HMC & CMC

 View Only

Enable LDAP password authentication for HMC users

By Christian Sonnemans posted Fri October 27, 2023 06:56 AM

  

This blog is meant as a how-to for enabling Ldap logon users on a HMC, that only do a password validation against an Ldap Server.

All other HMC specific user settings will remain on the local HMC user settings.
Those HMC Ldap users can verify their password by using a secure LDAP server. In this how-to I describe HMC to connect to an IBM SDS6.4 Ldap server. However is doesn’t matter if your HMC connects to a IBM or Linux (open) Ldap server, it will work for both.

Why in the first place would you like to connect to a central Ldap server? Many answers are valid here, but the main answer is security, if you have a Ldap server(s) in place then most likely you company has also a password policy in place, so that passwords are rotated frequently, or even better you have a combination of a password and an MFA key (Multi factor Authentication).
The following 3-4 steps will guide you to enable Ldap authentication for a HMC user, over a secure ssl/ldap connection.

Step 1.  Create the right certificates for the HMC’s so that they can connect via secure LDAP 636/SSL. The HMC Ldap client is Open Ldap (Linux based) so you have to create those certs in pem format.
Below an example how to convert certificates with OpenSSL to pem format.
openssl pkcs12 -in /data/ldapcert.pfx -out ldapcert.pem -clcerts

Then you have to upload those certs to the HMC, easiest method is to use scp for this see example below:

 scp ldapcert.pem existinguser@hmc:

After this you need to import those certificate(s) for each ldap server you like to use.
This can be done on het command line interface of your HMC with the following command:

getfile -t ldapcacert -l l -f /home/existinguser/cert.pem

After this command the certificate(s) are removed form the place were you copied it! Repeat this step for every certificate you like to import.

Step 2. Configure the Ldap server connections on you HMC. 
Path: Users and Security -> Systems and Console Security -> Manage LDAP
In this how-to we only configure central password authentication, so the ldap servers are only queried for passwords, we don’t use AD, but this is also possible then you have to enable both ldap and Kerberos. (I did not tested this yet).
For authentication to an Open Ldap server or to SDS6.4 you have to set the following settings: 
Enable LDAP
Primary URI (read primary Ldap server) 
Example format: ldaps://testldap1@domain:636  valid hostname in a valid domain or ip address
Backup URI (if you have a backup or peer-peer Ldap configuration).
Use Non-Anonymous binding set
Use the Following Attribute for User Distinguished Name Tree:
This is the tree on the ldap servers where the Ldap HMC passwords are stored for example:
ou=hmcuserdb,cn=aix,ou=unix,o=test,c=nl
See below a complete example of the gui interface of the HMC:

ldap settings

Step 3: Now create an HMC user, or use an existing user. 

Path: Users  and Security -> Manage User Profiles and Access -> User add or Modify.
Be aware that a HMC user must start with a character. Account that start with a number or that only exists with numbers are not working (error 255 invalid username). In case of a new user just create the user if it was a local user except now choose for Ldap Authentication. In case of an existing user switch the field form local to LAP Authentication.

Ldap user

After this step you should be able to authenticate against your Ldap server(s) with the password stored for this user. If you use IBM Ldap server you should verify if you need additional steps mentioned in step 5 below:

Validate your ldap config on the HMC can be down with:

lshmcldap -r config -v

And checking the HMC ldap user can be queried on the Ldap server(s) can be done with:

 lshmcldap -r user -v --filter "names=<Valid_Ldap_HMC_User"

This should answer something like:

name=<Valid_Ldap_HMC_User>,description=,remote_user_name=,user_properties=

Step 4. This step is only needed when you use IBM SDS as directory Ldap server.

Why? The HMC’s are using an Open Ldap (Linux client) ldap setup. Default SDS6.4 for example used together with AIX uses separate SDS6.4 Ldap client software that is not completely compatible with Open Ldap. However this software can do BOTH! It’s possible to use the default standard for AIX clients and the Open Ldap standard, but therefore you need a few extra steps on the SDS Ldap servers.

Step 4.1 On Ldap servers is a good practice to use ldif files together with a script to modify the ldap configuration, on a controlled manner, therefore use the example below to create a ldif file to modify the Ldap server(s):

cat OpenLdap.ldif

dn: cn=Front End, cn=configuration

changetype: modify

add: ibm-slapdSetEnv

ibm-slapdSetEnv: USE_OPENLDAP_PWDPOLICY_CONTROL=YES

then use the command line on the server or a script to modify the Ldap server for example on a AIX server:

/opt/IBM/ldap/V6.4/bin/idsldapmodify -Z -K /etc/security/ldap/keystore.kdb -P <passwd> -p 636 -h <hostname> -D cn=admin -w <passwd> -k -i OpenLdap.ldif

Step 5.2 Enable Pseudo DN for password verification

If you configured your ldap servers with ACL’s (access control lists) this extra step is needed to get access to the password stored on SDS.To read more about this subject check:

https://www.ibm.com/docs/en/sdse/6.4.0?topic=syntax-pseudo-dns

Again create a ldif file for example this.ldif with the following content:

dn: ou=aixuser,cn=aixsecdb,cn=aixdata,ou=unix,o=bank.local,c=nl

changetype: modify

delete: aclentry

aclentry: access-id:CN=THIS:at.userPassword:rwsc

-

add: aclentry

aclentry: access-id:CN=THIS:at.userPassword:rwsc:normal:rsc

Also modify the ldap server with this ldif input file see example below:

/opt/IBM/ldap/V6.4/bin/idsldapmodify -Z -K /etc/security/ldap/keystore.kdb -P <passwd> -p 636 -h <hostname> -D cn=admin -w <passwd> -k -i this.ldif

Hopefully this contribution to the community is helpful for other who have the same intention that I had, to make the HMC password management more secure and easier to maintain.

Any commends on this blog are appreciated! And sending me additions and commends will be read and updated. 

3 comments
31 views

Permalink

Comments

Wed November 01, 2023 03:02 AM

Hello Robert, Thanks for your comments I appreciate this, and yes, I tried to test this but our AD contains only login accounts, that starts with a number, that is not allowed on a HMC.

But the steps are almost identical accept you choose for KDC (Key Distribution Center Configuration) instead of Ldap. Be aware that working with Kerberos depends on a good, synchronized time setting (NTP). Hopefully this answer will help you?

Tue October 31, 2023 07:50 AM

Are there any examples of doing this to Windows Active Directory as your ldap server?

Fri October 27, 2023 07:30 AM

Perfect, thanks a lot!