Directory Services

This section describes the directory services that can be configured on Oracle ZFS Storage Appliance and their security ramifications.

Network Information Service

Network Information Service (NIS) is a name service for centralized directory management. Oracle ZFS Storage Appliance can act as a NIS client for users and groups so that NIS users can log in to FTP and HTTP/WebDAV. NIS users can also be granted privileges for appliance administration; the appliance supplements the NIS user and group information with its own privilege settings. Note that NIS itself neither authenticates the server nor encrypts what it carries: passwd and group maps travel in clear text over RPC, so the network path between the appliance and the NIS server must be trusted. Where the choice exists, LDAP over TLS or Kerberos (described next) gives the same directory function with server authentication and encryption.

Lightweight Directory Access Protocol

Oracle ZFS Storage Appliance uses Lightweight Directory Access Protocol (LDAP) to authenticate both administrative users and some data services users (FTP, HTTP). The appliance supports LDAP over SSL/TLS. LDAP is used to retrieve information about users and groups in the following ways:

  • Provides user interfaces that accept and display names for users and groups.

  • Maps names to and from users and groups, for data protocols like NFSv4 that use names.

  • Defines group membership for use in access control.

  • Optionally, carries authentication data used for administrative and data access authentication.

LDAP can also serve as the authentication mechanism itself. When a user attempts to authenticate to Oracle ZFS Storage Appliance, the appliance can bind to the LDAP server as that user with the password the user supplied; a successful bind verifies the credentials, so the appliance never needs to see or store the user's password hash.

There are a variety of controls for LDAP connection security:

  • Appliance-to-server authentication:

    • Appliance is anonymous

    • Appliance authenticates using user's Kerberos credentials

    • Appliance authenticates using specified "proxy" user and password

  • Server-to-appliance authentication (ensuring that the correct server has been contacted):

    • Unsecured

    • Server is authenticated using Kerberos

    • Server is authenticated using a TLS certificate

Data carried over an LDAP connection is encrypted when Kerberos or TLS is used and is sent in clear text otherwise. When TLS is used, the first connection at configuration time is not authenticated: the appliance accepts whatever certificate the server presents, stores it, and uses it to authenticate later production connections. This is trust on first use, so an attacker positioned between the appliance and the LDAP server during that single configuration step could have a certificate of their choosing captured and trusted from then on. Perform the initial configuration over a trusted network path and verify the fingerprint of the captured certificate against one obtained out of band from the LDAP server's administrator before relying on it.

It is not possible to import a Certificate Authority certificate to authenticate multiple LDAP servers, nor to import a particular LDAP server's certificate manually. Each configured server's certificate is therefore captured individually on first contact, and a change of server certificate requires that capture to be repeated.

Only LDAP over TLS on a dedicated port (LDAPS) is supported. STARTTLS connections, which begin on an unsecured LDAP connection and then upgrade it to TLS, are not supported. LDAP servers that require a client certificate (mutual TLS) are not supported.
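The out-of-band fingerprint check that makes the trust-on-first-use capture safe can be done from any host with Python. The script below is an example added for this page and is not appliance code: it performs the same unverified TLS handshake the appliance's first connection does, prints the server certificate's SHA-256 fingerprint, and refuses to proceed if it does not match a value supplied by the LDAP administrator. The host, port and the sample byte strings used by the offline helpers are assumptions.

```python
"""LDAPS first-contact fingerprint check (example for this page, not appliance code)."""
import hashlib
import hmac
import socket
import ssl
import sys


def fingerprint_sha256(der_cert: bytes) -> str:
    """Colon-separated, uppercase SHA-256 fingerprint of a DER-encoded certificate,
    the format most admin tools (openssl x509 -fingerprint -sha256) display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Strip colons, spaces and case so differently formatted fingerprints compare."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def matches_pin(observed: str, expected: str) -> bool:
    """Constant-time comparison of an observed fingerprint with the pinned value."""
    return hmac.compare_digest(normalize(observed), normalize(expected))


def fetch_server_cert_der(host: str, port: int = 636) -> bytes:
    """Unverified TLS handshake: deliberately the same blind first contact the
    appliance makes. An on-path attacker can substitute a certificate here,
    which is exactly why the result must be checked against an out-of-band value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def first_contact_check(host: str, expected_fp: str, port: int = 636) -> str:
    """Fetch the live certificate and refuse unless it matches the pinned fingerprint."""
    observed = fingerprint_sha256(fetch_server_cert_der(host, port))
    if not matches_pin(observed, expected_fp):
        raise SystemExit(f"REFUSE: {host}:{port} presented {observed}, expected {expected_fp}")
    return observed


if __name__ == "__main__":
    # Usage: python ldaps_pin.py ldap.example.com AB:CD:...   (host and value are assumptions)
    if len(sys.argv) != 3:
        sys.exit("usage: ldaps_pin.py <ldap-host> <expected-sha256-fingerprint>")
    print("OK, server presented", first_contact_check(sys.argv[1], sys.argv[2]))
```

The expected value should come from the LDAP administrator over a channel the network attacker cannot influence, for example `openssl x509 -noout -fingerprint -sha256 -in server.pem` run on the server itself. Because the appliance cannot import certificates manually, run this check immediately before performing the appliance's first LDAPS connection from the same network position, and again after any server certificate change before repeating the capture.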

Identity Mapping

Clients can access file resources on Oracle ZFS Storage Appliance using SMB or NFS, and each protocol identifies users differently. SMB/Windows users have Security Identifiers (SIDs) and UNIX/Linux users have User IDs (UIDs). Users can also be members of groups, identified by group SIDs for Windows users or Group IDs (GIDs) for UNIX/Linux users.

In environments where file resources are accessed using both protocols, it is often desirable to establish identity equivalences where, for example, a UNIX user is equivalent to an Active Directory user. This is important for determining access rights to file resources on the appliance.

There are different types of identity mapping that involve directory services, such as Active Directory, LDAP, and NIS. Because the appliance trusts the directory's answers, anyone who can write the mapping attributes on a directory object (or edit NIS maps) can choose which UNIX identity a Windows user becomes, and vice versa, so the directory's own access controls and transport security are part of the file-access security of the appliance. Care should be taken to follow the security best practices for the directory service being used.

Identity Management for UNIX

Microsoft offers a feature called Identity Management for UNIX (IDMU). This software was available as a separate download for Windows Server 2003 and was bundled with Windows Server 2003 R2 and later versions; in its unbundled form it was part of what was formerly called Services for UNIX. Microsoft deprecated IDMU in Windows Server 2012 R2 and removed it from Windows Server 2016, but the UNIX attributes it populates remain in the Active Directory schema and can still be set with other tools.

The primary use of IDMU is to support Windows as a NIS/NFS server. IDMU lets the administrator specify a number of UNIX-related parameters: UID, GID, login shell, home directory, and similar for groups. These parameters are made available through AD using a schema similar to, but not identical with, RFC 2307 (for example, AD stores the home directory in unixHomeDirectory where RFC 2307 uses homeDirectory), and through the NIS service.

When the IDMU mapping mode is used, the identity mapping service uses these UNIX attributes to establish mappings between Windows and UNIX identities. This approach is very similar to directory-based mapping, except the identity mapping service queries the property schema established by the IDMU software instead of allowing a custom schema. When this approach is used, no other directory-based mapping can be used.

Directory-based Mapping

Directory-based mapping involves annotating an LDAP or Active Directory object with information about how the identity maps to an equivalent identity on the opposite platform. The extra attributes that carry this information must be populated on each object, and unlike IDMU mode the attribute names used are configurable.

Name-based Mapping

Name-based mapping involves creating various rules that map identities by name. These rules establish equivalences between Windows identities and UNIX identities.

Ephemeral Mapping

If no name-based mapping rule applies to a particular user, that user is given temporary credentials through an ephemeral mapping unless a deny mapping blocks them. When a Windows user with an ephemeral UNIX identity creates a file, Windows clients accessing the file using SMB see that the file is owned by that Windows identity. NFS clients, however, see the file as owned by "nobody", because the ephemeral UID corresponds to no entry in the UNIX user database.
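The interaction between IDMU (directory-based) mapping, name-based rules, deny rules and the ephemeral fallback described in the sections above is easiest to see in a small model. The following is an example written for this page, not the appliance's identity mapping service: the AD objects, the UNIX user table, the ephemeral UID range and the evaluation order (directory attributes first, then rules in order, then ephemeral) are all assumptions chosen so that each mapping kind is exercised once.

```python
"""Model of Windows-to-UNIX identity mapping (example for this page, not appliance code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed AD objects. alice carries IDMU-style UNIX attributes
# (AD uses unixHomeDirectory where RFC 2307 uses homeDirectory); the others do not.
AD_USERS = {
    "EXAMPLE\\alice": {"uidNumber": 10001, "gidNumber": 10001,
                       "unixHomeDirectory": "/export/home/alice",
                       "loginShell": "/bin/bash"},
    "EXAMPLE\\bob": {},
    "EXAMPLE\\svc-backup": {},
    "EXAMPLE\\guest": {},
}

# Constructed UNIX user table (name -> UID), as NIS or LDAP would supply it.
UNIX_USERS = {"alice": 10001, "bob": 10002, "backup": 10003}
UID_TO_NAME = {uid: name for name, uid in UNIX_USERS.items()}

EPHEMERAL_BASE = 0x80000000  # assumed start of the ephemeral UID range


@dataclass
class Rule:
    winname: str          # glob over "DOMAIN\\user", e.g. "EXAMPLE\\*"
    unixname: str = "*"   # "*" means "same name with the domain stripped"
    deny: bool = False    # a deny rule blocks the user instead of mapping it


@dataclass
class Mapping:
    kind: str             # "idmu", "rule", "deny" or "ephemeral"
    uid: Optional[int]    # None when the user is denied
    smb_owner: str        # owner an SMB client sees on a file created by this user
    nfs_owner: str        # owner an NFS client sees on the same file


class IdentityMapper:
    def __init__(self, rules, idmu_mode: bool = False):
        self.rules = list(rules)
        self.idmu_mode = idmu_mode
        self._ephemeral = {}  # winname -> stable ephemeral UID for this session

    def win_to_unix(self, winname: str) -> Mapping:
        # 1. IDMU mode: use uidNumber from the AD object when it is present.
        if self.idmu_mode:
            attrs = AD_USERS.get(winname, {})
            if "uidNumber" in attrs:
                uid = attrs["uidNumber"]
                return Mapping("idmu", uid, winname, UID_TO_NAME.get(uid, str(uid)))
        # 2. Name-based rules, first match wins; a deny rule ends evaluation.
        base = winname.split("\\", 1)[-1]
        for rule in self.rules:
            if not fnmatchcase(winname, rule.winname):
                continue
            if rule.deny:
                return Mapping("deny", None, winname, "")
            target = base if rule.unixname == "*" else rule.unixname
            if target in UNIX_USERS:
                return Mapping("rule", UNIX_USERS[target], winname, target)
            # Rule matched but names no existing UNIX user: try the next rule.
        # 3. Ephemeral fallback: a temporary UID unknown to NFS clients.
        uid = self._ephemeral.setdefault(winname, EPHEMERAL_BASE + len(self._ephemeral))
        return Mapping("ephemeral", uid, winname, "nobody")


def build_mapper() -> IdentityMapper:
    """Mapper with IDMU mode on, service accounts denied, everyone else mapped by name."""
    rules = [
        Rule("EXAMPLE\\svc-*", deny=True),
        Rule("EXAMPLE\\*", "*"),
    ]
    return IdentityMapper(rules, idmu_mode=True)


if __name__ == "__main__":
    mapper = build_mapper()
    for user in AD_USERS:
        print(user, "->", mapper.win_to_unix(user))
```

Running it shows alice mapped from her AD uidNumber, bob mapped by the wildcard rule, svc-backup denied, and guest (matched by the rule but absent from the UNIX user table) falling through to an ephemeral UID that SMB reports as EXAMPLE\guest and NFS as nobody. The same model also shows why directory attributes need protecting: changing alice's uidNumber to 10002 would make her files appear to NFS clients as bob's.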