If VAST Cluster is connected to two external authorization providers, one of the providers is always set to be the POSIX primary provider. If both providers have POSIX user attributes, then in case of any conflict between POSIX attributes that are retrieved from the providers, the POSIX primary takes precedence over the other provider.
Setting the POSIX primary provider enables you to make sure that conflicting query results are resolved in favor of the provider that stores the correct POSIX attributes for users. For more detail about how providers are queried, see Understanding User Management and Authorization.
By default, the first provider that is configured on the cluster is set to be the POSIX primary provider. If you configure a second provider, you can set that one as the POSIX primary provider instead. You can change the POSIX primary provider at any time.
Every LDAP or NIS auth provider has a setting called "POSIX Primary", which can be true or false. When you create an Active Directory (AD) provider, an LDAP provider is implicitly created as well, and that LDAP provider is where this setting is defined for the AD provider. The POSIX Primary setting indicates whether or not each provider is currently the POSIX Primary provider.
In the VAST Web UI this setting is displayed for each provider on the LDAP or NIS tab of the User Management page.
The current POSIX primary provider is indicated in the VAST Web UI by a "true" value in the POSIX primary column for the provider, on the NIS tab for a NIS provider or on the LDAP tab for an LDAP/AD provider.

Note
The POSIX primary setting for an Active Directory provider is shown on the LDAP tab, in the configuration record for the LDAP connection to the Active Directory service (not on the Active Directory tab).
If you have an additional LDAP provider besides the joined Active Directory, you will see two LDAP records on the LDAP tab, one showing the LDAP connection details for each provider.

In the VAST CLI, the POSIX Primary setting is displayed in the output of:
For example:
vcli: admin> ldap show --id 3
+------------------------+---------------------------------------------------+
| ID                     | 3                                                 |
| URLs                   | ['ldap://company-ad.com']                         |
| Port                   | 389                                               |
| Bind-DN                | cn=admin,ou=users,dc=mydomain,dc=local            |
| Search-Base            | dc=mydomain,dc=local                              |
| Group-Search-Base      | dc=mydomain,dc=local                              |
| Method                 | simple                                            |
| State                  | CONNECTED                                         |
| Gid-number             | gidNumber                                         |
| Uid                    | distinguishedName                                 |
| Uid-number             | uidNumber                                         |
| Uid-member             | member                                            |
| Posix-account          | user                                              |
| Posix-group            | group                                             |
| Use TLS                | False                                             |
| POSIX Primary Provider | True                                              |
| Match-user             | distinguishedName                                 |
+------------------------+---------------------------------------------------+
In the User Management page, go to the LDAP tab for an LDAP server or the NIS tab for a NIS server.
Click the Actions button for the provider's LDAP or NIS record and select POSIX Primary from the Actions menu.
Click Yes to confirm the action.
The POSIX Primary setting for the provider changes from false to true.
To set a NIS provider as the POSIX Primary provider, run nis list to retrieve the provider's ID and then run nis set_primary_provider:
vcli: admin> nis set_primary_provider --id ID
To set an LDAP/AD provider as the POSIX Primary provider, run ldap list to retrieve the provider's ID and then run ldap set_primary_provider:
vcli: admin> ldap set_primary_provider --id ID
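After changing the primary, the result can be checked from saved ldap show output. The following Python is an added example, not VAST tooling: it parses the table format shown above and reports whether exactly one provider is the POSIX primary. It assumes both providers are LDAP/AD records whose output was captured as text; the function names, the second provider and its URL are constructed for illustration.

```python
FIELD = "POSIX Primary Provider"  # row label as printed in the sample output above

def parse_show_output(text):
    """Turn the two-column table printed by ldap show into a dict."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("|"):  # skips the prompt line and the +---+ borders
            key, _, value = line.strip("|").partition("|")
            record[key.strip()] = value.strip()
    return record

def check_posix_primary(outputs, expected_id=None):
    """Return findings; an empty list means exactly one provider is primary
    (and it is expected_id, when one is given)."""
    findings, primaries = [], []
    for n, text in enumerate(outputs, 1):
        rec = parse_show_output(text)
        if "ID" not in rec or rec.get(FIELD) not in ("True", "False"):
            findings.append(f"capture {n}: no ID or {FIELD} row found")
        elif rec[FIELD] == "True":
            primaries.append(rec["ID"])
    if len(primaries) != 1:
        findings.append(f"expected exactly one POSIX primary, found {primaries}")
    elif expected_id is not None and primaries[0] != str(expected_id):
        findings.append(f"POSIX primary is provider {primaries[0]}, expected {expected_id}")
    return findings

# Constructed captures, trimmed to the relevant rows. Provider 3 mirrors the
# sample output above; provider 4 is a made-up second LDAP provider.
PROVIDER_3 = """vcli: admin> ldap show --id 3
+------------------------+------------------------------+
| ID                     | 3                            |
| URLs                   | ['ldap://company-ad.com']    |
| POSIX Primary Provider | True                         |
+------------------------+------------------------------+"""
PROVIDER_4 = """vcli: admin> ldap show --id 4
+------------------------+------------------------------+
| ID                     | 4                            |
| URLs                   | ['ldap://ldap2.example.com'] |
| POSIX Primary Provider | False                        |
+------------------------+------------------------------+"""

if __name__ == "__main__":
    print(check_posix_primary([PROVIDER_3, PROVIDER_4], expected_id=3) or "OK")
```

Pass expected_id to confirm that the provider holding the correct POSIX attributes is the one that wins conflicts.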