How to use LDAP with NFS Volume Services

Article ID: 297946

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

When enabling NFS Volume Services, you have the option to integrate NFS Volume Services with an LDAP Server. This option is provided to enhance the security of your files.

By default, when a user binds an NFS volume service to their application, he or she can provide an arbitrary user ID and group ID (i.e., UID & GID). There is no validation on what is entered, so a malicious user who knows the UID or GID of another user or group could use this as a way to mount that other user or group's files.

When integrated with LDAP, the option to specify a UID and GID is removed. Instead, users must enter their LDAP credentials. These credentials are checked and only when they are valid will they be used to mount the NFS volume. This behavior prohibits the malicious user in the previous scenario from mounting another user or group's files without that user's credentials.

Environment

Product Version: 2.2

Resolution

When LDAP support is enabled for NFS Volume Services, you are prompted for the following information.
  • A service account
  • The service account login & password
  • The LDAP host & port
  • The distinguished name for the organizational unit on your LDAP server where your users reside.
This information is combined with the information a user provides when creating and binding their services.
  • A user creates an NFS volume service & provides the NFS server and mount information.
  • A user binds the NFS volume service to their app. The binding provides the mount path inside the container and also provides the user's LDAP credentials.
The NFS Volume Services driver uses all of this information when it mounts NFS volumes as the application container is started. When a container is starting, the volume services driver (not the application) is responsible for mounting the NFS volume.

With LDAP enabled, it will take the following steps to mount the volume.
  1. It makes a connection to the LDAP server & port defined in the NFS Volume Services configuration from Ops Manager. It connects with the service account and password.
  2. When connected, it executes an LDAP search starting at the OU (organizational unit) specified in the NFS Volume Services configuration in the Ops Manager and recursively looks through the subtree. It uses the filter (&(objectClass=User)(cn=<username>)) where username is the username entered by the user as they bind the volume service to their app. The filter is not configurable at this time.
  3. If the search from the previous step returns a user, the Volume Services driver will then attempt to bind to the LDAP server as this user with the password that was specified by the user when the user bound the volume service to his or her app.
  4. If the driver is successful in binding with the user's credentials, it will then take the uid and gid from that user's LDAP record.
  5. The driver will mount the NFS volume using the UID and GID that were retrieved from LDAP. If the mount operation is successful, the container will continue its start up process.
If any of the steps above fail, for example the user cannot be found or binding as the user fails, the driver will fail and this will cause the application container to fail to start. Details about why the mount failed can be found in the nfsv3driver logs on the Cell where the application container attempted to start.
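The following Python model walks through the five steps above in code. It is an added example, not the nfsv3driver's own code: the LDAP server is replaced by a small in-memory directory so the flow runs offline, the sample entries and passwords are constructed, and the attribute names uidNumber and gidNumber (the RFC 2307 posixAccount attributes) are an assumption, since the article only says the driver reads "the uid and gid" from the user's record. The example also escapes the username before it is placed in the filter string (RFC 4515); the article does not say whether the driver does this, so treat that as the example's own choice. The in-memory directory matches on the username directly rather than parsing the filter text.

```python
"""Model of the LDAP-backed mount decision: bind as the service account,
subtree-search the configured OU for (&(objectClass=User)(cn=<username>)),
bind as the found user, read uid/gid from that record, then mount with them.
Every step that fails turns into a MountError, which is what makes the
application container fail to start."""
from dataclasses import dataclass

# RFC 4515 escaping for a value interpolated into a search filter (example's choice).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str) -> str:
    """The fixed, non-configurable filter described in the article."""
    return f"(&(objectClass=User)(cn={escape_filter_value(username)}))"


@dataclass
class Entry:
    dn: str
    attrs: dict       # attribute name -> list of values
    password: str     # constructed sample; a real server stores a hash


class FakeDirectory:
    """Stand-in for an LDAP server: simple bind plus a subtree search on the fixed filter."""

    def __init__(self, entries):
        self._entries = {e.dn.lower(): e for e in entries}

    def bind(self, dn: str, password: str) -> bool:
        e = self._entries.get(dn.lower())
        return e is not None and e.password == password

    def search_user(self, base_dn: str, username: str):
        """Subtree scope: only entries at or below base_dn are considered.
        cn and objectClass use LDAP's case-insensitive matching."""
        base = base_dn.lower()
        return [
            e for e in self._entries.values()
            if (e.dn.lower() == base or e.dn.lower().endswith("," + base))
            and "user" in [v.lower() for v in e.attrs.get("objectClass", [])]
            and username.lower() in [v.lower() for v in e.attrs.get("cn", [])]
        ]


class MountError(Exception):
    """Any failed step; the driver logs the reason and the container does not start."""


@dataclass
class LdapConfig:            # the values entered in the Ops Manager tile
    host: str
    port: int
    service_dn: str
    service_password: str
    user_ou: str


def resolve_uid_gid(directory: FakeDirectory, cfg: LdapConfig, username: str, password: str):
    # Step 1: connect to host:port and bind with the service account.
    if not directory.bind(cfg.service_dn, cfg.service_password):
        raise MountError(f"service account bind to {cfg.host}:{cfg.port} failed")
    # Step 2: subtree search from the configured OU using the fixed filter.
    found = directory.search_user(cfg.user_ou, username)
    if len(found) != 1:
        raise MountError(f"search {build_filter(username)} under {cfg.user_ou} "
                         f"returned {len(found)} entries")
    user = found[0]
    # Step 3: bind as the found user with the password given at service-bind time.
    if not directory.bind(user.dn, password):
        raise MountError(f"bind as {user.dn} failed")
    # Step 4: take uid and gid from the user's own LDAP record (uidNumber/gidNumber assumed).
    try:
        return int(user.attrs["uidNumber"][0]), int(user.attrs["gidNumber"][0])
    except (KeyError, IndexError, ValueError) as exc:
        raise MountError(f"{user.dn} has no usable uidNumber/gidNumber") from exc


def mount_spec(uid: int, gid: int, nfs_share: str, mount_path: str) -> dict:
    # Step 5: the ids that reach the mount come from LDAP, never from what the user typed.
    return {"source": nfs_share, "target": mount_path, "uid": uid, "gid": gid}


# Constructed sample directory: a service account outside the user OU, one user with
# posix ids, and one user without them.
DIRECTORY = FakeDirectory([
    Entry("cn=svc-nfs,ou=services,dc=example,dc=com",
          {"objectClass": ["User"], "cn": ["svc-nfs"]}, "svc-secret"),
    Entry("cn=alice,ou=people,dc=example,dc=com",
          {"objectClass": ["User", "posixAccount"], "cn": ["alice"],
           "uidNumber": ["1001"], "gidNumber": ["2001"]}, "alice-pw"),
    Entry("cn=bob,ou=people,dc=example,dc=com",
          {"objectClass": ["User"], "cn": ["bob"]}, "bob-pw"),
])
CONFIG = LdapConfig("ldap.example.com", 636, "cn=svc-nfs,ou=services,dc=example,dc=com",
                    "svc-secret", "ou=people,dc=example,dc=com")


def try_mount(username: str, password: str):
    """What the driver does at container start: ('mounted', spec) or ('failed', reason)."""
    try:
        uid, gid = resolve_uid_gid(DIRECTORY, CONFIG, username, password)
    except MountError as err:
        return "failed", str(err)
    return "mounted", mount_spec(uid, gid, "nfs.example.com:/export/home", "/var/vcap/data/app")


if __name__ == "__main__":
    for creds in [("alice", "alice-pw"), ("alice", "wrong"), ("bob", "bob-pw"), ("carol", "x")]:
        print(creds[0], "->", try_mount(*creds))
```

Running it shows the only successful path is a user who exists under the configured OU, binds with the correct password, and carries both ids; the service account itself cannot be used as a mount identity because it sits outside the OU subtree, and a user whose record lacks the ids fails at step 4 rather than falling back to anything the user supplied.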

Additional Information

It is not strictly necessary to have LDAP integrated with your NFS server. The NFS Volume Services driver is simply looking at the UID or GID attributes on the LDAP record for a user. These are standard attributes, so as long as they are populated in your environment, the NFS Volume Services driver should be able to work properly.

If your NFS server is not integrated with LDAP, you may encounter issues where the uid/gid in LDAP do not match the uid/gid of user accounts on your NFS server. In this case, the NFS Volume Services driver should still be able to mount the volume, but permissions could be wrong and you may not be able to read/write files on the volume. For that reason it is best for your NFS server to be integrated with LDAP if you are going to integrate NFS Volume Services with LDAP.