Authentication considerations
To enable read and write access to directories and files for the users on the IBM Spectrum Scale™ system, you must configure user authentication on the system. Only one user authentication method, and only one instance of that method, can be supported.
The following authentication services can be configured with the IBM
Spectrum Scale system for
file protocol access:
- Microsoft Active Directory (AD)
- Lightweight Directory Access Protocol (LDAP)
- Network Information Service (NIS) for NFS client access
- User defined
The following authentication services can be configured with the IBM
Spectrum Scale system for
object access:
- Microsoft Active Directory (AD)
- Lightweight Directory Access Protocol (LDAP)
- Local authentication
- User defined
The following matrix gives a quick overview of the supported authentication
configurations for both file and object access.
- ✓: Supported
- X: Not supported
- NA: Not applicable
| Authentication method | ID mapping method | SMB | SMB with Kerberos | NFSV3 | NFSV3 with Kerberos | NFSV4 | NFSV4 with Kerberos | Object |
|---|---|---|---|---|---|---|---|---|
| User-defined | User-defined | NA | NA | NA | NA | NA | NA | NA |
| LDAP with TLS | LDAP | ✓ | NA | ✓ | NA | ✓ | NA | ✓ |
| LDAP with Kerberos | LDAP | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | NA |
| LDAP with Kerberos and TLS | LDAP | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | NA |
| LDAP without TLS and without Kerberos | LDAP | ✓ | NA | ✓ | NA | ✓ | NA | ✓ |
| AD | Automatic | ✓ | ✓ | X | X | X | X | ✓ |
| AD | RFC2307 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| AD | LDAP | ✓ | ✓ | ✓ | X | X | X | ✓ |
| NIS | NIS | NA | NA | ✓ | NA | ✓ | NA | NA |
| Local | None | NA | NA | NA | NA | NA | NA | ✓ |
Note:
- The ID mapping option that is given in this table is only applicable for file access. Ignore the ID mapping details that are listed in the table if you are looking for the supported configurations for object access.
- In the User-defined mode, the customer is free to choose the authentication and ID mapping methods for file and object and manage on their own. That is, the authentication needs to be configured by the administrator outside of the IBM Spectrum Scale commands and ensure that it is common and consistent across the cluster.
- If LDAP-based authentication is used, ACL management for SMB is not supported.
The following diagram shows the high-level overview of the authentication
configuration.
Figure 1. High-level overview of protocol user authentication
The authentication requests that are received from the client systems are handled by the corresponding services in the IBM Spectrum Scale system. For example, if a user needs to access the NFS data, the NFS services resolves the access request by interacting with the corresponding authentication and ID mapping servers.
