File Access and Protocols Feature Guide 13

OceanStor 18500 V3 and 18800 V3 Mission Critical Storage System V300R003

This document describes the implementation principles and application scenarios of the NAS feature. Also, it explains how to configure and manage NAS.
(Optional) Configuring a Storage System to Add It to a Domain

This section describes how to add the storage system to a domain such as an LDAP or NIS domain.

(Optional) Configuring a Storage System to Add It to an LDAP Domain

This section describes how to add the storage system to an LDAP domain.

Configuration Process

This section introduces the process of configuring an LDAP user or user group.

Figure 2-4 shows the process of configuring the LDAP domain authentication.
Figure 2-4  Process of configuring a storage system to add it to an LDAP domain

Preparing Configuration Data of the LDAP Domain

Collect the configuration data of an LDAP domain server in advance to add storage systems to the LDAP domain.

LDAP Domain Parameters

LDAP data is organized in a tree structure that clearly lays out organizational information. A node in this tree is called an entry. Each entry has a distinguished name (DN). The DN of an entry is composed of a Base DN and a relative distinguished name (RDN). The Base DN is the position of the parent node under which the entry resides in the tree, and the RDN is an attribute that distinguishes the entry from its siblings, such as UID or CN.

LDAP directories are analogous to file system directories. For example, the directory dc=redmond,dc=wa,dc=microsoft,dc=com can be regarded as the file system path com\microsoft\wa\redmond. In another example, in the directory cn=user1,ou=user,dc=example,dc=com, cn=user1 is a user name and ou=user is an organizational unit of an Active Directory (AD); that is, user1 is in the user organizational unit of the example.com domain.

The following figure shows the data structure of an LDAP server:

Table 2-7 describes the meanings of the LDAP entry acronyms.
Table 2-7  Meanings of LDAP entry acronyms
  • o: Organization
  • ou: Organization Unit
  • c: Country Name
  • dc: Domain Component
  • sn: Surname
  • cn: Common Name

What Is OpenLDAP?

OpenLDAP is a free and open-source implementation of LDAP that is widely used in popular Linux distributions. OpenLDAP requires licenses.

OpenLDAP mainly consists of the following four components:
  • slapd: a stand-alone LDAP daemon
  • slurpd: a stand-alone LDAP update and replication daemon
  • A library implementing the LDAP protocol
  • Tools and sample clients
The OpenLDAP installation package for Windows can be downloaded from the Userbooster website: http://www.userbooster.de/en/download/openldap-for-windows.aspx.
NOTE:
The OpenLDAP installation package is not provided on the OpenLDAP website. The installation package supports the following Windows operating systems: Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, Windows 7, Windows 8, and Windows Server 2012.
Obtaining LDAP Configuration Data in Windows
Using OpenLDAP as an example, the following steps describe how to obtain LDAP configuration data.
NOTE:

For V300R003, on Windows operating systems the LDAP configuration data can be obtained only by installing OpenLDAP; the LDAP service provided by an AD domain is not supported.

  1. Open the OpenLDAP installation directory.
  2. Find the slapd.conf system configuration file.
  3. Use a text editor to open the configuration file and search for the following fields:
    suffix   "dc=example,dc=com"
    rootdn   "cn=Manager,dc=example,dc=com"
    rootpw   XXXXXXXXXXXX
    
    • dc=example,dc=com corresponds to Base DN on the storage system configuration page.
    • cn=Manager,dc=example,dc=com corresponds to Bind DN on the storage system configuration page.
    • XXXXXXXXXXXX corresponds to Bind Password on the storage system configuration page. If the password is stored as ciphertext (a hash), contact the LDAP server administrator to obtain the password.
  4. Find the configuration files (with .ldif as the file name extension) of the users and user groups that need to access the storage system.
    NOTE:

    LDAP Data Interchange Format (LDIF) is one of the most common file formats for LDAP applications. It is a standard, text-based representation of directory content that lets users import data into and export data from a directory server. LDIF files store LDAP configurations and directory contents, so the parameters you need can be read from them.

  5. Use a text editor to open the configuration file and find the DNs of a user and a user group; they correspond to User Directory and Group Directory respectively on the storage system configuration page.
    # root at the top of the tree
    dn: dc=example,dc=com
    dc: example
    objectClass: domain
    objectClass: top
    # First organizational unit, named user
    dn: ou=user,dc=example,dc=com
    ou: user
    objectClass: organizationalUnit
    objectClass: top
    # Second organizational unit, named group (the ou attribute must match the RDN in the dn)
    dn: ou=group,dc=example,dc=com
    ou: group
    objectClass: organizationalUnit
    objectClass: top
    # The first user, user1, belongs to organizational unit user in the organizational structure topology.
    dn: cn=user1,ou=user,dc=example,dc=com
    cn: user1
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    sn: user1
    uid: user1
    uidNumber: 2882
    gidNumber: 888
    homeDirectory: /export/home/ldapuser
    loginShell: /bin/bash
    userPassword: {ssha}eoWxtWNl8YbqsulnwFwKMw90Cx5BSU9DRA==xxxxxx
    # The second user, user2, belongs to organizational unit user in the organizational structure topology.
    dn: cn=user2,ou=user,dc=example,dc=com
    cn: user2
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    sn: client
    uid: user2
    uidNumber: 2883
    gidNumber: 888
    homeDirectory: /export/home/client
    loginShell: /bin/bash
    userPassword: {ssha}eoWxtWNl8YbqsulnwFwKMw90Cx5BSU9DRA==xxxxxx
    # The first user group, group1, belongs to organizational unit group in the organizational structure topology.
    # The group contains user1 and user2; each memberUid value must equal the uid attribute of a member entry.
    dn: cn=group1,ou=group,dc=example,dc=com
    cn: group1
    gidNumber: 888
    memberUid: user1
    memberUid: user2
    objectClass: posixGroup
    
    
Obtaining LDAP Configuration Data in Linux

Using OpenLDAP as an example, the following steps describe how to obtain LDAP configuration data.

  1. Log in to an LDAP server as user root.
  2. Run the cd /etc/openldap command to go to the /etc/openldap directory.
    linux-ldap:~ # cd /etc/openldap
    linux-ldap:/etc/openldap #
  3. Run the ls command to list the system configuration file slapd.conf and the configuration file (with .ldif as the file name extension) of the users and user groups that need to access the storage system.
    linux-ldap:/etc/openldap #ls
    example.ldif ldap.conf schema slap.conf slap.con slapd.conf
  4. Run the cat command to open system configuration file slapd.conf where you can view related parameters.
    linux-ldap:/etc/openldap #cat slapd.conf
    
    suffix   "dc=example,dc=com"
    rootdn  "cn=Manager,dc=example,dc=com"
    
    rootpw    XXXXXXXXXXXX
    
    • dc=example,dc=com corresponds to Base DN on the storage system configuration page.
    • cn=Manager,dc=example,dc=com corresponds to Bind DN on the storage system configuration page.
    • XXXXXXXXXXXX corresponds to Bind Password on the storage system configuration page. If the password is in cipher text, contact LDAP server administrators to obtain the password.
  5. Run the cat command to open the example.ldif file. Find the DNs of a user and a user group; they correspond to User Directory and Group Directory respectively on the storage system configuration page. For a description of the parameters, see Example of LDIF Files in Windows.
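The following script, added here as an example and not part of the Huawei document, automates what the Windows and Linux procedures above do by hand: it reads the suffix, rootdn and rootpw fields from slapd.conf and the posixAccount and posixGroup entries from an LDIF export, and derives the Base DN, Bind DN, User Directory and Group Directory values for the storage system configuration page. SLAPD_CONF and EXAMPLE_LDIF are constructed samples mirroring the document's entries; a hashed rootpw is reported as unavailable, matching the note that a ciphertext password must be obtained from the LDAP administrator.

```python
"""Derive the DeviceManager LDAP fields from an OpenLDAP slapd.conf and an LDIF export.
Added example, not part of the Huawei document; the two samples below are constructed."""
import re

SLAPD_CONF = '''suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"
rootpw   {SSHA}HASHEDVALUEPLACEHOLDER
'''
EXAMPLE_LDIF = '''dn: ou=user,dc=example,dc=com
ou: user
objectClass: organizationalUnit

dn: cn=user1,ou=user,dc=example,dc=com
cn: user1
objectClass: posixAccount

dn: cn=group1,ou=group,dc=example,dc=com
cn: group1
objectClass: posixGroup
'''

def split_dn(dn):
    """Split a DN into RDNs; a backslash-escaped comma (RFC 4514) is not a separator."""
    return [r.strip() for r in re.split(r'(?<!\\),', dn)]

def parent_dn(dn):
    """Base DN of an entry: its DN without the leading RDN."""
    return ','.join(split_dn(dn)[1:])

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; '#' comments skipped, folded lines joined."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if line.startswith(' ') and last:            # continuation of the previous value
            cur[last][-1] += line[1:]
        elif not line.strip():                       # a blank line ends the entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not line.startswith('#'):
            attr, _, value = line.partition(':')
            last = attr.strip()
            cur.setdefault(last, []).append(value.lstrip(':').strip())  # '::' base64 left undecoded
    return entries + [cur] if cur else entries

def parse_slapd_conf(text):
    """Pick suffix, rootdn and rootpw out of slapd.conf, quoted or not."""
    pat = r'^\s*(suffix|rootdn|rootpw)\s+"?([^"\n]+?)"?\s*$'
    return {m.group(1): m.group(2) for m in re.finditer(pat, text, re.M)}

def rdn_mismatches(entries):
    """DNs whose leading RDN (ou=group) disagrees with the entry's attribute (ou: groups)."""
    bad = []
    for e in entries:
        attr, _, val = split_dn(e['dn'][0])[0].partition('=')
        if val not in e.get(attr, [val]):     # OpenLDAP rejects this as a naming violation
            bad.append(e['dn'][0])
    return bad

def storage_ldap_settings(slapd_conf, ldif):
    """Map the server-side data to the storage system's configuration fields."""
    conf, entries = parse_slapd_conf(slapd_conf), parse_ldif(ldif)
    def parents(oc):   # containers of every entry carrying the given objectClass
        return sorted({parent_dn(e['dn'][0]) for e in entries if oc in e.get('objectClass', [])})
    rootpw = conf.get('rootpw', '')   # a {SCHEME}hash cannot be typed in; ask the LDAP administrator
    return {'Base DN': conf.get('suffix'),
            'Bind DN': conf.get('rootdn'),
            'Bind Password': None if rootpw.startswith('{') else rootpw,
            'User Directory': parents('posixAccount'),
            'Group Directory': parents('posixGroup')}
```

Run rdn_mismatches over the parsed LDIF before relying on the derived directories; an entry whose RDN value differs from its attribute (the ou=group versus ou: groups case) would not have loaded into the server.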
Configuring LDAP Domain Authentication Parameters

This section describes how to add a storage system to an LDAP domain by configuring the storage system.

Prerequisites

  • An LDAP domain has been set up.
  • Associated configurations have been completed, and required data is ready.
NOTE:
  • The OceanStor 18500 V3/18800 V3 storage system can be connected to the LDAP server only through a service port (Ethernet port or logical port).
  • The OceanStor 18500 V3/18800 V3 can be connected to only one LDAP server.
Precautions

You are advised to use physical isolation and end-to-end encryption to ensure security of data transfer between clients and LDAP domain servers.

You are advised to configure a static IP address for the Lightweight Directory Access Protocol (LDAP) server. If a dynamic IP address is configured, security risks may exist.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > Domain Authentication.
  3. In the LDAP Domain Settings area, configure the LDAP domain authentication parameters. The related parameters are shown in Table 2-8 below.



    Table 2-8  Parameters of the LDAP domain

    Parameter: Primary Server Address
    Description: IP address of the LDAP domain server.
      NOTE: Ensure that the IP address is reachable. Otherwise, user authentication commands and network commands will time out.
    Value: [Example] 192.168.1.10

    Parameter: Standby Server Address 1
    Description: IP address of standby LDAP server 1.
      NOTE: Ensure that the IP address is reachable. Otherwise, user authentication commands and network commands will time out.
    Value: [Example] 192.168.1.11

    Parameter: Standby Server Address 2
    Description: IP address of standby LDAP server 2.
      NOTE: Ensure that the IP address is reachable. Otherwise, user authentication commands and network commands will time out.
    Value: [Example] 192.168.1.12

    Parameter: Port
    Description: Port used by the system to communicate with the LDAP domain server. The default port of an LDAP server is 389, and the default port of an LDAPS server is 636.
    Value: [Value Range] A valid port ranges from 1 to 65535. [Example] 389

    Parameter: Protocol
    Description: Protocol used by the system to communicate with the LDAP domain server.
      • LDAP: the system uses the standard LDAP protocol to communicate with the LDAP domain server.
      • LDAPS: the system uses LDAP over SSL to communicate with the LDAP domain server; the LDAP domain server must support SSL.
      NOTE: Before selecting LDAPS, import the CA certificate file of the LDAP domain server. If the LDAP server also needs to authenticate the storage system, import the certificate file and private key file as well.
    Value: [Example] LDAP

    Parameter: Base DN
    Description: Distinguished Name (DN) of the directory subtree in which LDAP searches are performed.
      [Rule] A DN consists of Relative Distinguished Names (RDNs) separated by commas (,). For example: testDn=testDn,xxxDn=xxx.
      [Format] xxx=yyy pairs separated by commas (,).
    Value: [Example] dc=admin,dc=com

    Parameter: Bind DN
    Description: DN of the account with which the storage system binds to (logs in to) the LDAP server.
      NOTE: The storage system must bind with this DN before it can search the directory.
      [Rule] A DN consists of RDNs separated by commas (,). For example: testDn=testDn,xxxDn=xxx.
      [Format] xxx=yyy pairs separated by commas (,).
    Value: [Example] cn=ldapuser01,ou=user,dc=admin,dc=com

    Parameter: Bind Password
    Description: Password of the Bind DN account.
      NOTE: A simple password is a security risk. A complex password is recommended, for example, one that contains uppercase letters, lowercase letters, digits, and special characters.
    Value: [Example] !QAZ2wsx

    Parameter: Confirm Bind Password
    Description: Enter the bind password again to confirm it.
    Value: [Example] !QAZ2wsx

    Parameter: User Directory
    Description: DN of the directory in which users are stored on the LDAP domain server.
    Value: [Example] ou=user,dc=admin,dc=com

    Parameter: Group Directory
    Description: DN of the directory in which user groups are stored on the LDAP domain server.
    Value: [Example] ou=Groups,dc=admin,dc=com

    Parameter: Search Timeout Duration (seconds)
    Description: Time the client waits for a search result from the server before timing out. The default value is 3 seconds.
    Value: [Example] 3

    Parameter: Connection Timeout Duration (seconds)
    Description: Time the client waits when connecting to the server before timing out. The default value is 3 seconds.
    Value: [Example] 3

    Parameter: Idle Timeout Duration (seconds)
    Description: Period without communication between the storage system and the LDAP server after which the connection is closed. The default value is 30 seconds.
    Value: [Example] 30

  4. Click Save. The LDAP domain authentication configuration is completed.

    NOTE:

    Click Restore to Initial to reset the LDAP domain authentication parameters to their initial values.
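As an added example (not part of the Huawei document), the following preflight check applies the rules Table 2-8 states (port range, LDAP/LDAPS default ports, CA certificate before LDAPS, the xxx=yyy DN format, the password-complexity note) to a set of parameter values before they are saved, plus one derived check: User Directory and Group Directory must lie under Base DN, otherwise searches rooted at Base DN never find them. The field names and the SAMPLE dictionary are this example's own assumptions, built from the table's [Example] column.

```python
"""Preflight check of the Table 2-8 values before clicking Save in DeviceManager.
Added example, not part of the Huawei document; field names and SAMPLE are assumed."""
import ipaddress
import re

# Constructed from the [Example] column of Table 2-8.
SAMPLE = {
    'Primary Server Address': '192.168.1.10', 'Port': 389, 'Protocol': 'LDAP',
    'Base DN': 'dc=admin,dc=com', 'Bind DN': 'cn=ldapuser01,ou=user,dc=admin,dc=com',
    'Bind Password': '!QAZ2wsx', 'Confirm Bind Password': '!QAZ2wsx',
    'User Directory': 'ou=user,dc=admin,dc=com', 'Group Directory': 'ou=Groups,dc=admin,dc=com',
    'Search Timeout': 3, 'Connection Timeout': 3, 'Idle Timeout': 30,
    'CA certificate imported': False,
}
DN_RE = re.compile(r'^\w+=[^,]+(,\s*\w+=[^,]+)*$')   # xxx=yyy pairs separated by commas
ADDRESSES = ('Primary Server Address', 'Standby Server Address 1', 'Standby Server Address 2')
PLAINTEXT_ADVISORY = 'Protocol: plain LDAP sends the bind password unencrypted; consider LDAPS'

def norm_dn(dn):
    """Lower-case the DN and drop spaces around commas so DNs compare reliably."""
    return ','.join(p.strip().lower() for p in dn.split(','))

def is_under(dn, base):
    """True when dn equals base or lies somewhere beneath it in the tree."""
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith(',' + b)

def password_is_complex(pw):
    """The table's NOTE: upper case, lower case, digits and special characters."""
    return all(re.search(c, pw) for c in (r'[A-Z]', r'[a-z]', r'\d', r'[^A-Za-z\d]'))

def check_ldap_settings(p):
    """Return the problems found; an empty list means the settings are consistent."""
    problems = []
    for key in ADDRESSES:
        if p.get(key):
            try:
                ipaddress.ip_address(p[key])
            except ValueError:
                problems.append(f'{key}: {p[key]!r} is not an IP address')
    port, proto = p.get('Port'), p.get('Protocol')
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append('Port: must be an integer from 1 to 65535')
    elif (proto, port) in (('LDAP', 636), ('LDAPS', 389)):
        problems.append(f'Port: {port} is the default for the other protocol, not {proto}')
    if proto == 'LDAPS' and not p.get('CA certificate imported'):
        problems.append('Protocol: import the CA certificate before selecting LDAPS')
    elif proto == 'LDAP':
        problems.append(PLAINTEXT_ADVISORY)
    elif proto != 'LDAPS':
        problems.append('Protocol: must be LDAP or LDAPS')
    base = p.get('Base DN', '')
    for key in ('Base DN', 'Bind DN', 'User Directory', 'Group Directory'):
        if not DN_RE.match(p.get(key, '')):
            problems.append(f'{key}: expected xxx=yyy pairs separated by commas')
        elif key.endswith('Directory') and DN_RE.match(base) and not is_under(p[key], base):
            problems.append(f'{key}: {p[key]} is outside Base DN {base}')
    if p.get('Bind Password') != p.get('Confirm Bind Password'):
        problems.append('Bind Password: confirmation does not match')
    elif not password_is_complex(p.get('Bind Password', '')):
        problems.append('Bind Password: use upper case, lower case, digits and special characters')
    for key in ('Search Timeout', 'Connection Timeout', 'Idle Timeout'):
        if not p.get(key, 1) > 0:
            problems.append(f'{key}: must be a positive number of seconds')
    return problems
```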

(Optional) Generating and Exporting a Certificate on the Storage System

This section describes how to generate and export a certificate required for configuring domain authentication on the storage system.

Context

  • The certificate generated on the storage system is not signed and must be signed by a signing server.
  • If you use a third-party tool to export the certificate request file, save the exported private key file as well. These files, together with the signed certificate and the CA certificate, are imported to the storage system when the certificates are verified on the storage system.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Set Certificate Type to Domain authentication certificate and click Generate and Export.

    The Save As dialog box is displayed. Select a path to save the certificate and click Save.

Follow-up Procedure

After the domain authentication certificate is exported, have it signed.
(Optional) Signing the Authentication Certificate and Exporting the CA Certificate

After a domain authentication certificate is exported, it takes effect only after it is signed by a third-party signing server. The CA certificate should be exported at the same time.

After the domain authentication certificate is exported, have the certificate signed according to your actual conditions and export the CA certificate for the follow-up procedures.

(Optional) Importing the Certificate and CA Certificate to the Storage System

This section describes how to import the authentication certificate and CA certificate to the storage system to activate the authentication certificate.

Prerequisites

  • The signed certificate and CA certificate already exist.
  • If the certificate file is exported and signed by a third-party tool, ensure that the private key file exists.

Context

If the certificate file is exported and signed by a third-party tool, import the private key file when you import and activate the certificate and CA certificate.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Import and activate the certificate.
    1. After the certificate has been signed by the server, click Import and Activate.

      The Import Certificate dialog box is displayed.

    2. Set Certificate Type to Domain authentication certificate and import the signed certificate and CA certificate. Table 2-9 lists the parameters and their explanations.

      Table 2-9  Certificate parameters

      Parameter: Certificate Type
      Description: Type of the certificate.
      Value: [Example] Domain authentication certificate

      Parameter: Certificate File
      Description: Certificate file that was exported and has been signed.
      Value: [Example] None

      Parameter: CA Certificate File
      Description: CA certificate file of the signing server.
      Value: [Example] None

      Parameter: Private Key File
      Description: Private key file of the device (required when the certificate request was exported and signed with a third-party tool).
      Value: [Example] None

    3. Click OK.
      The Warning dialog box is displayed.
    4. Carefully read the content of the dialog box, select I have read and understood the consequences associated with this operation, and click OK.
      The Success dialog box is displayed.
    5. Click OK.
      The certificate has been successfully imported and activated.

(Optional) Configuring a Storage System to Add It to a NIS Domain

This section describes how to add the storage system to an NIS domain.

Preparing Data of the NIS Domain Environment

Configuration data of NIS servers needs to be collected in advance to add storage systems to the NIS domain.

Why NIS Domains?

In UNIX sharing mode, every node that provides the sharing service must maintain related configuration files such as /etc/hosts and /etc/passwd, which takes considerable effort. For example, if you add a new node to the shared network, all UNIX-based systems need to update their /etc/hosts files to include the name of the new node. The new node may need to access all other nodes, so all the systems also need to modify their /etc/passwd files. These operations become time-consuming and tedious once there are more than 10 nodes.

The Network Information Service (NIS), developed by Sun Microsystems, uses a single system (the NIS server) to manage and maintain the files containing host name and user account information, which all systems configured as NIS clients then consult. With NIS, adding a host to the shared network only requires modifying the related file on the NIS server and propagating the change to the other nodes on the network.

The accompanying figure shows the relationship between the NIS server and the other hosts.

Working Principles

When NIS is configured, the ASCII files in the NIS domain are converted to NIS database files (or mapping table files). Hosts in the NIS domain query and parse the NIS database files to perform operations such as authorized access and updates. For example, common password file /etc/passwd of a UNIX host is converted to the following NIS database files:

Parameters

An NIS domain is a logical group of nodes that use the same NIS. A physical network can include multiple NIS domains; nodes with the same domain name belong to the same NIS domain.

NIS domain-related files are saved in a subdirectory of /var/yp on the NIS server. The subdirectory name is the NIS domain name; for example, the map files of the research domain are saved in /var/yp/research.

The system super administrator can run the /usr/bin/domainname command to rename a domain in interactive mode. Ordinary users can run the domainname command without parameters to obtain the default domain name of the local system.

Data Preparation Checklist
To add the storage system to the NIS domain smoothly, prepare or plan the data used during configuration in advance according to your actual situation. Table 2-10 describes the data to be obtained before configuration.
Table 2-10  Data to be obtained

Item: Domain Name
How to Obtain/Example: Domain name of the server. It contains 1 to 63 letters, digits, and hyphens (-), and cannot start or end with a hyphen (-). Each level of the domain name contains a maximum of 63 characters, and the levels are separated by periods (.). Contact the administrator of the domain server.
  [Example] test.com

Item: Primary Server Address
How to Obtain/Example: IP address or domain name of the primary NIS domain server. Contact the administrator of the domain server.
  [Example] 192.168.0.100 or www.test.com

Item: Standby Server Address 1 (Optional)
How to Obtain/Example: IP address or domain name of standby NIS server 1. Contact the administrator of the domain server.
  [Example] 192.168.0.101 or www.test.com

Item: Standby Server Address 2 (Optional)
How to Obtain/Example: IP address or domain name of standby NIS server 2. Contact the administrator of the domain server.
  [Example] 192.168.0.102 or www.test.com

Configuring NIS Domain Authentication Parameters

If an NIS domain server is deployed on the customer's network, add the storage system to the NIS domain. After the system is added to the NIS domain, the NIS domain server can authenticate NFS clients when they attempt to access the system's shared resources.

Prerequisites

An NIS domain server has been deployed and properly connected.
NOTE:
  • The OceanStor 18500 V3/18800 V3 storage system can be connected to the NIS server only through a service port (Ethernet port or logical port), and all controllers must be able to communicate with the AD server.
  • The OceanStor 18500 V3/18800 V3 storage system can be connected to only one NIS server.
You have logged in to DeviceManager as an administrator with the required permission. The following administrators have the permission:
  • Super administrator
  • Administrator

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > Domain Authentication.
  3. Select Enable to enable the NIS domain authentication.

    NOTE:

    NIS domain authentication does not support the transfer of encrypted data. Therefore, NIS domain authentication may cause security risks.

  4. In the NIS Domain Settings area, configure the NIS domain authentication parameters. The related parameters are shown in Table 2-11 below.



    Table 2-11  Parameters of the NIS domain

    Parameter: Domain Name
    Description: Domain name of the server.
      [Rule] Contains 1 to 63 letters, digits, and hyphens (-), and cannot start or end with a hyphen (-). Each level of the domain name contains a maximum of 63 characters, and the levels are separated by periods (.).
    Value: [Example] site

    Parameter: Primary Server Address
    Description: IP address of the NIS domain server.
      NOTE: Ensure that the IP address is reachable. Otherwise, user authentication commands and network commands will time out.
    Value: [Example] 192.168.0.100

    Parameter: Standby Server Address 1
    Description: IP address of standby NIS server 1.
      NOTE: Ensure that the IP address is reachable. Otherwise, user authentication commands and network commands will time out.
    Value: [Example] 192.168.0.101

    Parameter: Standby Server Address 2
    Description: IP address of standby NIS server 2.
      NOTE: Ensure that the IP address is reachable. Otherwise, user authentication commands and network commands will time out.
    Value: [Example] 192.168.0.102

  5. Click Save. The NIS domain authentication configuration is completed.

    NOTE:

    Click Restore to Initial to reset the NIS domain authentication parameters to their initial values.

Updated: 2019-08-14

Document ID: EDOC1000084098