From jonathan.buzzard at strath.ac.uk Mon Mar 16 13:44:34 2026
From: jonathan.buzzard at strath.ac.uk (Jonathan Buzzard)
Date: Mon, 16 Mar 2026 13:44:34 +0000
Subject: [gpfsug-discuss] AD-based authentication with LDAP ID mapping
Message-ID:

I have some questions on this because the documentation referenced below is as clear as mud.

https://www.ibm.com/docs/en/storage-scale/5.2.3?topic=access-configuring-ad-based-authentication-ldap-id-mapping

Firstly, what permissions does the LDAP account need? Is it sufficient for the account to only have read permissions? Specifically, for security purposes we have a special read-only account on the LDAP server for SSSD and would prefer to reuse that. Or is it pulling SIDs from the AD and storing them in LDAP, so it needs write permission?

Secondly, I have a question about the ID mapping range. It is entirely unclear what the ID mapping range should be. Reading around and looking at the examples, it would appear that it should be the range of UIDs/GIDs for which the LDAP server is authoritative?

Thirdly, is it possible to specify more than one AD and/or LDAP server? So for example, for the AD server specify say ad.mycorp.com, which will return a bunch of IP addresses for all the AD servers we have. Similarly, can I use ldap.mycorp.com, which will return a couple of IP addresses for the 389-ds cluster we have? Clearly specifying just one creates a single point of failure, which is far from ideal.

My random thought for the day would be to offer AD for authentication, leave it up to the user to provide a UID/GID service of their choice on the protocol servers, whether it be LDAP, NIS, Hesiod etc., and then use idmap_nss to provide the mapping to SIDs.

JAB.

--
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG