
RFC2307 and RFC2307Bis

0

I have a question regarding RFC2307 and RFC2307Bis on FSx OpenZFS. How is this setup?

asked 2 years ago, 674 views
2 Answers
0

This answer is inaccurate: FSx for OpenZFS (FSxZ) currently has no integration with AD/LDAP.

AWS
answered 5 months ago
-1
Accepted Answer

Overview of RFC2307 and RFC2307bis

RFC2307 and RFC2307bis are standards that define how to store UNIX and Linux user and group information in an LDAP directory. These standards enable the integration of UNIX/Linux systems with directory services, such as Active Directory or other LDAP-based directories, allowing centralized management of user and group identities.

  • RFC2307: Defines schema for storing user and group information in LDAP directories, including attributes like uid, gid, homeDirectory, and loginShell.
  • RFC2307bis: An extension of RFC2307 that introduces additional attributes and changes to better support POSIX compliance and improve flexibility. It includes support for managing group memberships with multi-valued attributes.

Setting Up RFC2307 and RFC2307bis on FSx for OpenZFS

FSx for OpenZFS supports integration with Active Directory (AD), which can use RFC2307 or RFC2307bis schemas to store UNIX user and group information. Here’s how to set up and configure FSx for OpenZFS with RFC2307 or RFC2307bis:

Prerequisites

  1. Active Directory Domain: You must have an Active Directory domain set up and accessible.
  2. LDAP Tools: Tools to manage and view LDAP entries (e.g., ldapsearch, ldapmodify).

Steps to Configure FSx for OpenZFS with RFC2307 or RFC2307bis

1. Create or Update User and Group Entries in AD:

  • Ensure that UNIX attributes are correctly populated in AD for users and groups.
  • Use the Active Directory Users and Computers console to manage these attributes.
  • For RFC2307: Populate attributes like uidNumber, gidNumber, unixHomeDirectory, loginShell.
  • For RFC2307bis: Additionally, populate posixGroup, memberUid, gidNumber, and other relevant attributes.

2. Install and Configure LDAP Client on the Linux/UNIX Systems:

  • Install LDAP client utilities (e.g., libnss-ldap, libpam-ldap, nscd).
  • Configure /etc/nsswitch.conf to use LDAP for passwd, group, and shadow lookups.
  • Update /etc/ldap.conf or /etc/sssd/sssd.conf to point to the LDAP server and define the appropriate search bases.

3. Integrate FSx for OpenZFS with AD:

  • When creating the FSx for OpenZFS file system, join it to your AD domain: Ensure that the AD integration parameters include domain name, AD admin credentials, and organizational unit (OU) where the FSx for OpenZFS object should be placed.

4. Configure FSx for OpenZFS to Use RFC2307 or RFC2307bis:

  • Use the FSx management console or CLI to specify the LDAP server (your AD) and relevant schemas.
  • Ensure the file system's NFS configuration supports LDAP for UID/GID resolution.

Example Configuration Files

/etc/nsswitch.conf:

passwd:     files ldap
group:      files ldap
shadow:     files ldap

/etc/ldap.conf (or /etc/sssd/sssd.conf):

base dc=example,dc=com
uri ldap://ldap.example.com
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
bind_policy soft
pam_password md5

# For RFC2307 (keep only the nss_base_* block that matches your schema)
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group ou=Groups,dc=example,dc=com?one

# For RFC2307bis
nss_base_passwd ou=Users,dc=example,dc=com?one
nss_base_group ou=Groups,dc=example,dc=com?one

Testing and Verification

1. Verify LDAP Configuration:

Use getent passwd and getent group to ensure that UNIX user and group information is being correctly retrieved from LDAP.

2. Test FSx for OpenZFS Access:

  • Mount the FSx for OpenZFS file system on a UNIX/Linux client.
  • Check file and directory ownerships and permissions to verify that UID and GID mappings are working correctly.

By following these steps, you can successfully configure FSx for OpenZFS with RFC2307 or RFC2307bis, enabling centralized management of UNIX/Linux user and group identities through Active Directory.

EXPERT, answered 2 years ago
EXPERT, reviewed 2 years ago
  • This was very thorough. I appreciate you taking the time to be detailed on this.
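Whatever the server side does with the IDs, the directory data that the answer's step 1 and its "Testing and Verification" section rely on can be checked on its own. The following Python is an added example, not code from the answer or from AWS: it reads AD user and group entries as LDIF and flags the mistakes that break or weaken UID/GID-based ownership on an NFS client, namely a uidNumber or gidNumber shared by two entries, uidNumber 0, missing UNIX attributes, and group membership stored only as member DNs (RFC2307bis form) where RFC2307 clients read memberUid. The DNs, numbers and LDIF text are constructed sample data.

```python
# Added example (not from the answer or AWS): sanity-check RFC2307/RFC2307bis POSIX data
from collections import defaultdict

def parse_ldif(text):
    """Minimal LDIF reader -> list of {attr: [values]} (no base64, no line folding)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for attr, _, value in (line.partition(": ") for line in block.splitlines()):
            entry[attr].append(value)
        entries.append(dict(entry))
    return entries

def check_entries(entries, schema="rfc2307"):
    """Return (dn, problem) tuples. RFC2307 clients read memberUid; RFC2307bis read member DNs."""
    problems, uids, gids = [], defaultdict(list), defaultdict(list)
    want, other = ("memberUid", "member") if schema == "rfc2307" else ("member", "memberUid")
    for e in entries:
        dn, classes = e["dn"][0], {c.lower() for c in e.get("objectClass", [])}
        if "uidNumber" in e:  # AD user carrying UNIX attributes (step 1 of the answer)
            problems += [(dn, f"missing {a}") for a in ("gidNumber", "loginShell") if a not in e]
            if e["uidNumber"] == ["0"]:
                problems.append((dn, "uidNumber 0 maps the account to root on NFS clients"))
            uids[e["uidNumber"][0]].append(dn)
        if classes & {"group", "posixgroup"}:
            gids[e.get("gidNumber", ["<none>"])[0]].append(dn)
            if other in e and want not in e:  # membership stored in the form the client ignores
                problems.append((dn, f"{schema} clients read {want}; group has only {other}"))
    for label, table in (("uidNumber", uids), ("gidNumber", gids)):
        for num, dns in table.items():
            if len(dns) > 1:  # two identities behind one number defeat ownership checks
                problems.append((dns[0], f"{label} {num} shared by {len(dns)} entries"))
    return problems
# Constructed sample: shared uidNumber, missing attributes, DN-only group membership.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=com
objectClass: user
uidNumber: 10001
gidNumber: 20001
loginShell: /bin/bash

dn: CN=bob,OU=Users,DC=example,DC=com
objectClass: user
uidNumber: 10001

dn: CN=devs,OU=Groups,DC=example,DC=com
objectClass: group
gidNumber: 20001
member: CN=alice,OU=Users,DC=example,DC=com
"""
```

Run `check_entries(parse_ldif(SAMPLE_LDIF), "rfc2307")` against an export from ldapsearch; an empty list means the entries are consistent for that schema, and anything else should be fixed in AD before trusting getent or file ownership on the mounted file system.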
