Using active directory with ldap id mapping – HP StoreAll Storage User Manual

6 Configuring authentication for CIFS, FTP, and HTTP

X9000 software supports several services for authenticating users accessing shares on X9000 file
systems:

Active Directory (supported for CIFS, FTP, and HTTP)

Active Directory with LDAP ID mapping as a secondary lookup source (supported for CIFS)

LDAP (supported for CIFS)

Local Users and Groups (supported for CIFS, FTP, and HTTP)

Local Users and Groups can be used with Active Directory or LDAP.

NOTE: Active Directory and LDAP cannot be used together.

You can configure authentication from the GUI or CLI. When you configure authentication with
the GUI, the selected authentication services are configured on all servers. The CLI commands
allow you to configure authentication differently on different servers.

Using Active Directory with LDAP ID mapping

When LDAP ID mapping is configured as the secondary lookup method, the system reads CIFS client
UIDs and GIDs from LDAP only when it cannot find the needed ID in the AD entry. The name in LDAP
must match the name in AD, ignoring case and any prepended domain prefix.

If the user configuration differs in LDAP and Windows AD, the LDAP ID mapping feature uses the
AD configuration. For example, the following AD configuration specifies that the primary group
for user1 is Domain Users, but in LDAP, the primary group is group1.

LDAP Configuration                 AD configuration
uid: user1                         user: user1
uidNumber: 1010                    primary group: Domain Users
gidNumber: 1001 (group1)           UNIX uid: not specified
cn: Domain Users                   UNIX gid: not specified
gidNumber: 1111

The Linux id command returns the primary group specified in LDAP:

user: user1
primary group: group1 (1001)

LDAP ID mapping uses AD as the primary source for identifying the primary group and all
supplemental groups. If AD does not specify a UNIX GID for a user, LDAP ID mapping looks up
the GID for the primary group assigned in AD. In the example, the primary group assigned in AD
is Domain Users, and LDAP ID mapping looks up the GID of that group in LDAP. The lookup
operation returns:

user: user1
primary group: Domain Users (1111)

AD does not force the supplied primary group to match the supplied UNIX GID.

The supplemental groups assigned in AD do not need to match the members assigned in LDAP.
LDAP ID mapping uses the members list assigned in AD and ignores the members list configured
in LDAP.
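The precedence rules above, as an added Python model that is not part of the HP manual or the X9000 software: it resolves a CIFS user against constructed AD and LDAP records, treating AD as authoritative and falling back to LDAP only for the IDs AD does not supply, so user1 ends up with GID 1111 (Domain Users) rather than 1001 (group1). Resolving supplemental-group GIDs by the same LDAP name lookup is an assumption; the page only states that the member list comes from AD.

```python
# Constructed sample directory data (not real AD or LDAP output).
AD = {
    # user1 matches the page's example: no UNIX uid/gid set in AD.
    "user1": {"primary_group": "Domain Users", "unix_uid": None, "unix_gid": None,
              "groups": ["Domain Users", "Engineering"]},
    # user2 shows that an explicit AD UNIX gid wins over anything in LDAP.
    "user2": {"primary_group": "group1", "unix_uid": 2000, "unix_gid": 2000,
              "groups": ["group1"]},
}
LDAP_USERS = {"user1": {"uidNumber": 1010, "gidNumber": 1001},
              "user2": {"uidNumber": 1020, "gidNumber": 1001}}
LDAP_GROUPS = {"group1": 1001, "domain users": 1111, "engineering": 2001}


def normalize(name):
    """Match names regardless of case or a prepended DOMAIN\\ or DOMAIN/ prefix."""
    for sep in ("\\", "/"):
        if sep in name:
            name = name.rsplit(sep, 1)[1]
    return name.lower()


def ldap_gid_for_group(group_name):
    """Secondary lookup: GID of a group by name in LDAP, None if absent."""
    return LDAP_GROUPS.get(normalize(group_name))


def resolve(user_name):
    """Return the mapped identity for a CIFS user, or None if AD has no such user."""
    key = normalize(user_name)
    ad = next((v for k, v in AD.items() if normalize(k) == key), None)
    if ad is None:
        return None  # AD is the primary source; an unknown AD user is not mapped
    ldap = next((v for k, v in LDAP_USERS.items() if normalize(k) == key), {})
    # UID: AD's UNIX uid wins; fall back to the LDAP uidNumber.
    uid = ad["unix_uid"] if ad["unix_uid"] is not None else ldap.get("uidNumber")
    # GID: AD's UNIX gid wins; otherwise resolve AD's primary group NAME in LDAP,
    # not the user's own LDAP gidNumber (which is why user1 gets 1111, not 1001).
    gid = ad["unix_gid"] if ad["unix_gid"] is not None \
        else ldap_gid_for_group(ad["primary_group"])
    # Supplemental groups come from AD's member list; LDAP membership is ignored.
    # Resolving their GIDs through LDAP by name is an assumption of this model.
    supplemental = [(g, ldap_gid_for_group(g))
                    for g in ad["groups"] if g != ad["primary_group"]]
    return {"uid": uid, "gid": gid, "primary_group": ad["primary_group"],
            "supplemental": supplemental}
```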
