Mapping User Identities between Active Directory and LDAP on a Qumulo Cluster

NOTE: The RFC2307 values described here are the preferred method of mapping identities between Active Directory and LDAP.

REQUIREMENTS

  • Cluster running Qumulo Core 2.11.1 or later
  • Command line (CLI) tools installed via API & Tools tab

RESTRICTIONS

User-defined identity mappings have the following restrictions:

  • Mappings can only be set or retrieved by the admin user
  • POSIX attributes must not be enabled in the Qumulo Active Directory configuration
  • Mappings must be one-to-one
  • No down_level_logon_name can be associated with more than one ldap_name, nor may any ldap_name be associated with more than one down_level_logon_name

PROCESS

With the release of Qumulo Core 2.11.1, system administrators can create a map of user identities between Active Directory and LDAP environments to create a single unified identity for the two. This feature is useful in environments where a storage administrator wants to grant common access permissions to files or directories to a user that uses both SMB and NFS, but the Active Directory server doesn't have knowledge about UIDs or GIDs (POSIX extensions).

The ability to set user-defined identity mappings is exposed via the auth_set_user_defined_mappings command, which takes input via stdin or as a JSON file in the following format:

mappings.json
[
   {
       "down_level_logon_name": "DOMAIN\\Alice.Cooper",
       "ldap_name": "acoop"
   },
   {
       "down_level_logon_name": "DOMAIN\\Joan.Jett",
       "ldap_name": "jjett"
   }
]

NOTE: The "ldap_name" corresponds to the value of the "login name" attribute configured in your LDAP schema. By default, this attribute is "uid" (which should not be confused with "uidNumber").
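Because the cluster only accepts one-to-one mappings (see RESTRICTIONS), it helps to check a mappings.json file before handing it to qq. The validator below is an added example, not part of this article or of Qumulo's tooling; it assumes the two-key entry shape shown above and, as a deliberately conservative assumption, compares names case-insensitively when looking for duplicates.

```python
import json
import re

# Exactly one backslash separating the NetBIOS domain from the account name
# (the "DOMAIN\\user" shape shown in mappings.json above).
DOWN_LEVEL_RE = re.compile(r"^[^\\]+\\[^\\]+$")

def validate_mappings(text):
    """Return a list of problems with a mappings.json document; [] means it is acceptable."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(data, list):
        return ["top-level value must be a JSON array"]
    problems, seen_logon, seen_ldap = [], {}, {}
    for i, entry in enumerate(data):
        if not isinstance(entry, dict) or set(entry) != {"down_level_logon_name", "ldap_name"}:
            problems.append(f"entry {i}: needs exactly down_level_logon_name and ldap_name")
            continue
        logon, ldap = entry["down_level_logon_name"], entry["ldap_name"]
        if not isinstance(logon, str) or not DOWN_LEVEL_RE.match(logon):
            problems.append(f"entry {i}: down_level_logon_name {logon!r} is not DOMAIN\\user")
        if not isinstance(ldap, str) or not ldap:
            problems.append(f"entry {i}: ldap_name must be a non-empty string")
        # One-to-one check. Case-insensitive comparison is an assumption chosen to be
        # conservative: AD logon names are case-insensitive and LDAP uid usually is too.
        k_logon, k_ldap = str(logon).lower(), str(ldap).lower()
        if k_logon in seen_logon:
            problems.append(f"entry {i}: {logon!r} already mapped at entry {seen_logon[k_logon]}")
        seen_logon.setdefault(k_logon, i)
        if k_ldap in seen_ldap:
            problems.append(f"entry {i}: ldap_name {ldap!r} already used at entry {seen_ldap[k_ldap]}")
        seen_ldap.setdefault(k_ldap, i)
    return problems

# Constructed sample inputs (not taken from a real cluster).
GOOD = json.dumps([
    {"down_level_logon_name": "DOMAIN\\Alice.Cooper", "ldap_name": "acoop"},
    {"down_level_logon_name": "DOMAIN\\Joan.Jett", "ldap_name": "jjett"},
])
BAD = json.dumps([
    {"down_level_logon_name": "DOMAIN\\Alice.Cooper", "ldap_name": "acoop"},
    {"down_level_logon_name": "domain\\alice.cooper", "ldap_name": "acoop2"},  # same AD account twice
    {"down_level_logon_name": "Joan.Jett", "ldap_name": "jjett"},  # missing DOMAIN\ prefix
])

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_mappings(doc) or "ok")
```

An empty array (`[]`) passes, which matches its use later in this article for clearing the mappings.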

Apply the mappings in mappings.json to the cluster via the qq CLI:

qq auth_set_user_defined_mappings --file mappings.json

To view the current user-defined mappings, run the following command:

qq auth_get_user_defined_mappings
[
   {
       "down_level_logon_name": "DOMAIN\\Alice.Cooper",
       "ldap_name": "acoop"
   },
   {
       "down_level_logon_name": "DOMAIN\\Joan.Jett",
       "ldap_name": "jjett"
   }
]

To see a user's new expanded identity, run the following command, providing the user's SID, UID number, or GID number:

qq auth_get_all_related_identities

If correctly configured, the administrator should be able to see both UIDs and GIDs from LDAP and SIDs from Active Directory:

qq auth_get_all_related_identities
[
   {
       "id_type": "NFS_UID",
       "value": "2105"
   },
   {
       "id_type": "NFS_GID",
       "value": "2105"
   },
   {
       "id_type": "NFS_GID",
       "value": "10123"
   },
   {
       "id_type": "SMB_SID",
       "value": "S-1-5-32-1234"
   },
   {
       "id_type": "SMB_SID",
       "value": "S-1-5-32-4321"
   }
]

To remove the user-defined mappings, create a JSON file containing an empty array, for example mappings.json:

[]

Next, run the following command to apply the empty file and remove the mappings:

qq auth_set_user_defined_mappings --file mappings.json