Configuring LDAP-based authentication for object access

You can configure the Keystone server to use an external LDAP server as its authentication back end, so that users defined in LDAP can access the object store with their LDAP credentials. This configuration is useful when user credentials are already stored in LDAP and you want those users to authenticate against it for object access. It is also useful when you have already configured file authentication with LDAP and want to use the same directory for object access. You can enable TLS between Keystone and the LDAP server so that bind credentials and user lookups are protected in transit.

Prerequisites

Ensure that you have the following details before you configure LDAP-based authentication:
  • LDAP server details: the IP address or host name, the bind user name (bind DN) and its password, the base DN, and the user DN.
  • If you want TLS between Keystone and LDAP, the CA certificate that signed the LDAP server's TLS certificate. Place it, in PEM format, at the following path on the node on which you run the mmuserauth service create command:
    • /var/mmfs/tmp/ldap_cacert.pem
  • The secret key you provided for encrypting and decrypting passwords, unless you have disabled prompting for the key.

See Integrating with LDAP server for more information on the prerequisites for integrating LDAP server with the IBM Spectrum Scale™ system.

Issue the mmuserauth service create command with the following parameters to configure LDAP-based authentication for object access. All of them are mandatory except the TLS, SSL and CA-signing options, which you specify only when you want to enable those features:
  • --type ldap
  • --data-access-method object
  • --servers IP address or host name of the LDAP server. Keystone performs all user lookups against this server only; if you specify multiple servers, only the first one is used and the rest are ignored.
  • --base-dn ldapBase
  • { --enable-anonymous-bind | --user-name BindDN --password BindPwd } (specify either anonymous bind, or both --user-name and --password; the two forms are mutually exclusive).
  • --enable-server-tls, if TLS to the LDAP server needs to be enabled. The CA certificate must already be in place as described under Prerequisites.
  • --user-dn ldapUserSuffix (the LDAP container under which users are looked up)
  • --ks-dns-name keystoneDNSName
  • --ks-admin-user keystoneAdminUser (the Keystone administrator user, from LDAP)
  • --enable-ks-ssl, if SSL needs to be enabled for Keystone. This requires a separate set of certificates placed in the standard directory.
  • --enable-ks-casigning, if you want to use an external CA-signed certificate for token signing.
  • --ks-swift-user swiftServiceUser (the Swift service user, from LDAP)
  • --ks-swift-pwd swiftServiceUserPassword (the password of the Swift service user in LDAP)

For more information on each parameter, see the mmuserauth service create command.
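The procedure above assembled into a small shell wrapper, as an added example that is not part of the IBM documentation or of the mmuserauth command itself: it enforces the mutually exclusive bind options, verifies the CA certificate prerequisite before --enable-server-tls is added, and then prints the resulting command line. The option names are the ones listed above; the function names, the environment variables (ANON_BIND, BIND_DN, BIND_PWD, LDAP_TLS, KS_SSL, KS_CASIGN, LDAP_CACERT) and the example.com values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): builds and sanity-checks the
# "mmuserauth service create" command line for LDAP-backed object
# authentication. Option names are the ones documented on this page;
# the wrapper functions, environment variables and sample values are
# assumptions made for illustration.

# Path the page requires for the LDAP CA certificate when
# --enable-server-tls is used (overridable for testing).
: "${LDAP_CACERT:=/var/mmfs/tmp/ldap_cacert.pem}"

# Wrap a value in single quotes for the shell, escaping embedded quotes,
# so bind passwords with special characters survive intact.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Return 0 if the CA certificate exists, is readable and is PEM-encoded.
check_ldap_cacert() {
    cert=${1:-$LDAP_CACERT}
    if [ ! -r "$cert" ]; then
        echo "CA certificate not readable: $cert" >&2; return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "Not a PEM certificate: $cert" >&2; return 1
    fi
    return 0
}

# Print the command line for the given settings, or print nothing and
# return 1 when the options are inconsistent.
#   Arguments: server base_dn user_dn ks_dns_name ks_admin swift_user swift_pwd
#   Environment (assumed names):
#     ANON_BIND=1        use --enable-anonymous-bind
#     BIND_DN, BIND_PWD  bind DN and password for --user-name/--password
#     LDAP_TLS=1         add --enable-server-tls (CA file must be in place)
#     KS_SSL=1           add --enable-ks-ssl
#     KS_CASIGN=1        add --enable-ks-casigning
build_mmuserauth_cmd() {
    server=$1; base_dn=$2; user_dn=$3; ks_dns=$4
    ks_admin=$5; swift_user=$6; swift_pwd=$7

    # Exactly one bind method: anonymous, or a bind DN together with its password.
    if [ "${ANON_BIND:-0}" = 1 ]; then
        if [ -n "$BIND_DN" ] || [ -n "$BIND_PWD" ]; then
            echo "--enable-anonymous-bind excludes --user-name/--password" >&2; return 1
        fi
        bind_opts="--enable-anonymous-bind"
    else
        if [ -z "$BIND_DN" ] || [ -z "$BIND_PWD" ]; then
            echo "--user-name and --password are both required without anonymous bind" >&2; return 1
        fi
        bind_opts="--user-name $(sq "$BIND_DN") --password $(sq "$BIND_PWD")"
    fi

    # TLS to the LDAP server is only valid once the CA certificate is in place.
    tls_opts=""
    if [ "${LDAP_TLS:-0}" = 1 ]; then
        check_ldap_cacert "$LDAP_CACERT" || return 1
        tls_opts="--enable-server-tls"
    fi
    if [ "${KS_SSL:-0}" = 1 ]; then tls_opts="$tls_opts --enable-ks-ssl"; fi
    if [ "${KS_CASIGN:-0}" = 1 ]; then tls_opts="$tls_opts --enable-ks-casigning"; fi

    cmd="mmuserauth service create --type ldap --data-access-method object"
    cmd="$cmd --servers $(sq "$server") --base-dn $(sq "$base_dn") $bind_opts"
    cmd="$cmd --user-dn $(sq "$user_dn")${tls_opts:+ $tls_opts}"
    cmd="$cmd --ks-dns-name $(sq "$ks_dns") --ks-admin-user $(sq "$ks_admin")"
    cmd="$cmd --ks-swift-user $(sq "$swift_user") --ks-swift-pwd $(sq "$swift_pwd")"
    printf '%s\n' "$cmd"
}

# Usage: "sh thisscript.sh demo" prints the command for constructed values.
if [ "${1:-}" = demo ]; then
    BIND_DN='cn=keystone-bind,dc=example,dc=com' BIND_PWD='Bind-Pa55!'
    build_mmuserauth_cmd ldap.example.com 'dc=example,dc=com' \
        'ou=People,dc=example,dc=com' keystone.example.com admin swift 'Sw1ft-Pa55!'
fi
```

The printed line contains the bind password and the Swift service password in clear, so pass it to the shell directly rather than saving it in a script or a log, and remember that it will also land in the shell history of the node where it is run. The wrapper deliberately refuses to emit --enable-server-tls until the CA file is readable and PEM-encoded, because that is the point at which a missing or wrongly formatted certificate is cheapest to catch.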

To change an authentication method that is already configured for object access, you must first remove the existing authentication method and its ID mappings. For more information, see Deleting the authentication and the ID mapping configuration.