value.

Note : Both --password and --ks-swift-pwd are passed on the command line in this example, so they end up in the shell history of the node and are visible in the process list while the command runs. Clear or protect the history afterwards and use lab-only passwords in a lab.

The CLI has more options than these; the ones listed above are the important ones.
Refer to the mmuserauth man page for details.

Things to check before configuring Spectrum Scale object with Active Directory

  1. Is the Active Directory server correct and reachable, and do the bind details work?
This simply means validating the following parameters from the mmuserauth example given at the start:
--servers 10.0.0.27
--user-dn cn=users,dc=sonas,dc=com
--user-name administrator@sonas.com
--password Passw0rd
  ldapsearch sample command to validate the AD details:

/usr/bin/ldapsearch -x -H ldap://<--servers> -b <--user-dn> -s sub -o nettimeout=10 -LLL -A -D <--user-name> -w <--password>

The command for my environment:
/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D administrator@sonas.com -w Passw0rd

Note : -x is a simple bind, and over plain ldap:// the bind password crosses the network in clear text. Outside a lab, point -H at ldaps://<server> or add -ZZ to require StartTLS, and prefer -W (prompt for the password) or -y <file> over -w so the password does not land in the shell history.

The command above prints every entry under the base DN with all of its attribute names (-A suppresses the values), so you can limit the output to the DNs only:

/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D administrator@sonas.com -w Passw0rd '(objectClass=*)' dn

OR restrict it to a single account:

/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D administrator@sonas.com -w Passw0rd '(cn=administrator)'

Note : Provide the bind user (i.e. --user-name) either in
DN format (example : CN=Administrator,CN=Users,DC=SONAS,DC=COM)
or in
user logon name format (example : administrator@sonas.com)

If this step succeeds, your Active Directory server is correct and reachable, and the bind details you provided are valid.

  2. Is --ks-admin-user (keystoneadminuser) present in Active Directory?

Note : keystoneadminuser must exist in Active Directory under the provided --user-dn and must have a valid password.

To validate --ks-admin-user, the following options need careful attention, because they decide how the user is looked up:
[--user-objectclass organizationalPerson]
[--user-name-attrib sAMAccountName]
[--user-id-attrib CN]

ldapsearch sample command to validate --ks-admin-user:
/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D administrator@sonas.com -w Passw0rd '(&(objectClass=organizationalPerson)(|(sAMAccountName=keystoneadminuser)(CN=keystoneadminuser)))' -z1 dn

This command should return something like:
dn: CN=keystoneadminuser,CN=Users,DC=SONAS,DC=COM

This step confirms that your --ks-admin-user is good to go.

Note : Use the short name for --ks-admin-user. Do not use the DN or the user logon name.
For example I am using keystoneadminuser, not
CN=keystoneadminuser,CN=Users,DC=SONAS,DC=COM
or
keystoneadminuser@sonas.com

  3. Are --ks-swift-user and --ks-swift-pwd correct?

Validating that --ks-swift-user exists in Active Directory:
--ks-swift-user swiftserviceuser
--ks-swift-pwd swiftPassw0rd

ldapsearch sample command to check whether --ks-swift-user exists, using the admin bind credentials:
/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D administrator@sonas.com -w Passw0rd '(&(objectClass=organizationalPerson)(|(sAMAccountName=swiftserviceuser)(CN=swiftserviceuser)))' dn

This command returns something like dn: CN=swiftserviceuser,CN=Users,DC=SONAS,DC=COM. Use this DN as the bind DN to validate the provided --ks-swift-pwd.

ldapsearch sample command to check that --ks-swift-pwd is correct (a successful simple bind as the swift service user proves the password):

/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D CN=swiftserviceuser,CN=Users,DC=SONAS,DC=COM -w swiftPassw0rd '(objectClass=*)' -z1 dn

If this succeeds, you are ready to configure Spectrum Scale object with Active Directory.

Note : Use the short name for --ks-swift-user. Do not use the DN or the user logon name.
For example I am using swiftserviceuser, not
CN=swiftserviceuser,CN=Users,DC=SONAS,DC=COM or
swiftserviceuser@sonas.com

  4. Why do --user-objectclass, --user-name-attrib and --user-id-attrib matter?
All three are used as the initial filter for Keystone users: only users that match this object class and carry these attributes are listed as Keystone users.
The values below are the defaults for Active Directory; you can change them to suit your environment.
[--user-objectclass organizationalPerson]
[--user-name-attrib sAMAccountName]
[--user-id-attrib CN]
Note : When choosing --user-id-attrib, pick the attribute that is used in the user DN. For example, in all the user DNs in my environment (e.g. CN=swiftserviceuser,CN=Users,DC=SONAS,DC=COM) it is CN, hence I am using --user-id-attrib CN.
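Putting the four checks together: the following POSIX shell script is an added example (it is not from the original post and not IBM's code) that runs the same ldapsearch checks as a pre-flight before mmuserauth service create. It reads the two passwords from files with -y instead of putting them on the command line with -w, so they do not appear in the process list or shell history; it escapes the short names before placing them in the LDAP filter (RFC 4515), so a name containing *, ( or ) cannot alter the filter; it unfolds LDIF continuation lines so a long DN is still matched; and it fails when a short name matches zero or more than one entry. The server, DNs, user names and password file paths are assumptions matching the lab values above and can be overridden from the environment.

```shell
#!/bin/sh
# Pre-flight checks for "mmuserauth service create --data-access-method object --type ad".
# Added example; the values below are assumptions matching the lab in the post.
AD_SERVER="${AD_SERVER:-10.0.0.27}"
LDAP_URI="${LDAP_URI:-ldap://$AD_SERVER}"       # use ldaps://... outside a lab
BASE_DN="${BASE_DN:-cn=users,dc=sonas,dc=com}"  # the --user-dn value
BIND_USER="${BIND_USER:-administrator@sonas.com}"
BIND_PW_FILE="${BIND_PW_FILE:-/root/.ad_bind_pw}"        # assumed path, mode 0600
KS_ADMIN_USER="${KS_ADMIN_USER:-keystoneadminuser}"
KS_SWIFT_USER="${KS_SWIFT_USER:-swiftserviceuser}"
KS_SWIFT_PW_FILE="${KS_SWIFT_PW_FILE:-/root/.swift_pw}"  # assumed path, mode 0600
USER_OBJECTCLASS="${USER_OBJECTCLASS:-organizationalPerson}"
USER_NAME_ATTRIB="${USER_NAME_ATTRIB:-sAMAccountName}"
USER_ID_ATTRIB="${USER_ID_ATTRIB:-CN}"

# Escape a value for use inside an LDAP search filter (RFC 4515): \ * ( ) become
# \5c \2a \28 \29. Backslash goes first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The lookup filter the post uses for --ks-admin-user and --ks-swift-user:
# object class AND (name attribute OR id attribute) equal to the short name.
user_filter() {
    _u=$(ldap_filter_escape "$1")
    printf '(&(objectClass=%s)(|(%s=%s)(%s=%s)))' \
        "$USER_OBJECTCLASS" "$USER_NAME_ATTRIB" "$_u" "$USER_ID_ATTRIB" "$_u"
}

# Join LDIF continuation lines (a line starting with one space continues the
# previous line) so that a long DN is seen as a single 'dn:' line.
ldif_unfold() {
    sed -e ':a' -e '$!N' -e 's/\n //' -e 'ta' -e 'P;D'
}

# One search, bound as $1 with the password read from file $2 (-y) so it never
# appears on the command line; $3 is the scope, $4 the filter, the rest attributes.
ad_search() {
    _bind=$1; _pwfile=$2; _scope=$3; _filter=$4; shift 4
    ldapsearch -x -H "$LDAP_URI" -o nettimeout=10 -LLL -A \
        -b "$BASE_DN" -s "$_scope" -D "$_bind" -y "$_pwfile" "$_filter" "$@"
}

# Check 1: a base-scope read of --user-dn itself returns exactly one entry, so it
# succeeds only when the server is reachable and the bind is accepted.
check_bind() {
    if ad_search "$BIND_USER" "$BIND_PW_FILE" base '(objectClass=*)' dn >/dev/null; then
        echo "OK   bind to $LDAP_URI as $BIND_USER"
    else
        echo "FAIL bind to $LDAP_URI as $BIND_USER" >&2; return 1
    fi
}

# Checks 2 and 3a: resolve a short name to exactly one DN under --user-dn. Zero
# matches means the user is missing; more than one means the name is ambiguous
# between the name and id attributes and should be fixed in AD first.
require_one_dn() {
    _dns=$(ad_search "$BIND_USER" "$BIND_PW_FILE" sub "$(user_filter "$1")" dn \
        | ldif_unfold | sed -n 's/^dn: //p')
    _n=$(printf '%s\n' "$_dns" | grep -c .)
    case $_n in
        1) printf '%s\n' "$_dns" ;;
        0) echo "FAIL $1 not found under $BASE_DN" >&2; return 1 ;;
        *) echo "FAIL $1 matched $_n entries under $BASE_DN" >&2; return 1 ;;
    esac
}

# Check 3b: a simple bind as the swift service DN proves --ks-swift-pwd is right.
check_swift_pw() {
    if ad_search "$1" "$KS_SWIFT_PW_FILE" base '(objectClass=*)' dn >/dev/null; then
        echo "OK   --ks-swift-pwd accepted for $1"
    else
        echo "FAIL --ks-swift-pwd rejected for $1" >&2; return 1
    fi
}

run_all_checks() {
    check_bind || return 1
    _adm=$(require_one_dn "$KS_ADMIN_USER") || return 1
    echo "OK   --ks-admin-user $KS_ADMIN_USER -> $_adm"
    _swift=$(require_one_dn "$KS_SWIFT_USER") || return 1
    echo "OK   --ks-swift-user $KS_SWIFT_USER -> $_swift"
    check_swift_pw "$_swift"
}

# Only contact AD when asked explicitly:  sh precheck.sh run
if [ "${1:-}" = "run" ]; then
    run_all_checks
fi
```

Create the password files first, for example `printf '%s' 'Passw0rd' > /root/.ad_bind_pw; chmod 600 /root/.ad_bind_pw` (ldapsearch uses the whole file content as the password, so do not add a trailing newline), then run `sh precheck.sh run`. Without the `run` argument the script only defines the functions, which makes the filter and LDIF helpers easy to test on their own.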

“These are my personal views and do not necessarily reflect that of my employer”
