[gpfsug-discuss] Question concerning integration of CES with AD authentication system
mark.bergman at uphs.upenn.edu
Fri Jul 26 00:31:21 BST 2019
In the message dated: Thu, 24 May 2018 17:07:02 -0000,
The pithy ruminations from Christof Schmitt on
[Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system] were:
=>
Following up on an old, old post...
=> > Basically Samba ignores the separate GID field in RFC2307bis, so one
=> > imagines the options for changing the LDAP attributes are
=> > nonexistent.
=>
=> mmuserauth now has an option to use either the gid from the actual primary
=> group or the gid defined for the user. See:
=>
=> https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adm_mmuserauth.htm
=>
=> --unixmap-domains unixDomainMap
=> [...]
=> win: Specifies the system to read the primary group set as Windows
=> primary group of a user on the Active Directory.
=> unix: Specifies the system to read the primary group as set in "UNIX
=> attributes" of a user on the Active Directory.
=> For example,
=> --unixmap-domains "MYDOMAIN1(20000-50000:unix);MYDOMAIN2(100000-200000:win)"
I see this is referring to UNIX attributes within AD, but I'm curious about mapping to attributes in LDAP.
=> This gets mapped to 'idmap config ... : unix_primary_group' in the
=> internal config.
Does that correspond to setting the smb.conf parameter
unix_primary_group = yes
Specifically, under Spectrum Scale 5.0.2, if I run:
mmuserauth service create --data-access-method file --ldapmap-domains "DOMAIN(type=stand-alone:ldap_srv=ldapserver:range=1001-65535:usr_dn=ou=People,dc=DC,dc=TLD:grp_dn=ou=Group,dc=DC,dc=TLD)" --type ad
(some args removed in this example), will that map the user's primary group to
the primaryGroupID supplied by AD
or
the primaryGroupID LDAP field
or
the gidNumber LDAP field
or something else?
Thanks,
Mark
=>
=> Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
=> christof.schmitt at us.ibm.com || +1-520-799-2469 (T/L: 321-2469)
=>