6.3 HP StoreAll Storage File System User Guide (TA768-96093, June 2013)

6 Configuring authentication for SMB, FTP, and HTTP
StoreAll software supports several services for authenticating users accessing shares on StoreAll
file systems:
Active Directory (supported for SMB, FTP, and HTTP)
Active Directory with LDAP ID mapping as a secondary lookup source (supported for SMB)
LDAP (supported for SMB)
Local Users and Groups (supported for SMB, FTP, and HTTP)
Local Users and Groups can be used with Active Directory or LDAP.
NOTE: Active Directory and LDAP cannot be used together.
You can configure authentication from the GUI or CLI. When you configure authentication with
the GUI, the selected authentication services are configured on all servers. The CLI commands
allow you to configure authentication differently on different servers.
Using Active Directory with LDAP ID mapping
When LDAP ID mapping is a secondary lookup method, the system reads SMB client UIDs and
GIDs from LDAP if it cannot locate the needed ID in an AD entry. The name in LDAP must match
the name in AD, ignoring case and any prepended domain prefix.
If the user configuration differs in LDAP and Windows AD, the LDAP ID mapping feature uses the
AD configuration. For example, the following AD configuration specifies that the primary group
for user1 is Domain Users, but in LDAP, the primary group is group1.
AD configuration                 LDAP configuration
user: user1                      uid: user1
primary group: Domain Users      uidNumber: 1010
UNIX uid: not specified          gidNumber: 1001 (group1)
UNIX gid: not specified          cn: Domain Users
                                 gidNumber: 1111
The Linux id command returns the primary group specified in LDAP:
user: user1
primary group: group1 (1001)
LDAP ID mapping uses AD as the primary source for identifying the primary group and all
supplemental groups. If AD does not specify a UNIX GID for a user, LDAP ID mapping looks up
the GID for the primary group assigned in AD. In the example, the primary group assigned in AD
is Domain Users, and LDAP ID mapping looks up the GID of that group in LDAP. The lookup
operation returns:
user: user1
primary group: Domain Users (1111)
AD does not force the supplied primary group to match the supplied UNIX GID.
The supplemental groups assigned in AD do not need to match the members assigned in LDAP.
LDAP ID mapping uses the members list assigned in AD and ignores the members list configured
in LDAP.
IMPORTANT: If the user’s primary group in AD is not resolved to a GID number from either Active
Directory or LDAP, the user will be denied access to StoreAll.
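The lookup order described above (AD first for the primary group and any UNIX IDs, LDAP only to fill in a missing ID, access denied when the GID cannot be resolved), as an added model that is not part of the HP guide or the StoreAll software; the directory entries, attribute layout and helper names are constructed assumptions.

```python
# Added example: model of the AD-primary / LDAP-secondary ID-mapping rules.
# The precedence and name matching follow the text; the data and helpers are assumptions.

class AccessDenied(Exception):
    """Raised when the user's primary group resolves to no GID in AD or LDAP (IMPORTANT note)."""

def normalize(name):
    """Names match across AD and LDAP ignoring case and any prepended domain."""
    return name.split("\\")[-1].lower()      # "CORP\User1" -> "user1"

# Constructed AD entries: unix_uid / unix_gid are the optional RFC 2307 attributes
# (None = "not specified"). AD also decides which group is the primary group.
AD_USERS = {
    "user1": {"primary_group": "Domain Users", "unix_uid": None, "unix_gid": None},
    "user3": {"primary_group": "Contractors",  "unix_uid": None, "unix_gid": None},
}
# Constructed LDAP entries (posixAccount / posixGroup style).
LDAP_USERS = {"user1": {"uidNumber": 1010, "gidNumber": 1001}}   # 1001 = group1
LDAP_GROUPS = [{"cn": "group1", "gidNumber": 1001},
               {"cn": "Domain Users", "gidNumber": 1111}]

def ldap_group_gid(name):
    """Secondary lookup: GID of the group whose cn matches the AD primary-group name."""
    for group in LDAP_GROUPS:
        if normalize(group["cn"]) == normalize(name):
            return group["gidNumber"]
    return None

def resolve_ids(username):
    """Return (uid, primary group name, gid) for an SMB user: AD first, LDAP as fallback."""
    ad = AD_USERS.get(normalize(username))
    if ad is None:
        raise AccessDenied(f"{username}: no AD entry")
    ldap_user = LDAP_USERS.get(normalize(username), {})
    uid = ad["unix_uid"] if ad["unix_uid"] is not None else ldap_user.get("uidNumber")
    group = ad["primary_group"]                  # AD's choice wins over LDAP's gidNumber
    gid = ad["unix_gid"] if ad["unix_gid"] is not None else ldap_group_gid(group)
    if gid is None:                               # unresolved GID => user is denied access
        raise AccessDenied(f"{username}: primary group {group!r} has no GID in AD or LDAP")
    return uid, group, gid

def access_allowed(username):
    """True when the user's IDs resolve, False when the mapping would deny access."""
    try:
        resolve_ids(username)
        return True
    except AccessDenied:
        return False
```

Note that LDAP's own gidNumber for user1 (1001, group1) is ignored: the mapped result is Domain Users (1111), as in the guide's example.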