
User-Defined Identity Mappings

IN THIS ARTICLE 

Outlines how to map user identities between Active Directory and LDAP on your cluster

NOTE: The RFC2307 values described here are the preferred method of mapping identities between Active Directory and LDAP.

REQUIREMENTS

  • Cluster running Qumulo Core 2.11.1 or later
  • Command line (CLI) tools installed via API & Tools tab

RESTRICTIONS

User-defined identity mappings have the following restrictions:

  • Mappings can only be set or retrieved by the admin user
  • POSIX attributes must not be enabled in the Qumulo Active Directory configuration
  • Mappings must be one-to-one
  • No down_level_logon_name can be associated with more than one ldap_name, nor may any ldap_name be associated with more than one down_level_logon_name

PROCESS

With the release of Qumulo Core 2.11.1, system administrators can create a map of user identities between Active Directory and LDAP environments to create a single unified identity for the two. This feature is useful in environments where a storage administrator wants to grant common access permissions to files or directories to a user that uses both SMB and NFS, but the Active Directory server doesn't have knowledge about UIDs or GIDs (POSIX extensions).

The ability to set user-defined identity mappings is exposed via the auth_set_user_defined_mappings command, which takes input via stdin or as a JSON file in the following format:

mappings.json
[
    {
        "down_level_logon_name": "DOMAIN\\Alice.Cooper",
        "ldap_name": "acoop"
    },
    {
        "down_level_logon_name": "DOMAIN\\Joan.Jett",
        "ldap_name": "jjett"
    }
]

NOTE: The "ldap_name" corresponds to the value of the "login name" attribute configured in your LDAP schema. By default, this attribute is "uid" (which should not be confused with "uidNumber").

You can enable the configured mappings in mappings.json for the cluster via the qq CLI:

qq auth_set_user_defined_mappings --file mappings.json
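Because the command above replaces the cluster's mapping set with whatever the file contains, it is worth checking the file against the restrictions listed earlier before applying it. The following script is an added example, not part of the Qumulo tooling: it validates the object shape shown above and the one-to-one rule (no down_level_logon_name with more than one ldap_name, and no ldap_name with more than one down_level_logon_name). It assumes that names which differ only in case refer to the same account, which is how Active Directory logon names and the LDAP uid attribute are matched; whether the cluster folds case the same way is an assumption, so the check errs on the conservative side.

```python
import json
import re
from collections import defaultdict

# A down-level logon name is NetBIOS domain, backslash, account name.
DOWN_LEVEL_RE = re.compile(r"^[^\\]+\\[^\\]+$")


def validate_mappings(mappings):
    """Return problems found in a mappings array (empty list means valid).

    Enforces the shape the command expects and the one-to-one restriction.
    Names are compared case-insensitively (as AD logon names and the LDAP
    uid attribute are); whether the cluster folds case too is an assumption.
    """
    errors = []
    if not isinstance(mappings, list):
        return ["top-level JSON value must be an array of mapping objects"]
    by_logon = defaultdict(set)  # lowercased logon name -> ldap names
    by_ldap = defaultdict(set)   # lowercased ldap name  -> logon names
    for i, m in enumerate(mappings):
        if not isinstance(m, dict) or set(m) != {"down_level_logon_name", "ldap_name"}:
            errors.append(f"entry {i}: must be an object with exactly the keys "
                          "down_level_logon_name and ldap_name")
            continue
        logon, ldap = m["down_level_logon_name"], m["ldap_name"]
        if not (isinstance(logon, str) and isinstance(ldap, str) and logon and ldap):
            errors.append(f"entry {i}: both values must be non-empty strings")
            continue
        if not DOWN_LEVEL_RE.match(logon):
            errors.append(f"entry {i}: {logon!r} is not of the form DOMAIN\\user")
        by_logon[logon.lower()].add(ldap.lower())
        by_ldap[ldap.lower()].add(logon.lower())
    for logon, ldaps in by_logon.items():
        if len(ldaps) > 1:
            errors.append(f"{logon} maps to several ldap_names: {sorted(ldaps)}")
    for ldap, logons in by_ldap.items():
        if len(logons) > 1:
            errors.append(f"{ldap} maps to several logon names: {sorted(logons)}")
    return errors


def validate_mappings_file(path="mappings.json"):
    with open(path) as f:
        return validate_mappings(json.load(f))


if __name__ == "__main__":
    import sys
    problems = validate_mappings_file(*sys.argv[1:2])
    print("\n".join(problems) or "mappings OK")
    sys.exit(1 if problems else 0)
```

Run it as `python3 check_mappings.py mappings.json` before `qq auth_set_user_defined_mappings`; a non-zero exit with the listed problems means the file would be rejected or would map an account ambiguously.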

To view the current user-defined mappings, run the following command:

qq auth_get_user_defined_mappings
[
   {
       "down_level_logon_name": "DOMAIN\\Alice.Cooper",
       "ldap_name": "acoop"
   },
   {
       "down_level_logon_name": "DOMAIN\\Joan.Jett",
       "ldap_name": "jjett"
   }
]

To see a user's new expanded identity, administrators can run the following command, providing the user's SID, UID number, or GID number as its argument.

qq auth_get_all_related_identities

If correctly configured, the administrator should be able to see both UIDs and GIDs from LDAP and SIDs from Active Directory:

qq auth_get_all_related_identities
[
    {
        "id_type": "NFS_UID",
        "value": "2105"
    },
    {
        "id_type": "NFS_GID",
        "value": "2105"
    },
    {
        "id_type": "NFS_GID",
        "value": "10123"
    },
    {
        "id_type": "SMB_SID",
        "value": "S-1-5-32-1234"
    },
    {
        "id_type": "SMB_SID",
        "value": "S-1-5-32-4321"
    }
]

To remove a user-defined mapping, create a JSON file containing an empty array, for example mappings.json:

[]

Next, run the following command to remove the mapping.

qq auth_set_user_defined_mappings --file mappings.json

RESOLUTION

You should now be able to successfully configure user-defined identity mapping between Active Directory and LDAP in Qumulo Core.

ADDITIONAL RESOURCES

QQ CLI: LDAP and Certificates

Required Active Directory RFC2307 Values for NFS/SMB Multi-Mode Permissions Management
