PowerScale OneFS User Mapping: Mapping Identities Across Authentication Providers: Dumping a map of AD groups for LDAP
In a multiprotocol storage system with a permissions model that works with UNIX POSIX mode bits and Windows ACLs, permissions management becomes a nontrivial task. It requires analysis and planning to integrate Active Directory and LDAP with OneFS.
Before you set up your file shares, you should analyze and document the access requirements for your directory tree. If possible, avoid intertwining trees for different groups of users, such as engineering and marketing. You should also consider separating directory trees by protocol, creating a tree for your SMB users and another for your NFS users.
Adding applications to the requirements increases management complexity. One way to reduce it is to avoid mixing directory trees for NFS applications with trees for SMB applications or users. As a best practice, keep the directory trees for NFS applications separate from your SMB trees and from the NFS trees used by people.
If you do mix directory trees for SMB users with those for NFS users, as most administrators do, try to integrate your Active Directory and LDAP systems before you set up your directory tree. In particular, you should strive to properly synchronize your LDAP groups with your Active Directory groups. OneFS automatically matches an Active Directory group with an LDAP group when the relative distinguished name of the group is the same.
One strategy is, of course, to use the user mapping service to combine groups from AD and LDAP into a single identity. But an advanced strategy to avoid a dependence on the mapping service is to export from Active Directory a map of your Active Directory groups, convert them to the LDAP Data Interchange Format (LDIF), and then ingest the LDIF contents into your LDAP server. The method is particularly useful if Active Directory is not using RFC 2307 attributes. Windows Server 2003 and Windows Server 2008, for instance, include a command-line tool named LDIFDE for exporting information in LDIF from Active Directory.
The result adds your independent group records from AD to LDAP, so that all your Linux and UNIX users receive the same GIDs and SIDs as your Windows users. It also gives you a chance to resolve GID collisions before they affect your PowerScale cluster.
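The export-convert-ingest step described above, and the GID collision check that should precede ingestion, as an added example in Python (not Dell's or OneFS's own tooling). It assumes each exported AD group carries cn and gidNumber, that the LDAP base DN and the set of GIDs already present in LDAP are supplied by the caller, and uses a constructed sample shaped like an LDIFDE export.

```python
# Added example (not Dell's or OneFS's own tooling): turn an LDIFDE export of AD
# groups into RFC 2307 posixGroup LDIF and flag GID collisions before ingesting.
# Assumes each group carries cn and gidNumber; base DN and existing LDAP GIDs are caller-supplied.
from collections import defaultdict
# Constructed sample shaped like an LDIFDE group export (attributes trimmed).
AD_EXPORT = """\
dn: CN=eng,OU=Groups,DC=example,DC=com
cn: eng
gidNumber: 5001

dn: CN=marketing,OU=Groups,DC=example,DC=com
cn: marketing
gidNumber: 5002

dn: CN=qa,OU=Groups,DC=example,DC=com
cn: qa
gidNumber: 5001
"""

def parse_ldif(text):
    """One {attr: value} dict per entry; folds leading-space lines, keeps '::' base64 raw."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:    # trailing "" flushes the last entry
        if not line.strip():                 # blank line terminates an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:  # continuation of previous attribute
            cur[last] += line[1:]
        elif not line.startswith("#"):
            key, _, val = line.partition(":")
            last = key.strip()
            cur[last] = val.lstrip(": ")     # last value wins for repeated attributes
    return entries

def find_gid_collisions(groups, existing_gids):
    """GIDs duplicated within the export or already in use in LDAP, with their group names."""
    owners = defaultdict(list)
    for g in groups:
        owners[int(g["gidNumber"])].append(g["cn"])
    return {gid: names for gid, names in owners.items()
            if len(names) > 1 or gid in existing_gids}

def to_posix_group_ldif(groups, base_dn):
    """posixGroup add entries; the RDN keeps the AD cn so OneFS pairs the two groups."""
    return "\n".join(
        f"dn: cn={g['cn']},{base_dn}\nobjectClass: top\nobjectClass: posixGroup\n"
        f"cn: {g['cn']}\ngidNumber: {g['gidNumber']}\ndescription: {g['dn']}\n"
        for g in groups)
```

Resolve every GID reported by find_gid_collisions in AD (or in the export) before feeding the generated LDIF to your LDAP server.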