You can use a Kerberos server for authentication on your storage system.
To use a Kerberos server for authentication, create a configuration file encoded in UTF-8 that describes the authentication server, in the form shown in the following template. Any file name and extension are allowed. If you do not use an authorization server (LDAP group mapping), you do not need to define the auth.group items. Note that the file holds the password of the LDAP search account (auth.group.<realm_name>.searchpw) in clear text, so restrict read access to the file and use a dedicated search account with read-only directory rights.
```
auth.server.type=kerberos
auth.group.mapping=<value>
auth.kerberos.<attribute>=<value>
auth.group.<realm_name>.<attribute>=<value>
```
A full example is shown below:
```
auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=example.com
auth.kerberos.dns_lookup_kdc=true
auth.kerberos.clockskew=300
auth.kerberos.timeout=10
auth.group.example.com.protocol=ldaps
auth.group.example.com.port=636
auth.group.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.example.com.searchpw=password
auth.group.example.com.basedn=CN=Users,DC=domain,DC=local
```
The Kerberos attributes are defined in the following table.
Attribute | Description | Required / Optional | Default value |
---|---|---|---|
auth.server.type | Type of authentication server. Specify kerberos. | Required | None |
auth.group.mapping | Whether to also use an authorization server (LDAP group mapping). Specify true to use one. | Optional | false |
auth.kerberos.default_realm | Default realm name. | Required | None |
auth.kerberos.dns_lookup_kdc | Determines how the Kerberos server is located. Specify false to search with the host name and port number given in auth.kerberos.<realm_name>.kdc, or true to search with the information registered in the SRV records of the DNS server. | Optional | false |
auth.kerberos.clockskew | Acceptable difference in time, in seconds, between the SVP and the Kerberos server. Must be between 0 and 300. | Optional (1) | 300 |
auth.kerberos.timeout | Number of seconds before the connection to the Kerberos server times out. Must be between 1 and 30, or 0, in which case the connection does not time out until a communication error occurs. | Optional (1) | 10 |
auth.kerberos.realm_name | Realm identifier name: any name that distinguishes the Kerberos server information of each realm. Duplicate names cannot be used. To register multiple names, separate them with commas. The value specified here is referred to as <realm_name> below. | Optional (2) | None |
auth.kerberos.<realm_name>.realm | The realm name set on the Kerberos server. | Optional (2) | None |
auth.kerberos.<realm_name>.kdc | Host name or IPv4 address of the Kerberos server, optionally followed by its port number, in the format <host name or IP address>[:port number]. | Optional (2) | None |
Notes:
Attribute | Description | Required / Optional | Default value |
---|---|---|---|
auth.group.<realm_name>.protocol | LDAP protocol to use. Specify ldaps (LDAP over SSL/TLS). Do not specify starttls (StartTLS). | Required | None |
auth.group.<realm_name>.port | Port number of the LDAP server. Must be between 1 and 65535. The default is the plain LDAP port, so set the ldaps port explicitly (636 in the example above). | Optional (1) | 389 |
auth.group.<realm_name>.searchdn | DN of the user account used for searching. | Required (2) | None |
auth.group.<realm_name>.searchpw | Password of the search user. Specify the same password that is registered in the LDAP server. | Required | None |
auth.group.<realm_name>.basedn | Base DN from which the search for users begins. Specify a DN high enough in the hierarchy to include all users, because the user being searched for is below the specified DN. | Optional (2) | None |
auth.group.<realm_name>.timeout | Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30, or 0, in which case the connection does not time out until a communication error occurs. | Optional (1) | 10 |
auth.group.<realm_name>.retry.interval | Retry interval, in seconds, when the connection to the LDAP server fails. Must be between 1 and 5. | Optional (1) | 1 |
auth.group.<realm_name>.retry.times | Number of retries when the connection to the LDAP server fails. Must be between 0 and 3; 0 means no retry. | Optional (1) | 3 |
Notes:
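As an added example (not code from the original page or from the storage vendor), the following Python script parses a configuration file of this form and checks it against the constraints in the two tables above: strict UTF-8 decoding, required attributes, value ranges, the allowed protocol value, and the LDAP port default. The `parse` and `validate` function names, the finding texts and the two embedded sample files are constructed for this example. One rule is an assumption drawn from the dns_lookup_kdc description rather than a statement of the page: when dns_lookup_kdc is false, the script requires an explicit realm_name with a realm and kdc entry per realm.

```python
"""Validator for the SVP Kerberos/LDAP authentication configuration file.
Added example; attribute names and ranges follow the tables above, the
samples and check names are constructed here."""
import re

# Value ranges from the tables. A timeout of 0 means "no timeout".
KERBEROS_RANGES = {"auth.kerberos.clockskew": (0, 300), "auth.kerberos.timeout": (0, 30)}
GROUP_RANGES = {"port": (1, 65535), "timeout": (0, 30), "retry.interval": (1, 5), "retry.times": (0, 3)}
GROUP_ATTRS = ("protocol", "port", "searchdn", "searchpw", "basedn",
               "timeout", "retry.interval", "retry.times")
GROUP_REQUIRED = ("protocol", "searchdn", "searchpw")
ALLOWED_PROTOCOLS = ("ldaps",)   # the table allows only ldaps, not starttls

# Constructed sample: the page's full example, as a UTF-8 file would hold it.
GOOD_CONFIG = b"""\
auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=example.com
auth.kerberos.dns_lookup_kdc=true
auth.kerberos.clockskew=300
auth.kerberos.timeout=10
auth.group.example.com.protocol=ldaps
auth.group.example.com.port=636
auth.group.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.example.com.searchpw=password
auth.group.example.com.basedn=CN=Users,DC=domain,DC=local
"""

# Constructed sample with several mistakes a reviewer should catch.
BAD_CONFIG = b"""\
auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=example.com
auth.kerberos.dns_lookup_kdc=false
auth.kerberos.clockskew=600
auth.group.example.com.protocol=ldap
auth.group.example.com.timeout=45
auth.group.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.example.com.searchpw=password
"""


def parse(data):
    """Parse key=value lines into a dict. Bytes are decoded strictly as UTF-8,
    so a file in another encoding is rejected instead of silently mis-read."""
    text = data.decode("utf-8") if isinstance(data, bytes) else data
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, value = line.split("=", 1)   # DNs contain '=', so split once only
        conf[key.strip()] = value.strip()
    return conf


def _check_range(findings, key, value, lo, hi):
    if not re.fullmatch(r"-?\d+", value):
        findings.append(f"{key}: {value!r} is not an integer")
    elif not lo <= int(value) <= hi:
        findings.append(f"{key}: {value} is out of range {lo}..{hi}")


def validate(conf):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    if conf.get("auth.server.type") != "kerberos":
        findings.append("auth.server.type must be kerberos")
    if "auth.kerberos.default_realm" not in conf:
        findings.append("auth.kerberos.default_realm is required")
    for key, (lo, hi) in KERBEROS_RANGES.items():
        if key in conf:
            _check_range(findings, key, conf[key], lo, hi)

    # Assumption: with DNS SRV lookup off, each realm needs an explicit realm and KDC.
    if conf.get("auth.kerberos.dns_lookup_kdc", "false") != "true":
        realms = [r for r in conf.get("auth.kerberos.realm_name", "").split(",") if r]
        if not realms:
            findings.append("auth.kerberos.realm_name is required when dns_lookup_kdc is false")
        for r in realms:
            for attr in ("realm", "kdc"):
                if f"auth.kerberos.{r}.{attr}" not in conf:
                    findings.append(f"auth.kerberos.{r}.{attr} is required for realm {r}")

    if conf.get("auth.group.mapping", "false") == "true":
        pat = re.compile(r"auth\.group\.(.+)\.(" + "|".join(map(re.escape, GROUP_ATTRS)) + r")$")
        realms = sorted({m.group(1) for m in map(pat.match, conf) if m})
        if not realms:
            findings.append("auth.group.mapping=true but no auth.group.<realm_name>.* attributes")
        for r in realms:
            g = {a: conf.get(f"auth.group.{r}.{a}") for a in GROUP_ATTRS}
            for attr in GROUP_REQUIRED:
                if g[attr] is None:
                    findings.append(f"auth.group.{r}.{attr} is required")
            if g["protocol"] is not None and g["protocol"] not in ALLOWED_PROTOCOLS:
                findings.append(f"auth.group.{r}.protocol must be ldaps, not {g['protocol']!r}")
            for attr, (lo, hi) in GROUP_RANGES.items():
                if g[attr] is not None:
                    _check_range(findings, f"auth.group.{r}.{attr}", g[attr], lo, hi)
            # The default port (389) is the plain LDAP port; with ldaps, set it explicitly.
            if g["protocol"] == "ldaps" and g["port"] is None:
                findings.append(f"auth.group.{r}.port not set; default 389 is not the ldaps port")
    return findings
```

Run `validate(parse(open(path, "rb").read()))` before copying the file to the SVP. The page's example passes with no findings; the bad sample yields four: clock skew out of range, missing realm_name with DNS lookup off, an unsupported protocol value, and an LDAP timeout out of range.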