To enable read and write access to directories and files for the users on the IBM Spectrum Scale system, you must configure user authentication on the system. Only one user authentication method, and only one instance of that method, can be supported.

The following authentication services can be configured with the IBM Spectrum Scale system for file protocol access:

- Microsoft Active Directory (AD). For more information, see Table 2.
- Lightweight Directory Access Protocol (LDAP). For more information, see Table 1.
- Network Information Service (NIS) for NFS client access. For more information, see Table 3.

The following authentication services can be configured with the IBM Spectrum Scale system for object access:

- Microsoft Active Directory (AD). For more information, see Table 5.
- Lightweight Directory Access Protocol (LDAP). For more information, see Table 4.
- Local authentication. For more information, see Table 6.

The following matrix gives a quick overview of the supported authentication configurations for both file and object access.

- ✓: Supported
- X: Not supported
- NA: Not applicable

File Protocol Authentication and ID-mapping matrices

Table 1. Authentication support matrix when LDAP is the Authentication service that is being used

| Authentication method | ID-mapping method | SMB | SMB with Kerberos | NFSV3 | NFSV3 with Kerberos | NFSV4 | NFSV4 with Kerberos |
|---|---|---|---|---|---|---|---|
| LDAP with TLS | LDAP | ✓ | NA | ✓ | NA | ✓ | NA |
| LDAP with Kerberos | LDAP | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| LDAP with Kerberos and TLS | LDAP | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| LDAP without TLS and without Kerberos | LDAP | ✓ | NA | ✓ | NA | ✓ | NA |

Table 2. Authentication support matrix when AD is the Authentication service that is being used

| Authentication method | ID-mapping method | SMB | SMB with Kerberos | NFSV3 | NFSV3 with Kerberos | NFSV4 | NFSV4 with Kerberos |
|---|---|---|---|---|---|---|---|
| AD | Automatic | ✓ | ✓ | X | X | X | X |
| AD | RFC2307 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| AD | LDAP | ✓ | ✓ | ✓ | X | X | X |

Table 3. Authentication support matrix when NIS is the Authentication service that is being used

| Authentication method | ID-mapping method | SMB | SMB with Kerberos | NFSV3 | NFSV3 with Kerberos | NFSV4 | NFSV4 with Kerberos |
|---|---|---|---|---|---|---|---|
| NIS | NIS | NA | NA | ✓ | NA | ✓ | NA |

Note: The local authentication mode is not supported for the file protocol.

Object Protocol Authentication Matrices

Table 4. Authentication support matrix when LDAP is the Authentication service that is being used

| Authentication method | Object |
|---|---|
| LDAP with TLS | ✓ |
| LDAP with Kerberos | NA |
| LDAP with Kerberos and TLS | NA |
| LDAP with SSL | ✓ |
| LDAP without TLS and without Kerberos | ✓ |

Table 5. Authentication support matrix when AD is the Authentication service that is being used

| Authentication method | Object |
|---|---|
| AD | ✓ |
| AD with SSL | ✓ |
| AD with TLS | ✓ |

Table 6. Authentication support matrix when "local" is the Authentication service that is being used

| Authentication method | Object |
|---|---|
| Local | ✓ |
| Local (OpenStack Keystone) | ✓ |
| Local (OpenStack Keystone) with SSL | ✓ |

Table 7. Authentication support matrix when "user defined" is the Authentication service that is being used

| Authentication method | Object |
|---|---|
| User defined | ✓ |

Note:

- NIS is not supported for Object protocol.
- When you use unified file and object access (serving the same data as both files and objects), select the appropriate authentication service. For more information, see Administering unified file and object access.

For a complete list of supported authentication configurations for both file and Object protocols, see General authentication support matrix.

Unified Identity between Object & File: In this case, you need to ensure that users get the same UID and GID across POSIX, NFS, SMB, and Object. Therefore, only the following authentication mechanisms are supported:

- Object is configured with AD, and file is configured with the same AD, where the user or group ID is available on AD + RFC 2307.
- Object is configured with LDAP, and file is configured with the same LDAP, where the user or group ID is available on LDAP.

The following diagram shows the high-level overview of the authentication configuration.

The authentication requests that are received from the client systems are handled by the corresponding services in the IBM Spectrum Scale system. For example, if a user needs to access NFS data, the NFS service resolves the access request by interacting with the corresponding authentication and ID-mapping servers.