Gateway Auth Integrations

Enabling and Configuring LDAP

LDAP is a protocol used for communication with directory services such as Active Directory. To enable LDAP and configure it for your SwiftStack Gateway, go to the Manage Gateway page and click on the LDAP tab. Check the Ldap Enabled box and new options will appear.

To configure LDAP provide the following information:

Ldap server list:
Enter the IP address of the LDAP server. If there is more than one LDAP server IP address, separate them with commas.
Ldap server port:
The standard LDAP port is 389. If your organization uses a non-standard port number to connect to your LDAP servers, please replace the default with the correct number.
Ldap version:
The default LDAP protocol version is 3. If you wish to use version 2, you can select it instead.
Ldap base dn:
Enter the base Distinguished Name (DN) under which LDAP user searches start.
  • Example: dc=example,dc=com
Ldap bind dn:
The bind DN is the user on the LDAP server permitted to search the LDAP directory.
  • Example: cn=admin1,ou=Users,dc=example,dc=com
Ldap bind password:
Enter the password for the bind DN (LDAP user).
Ldap scope:

This field sets how far below the base DN the search for a user extends. Three scope levels can be selected from the drop-down menu:

  • subtree: Search all entries at or below the base DN in the LDAP tree.
  • one-level: Search all entries exactly one level below the base DN, not including the base DN itself.
  • base: Search only the base DN entry itself.
Ldap timeout:
The default is 5. This timeout is the number of seconds allowed for the user search performed when an LDAP user attempts to connect to the gateway.
Ldap bind timeout:
The default is 5 seconds. This timeout applies to attempts to bind to an LDAP server.
Ldap referrals:
This option is deprecated and will be removed in a future release.
Ldap group lookups:
Check this box if your LDAP directory is structured to support group permissions. When using group lookups, only LDAP users who are a member of the defined group may access Swift.

Once LDAP is enabled and configured, click the Submit button. After you deploy this new configuration, users will be able to connect to your Gateway using LDAP authentication.
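As an added example (not SwiftStack's own tooling), the following POSIX shell script checks the values you are about to enter on the LDAP tab with the OpenLDAP ldapsearch client, using the same server list, bind DN, base DN, scope and timeouts the form asks for. The LDAP_* variable names, the password file path and the user attribute (uid) are assumptions.

```shell
#!/bin/sh
# Added example, not SwiftStack tooling: test the values you are about to enter on the
# LDAP tab with the OpenLDAP ldapsearch client (ldap-utils / openldap-clients), so a
# wrong bind DN, base DN or scope fails here instead of as failed gateway logins.

# Gateway scope names (drop-down) -> ldapsearch -s values.
ldap_scope_flag() {
    case "$1" in
        subtree)   echo sub ;;
        one-level) echo one ;;
        base)      echo base ;;
        *)         echo "unknown scope: $1" >&2; return 1 ;;
    esac
}

# "Ldap server list" is comma-separated; ldapsearch -H takes space-separated URIs.
# ldap_uri_list "10.0.0.1, 10.0.0.2" 389 -> "ldap://10.0.0.1:389 ldap://10.0.0.2:389"
ldap_uri_list() {
    port=$2; uris=""; old_ifs=$IFS; IFS=,
    for host in $1; do
        host=$(printf '%s' "$host" | tr -d ' ')
        [ -n "$host" ] && uris="${uris:+$uris }ldap://$host:$port"
    done
    IFS=$old_ifs
    printf '%s' "$uris"
}

# Run the search the gateway makes at login: simple bind as the bind DN, then look up
# one user under the base DN with the configured scope and time limits. The bind
# password comes from a file (-y) rather than the command line, so it does not show
# in `ps` or shell history. Set LDAP_SERVERS, LDAP_BASE_DN, LDAP_BIND_DN, LDAP_PW_FILE
# and LDAP_SCOPE before calling; the others default to the form's defaults.
# LDAP_USER_ATTR is an assumption: uid for POSIX directories, sAMAccountName for AD.
ldap_check() {
    scope=$(ldap_scope_flag "$LDAP_SCOPE") || return 1
    ldapsearch -x -P "${LDAP_VERSION:-3}" \
        -H "$(ldap_uri_list "$LDAP_SERVERS" "${LDAP_PORT:-389}")" \
        -D "$LDAP_BIND_DN" -y "$LDAP_PW_FILE" -b "$LDAP_BASE_DN" -s "$scope" \
        -l "${LDAP_TIMEOUT:-5}" -o "nettimeout=${LDAP_BIND_TIMEOUT:-5}" \
        "(${LDAP_USER_ATTR:-uid}=$1)" dn
}

# Usage: LDAP_SERVERS=10.0.0.1,10.0.0.2 LDAP_BASE_DN=dc=example,dc=com \
#   LDAP_BIND_DN=cn=admin1,ou=Users,dc=example,dc=com LDAP_PW_FILE=/root/bindpw \
#   LDAP_SCOPE=subtree ./ldap_precheck.sh jdoe
if [ $# -eq 1 ]; then ldap_check "$1"; fi
```

A search that returns the user's dn confirms the bind credentials, base DN and scope together; a "No such object" or empty result usually points at the base DN or scope, a bind error at the bind DN or password.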

Active Directory

To enable Active Directory (AD) authentication to your Gateway, go to the “Manage Gateway” page and click on the CIFS tab on the left menu. Then check the “AD enabled” box, and more AD related options will appear.

Cifs realm:
Provide the AD realm (the location of the user names) to authenticate against; often this is your organization's domain name (e.g., corp.example.com).
Kerberos admin server:
Provide the FQDN of the Kerberos admin server; often this is the AD domain controller (e.g., pdc.corp.example.com).
Cifs browser announce:
This field takes the IP address, or subnet, of the AD Master Browser. It is required for the configured shares to appear when browsing.
Cifs id mapping:

This section controls how Windows SIDs are mapped to Unix UIDs and GIDs. Choose one of the three supported strategies below:

  • id_mgmt: The gateway uses the UID and GID stored in AD by a properly configured Identity Management for Unix.
  • ldap: The gateway will use a designated LDAP server for id mapping.
  • rid: This strategy will automatically create Unix UID and GID identifiers for users in your AD Domain. The gateway will then identify who owns files and who has access rights using those identifiers.
Cifs id schema:
This required field appears when “id_mgmt” is selected for Cifs id mapping. The options are rfc2307 and sfu: rfc2307 is the schema used by AD on Windows Server 2008 and later; sfu is available for legacy support of the Windows Server 2003 schema.
Cifs id range min:
The lowest UID or GID value (often 500) used by your organization for AD.
Cifs id range max:
Set this to a reasonably high number, greater than the largest UID or GID value planned for your organization (e.g., 3000000).

Once AD is enabled and configured, click the Submit button. After you deploy this new configuration, you will need to have the Gateway join the AD domain. Once you do that, users will be able to connect to your Gateway using AD authentication.

Joining Your Gateway To AD

After you have deployed a configuration with AD enabled to your Gateway, you need to run a command on that Gateway to join it to AD. Connect to your Gateway with ssh, and run the following command with root permissions:

ad_join -d $ADMIN_USERNAME -r $DC_SERVER

Or, if you prefer to supply the password on the command line instead of typing it interactively, you can use

ad_join -d $ADMIN_USERNAME -r $DC_SERVER -p $PASSWORD

Variables:

  • $ADMIN_USERNAME is the username of your Active Directory Administrator
  • $DC_SERVER is the (fully qualified) hostname or IP of your Active Directory Domain Controller.

Note

You must specify the hostname or IP of an actual Domain Controller, not a DNS alias.

  • $PASSWORD is the Active Directory Administrator's password. If you do not specify this option, you will be asked to enter it interactively.
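An added pre-flight script for the join step (not part of the product): it applies the note above by refusing a DNS alias for $DC_SERVER and confirming the host is advertised as a domain controller for the realm before calling ad_join. The dig dependency, the REALM variable and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not SwiftStack tooling: check $DC_SERVER before running ad_join.
# The note above requires a real domain controller, not a DNS alias, so this refuses
# CNAMEs and confirms the host is advertised as a DC for the realm. Needs `dig`
# (dnsutils / bind-utils) on the gateway; REALM is the "Cifs realm" value.

# 0 if $1 is a plain hostname or IP address, 1 if it is a CNAME alias.
not_a_cname() {
    target=$(dig +short CNAME "$1" 2>/dev/null)
    if [ -n "$target" ]; then
        echo "$1 is a DNS alias for $target; use the domain controller's own name" >&2
        return 1
    fi
    return 0
}

# 0 if $1 (hostname or IP) is one of the DCs in the realm's SRV records,
# _ldap._tcp.dc._msdcs.<realm>; answers look like "0 100 389 pdc.corp.example.com."
advertised_as_dc() {
    host=$1
    dig +short SRV "_ldap._tcp.dc._msdcs.$2" 2>/dev/null |
        awk '{ sub(/\.$/, "", $4); print $4 }' | {
        while read -r dc; do
            [ "$dc" = "$host" ] && exit 0
            # $host may be an IP: compare against the DC's A record instead.
            dig +short A "$dc" 2>/dev/null | grep -qxF "$host" && exit 0
        done
        echo "$host is not listed as a domain controller for $2" >&2
        exit 1
    }
}

check_dc_server() {
    not_a_cname "$1" && advertised_as_dc "$1" "$2"
}

# Usage: ADMIN_USERNAME=Administrator DC_SERVER=pdc.corp.example.com \
#   REALM=corp.example.com ./ad_precheck.sh
if [ -n "${DC_SERVER:-}" ] && [ -n "${REALM:-}" ]; then
    check_dc_server "$DC_SERVER" "$REALM" || exit 1
    # No -p: ad_join prompts for the password, keeping it out of `ps` and history.
    ad_join -d "$ADMIN_USERNAME" -r "$DC_SERVER"
fi
```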

Next Step

Proceed to Accessing your Gateway.