[gpfsug-discuss] AD-based authentication with LDAP ID mapping

Jonathan Buzzard jonathan.buzzard at strath.ac.uk
Mon Mar 16 13:44:34 GMT 2026


I have some questions on this because the documentation referenced below 
is as clear as mud.

https://www.ibm.com/docs/en/storage-scale/5.2.3?topic=access-configuring-ad-based-authentication-ldap-id-mapping

Firstly, what permissions does the LDAP account need? Is it sufficient 
for the account to have read permissions only? Specifically, for security 
purposes we have a special read-only account on the LDAP server for SSSD 
and would prefer to reuse that. Or is it pulling SIDs from the AD and 
storing them in LDAP, so needs write permission?

Secondly, I have a question about the ID mapping range. It is entirely 
unclear what the ID mapping range should be. Reading around and looking 
at the examples, it would appear that it should be the range of UIDs/GIDs 
for which the LDAP server is authoritative?

Thirdly, is it possible to specify more than one AD and/or LDAP server? 
So, for example, for the AD server specify say ad.mycorp.com, which will 
return a bunch of IP addresses for all the AD servers we have. Similarly, 
can I use ldap.mycorp.com, which will return a couple of IP addresses for 
the 389-ds cluster we have? Clearly specifying just one creates a single 
point of failure, which is far from ideal.

My random thought for the day would be to offer AD for authentication, 
leave it up to the user to provide a UID/GID service of their choice on 
the protocol servers, whether it be LDAP, NIS, Hesiod etc., and then use 
idmap_nss to provide the mapping to SIDs.


JAB.

-- 
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
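
[Added example, not part of Jonathan's post or of the IBM Storage Scale 
documentation he links. It sketches the "AD for authentication, NSS for 
UIDs/GIDs, idmap_nss for the SID mapping" arrangement from his last 
paragraph as a plain Samba smb.conf fragment, and pairs it with a check 
that bears on his second question: in smb.conf the per-domain "range" is 
the UID/GID span for which that idmap backend is authoritative, so any 
UID that NSS hands back from outside that span is one winbind will not 
map. The domain names, ranges and passwd lines below are constructed for 
illustration; idmap_nss itself only reads from NSS, it writes nothing 
back to LDAP.]

```shell
#!/bin/sh
# Added example (not from the post or the Storage Scale docs): Samba idmap_nss
# layout for "AD authenticates, NSS (LDAP via SSSD) supplies UIDs/GIDs", plus a
# check that every UID NSS serves lies inside the range winbind is told about.
# Domain names, ranges and the passwd sample are constructed for illustration.

# Constructed smb.conf fragment. idmap_nss resolves MYCORP\user via getpwnam(3),
# so the LDAP bind used by SSSD can stay read-only.
SMB_CONF_FRAGMENT='
[global]
    security = ADS
    realm = MYCORP.COM
    workgroup = MYCORP
    # default domain (BUILTIN and other well-known SIDs): local tdb allocation
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # the AD domain: MYCORP\user -> uid through NSS, no IDs stored anywhere
    idmap config MYCORP : backend = nss
    idmap config MYCORP : range = 10000-999999
'

# Print "low high" for one idmap domain taken from the fragment above.
idmap_range() {
    # escape regex metacharacters so the "*" default domain can be looked up too
    dom=$(printf '%s' "$1" | sed 's/[][\*.^$]/\\&/g')
    printf '%s\n' "$SMB_CONF_FRAGMENT" |
        sed -n "s/^[[:space:]]*idmap config $dom : range = \([0-9]*\)-\([0-9]*\).*/\1 \2/p"
}

# Read passwd(5)-style lines on stdin; print the names whose UID falls outside
# [low, high]. Exit 0 if every UID is in range, 1 otherwise. Such users would
# not be mapped, because the backend is only authoritative inside its range.
check_uids_in_range() {
    low=$1
    high=$2
    awk -F: -v low="$low" -v high="$high" '
        $3 !~ /^[0-9]+$/ { next }                # skip malformed lines
        $3 < low || $3 > high { print $1; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed stand-in for "getent passwd" output on a protocol node.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:10001:10001:Alice:/home/alice:/bin/bash
bob:x:20500:10001:Bob:/home/bob:/bin/bash
svc-backup:x:5000:5000:Backup service:/var/lib/backup:/sbin/nologin
carol:x:1000000:10001:Carol:/home/carol:/bin/bash'

# Accounts in the sample whose UID is outside the MYCORP idmap range.
offending_users() {
    set -- $(idmap_range MYCORP)
    printf '%s\n' "$SAMPLE_PASSWD" | check_uids_in_range "$1" "$2" || true
}
```

On a real node you would replace SAMPLE_PASSWD with the output of 
"getent passwd" on the protocol server and pick the range so that it 
covers exactly the UIDs/GIDs your LDAP server issues, without overlapping 
the default-domain range or local system accounts.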