Identity and Access Control
You can use Identity and Access Control to configure the following:
idmapd configuration
The idmapd.conf configuration file consists of several sections, each introduced by a header of the form [General] or [Mapping]. Each section may contain lines of the form.
Parameter | Definition |
---|---|
Pipefs directory | LDAP server directory. |
domain name | The local NFSv4 domain name. An NFSv4 domain is a namespace with a unique username-to-UID and groupname-to-GID mapping. (Default: the host's fully-qualified DNS domain name) |
Nobody user | Local user name to be used when a mapping cannot be completed. |
Nobody group | Local group name to be used when a mapping cannot be completed. |
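As an added example (not code from the page or from SoftNAS), the following Python parses an idmapd.conf-style file into its [General] and [Mapping] sections and checks the settings from the table above. The sample file is constructed for this example; the key names it uses (Pipefs-Directory, Domain, Nobody-User, Nobody-Group) are the spellings nfs-utils idmapd expects, and the `expected_domain` check reflects a common failure mode: when the NFSv4 domain on client and server differ, every identity maps to the Nobody user.

```python
import configparser

# Constructed sample idmapd.conf in the [General] / [Mapping] layout the page describes.
# Key names are the ones nfs-utils idmapd uses; the values are made up for this example.
SAMPLE_IDMAPD_CONF = """\
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = example.internal

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
"""

# Keys that must be present for the fallback mapping to work.
# Domain is optional: idmapd defaults it to the host's DNS domain.
REQUIRED_KEYS = {"Mapping": ("Nobody-User", "Nobody-Group")}


def parse_idmapd_conf(text):
    """Parse idmapd.conf-style text ("Key = Value" lines under [Section] headers)
    into a {section: {key: value}} dictionary, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "Nobody-User" rather than "nobody-user"
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_idmapd_conf(conf, expected_domain=None):
    """Return a list of problems found in a parsed idmapd configuration:
    - missing [Mapping] section or Nobody-User / Nobody-Group keys
    - a Domain that is not a fully-qualified DNS domain name
    - a Domain that differs from expected_domain (the NFSv4 domain the peer
      uses); a mismatch makes every identity fall back to the Nobody user
    """
    problems = []
    for section, keys in REQUIRED_KEYS.items():
        if section not in conf:
            problems.append(f"missing section [{section}]")
            continue
        for key in keys:
            if key not in conf[section]:
                problems.append(f"[{section}] is missing {key}")
    domain = conf.get("General", {}).get("Domain")
    if domain is not None and "." not in domain:
        problems.append(f"Domain {domain!r} is not a fully-qualified DNS domain name")
    if expected_domain is not None and domain is not None \
            and domain.lower() != expected_domain.lower():
        problems.append(f"Domain {domain!r} does not match peer domain {expected_domain!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_idmapd_conf(SAMPLE_IDMAPD_CONF)
    print(parsed)
    print(check_idmapd_conf(parsed, expected_domain="example.internal"))
```

Run it against the real file with `parse_idmapd_conf(open("/etc/idmapd.conf").read())` and pass the domain configured on the NFS peer as `expected_domain`; an empty list means the sections, fallback names and domain are consistent.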
LDAP Server
The LDAP Server panel lets you configure the fields of the OpenLDAP server configuration.
Buurst's SoftNAS provides NFSv4 Kerberos and LDAP support, which enables multi-user security access rights to files and directories managed by the SoftNAS filer.
OpenLDAP Server Configuration
LDAP Server configuration allows the establishment of a connection between OpenLDAP and domain users.
Parameter | Description |
---|---|
Root DN for LDAP database | The domain of the local domain controller that hosts the users. |
Administration login DN | By default, Active Directory does not allow anonymous LDAP connections. To change this, enter the DN of a user that is allowed to connect to the server and read all user and group data. Unless a special user account has already been created for this purpose, an easy choice is to use the built-in administrator account. By default, the administrator DN is of the form cn=Administrator,dc=<Local Domain>. |
Administration password | Existing Administration password. |
New administration password | Create a new password for OpenLDAP directory management. |
Indexes to cache | Number of indexes to cache to improve performance tuning for user lookups. |
Database entries to cache | Number of database entries to cache to improve performance tuning for user lookups. |
Access control options | Setting which determines access control setting between SoftNAS and the LDAP server. |
Maximum number of search results | Max. number of search results for user lookups. |
Maximum time for searches | Max. amount of time for user lookup searches. |
Encryption Options
The Encryption Options panel generates an SSL certificate: it creates a self-signed certificate for the LDAP server.
LDAP Access Control
This is where you grant different access permissions on a per-object basis.
Manage LDAP Schema
The LDAP schema determines which object classes and attributes can be stored in the LDAP database. This page allows administrators to decide which schema types are supported by the server - but be careful de-selecting any entries that are used by existing objects.
Create Tree
This page provides a convenient way to create a DN that will be the base of a new tree in the database. It can also create an example user or email alias under the tree as an object template.
Parameter | Description |
---|---|
Name for new DN | Name of the new Domain name to be created. |
Create example object under new DN? | Setting which determines whether an example object is created under the newly created tree. |
LDAP Client
The LDAP Client panel lets you configure the required fields of the LDAP client configuration.
SoftNAS provides NFSv4 Kerberos and LDAP support, which enables multi-user security access rights to files and directories managed by the SoftNAS deployment.
LDAP Server Configuration
- Enter the IP address of the LDAP server the client should connect to.
- Specify a port number for LDAP traffic.
- Specify a protocol for your LDAP traffic.
- Specify the desired protocol version, or set to default.
- Configure a connection time limit - either set to default, or enter a number (in seconds).
- Add a login for non-root users (or allow anonymous user access).
- Provide the password for your non-root user.
- Add a login for the root user.
- Provide the password for your root user.
- Select whether to use an encrypted connection.
- Verify LDAP SSL Certificate.
- Browse to and select the CA Certificate File, if there is one.
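The client fields listed above decide whether bind credentials and directory data are protected in transit. As an added example (not SoftNAS code; the field names and the sample values are this example's own), the Python below models one setting per list item and reviews it, reporting a weak configuration next to a hardened one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LdapClientSettings:
    """One attribute per field in the LDAP client list above (names are assumed)."""
    server: str
    port: int = 389
    protocol: str = "ldap"                  # "ldap" or "ldaps"
    version: int = 3                        # LDAP protocol version
    timeout_seconds: Optional[int] = None   # None = product default
    bind_dn: Optional[str] = None           # None = anonymous access
    bind_password: Optional[str] = None
    encrypted: bool = False                 # TLS on the connection (ldaps or STARTTLS)
    verify_certificate: bool = True
    ca_cert_file: Optional[str] = None


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 or the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def ldap_uri(s: LdapClientSettings) -> str:
    return f"{s.protocol}://{s.server}:{s.port}"


def review_settings(s: LdapClientSettings) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for settings that weaken the client."""
    findings = []
    uses_tls = s.encrypted or s.protocol == "ldaps"
    if s.version < 3:
        findings.append(("high", "LDAP protocol version below 3 is obsolete and has no STARTTLS"))
    if not uses_tls and not is_loopback(s.server):
        findings.append(("high", f"{ldap_uri(s)}: bind passwords and directory data "
                                 "cross the network unencrypted"))
    if uses_tls and not s.verify_certificate:
        findings.append(("high", "certificate verification is off: any server certificate is accepted"))
    if uses_tls and s.verify_certificate and not s.ca_cert_file:
        findings.append(("info", "no CA certificate file: verification relies on the system trust store"))
    if s.bind_dn is None:
        findings.append(("info", "anonymous access: the directory must allow anonymous reads "
                                 "of user and group data"))
    elif not s.bind_password:
        findings.append(("high", f"bind DN {s.bind_dn} has no password: servers treat this "
                                 "as an unauthenticated bind"))
    if s.protocol == "ldaps" and s.port == 389:
        findings.append(("info", "ldaps on port 389: the standard LDAPS port is 636"))
    return findings


def high_findings(s: LdapClientSettings) -> List[str]:
    return [msg for sev, msg in review_settings(s) if sev == "high"]


# Constructed sample settings: the same directory, weak versus hardened client.
READER_DN = "cn=ldap-reader,dc=example,dc=internal"
WEAK = LdapClientSettings(server="10.0.0.5", bind_dn=READER_DN,
                          bind_password="example-password")
HARDENED = LdapClientSettings(server="10.0.0.5", port=636, protocol="ldaps",
                              bind_dn=READER_DN, bind_password="example-password",
                              encrypted=True, verify_certificate=True,
                              ca_cert_file="/etc/ssl/certs/corp-ca.pem")

if __name__ == "__main__":
    for name, settings in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, ldap_uri(settings), review_settings(settings))
```

The two sample objects differ only in the encryption and certificate fields; the weak one produces one high-severity finding (credentials in clear text to a remote server) and the hardened one none.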
LDAP Search Bases
In this section you can set the Base DN (Domain Name) for every service you want to discover LDAP records for. Enter the Base Domain Name for each service you wish to add.
Users can define the search depth within the search base.
- If Default is selected, the entire sub-tree is searched, meaning the search drills down through each group or organization and searches within them.
- A one-level search goes through any groups found directly within the search base, but does not descend into sub-groups within those groups.
- A base-only search does not search any groups within the search base.
Users can also set a search filter, to filter records by an LDAP attribute or attribute's value.
Authentication Options
- Additional LDAP filter to help find users in the LDAP directory.
- Attribute name to extract the username from.
- LDAP group DN to force membership for every LDAP user.
- Attribute name of the LDAP group to discover members of this group.
- Password storage method.
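The search-base and authentication options above combine into a single lookup: a base DN, a scope, an attribute filter, and a group whose member attribute lists the users. As an added example (not SoftNAS code; the directory entries are constructed), the Python below implements the standard LDAP scope semantics over an in-memory tree, so you can see exactly which entries each scope returns before pointing the product at a real server: base returns only the base entry, one level returns its immediate children, and sub returns the base and everything beneath it. The DN splitting assumes no escaped commas, which holds for the sample data.

```python
# Constructed in-memory directory: DN -> attributes. Entries and values are made up.
DIRECTORY = {
    "dc=example,dc=internal": {"objectClass": ["dcObject", "organization"]},
    "ou=People,dc=example,dc=internal": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=People,dc=example,dc=internal":
        {"objectClass": ["posixAccount"], "uid": ["alice"], "uidNumber": ["10001"]},
    "uid=bob,ou=People,dc=example,dc=internal":
        {"objectClass": ["posixAccount"], "uid": ["bob"], "uidNumber": ["10002"]},
    "ou=Contractors,ou=People,dc=example,dc=internal": {"objectClass": ["organizationalUnit"]},
    "uid=carol,ou=Contractors,ou=People,dc=example,dc=internal":
        {"objectClass": ["posixAccount"], "uid": ["carol"], "uidNumber": ["10003"]},
    "ou=Groups,dc=example,dc=internal": {"objectClass": ["organizationalUnit"]},
    "cn=nfs-users,ou=Groups,dc=example,dc=internal":
        {"objectClass": ["posixGroup"], "memberUid": ["alice", "carol"]},
}

SCOPES = ("base", "one", "sub")


def dn_components(dn):
    """Split a DN into its RDNs, most specific first, lower-cased for comparison.
    Assumes no escaped commas (true for the sample data above)."""
    return [part.strip().lower() for part in dn.split(",")]


def search(directory, base_dn, scope="sub", attr=None, value=None):
    """Return the sorted DNs under base_dn that the given scope would return,
    optionally keeping only entries whose attr contains value (an equality filter)."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}")
    base = dn_components(base_dn)
    hits = []
    for dn, attrs in directory.items():
        comps = dn_components(dn)
        if len(comps) < len(base) or comps[-len(base):] != base:
            continue  # not the base entry and not beneath it
        depth = len(comps) - len(base)  # 0 = the base entry itself
        if scope == "base" and depth != 0:
            continue
        if scope == "one" and depth != 1:
            continue
        if attr is not None and value not in attrs.get(attr, []):
            continue
        hits.append(dn)
    return sorted(hits)


def group_members(directory, group_dn, member_attr="memberUid"):
    """Members of group_dn read from the configured member attribute
    (the 'attribute name of the LDAP group' option above)."""
    return list(directory.get(group_dn, {}).get(member_attr, []))


def users_in_group(directory, base_dn, group_dn, username_attr="uid",
                   member_attr="memberUid", scope="sub"):
    """Users found under base_dn whose username attribute appears in the group:
    the lookup the 'force membership' option implies."""
    members = set(group_members(directory, group_dn, member_attr))
    return [dn for dn in search(directory, base_dn, scope, "objectClass", "posixAccount")
            if any(v in members for v in directory[dn].get(username_attr, []))]


if __name__ == "__main__":
    people = "ou=People,dc=example,dc=internal"
    for scope in SCOPES:
        print(scope, search(DIRECTORY, people, scope))
    print(users_in_group(DIRECTORY, people, "cn=nfs-users,ou=Groups,dc=example,dc=internal"))
```

Note that carol, who sits one level deeper under ou=Contractors, is found by the default sub-tree scope but not by a one-level search from ou=People; if contractor accounts must be able to log in, the search base or scope has to account for that.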
Services Using LDAP
In this section you choose which services will look up records in the LDAP directory.
LDAP Browser
Until a connection to the LDAP server has been configured, the LDAP browser cannot connect (shown in the first screenshot).
Once connected, the child objects and their attributes are displayed (shown in the second screenshot).
Configuring Kerberos
Kerberos lets parties communicating over a non-secure network prove their identity to one another in a secure manner. Configure Kerberos from SoftNAS.
Configuring Kerberos Panel
Set the path to the Kerberos configuration file in the Kerberos module configuration.
- Click the Module Config link. The Configuration for Kerberos5 Module page is displayed.
- Enter the path for the Kerberos5 configuration file in the text entry box.
- Click the Save button.
The Kerberos module will be configured.