This topic lists the modifications to SAN File System that are
necessary to enable it to use Active Directory as its LDAP directory.
Prerequisites
You must complete the steps in Installing Active Directory and Configuring
Active Directory before completing this procedure.
Steps
- You must modify the tank.properties configuration file on each
SAN File System engine to reflect the Active Directory-compatible LDAP configuration.
You can modify this file at SAN File System initialization by using a special
setupTank flag, or later by editing the tank.properties file directly.
Attention: Running setupTank or modifying the tank.properties
file incorrectly can render an existing SAN File System installation unusable.
- To modify the SAN File System LDAP configuration during initialization,
use the -debug parameter on the setupTank command, which lets you
access and modify the tank.properties file as part of the setup script:
setupTank -debug -setmaster
- If you are not modifying the LDAP configuration during initialization, use a text
editor such as vi to modify the tank.properties file on each engine:
vi /usr/tank/admin/config/tank.properties
- Make changes as required to the following variables in the tank.properties
file:
- LDAP_SERVER=IP-address
- For IP-address, specify the IP address of the Windows® 2000
system running the Active Directory instance.
- LDAP_USER=cn=LDAP_Admin,cn=Users,dc=sanfsdom,dc=net
- For LDAP_Admin, specify the User logon name of the user created for the
administrative agent to use when searching Active Directory. For sanfsdom and net,
substitute the parts of the domain name chosen for your SAN File System users
and groups. The example uses sanfsdom.net. Represent additional dotted-domain
qualifications with additional dc= clauses. The cn=Users clause names the
Active Directory container (the default Users container) that holds this user
object. It is recommended that you do not change the container unless you
have Active Directory expertise.
- LDAP_PASSWD=password
- For password, substitute the password given to the LDAP_Admin user. The
password is stored in clear text in tank.properties, so restrict read access
to the file to the administrators of the engine.
- LDAP_BASEDN_ROLES=cn=Users,dc=sanfsdom,dc=net
- This variable identifies the base distinguished name under which the
administrative agent searches Active Directory for the group objects that
represent SAN File System administration roles. Modify dc=sanfsdom,dc=net
to indicate the domain name chosen for your SAN File System users and groups.
The cn=Users clause names the Active Directory container (the default Users
container) in which the search starts. It is recommended that you do not
change the container unless you have Active Directory expertise.
- LDAP_ROLE_MEM_ID_ATTR=member
- This variable indicates to SAN File System the name of the attribute that
relates the object representing a SAN File System administration role (for
example, SANFS_Admins) to the user objects authorized for that role. When
you use Active Directory with its default schema, this attribute must be "member".
- LDAP_USER_ID_ATTR=sAMAccountName
- This variable indicates to SAN File System the user object attribute that
contains the logon name. This name corresponds to the field that Active Directory
calls User logon name in the New Object and Object Properties panels for User
objects. It is recommended that you do not change the attribute unless
you have Active Directory expertise.
- LDAP_ROLE_ID_ATTR=description
- This variable indicates to SAN File System the group object attribute
that contains the SAN File System role name. This name corresponds to the
field that Active Directory calls Description in the New Object and Object
Properties panels for Group objects. It is recommended that you do not change
the attribute unless you have Active Directory expertise.
- LDAP_SECURED_CONNECTION=false
- This variable indicates to SAN File System not to use SSL to connect to
Active Directory. With this setting the LDAP_ADMIN bind, including its password,
crosses the network in clear text; use SSL (true, with LDAP_CERT set) on any
network you do not fully trust.
- LDAP_CERT=
- This variable holds the certificate information that SAN File System needs
to establish an SSL connection to the Active Directory instance. It is empty in
this example because SSL is not used.
Note: The user name and password that administrators use to
access sfscli and the SAN File System Console must match those specified
in a user object that is a member (through the member relation) of one of the
group objects representing administration roles. See the IBM® TotalStorage® SAN
File System Administrator's Guide and Reference (GA27-4317) for information about
the methods for specifying passwords to these interfaces. If you are performing an
initial installation of SAN File System, the administrator user name and password
can also be set in a dot file (.tank.passwd) used by sfscli, in response to prompts
from within setupTank.
- After you change the tank.properties file,
the administrative agent must be restarted on each engine in the cluster for
the new settings to take effect. Use the stopCimom and startCimom commands
to restart the administrative agent.
Note: Using this simplified
method for configuring Active Directory and SAN File System results in warning
messages in the administrative agent log. The administrative agent generates
the warning "Role name xxx is invalid" for each user object in the domain
whose description does not match one of the SAN File System role names. For
this reason, following the example in this paper is not practical for a domain
that is also used for applications other than SAN File System. The method
presented here must be adapted to be useful in larger-scale Active Directory
domains.
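The following script is an added example and is not part of SAN File System or of the original page. It lints the LDAP variables from a constructed tank.properties fragment before the administrative agent is restarted (missing variables, malformed DNs, SSL enabled without a certificate, or SSL disabled and the bind password therefore in clear text), dry-runs the role lookup those variables describe against a constructed set of Active Directory entries so the "Role name xxx is invalid" warnings from the note above can be seen in advance, and builds the equivalent OpenLDAP ldapsearch command for checking the bind from an engine. The sample directory entries, the IP address 192.0.2.10, the password, the user names and the role set {"SANFS_Admins"} are all assumptions for illustration; only SANFS_Admins and the variable names come from the text.

```python
"""Lint the LDAP variables of a SAN File System tank.properties file and
dry-run the role lookup they describe against constructed AD entries.
Added example; not SAN File System code."""
import re
import shlex

REQUIRED = ("LDAP_SERVER", "LDAP_USER", "LDAP_PASSWD", "LDAP_BASEDN_ROLES",
            "LDAP_ROLE_MEM_ID_ATTR", "LDAP_USER_ID_ATTR", "LDAP_ROLE_ID_ATTR",
            "LDAP_SECURED_CONNECTION", "LDAP_CERT")
RDN = re.compile(r"^[A-Za-z][\w-]*=[^,=]+$")   # one attr=value component of a DN

# Constructed tank.properties fragment (assumed address and password).
SAMPLE_TANK_PROPERTIES = """\
LDAP_SERVER=192.0.2.10
LDAP_USER=cn=LDAP_Admin,cn=Users,dc=sanfsdom,dc=net
LDAP_PASSWD=s3cret-example
LDAP_BASEDN_ROLES=cn=Users,dc=sanfsdom,dc=net
LDAP_ROLE_MEM_ID_ATTR=member
LDAP_USER_ID_ATTR=sAMAccountName
LDAP_ROLE_ID_ATTR=description
LDAP_SECURED_CONNECTION=false
LDAP_CERT=
"""

# Constructed directory contents, not a capture from a real domain.
SAMPLE_ENTRIES = [
    {"dn": "cn=LDAP_Admin,cn=Users,dc=sanfsdom,dc=net", "sAMAccountName": "LDAP_Admin"},
    {"dn": "cn=Alice Example,cn=Users,dc=sanfsdom,dc=net",
     "sAMAccountName": "alice", "description": "Storage administrator"},
    {"dn": "cn=SANFS_Admins,cn=Users,dc=sanfsdom,dc=net", "description": "SANFS_Admins",
     "member": ["CN=Alice Example,CN=Users,DC=sanfsdom,DC=net"]},
    {"dn": "cn=Printers,ou=Shared,dc=sanfsdom,dc=net", "description": "Office printers"},
]
ROLE_NAMES = {"SANFS_Admins"}   # assumed role set; SANFS_Admins is the name used in the text


def parse_properties(text):
    """key=value lines; the first '=' splits, blank and '#' lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def normalize_dn(dn):
    """Drop the whitespace after commas that hand-edited files pick up
    (cn=Users, dc=sanfsdom) and lower-case for AD's case-insensitive matching."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def lint(props):
    """Problems worth fixing before stopCimom/startCimom is run."""
    problems = [f"{k} is not set" for k in REQUIRED if k not in props]
    for k in ("LDAP_USER", "LDAP_BASEDN_ROLES"):
        dn = props.get(k, "")
        if dn and not all(RDN.match(p.strip()) for p in dn.split(",")):
            problems.append(f"{k} is not a well-formed DN: {dn!r}")
    secured = props.get("LDAP_SECURED_CONNECTION", "").lower()
    if secured == "true" and not props.get("LDAP_CERT"):
        problems.append("LDAP_SECURED_CONNECTION=true but LDAP_CERT is empty")
    if secured == "false":
        problems.append("LDAP_SECURED_CONNECTION=false: the LDAP_PASSWD bind "
                        "crosses the network in clear text")
    return problems


def resolve_roles(props, entries, role_names):
    """Emulate the agent: every object under LDAP_BASEDN_ROLES whose
    LDAP_ROLE_ID_ATTR names a role contributes its LDAP_ROLE_MEM_ID_ATTR members
    (reported by LDAP_USER_ID_ATTR); any other object draws the invalid-role warning."""
    base = normalize_dn(props["LDAP_BASEDN_ROLES"])
    role_attr, mem_attr = props["LDAP_ROLE_ID_ATTR"], props["LDAP_ROLE_MEM_ID_ATTR"]
    user_attr = props["LDAP_USER_ID_ATTR"]
    by_dn = {normalize_dn(e["dn"]): e for e in entries}
    authorized, warnings = {}, []
    for dn, entry in by_dn.items():
        if not dn.endswith("," + base):
            continue                     # outside the search base; never examined
        role = entry.get(role_attr, "")
        if role not in role_names:
            warnings.append(f"Role name {role!r} is invalid ({entry['dn']})")
            continue
        logons = {by_dn[normalize_dn(m)][user_attr]
                  for m in entry.get(mem_attr, []) if normalize_dn(m) in by_dn}
        authorized.setdefault(role, set()).update(logons)
    return authorized, warnings


def ldapsearch_command(props, role):
    """Equivalent OpenLDAP query: same bind DN, password and base as the agent."""
    scheme = "ldaps" if props["LDAP_SECURED_CONNECTION"].lower() == "true" else "ldap"
    return ["ldapsearch", "-x", "-H", f"{scheme}://{props['LDAP_SERVER']}",
            "-D", props["LDAP_USER"], "-w", props["LDAP_PASSWD"],
            "-b", props["LDAP_BASEDN_ROLES"],
            f"({props['LDAP_ROLE_ID_ATTR']}={role})", props["LDAP_ROLE_MEM_ID_ATTR"]]


if __name__ == "__main__":
    props = parse_properties(SAMPLE_TANK_PROPERTIES)
    for problem in lint(props):
        print("lint:", problem)
    roles, warnings = resolve_roles(props, SAMPLE_ENTRIES, ROLE_NAMES)
    print("authorized:", roles)
    for warning in warnings:
        print("agent would log:", warning)
    print("check from an engine with:", shlex.join(ldapsearch_command(props, "SANFS_Admins")))
```

Run against a real tank.properties, parse_properties(open("/usr/tank/admin/config/tank.properties").read()) replaces the constructed fragment; the dry run shows why a shared domain floods the agent log: every user object under cn=Users, including LDAP_Admin itself, produces a warning because its Description is not a role name.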
Postrequisites
Continue with Validating the Active Directory and SAN File System
configurations.