Configuring SAN File System to use Active Directory

This topic lists the modifications to SAN File System that are necessary to enable it to use Active Directory as its LDAP architecture.

Prerequisites

You must complete the steps in Installing Active Directory and Configuring Active Directory before completing this procedure.

Steps

  1. You have to modify the tank.properties configuration file on each SAN File System engine to reflect the Active Directory-compatible LDAP configuration. You can modify this file at SAN File System initialization using a special setupTank flag, or later by editing the tank.properties file directly.
    Attention: Running setupTank or modifying the tank.properties file incorrectly can render an existing SAN File System installation unusable.
  2. To modify the SAN File System LDAP configuration during initialization, use the -debug parameter on the setupTank command to access and modify the tank.properties file as part of the setup script:
    setupTank -debug -setmaster
  3. If you are not modifying the LDAP during configuration, use a text editor such as vi to modify the tank.properties file on each engine:
    vi /usr/tank/admin/config/tank.properties
  4. Make changes as required to the following variables in the tank.properties file:
    LDAP_SERVER=IP-address
    For IP-address, specify the IP address of the Windows® 2000 system running the Active Directory instance.
    LDAP_USER=cn=LDAP_Admin,cn=Users,dc=sanfsdom,dc=net
    For LDAP_Admin, specify the User logon name of the user created for the Administrative agent in searching Active Directory. For sanfsdom and net, substitute the parts of the domain name chosen for your SAN File System users and groups. The example uses sanfsdom.net. Represent more dotted-domain qualifications with more dc= clauses. The cn=Users clause represents the object type of this object. It is recommended that you do not change the object type unless you have Active Directory expertise.
    LDAP_PASSWD=password
    For password, substitute the password given to the LDAP_Admin user.
    LDAP_BASEDN_ROLES=cn=Users,dc=sanfsdom,dc=net
    This variable identifies the container (base DN) in which the administrative agent searches Active Directory for the user and role objects. Modify dc=sanfsdom,dc=net to indicate the domain name chosen for your SAN File System users and groups. The cn=Users clause represents the object type of this object. It is recommended that you do not change the object type unless you have Active Directory expertise.
    LDAP_ROLE_MEM_ID_ATTR=member
    This variable indicates to SAN File System the name of the attribute that relates the object representing a SAN File System administration role (for example, SANFS_Admins) to the user objects authorized for that role. When you use Active Directory with its default schema, this attribute must be "member".
    LDAP_USER_ID_ATTR=sAMAccountName
    This variable indicates to SAN File System the user object attribute that contains the logon name. This name corresponds to the field Active Directory calls User logon name in the New Object and Object Properties panels for User objects. It is recommended that you do not change the attribute type unless you have Active Directory expertise.
    LDAP_ROLE_ID_ATTR=description
    This variable indicates to SAN File System the group object attribute that contains the SAN File System role name. This name corresponds to the field AD calls Description in the New Object and Object Properties panels for Group objects. It is recommended that you do not change the attribute type unless you have Active Directory expertise.
    LDAP_SECURED_CONNECTION=false
    This variable indicates to SAN File System not to use SSL to connect to Active Directory.
    LDAP_CERT=
    This variable indicates to SAN File System information about the certificate needed by the AD instance to establish an SSL connection.
    Note: The user names and passwords used by administrators to access sfscli and the SAN File System Console must match the ones specified in a user object in the member relation to one of the group objects representing administration roles. See the IBM® TotalStorage® SAN File System Administrator's Guide and Reference (GA27-4317) for information about the methods for specifying passwords to these interfaces. If you are performing an initial installation of SAN File System, the administrator user name and password can also be set in a dot file (.tank.passwd) used by sfscli in response to prompts from within setupTank.
  5. After you change the tank.properties file, the administrative agent must be restarted on each engine in the cluster for the new settings to take effect. Use the stopCimom and startCimom commands to restart the administrative agent.
    Note: Using this simplified method for configuring Active Directory and SAN File System results in warning messages in the administrative agent log. The administrative agent generates the warning "Role name xxx is invalid" for each user object that exists in the domain that does not have a description matching one of the SAN File System role names. For this reason, following the example in this paper is not practical for a domain that is used for other applications besides SAN File System. The method presented here has to be adapted to be useful in larger scale Active Directory domains.

Postrequisites

Continue with Validating the Active Directory and SAN File System configurations.

Parent topic: Configuring LDAP using Microsoft Active Directory LDAP
Previous topic: Configuring Active Directory
Next topic: Validating the Active Directory and SAN File System configurations

(C) Copyright IBM Corporation 2003, 2004. All Rights Reserved.
IBM TotalStorage SAN File System v2.2