Apply OpenLDAP Authentication to NAS
You can apply your environment's existing OpenLDAP authentication services to StorNext NAS. Through this authentication configuration, clients can access NAS shares only if they are authenticated by the OpenLDAP service.
In addition, you can enable Access Control Lists (ACLs) when the NAS server is bound to an OpenLDAP server. However, you must take additional steps to enable SID mapping for full ACL support. See (Optional) Step 4: Enable SID Mapping for Full ACL Support.
Important
If you configure AD or OpenLDAP to authenticate users accessing your NAS cluster, you must add your cluster host name to the same DNS as your AD or OpenLDAP server. Otherwise, users authenticated through AD or OpenLDAP cannot access the NAS shares through the NAS cluster.
Note: For a list of all the Appliance Controller commands, see the Command Index.
StorNext NAS supports the following OpenLDAP directory services:
If your remote OpenLDAP server supports Samba Version 3 LDAP schema extensions, then you can use ldapsam to configure authentication.
With ldapsam, StorNext NAS uses Samba to manage attributes in the OpenLDAP remote server. Samba manages user-account passwords, and you can enable the mapping of user IDs to SIDs for file ACLs. See (Optional) Step 4: Enable SID Mapping for Full ACL Support.
If you are using ldapsam authentication services, make sure to configure the OpenLDAP server to accommodate Samba extensions. After you complete this configuration, you can perform the steps in Step 1: Apply ldapsam authentication.
You can also use OpenLDAP with a Kerberos server. In this configuration, the Kerberos server manages user-account passwords, and Samba relies on the Kerberos server to authenticate user accounts as follows:
- The Kerberos service principal — contained within the generated Kerberos keytab file — is set up as the authenticated user.
- The Kerberos keytab file enables LDAP authentication without needing to specify an administrator user and password.
After configuring your OpenLDAP services, you will need to perform one of the following procedures to apply LDAP authentication services to your Appliance Controller system:
- Log in to the Appliance Controller CLI.
- At the prompt, enter the following:
auth config ldapsam <admin_username> <ip_addr|host> <ldaps_domain>
The parameters are:
<admin_username>: Administrator user or user with admin privileges.
<ip_addr|host>: IP address or hostname for the OpenLDAP server. The port is not required and will be set to 636 to ensure encryption. If Appliance Controller cannot access port 636, it will redirect to port 389.
<ldaps_domain>: The ldapsam domain.
- At the prompt, enter the sysadmin user’s password.
Example:
> auth config ldapsam Manager sam.example.com MYDOMAIN.COM
Please enter the password for user cn=Manager:
Configured ldapsam directory services authentication
With this option, an outside service — such as your IT department — will generate and supply the Kerberos keytab file for user authentication. Perform the following two tasks to configure LDAP authentication services.
- Copy the Kerberos keytab file to the /var/upgrade directory on the Appliance Controller.
- Log in to the Appliance Controller CLI.
- At the prompt, enter the following command to import the keytab file into the Appliance Controller:
auth import keytab
Example:
> auth import keytab
Imported keytab /var/upgrade/krb5.keytab
- After the keytab has been imported, log in to the Appliance Controller CLI.
- At the prompt, enter the following command to configure NAS to use the keytab file:
auth config ldap keytab <ip_addr|host> <ldap_domain> [<kerberos_realm>]
The parameters are:
<ip_addr|host>: IP address or hostname for the OpenLDAP server. The port is not required and will be set to 636 to ensure encryption. If the Appliance Controller cannot access port 636, it will redirect to port 389.
<ldap_domain>: The LDAP domain.
<kerberos_realm>: (Optional) Your Kerberos realm. If you do not provide a realm name, the LDAP domain value will be used for the Kerberos realm.
Example:
> auth config ldap keytab nod.example.com EXAMPLE.COM OD.EXAMPLE.COM
Configured ldap directory services authentication
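Before running auth import keytab, it is worth confirming that the keytab handed over by the outside service holds only the expected LDAP service principal for your realm and no deprecated encryption types. The Python script below is an added example, not part of the StorNext documentation or Quantum's tooling: it parses the version-2 keytab format and runs those two checks. The sample keytab at the bottom is constructed with dummy zero keys; the principal and realm names are taken from the page's examples.

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962) that RFC 6649/8429 deprecate; anything here is a finding.
DEPRECATED_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

def _counted(buf, p):
    """Read a 16-bit-length-prefixed octet string at offset p; return (text, next offset)."""
    n = struct.unpack_from(">H", buf, p)[0]
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Parse a version-2 (0x0502) MIT/Heimdal keytab into dicts of principal, enctype and kvno."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                     # negative size marks a deleted slot: skip the hole
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        ncomp = struct.unpack_from(">H", body, 0)[0]
        realm, p = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(body, p)
            comps.append(c)
        _name_type, _stamp, vno8, enctype, keylen = struct.unpack_from(">IIBHH", body, p)
        p += 13 + keylen                  # step over the key material itself
        kvno = struct.unpack_from(">I", body, p)[0] if p + 4 <= size else vno8   # 32-bit kvno extension
        entries.append({"principal": "/".join(comps) + "@" + realm, "enctype": enctype, "kvno": kvno})
    return entries

def check_keytab(data, expected_realm):
    """Return (ok, findings): ok only if every entry is in expected_realm and uses a non-deprecated enctype."""
    findings = []
    for e in parse_keytab(data):
        if not e["principal"].endswith("@" + expected_realm):
            findings.append("%s: realm is not %s" % (e["principal"], expected_realm))
        if e["enctype"] in DEPRECATED_ENCTYPES:
            findings.append("%s: deprecated enctype %s" % (e["principal"], DEPRECATED_ENCTYPES[e["enctype"]]))
    return not findings, findings

def build_entry(realm, comps, enctype, key, kvno=2):   # encodes one entry; used only for constructed samples
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
# Constructed sample (dummy zero keys, not real key material): an IT-supplied keytab for the page's realm with one aes256 and one rc4 entry.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("OD.EXAMPLE.COM", ["ldap", "nod.example.com"], 18, b"\x00" * 32)
                 + build_entry("OD.EXAMPLE.COM", ["ldap", "nod.example.com"], 23, b"\x00" * 16))
```

Run check_keytab on the bytes of the real /var/upgrade/krb5.keytab with your Kerberos realm; a non-empty findings list means the file should go back to whoever generated it before it is imported.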
With this option, StorNext NAS works behind the scenes to generate and supply the Kerberos keytab file for user authentication.
- Log in to the Appliance Controller CLI.
- At the prompt, enter the following:
auth config ldap <admin_username> <ip_addr|host> <ldap_domain> [<kerberos_realm>]
The parameters are:
<admin_username>: One of the following:
- Administrator user.
- User with admin privileges.
- Kerberos service principal with administrator privileges.
<ip_addr|host>: IP address or hostname for the OpenLDAP server. The port is not required and will be set to 636 to ensure encryption. If StorNext NAS cannot access port 636, it will redirect to port 389.
<ldap_domain>: The LDAP domain.
[<kerberos_realm>]: (Optional) Your Kerberos realm. If you do not provide a realm name, the LDAP domain value will be used for the Kerberos realm.
- At the prompt, enter the sysadmin user’s password.
Example:
> auth config ldap kadmin nod.example.com EXAMPLE.COM OD.EXAMPLE.COM
kadmin = Administrator-principal in Kerberos
nod.example.com = LDAP/Kerberos-server
EXAMPLE.COM = LDAP domain
OD.EXAMPLE.COM = Kerberos realm
Please enter the password for user kadmin/admin@OD.EXAMPLE.COM:
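All three auth config variants above try port 636 first and redirect to 389 if it is unreachable, and the Important note at the top requires the cluster host name to resolve in the DNS the LDAP server uses. The Python preflight below is an added example, not Quantum's code: run from a host that uses the same resolver as the Appliance Controller, it reports whether both names resolve and whether the LDAP server completes a TLS handshake on 636, so you know before binding which port the controller will end up on. The host names are constructed placeholders; the resolver and probe are injectable so the decision logic can be exercised offline.

```python
import socket
import ssl

LDAPS_PORT, LDAP_PORT = 636, 389   # the controller tries 636 first and redirects to 389 (as the page states)

def resolves(name, resolver=socket.gethostbyname):
    """True if name resolves through this host's resolver, which must be the DNS the LDAP server also uses."""
    try:
        resolver(name)
        return True
    except OSError:
        return False

def ldaps_handshake(host, timeout=3.0):
    """(True, subject) if host:636 completes a TLS handshake against the system trust store, else (False, why)."""
    try:
        with socket.create_connection((host, LDAPS_PORT), timeout=timeout) as raw, \
                ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
            return True, dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    except (OSError, ssl.SSLError, KeyError) as exc:
        return False, str(exc)

def preflight(nas_host, ldap_host, resolver=socket.gethostbyname, probe=ldaps_handshake):
    """Report whether both names resolve and which port the controller will end up on for ldap_host."""
    report = {"nas_resolves": resolves(nas_host, resolver), "ldap_resolves": resolves(ldap_host, resolver)}
    ok, detail = probe(ldap_host) if report["ldap_resolves"] else (False, "LDAP host name does not resolve")
    report.update(port=LDAPS_PORT if ok else LDAP_PORT, detail=detail)
    report["ready"] = report["nas_resolves"] and ok      # ready only when no redirect to 389 would occur
    return report

if __name__ == "__main__":
    # Host names are constructed placeholders; substitute your cluster and OpenLDAP server names.
    for key, value in preflight("nas-cluster.example.com", "nod.example.com").items():
        print("%-13s %s" % (key, value))
```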