7.1 Understanding the NSS AD Support
Beginning with OES 2015, like the eDirectory users, Active Directory users can also natively access the NSS resources, administer those resources, and provision rights for Active Directory trustees. OES 2015 or later enables you to join to an Active Directory domain and provide seamless access to Active Directory identities for using NSS resources. OES does not duplicate identities across eDirectory and Active Directory, thus enabling users in an Active Directory environment to access NSS resources without having the users exist in eDirectory. This solution is termed as Novell Storage Services Active Directory (NSS AD) Support.
To understand NSS AD, it is essential to know how NSS resource access was until OES 11 SP2 and how it is with OES 2015 or later.
7.1.1 NSS Resource Access Until OES 11 SP2
The following illustration, in a nutshell, depicts how authentication, authorization, and file access was until OES 11 SP2.
File Access
In the traditional OES file access model, Windows and Linux workstations use the CIFS protocol for file access. Client for Open Enterprise Server software for both Windows and Linux uses the NetWare Core Protocol (NCP) to provide the file services and Macintosh workstations communicate using AFP or CIFS. To access NSS resources using FTP, SSH, and SCP, users must be LUM-enabled.
Authentication
Only eDirectory is supported as an identity source. All file service access is controlled by eDirectory authentication.
Authorization
The authorization to access NSS resources using NCP and CIFS happens at the respective protocols level. On the other hand, users trying to access NSS resources using AFP, FTP, SSH, and SCP are authorized at NSS file system level.
Management Tools and Interfaces
OES provides the following set of management interfaces and tools to manage your network.
Rights Management: iManager, rights utility, NCPCON utilities, Client for Open Enterprise Server for Windows and Novell Client for Linux
User Management: iManager
Storage Management: iManager, NRM (DST Policy Management, primary shadow volume management and so on), NSSMU, and NLVM.
7.1.2 NSS Resource Access with OES 2015 or Later
The following diagram, in a nutshell, depicts how authentication, authorization, and file access is with OES 2015 or later.
File Access
With OES 2015 SP1 or later, Active Directory users can authenticate to Active Directory and natively access NSS resources using the CIFS and FTP protocol. NSS file access for Active Directory users using NCP and AFP is not supported.
There is no change in the way how file access happens for eDirectory users. To know more about file access for eDirectory users, see File Access under Section 7.1.1, NSS Resource Access Until OES 11 SP2.
Authentication
With OES 2015 or later, both eDirectory and Active Directory are supported as an identity source, and OES enables the NSS file system to accept Active Directory identities as trustees.
CIFS identifies the type of user trying to access the NSS resource and authenticates the user using the respective identity source. For example, when an Active Directory user attempts to access NSS resource, authentication is controlled by Active Directory using kerberos. On the other hand, for eDirectory users, authentication is controlled by eDirectory.
Authentication of eDirectory users using NCP, AFP, FTP, SSH, and SCP is controlled by eDirectory.
Authorization
For both eDirectory and Active Directory users using CIFS, the authorization happens at the NSS level.
For eDirectory users using NCP, the authorization happens at NCP level. For eDirectory users using AFP, FTP, SSH, and SCP, the authorization happens at the NSS level.
Management Tools and Services
OES 2015 introduced some new tools which are used along with the existing tools to manage your network.
Rights Management: NFARM (AD only), iManager (eDirectory only), rights utility (supports AD and eDirectory), Client for Open Enterprise Server for Windows and Novell Client for Linux (eDirectory only), NCPCON utilities (eDirectory only).
User Management: iManager (only eDirectory). The Active Directory user management is using the native AD tools like MMC (Microsoft Management Console).
Storage Management: iManager, NRM (DST Policy Management, primary shadow volume management and so on), NSSMU and NLVM.
User and ACL Mapping: OES User Rights Management (NURM) is a tool that helps to create and save the mapping of eDirectory and Active Directory users. It is then used to assign ACLs and write them on to NSS media. After mapping, every AD identity that has been mapped to an eDirectory user, group, or container will get the same rights on the NSS resource as that of an eDirectory identity.
Identity Translator: Novell Identity Translator (NIT) is an identity translator that generates or fetches UIDs based on the configuration and allows eDirectory and Active Directory users to access NSS resources natively. For more information, see Section 7.5, About Novell Identity Translator (NIT).