LDAP configuration

The SAN File System administrative agent relies on your LDAP installation to authenticate and authorize each administrative operation based on your authentication model. This support requires that the LDAP service be readily available when an administrator command is issued. If the LDAP service cannot be reached, the administrative operation fails with an authentication error. Therefore, you need to ensure that your LDAP service has high availability.

SAN File System requires some configuration of the LDAP server to use LDAP to authenticate SAN File System administrators. In general, this configuration requires that you provide the following types of information:

Network
You must identify the machine on which the LDAP server is running (and the port, if the server is not listening on the default LDAP port). SAN File System also requires an authorized LDAP user name with which it binds to the LDAP server. The authorized LDAP user name must be able to browse the LDAP tree where the users and roles are stored.
Users
All administrative users must have an entry in the LDAP database. These entries must share the same objectClass and must use a single, consistently applied attribute of the "user ID" type to store each administrator's login user ID.
Roles
Each of the roles that you plan to use must have an entry in the LDAP database. These roles must have the same parent distinguished name (DN). Each must have an attribute containing the string that describes its role: Administrator, Backup, Operator, or Monitor. Finally, each must support an attribute that can contain multiple values, one value for each DN of the role occupant.

You define these four roles in the LDIF file. You can change the default values of these roles to values that are unique to your organization.

You can use the worksheet in Table 1 to compile this information. You also need to import an LDIF file.

Table 1. LDAP planning worksheet

Description                         | Example value                                                                                   | Your value
IP address                          | 9.42.164.125                                                                                    |
Port numbers                        | 389 insecure; 636 secure                                                                        |
Authorized LDAP user name           | cn=root                                                                                         |
Authorized LDAP password            | secret (default for IBM® Directory Server)                                                      |
Attribute containing login user ID  | uid for IBM Directory Server and OpenLDAP; sAMAccountName for MS Active Directory               |
Role parent DN                      | ou=Roles, o=yourOrg (an organizationalUnit entry; in LDIF: dn: ou=Roles, o=yourOrg / objectclass: organizationalUnit) |
Attribute containing role name      | cn                                                                                              |
Attribute for role occupants        | roleOccupant for IBM Directory Server and OpenLDAP; description for Microsoft® Active Directory |

The procedures to set up three possible LDAP infrastructures are provided as examples of how to configure LDAP. Those examples might differ from your configuration, but can provide some helpful guidance. The three LDAP configuration alternatives are listed under Related information below.
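Before importing the LDIF file, it is worth checking that it actually satisfies the user and role rules above. The following script is an added example, not part of the IBM documentation or product: it reads a small constructed LDIF (the DNs, the ou=People branch and the user jsmith are assumptions, not IBM values) with the standard library only and reports role entries that are outside the role parent DN, carry a role name other than the four listed, or name an occupant DN that has no user entry with the login-ID attribute.

```python
# Added example: pre-import check for a SAN File System role/user LDIF. It checks
# the worksheet rules: role entries share one parent DN, the name attribute holds
# one of the four role strings, and each occupant DN is a user with a login ID.
# The LDIF text and DNs below are constructed samples, not values from IBM's docs.
ROLE_NAMES = {"Administrator", "Backup", "Operator", "Monitor"}
SAMPLE_LDIF = """\
dn: uid=jsmith, ou=People, o=yourOrg
objectclass: inetOrgPerson
uid: jsmith
sn: Smith

dn: cn=Administrator, ou=Roles, o=yourOrg
objectclass: organizationalRole
cn: Administrator
roleOccupant: uid=jsmith, ou=People, o=yourOrg
roleOccupant: uid=nobody, ou=People, o=yourOrg
"""

def norm_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records -> {norm DN: {attr: [values]}}."""
    entries = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs.pop("dn")[0])] = attrs
    return entries

def check_roles(text, role_parent="ou=Roles, o=yourOrg", name_attr="cn",
                occupant_attr="roleOccupant", login_attr="uid"):
    """Return a list of problems; an empty list means the LDIF meets the rules."""
    entries, problems = parse_ldif(text), []
    for dn, attrs in entries.items():
        if "organizationalrole" not in [c.lower() for c in attrs.get("objectclass", [])]:
            continue  # only role entries are checked
        if dn.partition(",")[2] != norm_dn(role_parent):
            problems.append(f"{dn}: role is not under {role_parent}")
        if not ROLE_NAMES.intersection(attrs.get(name_attr.lower(), [])):
            problems.append(f"{dn}: {name_attr} is not one of {sorted(ROLE_NAMES)}")
        for occupant in attrs.get(occupant_attr.lower(), []):
            user = entries.get(norm_dn(occupant))
            if user is None or not user.get(login_attr.lower()):
                problems.append(f"{dn}: occupant {occupant} has no entry with {login_attr}")
    return problems
```

For Active Directory, pass occupant_attr="description" and login_attr="sAMAccountName", matching the worksheet; the sample deliberately contains one dangling occupant so the check reports it.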

Parent topic: Preparing your environment

Related information
Configuring LDAP using OpenLDAP
Configuring LDAP using IBM Directory Server Version 5.1
Configuring LDAP using Microsoft Active Directory LDAP

(C) Copyright IBM Corporation 2003, 2004. All Rights Reserved.
IBM TotalStorage SAN File System v2.2