You can use a Kerberos server for authentication on your storage system.
To use a Kerberos server for authentication, create a configuration file in UTF-8 encoding that contains the authentication server information, as shown in the following example. Any file name and extension are allowed. If an authorization server is not used, you do not need to define the items for it.
```
auth.server.type=kerberos
auth.group.mapping=<value>
auth.kerberos.<attribute>=<value>
auth.group.<realm name>.<attribute>=<value>
```
A full example is shown below:
```
auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=example.com
auth.kerberos.dns_lookup_kdc=true
auth.kerberos.clockskew=300
auth.kerberos.timeout=10
auth.group.example.com.protocol=ldaps
auth.group.example.com.port=636
auth.group.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.example.com.searchpw=password
auth.group.example.com.basedn=CN=Users,DC=domain,DC=local
```
The Kerberos attributes are defined in the following table.
Attribute | Description | Required / Optional | Default value
---|---|---|---
auth.server.type | Type of authentication server. Specify kerberos. | Required | None
auth.group.mapping | Whether to work together with an authorization server. Specify true to use one (the auth.group.<realm_name>.* attributes then apply), or false if not. | Optional | false
auth.kerberos.default_realm | Default realm name. | Required | None
auth.kerberos.dns_lookup_kdc | Switch that determines which information registered in the SRV records of the DNS server is used when searching for the Kerberos server. Specify false (searches with the host name and port number). Do not specify true (searches with the information registered in the SRV records of the DNS server). | Optional | false
auth.kerberos.clockskew | Acceptable difference in time between the SVP and the Kerberos server. Must be between 0 and 300 seconds. | Optional (note 1) | 300
auth.kerberos.timeout | Number of seconds before the connection to the Kerberos server times out. Must be between 1 and 30. When 0 is specified, the connection does not time out until a communication error occurs. | Optional (note 1) | 10
auth.kerberos.realm_name | Realm identifier name (referred to as <realm_name>): any name that distinguishes the Kerberos server information of each realm. Duplicate names cannot be used. If you register multiple names, separate them with commas. | Optional (note 2) | None
auth.kerberos.<realm_name>.realm | Realm name set on the Kerberos server. | Optional (note 2) | None
auth.kerberos.<realm_name>.kdc | Host name or IPv4 address, and port number, of the Kerberos server, in the format <Host name or IP address>[:Port number]. | Optional (note 2) | None

Notes:
Attribute | Description | Required / Optional | Default value
---|---|---|---
auth.group.<realm_name>.protocol | LDAP protocol to use. Specify ldaps (uses LDAP over SSL/TLS). Do not specify starttls (uses StartTLS). | Required | None
auth.group.<realm_name>.port | Port number of the LDAP server. Must be between 1 and 65535. | Optional (note 1) | 389
auth.group.<realm_name>.searchdn | DN of the user used for searching. | Required (note 2) | None
auth.group.<realm_name>.searchpw | Password of the user used for searching. Specify the same password that is registered in the LDAP server. | Required | None
auth.group.<realm_name>.basedn | BaseDN at which the search for users begins. Specify the DN of a hierarchy that includes all the users, because the user being searched for is at a lower level than the specified DN. | Optional (note 2) | 
auth.group.<realm_name>.timeout | Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30 seconds. When 0 is specified, the connection does not time out until a communication error occurs. | Optional (note 1) | 10
auth.group.<realm_name>.retry.interval | Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. | Optional (note 1) | 1
auth.group.<realm_name>.retry.times | Number of retries when the connection to the LDAP server fails. Must be between 0 and 3. 0 means no retry. | Optional (note 1) | 3

Notes:
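The two attribute tables above give enough constraints to lint a configuration file before it is loaded on the storage system. The following Python script is an added example written for this page, not vendor code: it parses the key=value file (splitting on the first "=" only, since DN values such as searchdn contain "=" themselves), collects realm names from auth.kerberos.default_realm and auth.kerberos.realm_name, and checks the required attributes, the protocol value, and the numeric ranges from the tables. Realm names such as example.com contain dots, so the auth.group.<realm_name>.* keys are matched by prefix rather than by splitting on ".". The sample configuration is constructed for the example; it mirrors the page's full example but sets an out-of-range clock skew so the linter has something to report. The check_file_mode helper is an assumption about deployment: the file stores searchpw in plaintext, so it flags a file that group or other users can read.

```python
"""Lint a Kerberos/LDAP authentication configuration file of the kind shown on this page.

Added example, not vendor code. Checks the required attributes, the protocol value
and the numeric ranges listed in the page's attribute tables.
"""
from __future__ import annotations

import os
import stat
from typing import Dict, List

# Constructed sample: same shape as the page's full example, but clockskew is
# deliberately out of range (600 > 300) so lint_config() produces a finding.
SAMPLE_CONFIG = """\
auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=example.com
auth.kerberos.dns_lookup_kdc=false
auth.kerberos.clockskew=600
auth.kerberos.timeout=10
auth.group.example.com.protocol=ldaps
auth.group.example.com.port=636
auth.group.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.example.com.searchpw=password
auth.group.example.com.basedn=CN=Users,DC=domain,DC=local
"""

# (minimum, maximum, zero_allowed) per the attribute tables; 0 disables a timeout.
KERBEROS_RANGES = {
    "auth.kerberos.clockskew": (0, 300, True),
    "auth.kerberos.timeout": (1, 30, True),
}
GROUP_RANGES = {
    "port": (1, 65535, False),
    "timeout": (1, 30, True),
    "retry.interval": (1, 5, False),
    "retry.times": (0, 3, True),
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines. Split on the first '=' only: DN values contain '='."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line (no '='): {raw!r}")
        config[key.strip()] = value.strip()
    return config


def _check_range(findings: List[str], key: str, value: str, lo: int, hi: int, zero_ok: bool) -> None:
    try:
        n = int(value)
    except ValueError:
        findings.append(f"{key}: '{value}' is not an integer")
        return
    if n == 0 and zero_ok:
        return
    if not lo <= n <= hi:
        findings.append(f"{key}: {n} outside allowed range {lo}-{hi}")


def lint_config(config: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the file passed."""
    findings: List[str] = []
    if config.get("auth.server.type") != "kerberos":
        findings.append("auth.server.type must be 'kerberos'")
    if "auth.kerberos.default_realm" not in config:
        findings.append("auth.kerberos.default_realm is required")
    for key, (lo, hi, zero_ok) in KERBEROS_RANGES.items():
        if key in config:
            _check_range(findings, key, config[key], lo, hi, zero_ok)
    # Realms that may carry LDAP (auth.group) settings: the default realm plus the
    # comma-separated names in auth.kerberos.realm_name. Realm names may contain
    # dots, so group keys are matched by prefix rather than by splitting on '.'.
    realms = set()
    if "auth.kerberos.default_realm" in config:
        realms.add(config["auth.kerberos.default_realm"])
    realms.update(n.strip() for n in config.get("auth.kerberos.realm_name", "").split(",") if n.strip())
    if config.get("auth.group.mapping", "false") == "true":
        configured = 0
        for realm in sorted(realms):
            prefix = f"auth.group.{realm}."
            group = {k[len(prefix):]: v for k, v in config.items() if k.startswith(prefix)}
            if not group:
                continue
            configured += 1
            if group.get("protocol") != "ldaps":
                findings.append(f"{prefix}protocol must be 'ldaps'")
            for required in ("searchdn", "searchpw"):
                if required not in group:
                    findings.append(f"{prefix}{required} is required")
            for attr, (lo, hi, zero_ok) in GROUP_RANGES.items():
                if attr in group:
                    _check_range(findings, prefix + attr, group[attr], lo, hi, zero_ok)
        if configured == 0:
            findings.append("auth.group.mapping=true but no auth.group.<realm_name>.* settings found")
    return findings


def check_file_mode(path: str) -> List[str]:
    """Assumed deployment check: the file holds searchpw in plaintext, so it should
    not be readable by group or other users."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: readable by group/other but contains a plaintext bind password"]
    return []


if __name__ == "__main__":
    for finding in lint_config(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Running the script on the constructed sample reports only the clock skew finding; point parse_config at a real file and add check_file_mode on its path to cover the file permissions as well. The linter intentionally treats a realm without any auth.group settings as "not configured" rather than as an error, since the page says the authorization-server items can be omitted when no authorization server is used.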