Set up the hosts to retrieve user's group-IDs information

Content Software for File CLI Reference

Version
4.2.x
Audience
anonymous
Part Number
MK-HCSF001-03

For hosts that are part of the interface group, configure the host to retrieve a user's group IDs by any method available in the environment.

You can also set up group resolution by joining the AD domain, joining the Kerberos domain, or using LDAP with a read-only user.

Configure sssd on the host to serve as the group-ID provider. For example, you can configure sssd directly against LDAP, or as a proxy to a different NSS group-ID provider.

Example: set sssd directly for nss services using LDAP with a read-only user

# /etc/sssd/sssd.conf (keep the file owned by root with mode 0600; sssd does not start otherwise)
[sssd]
services = nss
config_file_version = 2
domains = example_ldap

[nss]
# The ldap_* options are domain options and must sit in a [domain/...] section.
# "example_ldap" is an example domain name; use any name you like.
[domain/example_ldap]
id_provider = ldap
# Add ldap_uri = ldap://<server> unless DNS SRV records locate the LDAP server.
ldap_search_base = dc=example,dc=com

# The DN used to search the ldap directory with.
ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com

# The password of the bind DN (stored in plaintext; sss_obfuscate can store an obfuscated form instead).
ldap_default_authtok = password

If the host resolves groups by a method other than sssd (that is, through a different NSS provider), configure an sssd proxy on each relevant host. The Content Software for File container uses the proxy to resolve groups through whichever method is defined on the host.

To configure an sssd proxy on a host, use the following:

# install sssd
yum install sssd

# set up a proxy for weka in /etc/sssd/sssd.conf
[sssd]
services = nss
config_file_version = 2
domains = proxy_for_weka

[nss]
[domain/proxy_for_weka]
id_provider = proxy
auth_provider = none

# the name of the nss lib to be proxied, e.g. ldap, nis, winbind, vas4, etc.
proxy_lib_name = ldap

Note: All users must be present in, and resolvable through, the method that sssd uses for group resolution. In the above example, which uses an LDAP-only provider, local users that are not present in LDAP (such as a local root) do not get their groups resolved and are denied access. For such users or applications, add a matching user to LDAP.
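As an added example (not part of this reference or of the product), a small Python linter for the sssd.conf shapes shown above. It flags the structural mistakes that make sssd ignore or reject the file: ldap_* options placed under [sssd] instead of a domain section, an empty or missing domains list, a listed domain without its [domain/<name>] section, a domain without id_provider, and a proxy domain without proxy_lib_name. Both sample fragments are constructed; the misplaced one mirrors the common mistake of putting the LDAP settings directly under [sssd].

```python
import configparser, io

# Constructed sample in the shape of the proxy example above (expected to pass).
PROXY_CONF = """[sssd]
services = nss
config_file_version = 2
domains = proxy_for_weka
[nss]
[domain/proxy_for_weka]
id_provider = proxy
auth_provider = none
proxy_lib_name = ldap
"""

# Constructed sample that puts ldap_* keys under [sssd] and lists no domains.
MISPLACED_CONF = """[sssd]
services = nss
config_file_version = 2
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com
ldap_default_authtok = password
"""

def lint_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_file(io.StringIO(text))
    problems = []
    # Every name in [sssd] domains needs its own [domain/<name>] section.
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        problems.append("[sssd] lists no domains, so nothing will be resolved")
    for name in domains:
        if not cp.has_section("domain/" + name):
            problems.append(f"domain {name!r} is listed but [domain/{name}] is missing")
    # ldap_* options are domain options; they are not valid in [sssd].
    for key in (cp.options("sssd") if cp.has_section("sssd") else []):
        if key.startswith("ldap_"):
            problems.append(f"{key} belongs in a [domain/...] section, not [sssd]")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        provider = cp.get(section, "id_provider", fallback=None)
        if provider is None:
            problems.append(f"[{section}] has no id_provider")
        elif provider == "proxy" and not cp.has_option(section, "proxy_lib_name"):
            problems.append(f"[{section}] uses id_provider = proxy without proxy_lib_name")
    return problems
```

On the host itself, `sssctl config-check` (from sssd-tools) is the authoritative validation; this linter only catches the layout mistakes discussed on this page.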