IDSYS documents are JSON-formatted objects and are specific to the back-end identity management system: Active Directory, LDAP, and Linux PAM.
...
| Code Block | ||
|---|---|---|
| ||
{"ldap": {
"name": "idsys-ad",
"description": "Active Directory example configuration",
"protocol" : "ldaps",
"ldaphost": "ad.mycompany.com",
"ldapport": "636",
"adminDN": "cn=BINDUSER,ou=Applications,dc=mycompany,dc=com",
"adminPassword": "BINDPASSWORD",
"userBase": "ou=Users,dc=mycompany,dc=com",
"groupBase": "ou=Groups,dc=mycompany,dc=com",
"uidAttribute":"sAMAccountName",
"userFilter":"objectclass=*",
"groupMemberDNAttr": "member",
"cookieName": "token",
"tokenPath": "/.TOKEN/",
"tokenAdmin" : "caringoadmin@"
} } |
LDAP and AD Fields
These are the fields within the IDSYS document specific to the LDAP or Active Directory back-end identity management system.
...
There are no fields within the IDSYS document specific to the PAM back-end identity management system. Follow this process to implement identity management if using PAM:
Because the
rootuser (uid=0) on this Content Gateway server cannot be used to authenticate to the Gateway, create another user (such assuperuser@admindomain.example.com) on this server for this purpose.Copy and paste this example into the IDSYS document:
/etc/caringo/cloudscaler/idsys.json.Code Block language xml {"pam": { "name" : "idsys-pam", "description": "PAM identity management configuration", "cookieName": "token", "tokenPath": "/.TOKEN/", "tokenAdmin": "superuser@admindomain.example.com" } }Update the
tokenAdminto match the authentication user.
Modifying IDSYS
The root IDSYS configuration is stored in the idsys.json file on the Gateway server's disk so it is always available and an administrator can always modify it. This prevents locking oneself out of the storage cluster. Changes to the local file take effect without the need to restart the Gateway.
...
The IDSYS inheritance also works at the field level. Tenant and storage domain IDSYS documents can choose to override specific fields. The value is inherited by the tenant and domain levels if tokenAdmin is defined in the Root IDSYS and not in the tenant or domain IDSYS. The Root IDSYS may define the LDAP adminDN and adminPassword and allows the tenant and domain IDSYS documents to override the userBase and groupBase values.
Single Company
In this scenario, the company has one identity management system, there is one tenant per business unit, and each business unit has one or more storage domains. This scenario is likely with a private cloud serving a single company. The configuration in this scenario is the Root IDSYS defining the configuration of the identity management system and there are no IDSYS definitions for the tenants and storage domains. Therefore, the tenants and storage domains inherit from the Root IDSYS using a single source of users and groups.
Service Provider / Distributed Company
In this scenario, a storage MSP, or a large company with business units each with separate identity management systems and multiple user/group sources. The configuration in this scenario is the Root IDSYS defining the cluster administrator users and groups and the Tenant IDSYS documents defining the users and groups for each client or business unit. The storage domains do not define an IDSYS so they inherit the definition from the tenant and share the users and groups with the other storage domains owned by the tenant.
Service Provider with Resellers
This is an extension of the previous scenario except each tenant can be a reseller offering storage domains to separate, unrelated companies. In this case, each storage domain defined an IDSYS that overrides the Tenant IDSYS allowing a different set of users and groups for each storage domain. This scenario is not mutually exclusive with the previous one: a hybrid of the two is possible where some domains override the IDSYS of the tenant, and others do not.
...
It may be required to fully qualify the user and group principal names to verify correct policy resolution. In access control policies and x-owner-meta headers, a "fully qualified" principal has a tenant name or storage domain appended directly to the name:
user | non-qualified | Principal from the same IDSYS scope as the content |
|---|---|---|
user@domain | fully qualified | Principal from a specific storage domain's IDSYS scope |
user+tenant | fully qualified | Principal from a specific tenant's IDSYS scope |
user@ | fully qualified | Principal from root scope |
...