Configuring authentication for object access
You can use the following authentication methods for object access:
- Active Directory (AD)
- LDAP
- Local authentication
The AD-based and LDAP-based authentication methods use an external AD and LDAP server respectively to manage the authentication. Local authentication is handled by a Keystone server that resides within the IBM Spectrum Scale™ system.
The IBM Spectrum Scale system installation process configures Keystone server that is required for object access. If you are not using an external Keystone server, the IBM Spectrum Scale installation process by default configures the object authentication with local authentication as the authentication method.
Before you configure object authentication method, ensure that the Keystone Identity service is properly configured.
Before you start manually configuring authentication method for object access, ensure that the openldap-clients RPM is installed.
The mapping between user, role, and tenant is stored in a database. This mapping is not deleted until you run the mmuserauth service remove command with the --idmapdelete option for data-access-method object. While switching from one authentication type to another, it is mandatory to remove the mapping after removing the authentication.
mmuserauth service check --data-access-method object -N cesNodes
If the
mmuserauth service check command reports that any certificate file is missing on
any of the nodes, then run the following
command:mmuserauth service check --data-access-method object -N cesNodes --rectify
For more
information about mmuserauth service check, see the topic mmuserauth
command in the IBM
Spectrum Scale: Administration
and Programming Reference.