Anatomy of a cross-platform access token
If no user-mapping rules are configured, a user who authenticates with one directory service receives the identity information held for the same account name in the other directory services. For example, a user who authenticates with the Active Directory domain as york\jane automatically receives the identities of the UNIX user account jane from LDAP or NIS.
In the most common scenario, OneFS is connected to two directory services, Active Directory and LDAP. The default mapping then gives the user a UID from LDAP and a SID from Active Directory, with the primary group taken from Active Directory. The user's supplemental groups come from both Active Directory and LDAP. The user's home directory, gecos, and shell come from Active Directory.
The following examples demonstrate how OneFS builds an access token for a Windows user who authenticates with Active Directory but has a corresponding account with the same name in LDAP. User-mapping rules are not in place.
First, view a user’s token from only Active Directory by running the following command and targeting the user’s Active Directory domain account. The output shown is abridged to remove some immaterial information.
isi auth users view --user=york\\stand --show-groups
Name: YORK\stand
DN: CN=stand,CN=Users,DC=york,DC=hull,DC=example,DC=com
DNS Domain: york.hull.example.com
Domain: YORK
Provider: lsa-activedirectory-provider:YORK.HULL.EXAMPLE.COM
Sam Account Name: stand
UID: 4326
SID: S-1-5-21-1195855716-1269722693-1240286574-591111
Primary Group
ID : GID:1000000
Name : YORK\york_sh_udg
Additional Groups: YORK\sd-york space group
YORK\york_sh_udg
YORK\sd-york-group
YORK\sd-group
YORK\domain users
Next, view the same user's token from only LDAP by running the following command with the unqualified UNIX user name, which resolves through the LDAP provider. The output is abridged.
isi auth users view --user=stand --show-groups
Name: stand
DN: uid=stand,ou=People,dc=colorado4,dc=hull,dc=example,dc=com
DNS Domain: -
Domain: LDAP_USERS
Provider: lsa-ldap-provider:Unix LDAP
Sam Account Name: stand
UID: 4326
SID: S-1-22-1-4326
Primary Group
ID : GID:7222
Name : stand
Additional Groups: stand
sd-group
sd-group2
When there are no mapping rules and the user logs in to the cluster over SMB, OneFS authenticates the user with Active Directory and builds an access token. The user, primary group, and SID information is taken from Active Directory, and the supplemental groups from the UNIX LDAP token are appended to the end of the final token:
isi auth mapping token --user=york\\stand
User
Name : YORK\stand
UID : 4326
SID : S-1-5-21-1195855716-1269722693-1240286574-591111
On Disk : 4326
ZID: 1
Zone: System
Privileges: -
Primary Group
Name : YORK\york_sh_udg
GID : 1000000
SID : S-1-5-21-1195855716-1269722693-1240286574-66133
Supplemental Identities
Name : YORK\sd-york space group
GID : 1000002
SID : S-1-5-21-1195855716-1269722693-1240286574-579109
Name : YORK\sd-york-group
GID : 1000004
SID : S-1-5-21-1195855716-1269722693-1240286574-475739
Name : YORK\sd-workers
GID : 1000003
SID : S-1-5-21-1195855716-1269722693-1240286574-169779
Name : YORK\domain users
GID : 1000001
SID : S-1-5-21-1195855716-1269722693-1240286574-513
Name : Users
GID : 1545
SID : S-1-5-32-545
Name : sd-group
GID : 100001
SID : S-1-22-2-100001
Name : sd-group2
GID : 100002
SID : S-1-22-2-100002
The following notes refer to the preceding token:
The mapping service omits the user's LDAP primary group: the group stand (GID 7222) from the LDAP token does not appear anywhere in the final token. To add the primary group from LDAP to the final token, create a user-mapping rule.
By default, when you run isi auth mapping token with a UNIX user name, OneFS looks up the user's information in LDAP and does not merge in the user's Active Directory account information. OneFS gives preference to the UID because NFS requests carry UIDs, and resolving them directly is fastest. Showing the Active Directory information as well would make the result symmetrical with an isi auth mapping token request for an Active Directory user, which does include the LDAP information, but that symmetry would come at the expense of NFS performance.
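The following shell script is an added example and is not OneFS code or part of the Dell documentation. It audits a token listing of the shape shown above: it tags each group in the primary and supplemental sections with the provider implied by its SID (S-1-22-2-<gid> is the synthetic UNIX-group SID OneFS shows for LDAP groups, S-1-5-32-* is BUILTIN, S-1-5-21-... is a domain SID), counts groups per source, and checks whether a given GID, here the omitted LDAP primary group 7222, made it into the token. The embedded token is constructed from the page's abridged YORK\stand listing rather than captured from a cluster; on a real cluster you would pipe the output of isi auth mapping token --user=... into list_groups instead. It assumes the "Name : ", "GID : " and "SID : " label layout matches the page exactly.

```shell
#!/bin/sh
# Added example, not OneFS code: audit an "isi auth mapping token" listing by
# provider and check whether a given GID made it into the final token.
# Assumes the token is laid out as on this page: "User" / "Primary Group" /
# "Supplemental Identities" headers followed by "Name : ", "GID : ", "SID : " lines.

# Constructed sample, abridged from the page's YORK\stand token (not captured
# from a live cluster).
TOKEN='User
Name : YORK\stand
UID : 4326
SID : S-1-5-21-1195855716-1269722693-1240286574-591111
Primary Group
Name : YORK\york_sh_udg
GID : 1000000
SID : S-1-5-21-1195855716-1269722693-1240286574-66133
Supplemental Identities
Name : YORK\sd-york space group
GID : 1000002
SID : S-1-5-21-1195855716-1269722693-1240286574-579109
Name : YORK\domain users
GID : 1000001
SID : S-1-5-21-1195855716-1269722693-1240286574-513
Name : Users
GID : 1545
SID : S-1-5-32-545
Name : sd-group
GID : 100001
SID : S-1-22-2-100001
Name : sd-group2
GID : 100002
SID : S-1-22-2-100002'

# list_groups: read token text on stdin; for the primary group and every
# supplemental identity print "section<TAB>name<TAB>gid<TAB>source".
# The source is inferred from the SID authority: S-1-22-2-<gid> is the
# synthetic UNIX-group SID OneFS uses for LDAP/NIS groups, S-1-5-32-* is
# BUILTIN, and S-1-5-21-... is a domain SID from Active Directory.
list_groups() {
  awk -F' : ' '
    function src(sid) {
      if (sid ~ /^S-1-22-2-/) return "unix-group"
      if (sid ~ /^S-1-5-32-/) return "builtin"
      if (sid ~ /^S-1-5-21-/) return "domain"
      return "unknown"
    }
    /^(User|Primary Group|Supplemental Identities)$/ { section = $0; next }
    $1 == "Name" { name = $2 }
    $1 == "GID"  { gid = $2 }
    $1 == "SID" && section != "User" {
      printf "%s\t%s\t%s\t%s\n", section, name, gid, src($2)
    }
  '
}

# count_source TOKEN SOURCE: number of group identities from that source.
count_source() {
  printf '%s\n' "$1" | list_groups |
    awk -F'\t' -v s="$2" '$4 == s { n++ } END { print n + 0 }'
}

# token_has_gid TOKEN GID: succeed (exit 0) if the GID is among the token's groups.
token_has_gid() {
  printf '%s\n' "$1" | list_groups |
    awk -F'\t' -v want="$2" '$3 == want { found = 1 } END { exit found ? 0 : 1 }'
}

printf '%s\n' "$TOKEN" | list_groups
printf 'domain=%s builtin=%s unix-group=%s\n' \
  "$(count_source "$TOKEN" domain)" \
  "$(count_source "$TOKEN" builtin)" \
  "$(count_source "$TOKEN" unix-group)"
# The LDAP primary group (GID 7222 on this page) is absent without a mapping rule.
if token_has_gid "$TOKEN" 7222; then
  echo "GID 7222 is in the token"
else
  echo "GID 7222 is missing from the token (no user-mapping rule)"
fi
```

Because the check keys on the SID authority rather than on group names, it also flags the case the page warns about in the other direction: a UNIX-only token (isi auth mapping token run with an unqualified UNIX user name) will show zero domain groups, which is the expected result of the UID-first lookup and not a mapping failure.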