To control a user’s identities, the user mapper provides three primary mechanisms:
- An object model for access tokens. Although you can create rules without understanding the object model, it might help you visualize how OneFS processes tokens.
- Rules for manipulating tokens. The rules include operators that determine what the rule does and options that determine how the action is carried out.
- An engine for processing the rules and applying them to tokens. The engine imposes some constraints on rules and processes rules in a sequence that can affect their application.
Taken together, the three mechanisms provide a framework for manipulating tokens to address use cases common to environments with several directory services:
- Merging several identities into a single token that works across protocols and includes supplemental groups from both Active Directory and LDAP
- Selecting a primary group when there are competing choices from Windows and UNIX
- Managing identities when Active Directory and LDAP serve as authentication providers; for example, you can authenticate with Active Directory but use a UNIX identity
- Managing identities when NIS and Active Directory serve as authentication providers
Each of these use cases is addressed by controlling the elements of mapping rules through the Web administration interface or the command-line interface. The OneFS Platform API also exposes the mappings, so automation can query or modify them without going through either interface.
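To make the three mechanisms concrete, the following Python model is an added illustration, not OneFS code and not the real user mapper: it builds a small access-token object (user, primary group, supplemental groups, merged identities), defines rules as operator + source + target + options, and runs them through a sequential engine. The operator names `replace`, `join` and `trim` and the options `group` and `break` follow the names OneFS documents for mapping rules, but the semantics here are deliberately simplified assumptions (for instance, a rule matches only on the token's current user, and `join` is modeled as a union of groups plus a record of the second identity). The directory entries are constructed sample data standing in for what Active Directory and LDAP would return.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample identity data; stands in for AD (CORP\...) and LDAP (plain) lookups.
DIRECTORY = {
    "CORP\\alice": {"primary_group": "CORP\\domain users",
                    "groups": {"CORP\\finance", "CORP\\vpn"}},
    "alice":       {"primary_group": "staff", "groups": {"wheel", "analysts"}},
    "CORP\\guest": {"primary_group": "CORP\\domain guests", "groups": set()},
}


@dataclass
class Token:
    """Simplified access-token object model (assumption, not the OneFS structure)."""
    user: str
    primary_group: str
    supplemental: set = field(default_factory=set)
    identities: list = field(default_factory=list)   # every identity merged into the token


def token_for(name: str) -> Optional[Token]:
    """Build a fresh token for a directory identity; None if the identity is unknown."""
    entry = DIRECTORY.get(name)
    if entry is None:
        return None
    return Token(name, entry["primary_group"], set(entry["groups"]), [name])


@dataclass
class Rule:
    """operator: replace | join | trim (simplified); options: group=<name>, break=True."""
    operator: str
    source: str                 # identity the rule matches against the token's user
    target: Optional[str] = None
    options: dict = field(default_factory=dict)


def set_primary_group(token: Token, group: str) -> None:
    """Move the old primary group to supplemental and promote the chosen one."""
    token.supplemental.add(token.primary_group)
    token.primary_group = group
    token.supplemental.discard(group)


def apply_rules(token: Token, rules: list) -> Token:
    """Engine: rules run in order; a rule acts only if its source is the current user."""
    for rule in rules:
        if rule.source != token.user:
            continue
        if rule.operator == "trim":
            # Remove a group or identity from the token.
            token.supplemental.discard(rule.target)
            token.identities = [i for i in token.identities if i != rule.target]
        else:
            target = token_for(rule.target)
            if target is None:
                continue            # unknown target identity: rule has no effect
            if rule.operator == "replace":
                token = target      # token becomes the target identity outright
            elif rule.operator == "join":
                # Merge the second identity: union of groups, both identities kept.
                token.supplemental |= target.supplemental | {target.primary_group}
                token.identities.append(target.user)
        if "group" in rule.options:
            set_primary_group(token, rule.options["group"])
        if rule.options.get("break"):
            break                   # stop processing further rules for this token
    return token


def resolve(name: str, rules: list) -> Optional[Token]:
    """Look up an identity and run the mapping rules over its token."""
    token = token_for(name)
    return None if token is None else apply_rules(token, rules)


# Constructed rule set covering two of the use cases above: merging an AD and a
# UNIX identity with a chosen primary group, and replacing a guest identity.
RULES = [
    Rule("join", "CORP\\alice", "alice", {"group": "staff"}),
    Rule("trim", "CORP\\alice", "CORP\\vpn"),
    Rule("replace", "CORP\\guest", "alice", {"break": True}),
    Rule("join", "alice", "CORP\\alice"),   # never reached for guest because of break
]

if __name__ == "__main__":
    for name in ("CORP\\alice", "CORP\\guest"):
        print(name, "->", resolve(name, RULES))
```

The fourth rule shows the ordering constraint the text mentions: after `replace` turns the guest token into `alice`, that rule would match, but the `break` option on the third rule stops the engine first, so the guest never inherits the Active Directory groups. Remove the `break` and the same rule list yields a different token, which is why rule order has to be reviewed as carefully as the rules themselves.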