It is important to understand the identity management and authentication methods before implementing NFS in your environment. Identity management provides a location to store user information and determines where a user is defined; authentication is the process that validates the identity of a user. In OneFS, both identity management and authentication are provided by authentication providers. OneFS supports the following methods for authenticating users:
Use Active Directory service and LDAP for ease of user identity and access management.
Active Directory (AD)
Active Directory is a Microsoft directory service that provides LDAP, Kerberos, and DNS. The primary reason for a PowerScale cluster to join an AD domain is to provide user and group identity management and authentication. Active Directory is used to authenticate all Windows clients and users. OneFS is RFC 2307 compliant, so in a multiprotocol environment it is recommended to integrate AD with OneFS to provide centralized identity management and authentication.
RFC2307 allows you to implement unified authentication for UNIX and Windows Active Directory accounts by associating a user ID (UID), group ID (GID), home directory, and shell with an Active Directory object.
Windows Server supported some variations of these schema extensions in versions before Windows 2003 R2 through Microsoft Services for UNIX. Windows 2003 R2 and later provide full RFC 2307 support. This means that, when configured, the standard UNIX attributes exist in the schema of domains created with Windows 2003 R2 and later.
To use Active Directory as the authentication provider for the NFS service, you need to configure both OneFS and Active Directory for RFC 2307 compliance, and the NFS client must also be integrated with AD. For details about how to enable RFC 2307 for OneFS and Active Directory, refer to the blog article. For details about how to integrate a Linux client with AD for NFS, refer to the official documentation of the distribution; for example, the Red Hat Windows Integration Guide for Red Hat Linux.
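The RFC 2307 attributes above are what an NFS server needs in order to turn an AD object into a UNIX identity. The following added example (not OneFS code or Dell documentation) parses a constructed LDIF export of two AD user objects, builds the passwd(5)-style view for each, and flags the two failure modes a practitioner checks for before enabling NFS against AD: objects that lack the RFC 2307 attributes, and two objects that share the same uidNumber. Attribute names assume the standard Windows 2003 R2+ schema (uidNumber, gidNumber, unixHomeDirectory, loginShell); the sample data and the audit() helper are constructed for illustration.

```python
"""Audit AD user objects for RFC 2307 completeness (constructed example)."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Attributes the Windows 2003 R2+ schema populates for a UNIX-enabled user.
RFC2307_REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

# Constructed LDIF: alice is complete, bob lacks UNIX attributes, carol
# collides with alice on uidNumber.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: carol
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/carol
loginShell: /bin/sh
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: records are separated by blank lines and each
    line is 'attribute: value'. Multi-valued attributes keep the last value;
    base64 (::) and folded lines are not handled, which suffices here."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = raw.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def rfc2307_passwd_entry(rec: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Return (passwd line, []) for a complete object, or (None, problems)."""
    missing = [a for a in RFC2307_REQUIRED if a not in rec]
    if missing:
        return None, [f"missing {a}" for a in missing]
    try:
        uid, gid = int(rec["uidNumber"]), int(rec["gidNumber"])
    except ValueError:
        return None, ["uidNumber/gidNumber are not integers"]
    line = (f"{rec['sAMAccountName']}:x:{uid}:{gid}::"
            f"{rec['unixHomeDirectory']}:{rec['loginShell']}")
    return line, []


def audit(text: str) -> Dict[str, str]:
    """Map every user; report which are usable over NFS and why the rest are not.
    A duplicate uidNumber is reported because NFS identifies owners by number,
    so two such users would own each other's files."""
    records = parse_ldif(text)
    owners = defaultdict(list)
    for rec in records:
        if "uidNumber" in rec:
            owners[rec["uidNumber"]].append(rec["sAMAccountName"])
    report: Dict[str, str] = {}
    for rec in records:
        name = rec["sAMAccountName"]
        line, problems = rfc2307_passwd_entry(rec)
        if line and len(owners[rec["uidNumber"]]) > 1:
            others = [n for n in owners[rec["uidNumber"]] if n != name]
            problems.append(f"uidNumber shared with {', '.join(others)}")
            line = None
        report[name] = line if line else "NOT NFS-READY: " + "; ".join(problems)
    return report


if __name__ == "__main__":
    for user, status in audit(SAMPLE_LDIF).items():
        print(f"{user:8} {status}")
```

Run it against an LDIF export of the users who will access NFS exports; any "NOT NFS-READY" line is a user whose AD identity cannot be resolved to a UID/GID, and the duplicate check catches the collision that RFC 2307 itself does not prevent.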
Lightweight Directory Access Protocol (LDAP)
A OneFS cluster can also be configured to use LDAP as the authentication provider. The LDAP service in a OneFS cluster supports the following features:
To enable LDAP on a Linux client, refer to the official documentation of the corresponding Linux distribution; for example, the Red Hat System-Level Authentication Guide for Red Hat Linux.
Network Information Service (NIS)
NIS is a directory services protocol designed by Sun Microsystems. It has inherent limitations, especially in scalability and security, so it is usually replaced by LDAP unless your environment has been using NIS for a long time.
Local users and groups
The OneFS cluster supports local users and groups for authentication. You can create local user and group accounts directly on the cluster. Local authentication is useful for a test environment or when no directory service is available.
In a multiprotocol environment, there are usually multiple authentication providers: Active Directory for Windows client access and LDAP for Linux or UNIX client access. If a user exists in both Active Directory and LDAP, a user-mapping rule is required for that user to have sufficient permission to access files through both protocols. You can use isi auth mapping create and isi auth mapping view to create and view user-mapping rules.
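The following added example (a constructed model, not OneFS code and not the syntax of isi auth mapping) shows why the mapping rule matters. A user "jdoe" exists in AD (identified by a SID) and in LDAP (identified by a UID). Files created over NFS are owned by the UID; a session authenticated through AD carries only the SID unless a mapping rule links the two identities, so without the rule the same person is denied access to their own files. The directories, the file entry and the build_token() helper are constructed for illustration.

```python
"""Model of identity tokens with and without a user-mapping rule (constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Identity:
    kind: str   # "sid" for an AD identity, "uid" for a UNIX identity
    value: str


@dataclass(frozen=True)
class Token:
    """Simplified access token: every identity a session is known by."""
    ids: FrozenSet[Identity]


@dataclass(frozen=True)
class FileEntry:
    """File owned by one identity; only the owner-read bit is modelled."""
    owner: Identity
    mode: int


# Constructed directories: the same person exists in both providers.
AD = {"jdoe": Identity("sid", "S-1-5-21-1111-2222-3333-1105")}
LDAP = {"jdoe": Identity("uid", "5001")}

# Mapping rules: source identity -> target identity. With two_way=True the
# rule also applies in reverse, so either login produces the same token.
Rules = Dict[Identity, Identity]


def build_token(user: str, provider: Dict[str, Identity],
                rules: Rules, two_way: bool = True) -> Token:
    """Authenticate against one provider, then apply mapping rules."""
    primary = provider[user]
    ids = {primary}
    for src, dst in rules.items():
        if src == primary:
            ids.add(dst)
        elif two_way and dst == primary:
            ids.add(src)
    return Token(frozenset(ids))


def can_read(token: Token, entry: FileEntry) -> bool:
    """Owner-read check: the token must carry the owning identity."""
    return entry.owner in token.ids and bool(entry.mode & 0o400)


# A home directory created over NFS by jdoe, owned by the LDAP UID.
NFS_HOME = FileEntry(owner=LDAP["jdoe"], mode=0o700)


def access_via_ad(rules: Rules) -> bool:
    """jdoe logs in through AD (e.g. SMB) and opens the NFS-created file."""
    return can_read(build_token("jdoe", AD, rules), NFS_HOME)


def access_via_ldap(rules: Rules) -> bool:
    """jdoe logs in through LDAP (e.g. NFS) and opens the same file."""
    return can_read(build_token("jdoe", LDAP, rules), NFS_HOME)


NO_RULES: Rules = {}
MAPPED: Rules = {AD["jdoe"]: LDAP["jdoe"]}

if __name__ == "__main__":
    print("AD login, no rule :", access_via_ad(NO_RULES))    # False
    print("AD login, mapped  :", access_via_ad(MAPPED))      # True
    print("LDAP login, mapped:", access_via_ldap(MAPPED))    # True
```

The denied case is the symptom the text describes: the user authenticates successfully but lacks permission, because the token presented does not contain the identity that owns the file. The mapping rule is what merges the two provider identities into one token.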