Mixed mode operation and LDAP servers

File Service Administration Guide for Hitachi NAS Platform

Version: 14.9.x
Audience: anonymous
Part Number: MK-92HNAS006-31

The storage server supports mixed mode access for file systems, meaning that a mapping is required between the file system permissions and owners in order to ensure consistent security and access. NIS/LDAP services allow the server to locate and map users and permissions based on an existing NIS/LDAP service on the network, instead of creating a local account on the storage server.

On an existing LDAP service, one of the following methods is typically used for allowing the server to locate and map users and permissions:
  • RFC 2307 / RFC 2307bis schemas

    RFC 2307 defines a standard convention for the storage and retrieval of user and group mapping information from an LDAP server. If your site uses the RFC 2307 (or RFC 2307bis) schema, and you configure your storage server/cluster to support both mixed mode operations and LDAP services, it is assumed that you have already loaded the RFC 2307 schema into your directory, and that you have already provisioned the user objects appropriately. This is the default method.

  • Microsoft Active Directory schema

    This setting configures your server to operate with Microsoft Active Directory 2012 and newer using the default Active Directory schema.

You can also configure the server to operate with two deprecated Microsoft LDAP services:

  • Microsoft Windows Services for UNIX (SFU) schema
  • Microsoft Identity Management for UNIX (IMU) schema

To ensure optimum performance when your server/cluster is configured to support both mixed mode operations and LDAP services, create indexes in the LDAP service for the attributes the storage server queries. For the fastest query responses, configure exact-match indexes on the LDAP server for the attributes to be searched. The LDAP server on your network should index at least the following object classes and attributes:
Object classes:

Objects that:                  RFC 2307 Class   Active Directory Class   Map to NIS Class
                                                (also IMU and SFU)
Describe user accounts         posixAccount     user                     posixAccount
Describe the group identifier  posixGroup       group                    posixGroup

Attributes:

Attributes for:      RFC 2307    Active Directory   Services for UNIX   Identity Management   Map to NIS
                     Attribute   Attribute          Attribute           for Unix Attribute    Attribute
User ID/login name   uid         sAMAccountName     sAMAccountName      uid                   memberUid
User ID number       uidNumber   uidNumber          msSFU30UidNumber    uidNumber             uidNumber
Group name           cn          sAMAccountName     cn                  cn                    memberNisNetgroup
Group ID number      gidNumber   gidNumber          msSFU30GidNumber    gidNumber             gidNumber

To track indexing performance, use the ldap-stats command, which lets you monitor response times for LDAP queries. The storage server must first complete some successful user lookups so that statistics can be gathered; within a short time, however, you should be able to determine whether any of the attributes are not indexed.
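As an added example (not code from the guide or from the NAS product), the following Python builds the exact-match lookups implied by the attribute table above for each schema, escapes the looked-up name per RFC 4515, and emits the matching equality-index LDIF; the OpenLDAP cn=config syntax and the database DN `olcDatabase={1}mdb,cn=config` are assumptions, since the guide does not name a directory product.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SchemaMap:
    """Object classes and attributes for one schema, taken from the table above."""
    user_class: str
    group_class: str
    login: str        # user ID / login name
    uid_number: str
    group_name: str
    gid_number: str

SCHEMAS = {
    "rfc2307": SchemaMap("posixAccount", "posixGroup", "uid", "uidNumber", "cn", "gidNumber"),
    "ad":      SchemaMap("user", "group", "sAMAccountName", "uidNumber", "sAMAccountName", "gidNumber"),
    "sfu":     SchemaMap("user", "group", "sAMAccountName", "msSFU30UidNumber", "cn", "msSFU30GidNumber"),
    "imu":     SchemaMap("user", "group", "uid", "uidNumber", "cn", "gidNumber"),
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a name taken from a file owner or ACL cannot alter the filter."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\0" or b < 0x20 or b > 0x7e:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)

def lookup_filters(schema: str, login: str, uid: int, gid: int) -> dict:
    """The three exact-match searches the mapping needs: user by login, user by UID, group by GID."""
    m = SCHEMAS[schema]
    return {
        "user_by_login": f"(&(objectClass={m.user_class})({m.login}={escape_filter_value(login)}))",
        "user_by_uid": f"(&(objectClass={m.user_class})({m.uid_number}={int(uid)}))",
        "group_by_gid": f"(&(objectClass={m.group_class})({m.gid_number}={int(gid)}))",
    }

def index_ldif(schema: str, database_dn: str = "olcDatabase={1}mdb,cn=config") -> str:
    """Equality ('eq') indexes for every attribute the filters above search on.
    OpenLDAP cn=config syntax and the database DN are assumptions (the guide names no product)."""
    m = SCHEMAS[schema]
    attrs = list(dict.fromkeys(["objectClass", m.login, m.uid_number, m.group_name, m.gid_number]))
    lines = [f"dn: {database_dn}", "changetype: modify", "add: olcDbIndex"]
    lines += [f"olcDbIndex: {a} eq" for a in attrs]
    return "\n".join(lines) + "\n"
```

Feed the LDIF to ldapmodify against cn=config, then compare ldap-stats response times before and after the indexes are built.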