Configuring authentication and setting identity management modes for unified file and object access

You can configure authentication and set the identity management modes for unified file and object access using the following steps.

The identity management modes for unified file and object access are set in the object-server-sof.conf file. The default mode is local_mode.
Note: Understand the identity management modes for unified file and object access before you choose one, and set the mode accordingly. Although it is possible to move from one mode to another, some considerations apply in that scenario.

The unified_mode identity management mode for unified file and object access is supported only with Active Directory (AD) with UNIX-mapped domains and LDAP authentication configurations. This mode must not be configured with local or user-defined authentication configurations.

Important: If you are using unified_mode, authentication for both file and object access must be configured, the authentication schemes must be the same, and both must be configured against the same server. Otherwise, requests to create objects might fail with a 'user not found' error.

Use the following steps on a protocol node to configure authentication and enable unified_mode.

  1. Determine which authentication scheme best suits your requirements. You can use either LDAP or AD with UNIX-mapped domains.
    Note: Because object access can be configured with only one AD domain, if trusted domains exist you must plan which of the UNIX-mapped AD domains is configured for object access.
  2. Configure file access using the mmuserauth command as follows.
    mmuserauth service create --data-access-method file \
    --type ad --servers myADserver --idmap-role master \
    --netbios-name scale --unixmap-domains 'DOMAIN(5000-20000)'
  3. Configure object access using the mmuserauth command as follows.
    mmuserauth service create --data-access-method object --type ad \
    --user-name "cn=Administrator,cn=Users,dc=IBM,dc=local" --password "just4YOU" \
    --base-dn "dc=IBM,DC=local" --ks-dns-name c40bbc2xn3 --ks-admin-user admin \
    --servers myADserver --user-id-attrib cn --user-name-attrib sAMAccountName \
    --user-objectclass organizationalPerson --user-dn "cn=Users,dc=IBM,dc=local" \
    --ks-swift-user swift --ks-swift-pwd Passw0rd
  4. Change id_mgmt in the object-server-sof.conf file using the mmobj config change command as follows.
    mmobj config change --ccrfile object-server-sof.conf --section DEFAULT \
    --property id_mgmt --value unified_mode
  5. If object authentication is configured with AD, set ad_domain in the object-server-sof.conf file.
    mmobj config change --ccrfile object-server-sof.conf --section DEFAULT \
    --property ad_domain --value POLLUX
    Note: Do not specify ad_domain with LDAP configurations.

    To find the correct ad_domain name, use the following command:

    /usr/lpp/mmfs/bin/net ads lookup -S {AD_SERVER_NAME | AD_SERVER_IP} -d0

    For example, in the output of the following command, the value of the Pre-Win2k Domain field (POLLUX) is the ad_domain value.

    /usr/lpp/mmfs/bin/net ads lookup -S 192.196.79.34 -d0
    
    ...
    Forest:			pollux.com
    Domain:			pollux.com
    Domain Controller:	win2k8.pollux.com
    Pre-Win2k Domain:	POLLUX
    Pre-Win2k Hostname:	WIN2K8
    Server Site Name :		Default-First-Site-Name
    Client Site Name :		Default-First-Site-Name
    ...

Your unified file and object access enabled fileset is now configured with unified_mode.

To verify, list the currently configured id_mgmt mode using the mmobj config list command as follows.
    mmobj config list --ccrfile object-server-sof.conf --section DEFAULT --property id_mgmt

Important:

  1. If PUT requests fail in unified_mode, check whether the user name is resolvable on the protocol nodes using the following command:
    id '<user_name>'

    If the AD user name is in the domain\user_name format, use the following command:

    id '<domain>\<user_name>'
  2. Ensure that the ad_domain parameter is not present in the object-server-sof.conf file when LDAP is configured.
    • To list the object-server-sof.conf file contents, use the following command:
      mmobj config list --ccrfile object-server-sof.conf
    • If ad_domain is present, remove it as follows:
      1. Copy /etc/swift/object-server-sof.conf to a temporary location, say /tmp.
      2. Modify the temporary file by prefixing the ad_domain parameter with a '-'. This marks the parameter for deletion.
      3. Upload the modified file using the following command:
        mmobj config change --ccrfile object-server-sof.conf --merge-file /tmp/object-server-sof.conf
      4. [Optional]: Validate that ad_domain is removed from the object-server-sof.conf file by listing the file contents.
  3. Configuring file authentication with the same scheme as object authentication is a mandatory prerequisite for enabling the unified_mode identity management mode. If you configure file authentication afterwards, you must restart Swift on the file server for the change to take effect. You can do this by changing id_mgmt to local_mode and then back to unified_mode using the following commands.
    mmobj config change --ccrfile object-server-sof.conf --section DEFAULT \
    --property id_mgmt --value local_mode
    mmobj config change --ccrfile object-server-sof.conf --section DEFAULT \
    --property id_mgmt --value unified_mode
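The checks that the procedure and the Important notes above describe in words, as an added shell example that is not IBM's code and not part of the original page: it extracts the Pre-Win2k Domain value from saved net ads lookup output, verifies that the [DEFAULT] section of an object-server-sof.conf copy is consistent with the authentication scheme in use (id_mgmt equal to unified_mode, ad_domain present for AD and absent for LDAP), and builds the merge file that marks ad_domain for deletion. The function names, the sample lookup output and the sample conf contents are constructed for this example; mmobj and mmuserauth are never invoked, so it runs on any host with sh, awk and sed. Point check_unified_conf at the output of mmobj config list --ccrfile object-server-sof.conf saved to a file to use it against a real cluster.

```sh
#!/bin/sh
# Added example, not IBM's code: offline consistency checks for the unified_mode
# settings described on this page. Function names and all sample data are
# constructed; mmobj and mmuserauth are never called.

# Print the Pre-Win2k Domain value (the ad_domain setting) from saved
# 'net ads lookup' output read on stdin.
ad_domain_from_lookup() {
    awk -F':' '/^[ \t]*Pre-Win2k Domain[ \t]*:/ {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# Print one property from the [DEFAULT] section of an INI-style conf file,
# or nothing if it is absent.  Usage: conf_property <file> <name>
conf_property() {
    awk -v key="$2" '
        BEGIN { pat = "^[ \t]*" key "[ \t]*=" }
        /^[ \t]*\[/ { in_default = ($0 ~ /^[ \t]*\[DEFAULT\]/); next }
        in_default && $0 ~ pat {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# Verify that [DEFAULT] matches the authentication scheme in use:
# id_mgmt must be unified_mode, ad_domain must be set for AD and absent for
# LDAP (Important notes 1 and 2 on this page).  Returns 0 when consistent.
# Usage: check_unified_conf <file> <ad|ldap>
check_unified_conf() {
    conf=$1; scheme=$2
    mode=$(conf_property "$conf" id_mgmt)
    domain=$(conf_property "$conf" ad_domain)
    if [ "$mode" != "unified_mode" ]; then
        echo "id_mgmt is '${mode:-unset}', not unified_mode"; return 1
    fi
    case $scheme in
        ad)   if [ -z "$domain" ]; then
                  echo "AD is configured but ad_domain is unset"; return 1
              fi ;;
        ldap) if [ -n "$domain" ]; then
                  echo "LDAP is configured but ad_domain=$domain is present"; return 1
              fi ;;
        *)    echo "unknown scheme '$scheme'"; return 1 ;;
    esac
    echo "id_mgmt=unified_mode is consistent with $scheme authentication"
}

# Build the merge file from the removal procedure above: a copy of the conf
# with '-' prefixed to the ad_domain line, which mmobj config change
# --merge-file treats as a deletion.  Usage: make_ad_domain_removal_merge <src> <dst>
make_ad_domain_removal_merge() {
    sed 's/^\(ad_domain *=\)/-\1/' "$1" > "$2"
}

# ---- constructed sample data (not captured from a real cluster) ----
SAMPLE_LOOKUP='Forest:                 pollux.com
Domain:                 pollux.com
Domain Controller:      win2k8.pollux.com
Pre-Win2k Domain:       POLLUX
Pre-Win2k Hostname:     WIN2K8'

# Write a minimal object-server-sof.conf.  Usage: write_sample_conf <file> [ad_domain]
# A second section carries an ad_domain line that must NOT be picked up.
write_sample_conf() {
    {
        printf '[DEFAULT]\nid_mgmt = unified_mode\n'
        if [ -n "$2" ]; then printf 'ad_domain = %s\n' "$2"; fi
        printf '\n[filter:other]\nad_domain = NOT_IN_DEFAULT\n'
    } > "$1"
}

demo() {
    tmp=$(mktemp -d)
    domain=$(printf '%s\n' "$SAMPLE_LOOKUP" | ad_domain_from_lookup)
    echo "ad_domain from lookup output: $domain"

    write_sample_conf "$tmp/object-server-sof.conf" "$domain"
    check_unified_conf "$tmp/object-server-sof.conf" ad

    # The same file is wrong for an LDAP cluster; show the fix as a merge file.
    check_unified_conf "$tmp/object-server-sof.conf" ldap || true
    make_ad_domain_removal_merge "$tmp/object-server-sof.conf" "$tmp/merge.conf"
    echo "merge file marks the property for deletion:"
    grep -n '^-ad_domain' "$tmp/merge.conf"
    rm -rf "$tmp"
}

demo
```

conf_property deliberately tracks section headers so that an ad_domain line in another section is not mistaken for the [DEFAULT] setting, and the merge file keeps every other line unchanged, which is what --merge-file expects.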