Configuring authentication and setting identity management modes for unified file and object access
You can configure authentication and set the identity management modes for unified file and object access using the following steps.
The identity management modes for unified file and object access are set in the object-server-sof.conf file. The default mode is local_mode.
Note: It is important to understand the identity management modes for unified file and object access and set the mode you want accordingly. Although it is possible to move from one mode to another, some considerations apply in that scenario.
The unified_mode identity management mode for unified file and object access is supported only with Active Directory (AD) with UNIX-mapped domains and LDAP authentication configurations. This mode must not be configured with local or user-defined authentication configurations.
Important: If you are using unified_mode, authentication must be configured for both file and object access, and both must use the same authentication scheme and the same server. If not, the request to create an object might fail with a "user not found" error.
Use the following steps on a protocol node to configure authentication and enable unified_mode.
Your unified file and object access enabled fileset is now configured with unified_mode.
Important:
- If the PUT requests fail in unified_mode, check if the user name is resolvable on the protocol nodes using the following command:
  id '<user_name>'
  If the user name in AD is in the domain\user_name format, use the following command:
  id '<domain\><user_name>'
- Ensure that the ad_domain parameter is not present in the object-server-sof.conf file when LDAP is configured.
  - To list the object-server-sof.conf file contents, use the following command:
    mmobj config list --ccrfile object-server-sof.conf
  - If ad_domain is present, remove it as follows:
    - Copy /etc/swift/object-server-sof.conf to a temporary location, such as /tmp.
    - Modify the temporary file by adding a '-' before the ad_domain parameter. This marks that parameter for deletion.
    - Upload the modified file using the following command:
      mmobj config change --ccrfile object-server-sof.conf --merge-file /tmp/object-server-sof.conf
    - [Optional]: Validate that ad_domain is removed from the object-server-sof.conf file by listing the file contents again with the mmobj config list command shown above.
- Configuring file authentication with the same scheme as that of object authentication is a mandatory prerequisite before you enable the unified_mode identity management mode. If you configure file authentication later, you must restart swift on the file server for the changes to take effect. You can do this by changing id_mgmt to local_mode and then changing it back to unified_mode using the following commands:
  mmobj config change --ccrfile object-server-sof.conf --section DEFAULT --property id_mgmt --value local_mode
  mmobj config change --ccrfile object-server-sof.conf --section DEFAULT --property id_mgmt --value unified_mode
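
The ad_domain removal steps listed above can be scripted. The following shell helpers are an added example, not IBM-provided code; the function names, the INI-style "key = value" layout of the file, the format of the mmobj config list output, and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example. Assumes INI-style "key = value" lines in the conf file.
CONF_NAME=object-server-sof.conf

# Constructed sample contents for trying the helpers offline.
sample_conf() {
    printf '%s\n' '[DEFAULT]' 'id_mgmt = unified_mode' 'ad_domain = EXAMPLE'
}

# Succeed if file $1 has an active (uncommented) ad_domain property.
has_ad_domain() {
    grep -Eq '^[[:space:]]*ad_domain[[:space:]]*=' "$1"
}

# Copy $1 to $2 with '-' placed before ad_domain, marking it for deletion.
mark_ad_domain_for_deletion() {
    sed -E 's/^[[:space:]]*(ad_domain[[:space:]]*=)/-\1/' "$1" > "$2"
}

# Whole procedure, for a protocol node where mmobj is installed.
remove_ad_domain() {
    src=/etc/swift/$CONF_NAME
    has_ad_domain "$src" || { echo "ad_domain not present"; return 0; }
    # A private mktemp directory keeps the file name but avoids a
    # predictable path in the shared /tmp directory.
    dir=$(mktemp -d) || return 1
    mark_ad_domain_for_deletion "$src" "$dir/$CONF_NAME" &&
        mmobj config change --ccrfile "$CONF_NAME" --merge-file "$dir/$CONF_NAME"
    rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 0 ] || return "$rc"
    # Optional validation. Assumes the list output shows the file's lines.
    if mmobj config list --ccrfile "$CONF_NAME" |
        grep -Eq '^[[:space:]]*ad_domain[[:space:]]*='; then
        echo "ad_domain is still present" >&2
        return 1
    fi
}
```

Source the file on a protocol node and call remove_ad_domain; the first two helpers can be tried anywhere against the output of sample_conf.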