This blog is meant as a how-to for enabling LDAP logon for users on an HMC, where only the password is validated against an LDAP server.
All other HMC-specific user settings remain in the local HMC user settings.
Those HMC LDAP users verify their password against a secure LDAP server. In this how-to I describe how to connect the HMC to an IBM SDS6.4 LDAP server. However, it doesn't matter whether your HMC connects to an IBM or a Linux (open) LDAP server; it works for both.
Why would you want to connect to a central LDAP server in the first place? Many answers are valid here, but the main one is security: if you have LDAP server(s) in place, your company most likely also has a password policy in place, so that passwords are rotated frequently, or even better, you use a combination of a password and an MFA (Multi-Factor Authentication) key.
The following 3-4 steps will guide you through enabling LDAP authentication for an HMC user over a secure SSL/LDAP connection.
Step 1. Create the right certificates for the HMCs so that they can connect via secure LDAP (port 636/SSL). The HMC LDAP client is OpenLDAP (Linux based), so you have to create those certificates in PEM format.
Below is an example of how to convert certificates to PEM format with OpenSSL:
openssl pkcs12 -in /data/ldapcert.pfx -out ldapcert.pem -clcerts
Then you have to upload those certificates to the HMC; the easiest method is to use scp, see the example below:
scp ldapcert.pem existinguser@hmc:
After this you need to import the certificate(s) for each LDAP server you want to use.
This can be done on the command line interface of your HMC with the following command:
getfile -t ldapcacert -l l -f /home/existinguser/ldapcert.pem
After this command the certificate(s) are removed from the place where you copied them! Repeat this step for every certificate you want to import.
Step 2. Configure the LDAP server connections on your HMC.
Path: Users and Security -> Systems and Console Security -> Manage LDAP
In this how-to we only configure central password authentication, so the LDAP servers are only queried for passwords. We don't use AD, but this is also possible; then you have to enable both LDAP and Kerberos. (I have not tested this yet.)
For authentication to an OpenLDAP server or to SDS6.4 you have to use the following settings:
Enable LDAP
Primary URI (the primary LDAP server)
Example format: ldaps://testldap1@domain:636
A valid hostname in a valid domain, or an IP address.
Backup URI
(only if you have a backup or peer-to-peer LDAP configuration).
Use Non-Anonymous binding: set
Use the Following Attribute for User Distinguished Name Tree:
This is the tree on the LDAP servers where the HMC LDAP users and their passwords are stored, for example:
ou=hmcuserdb,cn=aix,ou=unix,o=test,c=nl
See below for a complete example of the HMC GUI:
Step 3: Now create an HMC user, or use an existing user.
Path: Users and Security -> Manage User Profiles and Access -> User add or Modify.
Be aware that an HMC username must start with a letter. Accounts that start with a number or consist only of numbers do not work (error 255, invalid username). For a new user, create the user just as you would a local user, except that you now choose LDAP Authentication. For an existing user, switch the authentication field from Local to LDAP Authentication.
For the pseudo-DN syntax (CN=THIS) used in the ACL entry below, see:
https://www.ibm.com/docs/en/sdse/6.4.0?topic=syntax-pseudo-dns
Now create an LDIF file, for example this.ldif, with the following content. The ACL entry gives each user (the pseudo-DN CN=THIS, i.e. the bound user itself) read, write, search and compare access to its own userPassword attribute, and read, search and compare access to its normal attributes:
dn: ou=aixuser,cn=aixsecdb,cn=aixdata,ou=unix,o=bank.local,c=nl
changetype: modify
delete: aclentry
aclentry: access-id:CN=THIS:at.userPassword:rwsc
-
add: aclentry
aclentry: access-id:CN=THIS:at.userPassword:rwsc:normal:rsc
Then apply this LDIF input file to the LDAP server, see the example below:
/opt/IBM/ldap/V6.4/bin/idsldapmodify -Z -K /etc/security/ldap/keystore.kdb -P <passwd> -p 636 -h <hostname> -D cn=admin -w <passwd> -k -i this.ldif
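Before touching the HMC, it helps to check the inputs of steps 1 to 3 in one place. The following Python preflight check is an added example, not code from the original post or from IBM; it assumes a PEM file as produced by the openssl command in step 1, the ldaps://host:636 URI format of step 2, and the username rule of step 3. The embedded SAMPLE_PEM is a constructed placeholder, not a real certificate.

```python
"""Preflight checks for the HMC LDAP setup above (added example, not IBM HMC code)."""
import base64
import re
from urllib.parse import urlparse

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Constructed sample: a syntactically valid PEM block around a tiny DER SEQUENCE,
# not a real certificate. In practice pass the ldapcert.pem produced in step 1.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

def pem_certificates(pem_text: str) -> list:
    """DER bytes of each CERTIFICATE block: the HMC's OpenLDAP client needs PEM, a .pfx yields []."""
    certs = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE (tag 0x30)
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        certs.append(der)
    return certs

def check_ldap_uri(uri: str):
    """Accept only ldaps:// with a hostname (step 2 format); return (host, port), 636 by default."""
    parsed = urlparse(uri)
    if parsed.scheme != "ldaps":
        raise ValueError(f"{uri!r}: use ldaps://, plain ldap:// would send passwords unencrypted")
    if not parsed.hostname:
        raise ValueError(f"{uri!r}: missing hostname")
    return parsed.hostname, parsed.port or 636

def check_hmc_username(name: str) -> bool:
    """Step 3 rule: the name must start with a letter; digit-leading or all-digit names fail."""
    return bool(name) and name[0].isalpha()

def preflight(pem_text: str, uris: list, username: str) -> list:
    """Collect every problem so all can be fixed before the HMC is touched; [] means go."""
    problems = []
    try:
        if not pem_certificates(pem_text):
            problems.append("PEM file contains no CERTIFICATE block")
    except ValueError as exc:
        problems.append(str(exc))
    for uri in uris:
        try:
            check_ldap_uri(uri)
        except ValueError as exc:
            problems.append(str(exc))
    if not check_hmc_username(username):
        problems.append(f"{username!r}: HMC usernames must start with a letter (error 255)")
    return problems
```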
Hopefully this contribution to the community is helpful for others who have the same intention I had: to make HMC password management more secure and easier to maintain.
Any comments on this blog are appreciated! Additions and comments you send me will be read and incorporated.