HMC & CMC

 View Only

LDAP Support on HMC

By Santhosh S Samaka posted Fri February 09, 2024 02:07 AM

  

Security is of paramount importance to organizations and having the necessary access controls in place plays an important part in achieving the required security compliance. HMC provides different mechanisms to enforce access controls for authentication and authorization and in this blog, we will take you through the details of LDAP (Lightweight Directory Access Protocol) support on HMC and the different options available to configure the same.

LDAP on HMC

You can enable Lightweight Directory Access Protocol (LDAP) authentication on the Hardware Management Console (HMC), This will help to view, add, and remove LDAP server details from HMC.

The two modes that are supported for LDAP configuration is listed below: 

  • LDAP authentication: The user account is created on the HMC locally. User authentication is done by an LDAP server. 
  • LDAP auto-managed (Remote User Management): The HMC user's information is maintained on the LDAP server. The HMC user account is created automatically when the user logs in for the first time on the HMC. User authentication is done by either an LDAP or a Kerberos server. 

Note: The two modes LDAP authentication and LDAP auto-managed are mutually exclusive and can be configured through the Enable LDAP for Remote Management option in the Configure LDAP panel or by using the CLI command  

chhmcldap -o s --automanage {0|1}. 

The HMC authenticates with the LDAP server by means of an anonymous connection by default. You can use the chhmcldap command to set the bind distinguished name (DN) and bind password for non-anonymous binding with the LDAP server. You can use the ldapsearch command to verify the LDAP setup on the HMC.

Pre-requisites to configure LDAP on HMC 

To use LDAP authentication for the HMC, you must complete the following prerequisites:

  • Must enable LDAP authentication from the LDAP Server Definition window. 
  • Must define an LDAP server to use for authentication by supplying at least a primary URI for the LDAP server you want. 
  • Must define the search base (distinguished name tree) for the LDAP server. 
  • Must set the user profile of each remote user to use LDAP remote authentication instead of local authentication. A user that is set to use LDAP remote authentication will always use LDAP remote authentication, even when the user logs on to the HMC locally. (You do not need to set all users to use LDAP remote authentication. You can set some user profiles so that the users can use local authentication only.) 
  • Must ensure that a working network connection exists between the HMC and the LDAP servers.

LDAP Attribute Details 

General Attributes  

You can set the LDAP configuration data in the LDAP Server Definition panel. The LDAP administrator provides information about the LDAP client connection data.

  • Enable LDAP 

Select Enable LDAP to enable LDAP authentication on this HMC by using the LDAP servers that are listed for the primary URI and the backup URI. 

  • Primary URI 

Configure an LDAP server for use in authentication on the HMC by specifying the URI.  

Specify the URI in one of the following formats:

      • ldap://ldap.example.com 
      • ldaps://ldap.example.com
  • Backup URI 

Configure a backup LDAP server for use in authentication on the HMC by supplying the URI in the one of the following formats in case primary ldap server is not reachable 

      • ldap://ldap.example.com 
      • ldaps://ldap.example.com
  •  Enable TLS Encryption (STARTTLS) 

Configure the ldap client to enable with TLS communication with server. The uri with ldaps on primary or back up with this option are mutually exclusive.  

  •  Base DN(Distinguished Name Tree) 

Use this option to locate the user record for the authenticating user. For example, ou=People,dc=example,dc=com. You can specify multiple Base DNs starting with HMC V9 R1 M920. For example, "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com"\" 

  • Binddn/Bindpw  

Use this field if the LDAP server requires a bind DN and bind password to connect. 

  •  Attribute for User Login  

Use this field to specify the LDAP attribute that identifies the user being authenticated. For Microsoft Active Directory use sAMAccountName and for others uid as the attribute. 

  •  Scope (search scope) 

The search scope starting from base DN ( one - one level , sub–subtree). 

HMC with Auto manage attributes: 

  •  Enable LDAP for Remote User Management 

Select this option to enable LDAP authentication for a remote user on the HMC by using the LDAP server. LDAP users with the properties defined for HMC can logon to HMC and the user account is created automatically with automanage as the specified authentication type. User properties like task role, resource roles are retrieved based on the properties set in the attribute specified in the LDAP server.  Each time the user logs on, the user account is refreshed with the current user definition retrieved from the LDAP server.

  • LDAP Remote User Management Configuration 

LDAP Attribute to Retrieve User Properties 

This is to define the LDAP attribute that locates and retrieves the role and authorization properties of the user being authenticated. For example: description field of MicrosoftAD. The default attribute is ibmaixAdminPolicyEntry.

This attribute value is used to retrieve the user properties to be used in the HMC.  The required user property is taskrole. Other user properties are optional.

The user properties which are defined on the LDAP server are specified as key=value pairs that are separated by commas. All user properties, as supported in mkhmcusr and chhmcusr, are applicable to LDAP user except for description, idle_timeout, verify_timeout, authentication_type, passwd, pwage, and min_pwage.

The taskrole is a required property. Login will fail if it is not specified on User property attribute.  

The resourcerole property can have multiple roles separated by the '#' character. If the resourcerole property is defined with multiple roles, the first valid role in the list on the HMC is used for the user. If none of the specified roles are valid, the login is denied.

If the remote_user_name property is specified, and LDAP is configured with Kerberos authentication, the user will be authenticated using Kerberos upon log on to the HMC.

The auto_remove property is applicable for LDAP users only. It can be defined with following values:

0: Do not remove the user account. This is the same as not having the property specified.

1: Remove the user account on HMC if the user record on LDAP server does not exist or has an invalid taskrole.

2: Remove all auto-managed LDAP user account(s) on HMC that does not have a comparable user record on LDAP server or a valid task role. 

If you are unable to retrieve user properties due to an error, you can use the  lshmcldap -r user - v command to validate whether the properties are defined for the user on the LDAP server. 

Examples:

The HMC is configured to use LDAP server myldap.company.com to manage LDAP users using the user properties from the attribute description which is mapped to hmcuserpropsattribute of the hmc ldap property:

# lshmcldap -r config 

primary=ldap://myldap.company.com,backup=,"basedn=ou=People,dc=company,dc=com",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,binddn,bindpwset=,automanage=1,auth=ldap,s earchfilter=,scope=sub 

Configure taskrole and multiple resourserole  

taskrole=hmcviewer,resourcerole=role1#role2#role3,..

To remove the user account on HMC, if the user is no longer assigned to work on HMC, the attribute description must have the string 

taskrole=hmcviewer,resourcerole=role1#role2#role3,auto_remove=1,.. 

  •  LDAP Group Login (Optional)

Supported from HMC V10 R2 M1030 onwards

This is used to validate and authenticate from the LDAP server for the user who is mapped to a LDAP group. These user roles and properties which is associated with group are used when the HMC user is created or updated with LDAP group attribute for an automatically managed LDAP user.  

LDAP Group Login and Attribute for Group Members are mutually dependent. 

Refer Table 1 in this document. 

  •  Attributes for Group Members (Optional)

Introduced V10R2 onward. 

This is used to validate and authenticate whether user is member of a particular group on LDAP server. This parameter is valid when the HMC user is created or updated for an automatically managed LDAP user.

LDAP Group Login and Attribute for Group Members are mutually dependent.

Refer Table 1 in this document. 

  •  Use Kerberos for User Authentication 

Select this option to specify that the remote user is to be authenticated by Kerberos. This option applies only to remote user management.

  • LDAP Attribute to Retrieve Remote User ID (optional) 

Upon selection of above option, you can specify an LDAP attribute to locate and retrieve the remote authentication name from the LDAP server. For example, the attribute such as userPrincipalName. You also can define the Kerberos remote authentication name by using the attribute remote_user_name in the User Properties fill. 

How to Configure LDAP on HMC

LDAP can be configured on HMC using the GUI or CLI. With the example above, the following chhmcldap and comparable GUI panel is used to configure the LDAP.

LDAP Configuration by using the CLI command:

  • Prior to HMC V10 R2 M1030:

chhmcldap -o s --primary  ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com"\" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description  --automanage 1 --hmcgroups testldap --scope one

  • Starting from HMC V10 R2 M1030 , you can also configure ldap server group based authentication.
    chhmcldap -o s --primary  ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com"\" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description  --automanage 1 --scope one --groupattribute group --memberattribute member

LDAP Configuration by using the HMC UI:
 

  •  Login to HMC.
  • Users and Security > Systems and Console Security > Manage LDAP
  •  The LDAP Server Definition panel opens for you to configure the LDAP on the HMC.

Prior to HMC V10 R2 M1030

HMC V10 R2 M1030 Onward

How to configure HMC with auto-manage mode

Note : All below example shown below is with MicrosoftAD as LDAP server

To allow user to log in HMC in auto-managed mode, the user's attribute hmcuserpropsattribute must contain the following information:

Required Properties:
taskrole="A valid HMC taskrole"

Optional Properties:
resourcerole="A valid HMC resourcerole" 
remove_webui_access={0|1} 
remote_ssh_access={0|1} 
session_timeout="time-out in minutes" 
idle_timeout={time-out in minutes} 
inactivity_expiration={number of days} 
auto_remove={0|1}
 remote_user_name="Kerberos remote userID
hmcgroups={name of the hmcldapgroup}" -----(This hmcgroup parameter is only available in CLI)

Example:

If attribute description is used to specify the HMC User Properties, it would contain the following string for HMC Log-in.

description="taskrole=hmcviewer"

It could also have all HMC User Properties defined.

description="taskrole=hmcviewer, resourcerole=hmcviewer,session_timeout
=20,remote_webui_access=0,remote_ssh_access=1,auto_remove=1,remote_use r_name=user@example.com "

HMC user property configuration on LDAP Server

Execute below command with proper configuration on HMC to enable auto manage 
chhmcldap -o s --primary ldap://www.ldap.com --basedn cn=testuser,dc=test,dc=ibm,dc=com --binddn cn=testadmin,cn=testuser,dc=test,dc=ibm,dc=com --bindpw password --loginattribute sAMAccountName --hmcuserpropsattribute description  --automanage 1

 

#lshmcldap -r user --filter names=test_ad
name=test_ad,"description="" taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole""",remote_user_name=,"user_properties="" taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole"""

HMC Group configuration on LDAP Server

This parameter can be used , when ldap server has many users but only some of users need to be logged in to HMC in that case hmcgroup property can be set on LDAP server attribute.

  • Add name of the group to the field which will be mapped to –hmcuserpropsattribute

Execute below command with proper configuration on HMC to enable HMC group-based authentication.
chhmcldap -o s --primary ldap://www.ldap.com --basedn cn=testuser,dc=test,dc=ibm,dc=com --binddn cn=testadmin,cn=testuser,dc=test,dc=ibm,dc=com --bindpw password --loginattribute sAMAccountName --hmcuserpropsattribute description  --automanage 1 --hmcgroups testldap

  • Note : In this configuration the users who have testldap hmcgroup in their Description are allowed to login to HMC.
    #lshmcldap -r user --filter names=test_ad

    name=test_ad,"description="" taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole,hmcgroups=testgroup""",remote_user_name=,"user_properties="" taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole,hmcgroups=testgroup"""

LDAP Server Group configuration on HMC
   

The LDAP server group based parameters are rely on one another. In situations when several users need to inherit the same HMC properties, on the LDAP server can create a group by mapping the required HMC properties to the hmcuserpropsattribute attribute of the group.

  • Execute below command with proper configuration on HMC to enable LDAP server group-based authentication.
    chhmcldap -o s --primary ldap://www.ldap.com --basedn cn=testuser,dc=test,dc=ibm,dc=com --binddn cn=testadmin,cn=testuser,dc=test,dc=ibm,dc=com --bindpw password --loginattribute sAMAccountName --hmcuserpropsattribute description  --automanage 1 --groupattribute group --memberattribute member

  • Note: In this configuration user is part of an LDAP server group where hmc attributes will be mapped to description attribute of the group. Which means all the user which are in this group will inherit all the hmc properties assigned to group attribute. 
    #lshmcldap -r user --filter names=test_ad

    name=test_ad,"description="" taskrole= taskrole=hmcoperator,remote_webui_access=1,remote_ssh_access=0,auto_remove=1""",remote_user_name=,"user_properties=""taskrole=hmcoperator,remote_webui_access=1,remote_ssh_access=0,auto_remove=1"""

HMC commands for LDAP and User Management

chhmc - c kbdcfg

To configure Kerberos configuration.

chhmcldap

To configure or modify LDAP.

chhmcusr

To remove a HMC user account of any authentication type (local, ldap,kerberos, and automanage).

getfile

To get LDAP or Kerberos CA certificate file and store it on HMC.

ldapsearch

To test LDAP configuration data without configuring LDAP on HMC.

lshmc –r

To list Kerberos configuration.

lshmcldap

To list LDAP configuration, retrieve and validate user list from LDAP server. This can be used in conjunction with ldapsearch CLI command to verify the LDAP set up on HMC. This can be used to verify if CA certificate is being setup to communicate with LDAP server.

mkhmcusr

To create HMC local user accounts.

rmfile

rmhmcusr

To remove a HMC user account of any authentication type (local, ldap,

kerberos and automanage).

mkaccfg

To create a custom task role.

chaccfg

To change custom task role.

lsaccfg

To list HMC task roles.

Sample Commands and Operations

LDAP Configurations

  • List LDAP configuration
        The commands below can be used to list LDA configurations. There are default values for certain parameters.

lshmcldap -r config

Prior to HMC V10 R2 M1030

primary=ldaps://www.ldap.com,backup=,"basedn=""cn=testuser,dc=test,dc=ibm,dc=com"",""cn=testuser1,dc=test,dc=ibm,dc=com""",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=one,tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never

HMC V10 R2 M1030 onwards 

For LDAP user based auth

primary=ldaps://www.ldap.com,backup=,"basedn=""cn=testuser,dc=test,dc=ibm,dc=com"",""cn=testuser1,dc=test,dc=ibm,dc=com""",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=one,tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never

For LDAP server group based auth

primary=ldaps://www.ldap.com,backup=,"basedn=""cn=testuser,dc=test,dc=ibm,dc=com"",""cn=testuser1,dc=test,dc=ibm,dc=com""",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=one,tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never, groupattribute=group,memberattribute=member

  • Change LDAP configuration.
        The commands below can be used to change LDA configurations. There are default values for certain parameters.

Prior to HMC V10 R2 M1030

chhmcldap -o s --primary  ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com"\" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description  --automanage 1 --scope one

HMC V10 R2 M1030 onwards 

For LDAP user based auth

chhmcldap -o s --primary  ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com"\" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description  --automanage 1 --scope one

For LDAP server group based auth

chhmcldap -o s --primary  ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com"\" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description  --automanage 1 --scope one --groupattribute group --memberattribute member

Prior to HMC V10 R2 M1030             

HMC V10 R2 M1030 Onwards

  • Removal of LDAP Configuration.
            LDAP comes with certain options that can be disabled as per usability purpose. 
       

To eliminate the entire configuration 
    chhmcldap -o r -r ldap
   

To eliminate only HMC group property. 
    chhmcldap -o r -r hmcgroups
   

To eliminate only LDAP server group property.
    chhmcldap -o r -r groupmemberattributes

User Configuration:
   

  • List the User on LDAP Server
        Commands to view the ldap user’s attribute on HMC

lshmcldap -r user

lshmcldap -r user --filter names=test_ad

name=test_ad,"description="" taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole,hmcgroups=testgroup""",remote_user_name=,"user_properties user_properties=taskrole=hmcoperator,remote_webui_access=1,remote_ssh_access=0"""
lshmcldap -r user | grep -ie "test_ad"
name=test_ad,"description=taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole,hmcgroups=testgroup",remote_user_name=,"user_properties=taskrole=hmcoperator,remote_webui_access=1,remote_ssh_access=0"

  • Create LDAP Users on HMC
    To create users, use the steps below.

CLI

mkhmcusr -u <userid as ldap server> -a hmcsuperadmin --auth ldap

UI

Users and Roles -> Manage User Profiles and Access

 

LDAP with STARTTLS or LDAPS

    To enable SSL-based communication with the LDAP server on HMC, the server certificate needs to be imported on HMC using the following steps/commands.

  • To view the LDAP server certificate:

UI

https://<www.ldap.com>/ on any browser... click on the Lock Icon
View Certificate > Details

CLI – on any machine where openssl in installed
  openssl s_client -host www.ldap.com -port 636 -prexit -showcerts

  • Create certificate file, if content is copied via CLI
     Copy the public key in this certificate (whose content is more between begin/end certificate , 0th level certificate ) into a pem file say cert.pem /home/hscroot/cert.pem
  • Save the certificate to the user’s home location on HMC in ".pem" format

eg: LdapServerCert.pem
# cd /home/hscroot/
# ls
LdapServerCert.pem

  • Certificate can be imported to HMC using below command 
        Using the getfile command, the certificate can be imported to HMC with the following two options.

To import locally copied certificate use below command. 

getfile -t ldapcacert -l l -f /home/hscroot/LdapServerCert.pem

An SFTP server path can also be used to import certificates via getfile command.

getfile -t ldapcacert -l s -h <hostname> -u <userid> -f <filepath>

  • To view certificate configured status on HMC for LDAP

lshmcldap -r config

primary=ldaps://www.ldap.com,backup=,"basedn=""cn=testuser,dc=test,dc=ibm,dc=com"",""cn=testuser1,dc=test,dc=ibm,dc=com""",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=one,tlscacert=hmcldapcert.pem,hmcgroups=,authsearch=base,tlsreqcert=never
   

  • Configure LDAP
        Use below command to set tlsreqcert which will be used by LDAP service for validation of the certificate on need basis.

chhmcldap -o s --primary ldap://www.ldap.com --basedn cn=testuser,dc=test,dc=ibm,dc=com --binddn cn=testadmin,cn=testuser,dc=test,dc=ibm,dc=com --bindpw password --loginattribute sAMAccountName --hmcuserpropsattribute description  --automanage 1 --hmcgroups testldap --starttls 1 --tlsreqcert never
or 
chhmcldap -o s --primary ldap://www.ldap.com --basedn cn=testuser,dc=test,dc=ibm,dc=com --binddn cn=testadmin,cn=testuser,dc=test,dc=ibm,dc=com --bindpw password --loginattribute sAMAccountName --hmcuserpropsattribute description  --automanage 1 --hmcgroups testldap --starttls 1 --tlsreqcert try
   

  • Create local user with ldap auth (If auto manage is not enabled)
        If HMC is not enabled with automanage mode, then users have to be created on HMC manually with an authentication type of ldap.

mkhmcusr -u <shortid of user> -a hmcsuperadmin --auth ldap

  • Login to Hmc
      The user can access HMC through either CLI or GUI once all the configurations have been updated properly.
    ssh <shortid of user>@ipofhmc

Frequently Asked Questions:

  • How can an LDAP user work as HMC user?

Any user in LDAP server can work as HMC user provided the taskrole is defined as an attribute value for user in the LDAP server - “taskrole=hmcoperator”  (here  hmcoperator  is one of the HMC default task-role, for customized HMC user roles, refer man pages of mkaccfg, chaccfg and lsaccfg for details on taskrole)

  • How does HMC know which field to refer to get the HMC user property details from LDAP?

HMC admin during the configuration of LDAP on HMC, can specify “hmcuserpropsattribute” as part of chhmcldap command (can be specified when configurating from GUI as well) with the attribute name which holds the HMC properties to be retrieved from LDAP server.

More details can be found in man page for chhmcldap
Extract from Man page:

hmcuserpropsattribute
The attribute to use to retrieve the user roles and properties from the LDAP server. These user roles and properties are used when the HMC user is created or updated for an automatically managed LDAP user.

If this option is not specified when LDAP is configured, this attribute is set to ibm-aixAdminPolicyEntry.

This option is only valid for a set operation.

  • In a Microsoft AD, Multi domain configuration, for --binddn which domain controller to specify?

Specify the Root Domain in --binddn (refer man page for chhmcldap) If user records are under different sub-domains (a.k.a. directories), the option --scope sub should be included also.

  • Where can I specify the search details for user?

The --basedn can be used to specify where to start the search and order to search.

  • Where can I get sample command to configure LDAP on HMC for auto managed user?

Examples can get from man page of chhmcldap
One ex: chhmcldap -o s --primary ldaps://www.ldap.com –basedn u=People,dc=example,dc=com -
-binddn cn=HMCAdmin,dc=example,dc=com --bindpw abc1234 --loginattribute sAMAccountName –hmcuserpropsattribute description --automanage 1 --groupattribute group --memberattribute member

  • Apart from task role, are there any other HMC attributes that can be added with task role?

Yes, there are multiple optional attributes that can be mentioned. remove_webui_access={0|1}
remote_ssh_access={0|1} session_timeout="time-out in minutes" idle_timeout={time-out in minutes} inactivity_expiration={number of days} auto_remove={0|1} remote_user_name="Kerberos remote user ID" resourcerole="A valid HMC resourcerole" hmcgroup=" A valid HMC group"

See mkhmcusr man page for more info.

  • How can I set same HMC user attributes for a group of LDAP users instead of per user?

This can be handled by setting optional parameters like groupattribute and memberattribute please refer to LDAP Server Group configuration on HMC section in this document.

  • What are all the parameters need to set on HMC for group and member attributes to support different LDAP server?    

    LDAP Server

    Group Login

    Attribute for Group Members

    MicrosoftAd

    group 

    Member

    OpenLdap/Tivoli

    groupOfNames

    Member

    OpenLdap/Tivoli

    groupOfUniqueNames

    uniqueMember

    OpenLdap/Tivoli

    posixGroup

    memberUid
                                                                        Table 1

  • In case hmc user properties is set to both user and group attributes on LDAP server, which one will be prioritized? Say description field on MicrosoftAD

    Please refer to LDAP Server Group configuration on HMC section in this document.  

  • What is the advantage of using LDAP Group Login, Attributes for Group Members during automanage mode?

These parameters rely on one another. In situations when several users need to inherit the same HMC properties, on the LDAP server can create a group by mapping the required HMC properties to the hmcuserpropsattribute attribute of the group.
Command to enable LDAP server group based authentication: 

chhmcldap -o s --primary  ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com"\" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description  --automanage 1 --hmcgroups testldap --scope one --groupattribute group --memberattribute member

  • When to use auto_remove HMC property for ldap users?
        Use of the auto_remove property is required if any or all auto managed LDAP users are to be automatically deleted from the HMC upon deletion from the LDAP server. By default, it is 0.

Example:  
MicrosoftAd server description attribute can set with 

taskrole=hmcoperator,remote_webui_access=1,remote_ssh_access=1,autoremove=1

  • How to import certificate if LDAP server is enabled with ldaps or starttls?
    Transfer the certificate to the user's home location and to import an LDAP server certificate to HMC, use the command below. An SFTP server path can also be used to import certificates via getfile command.

Example: 

 getfile -t ldapcacert -l l -f /home/hscroot/LdapServerCert.pem

  • How can I verify if LDAP or AD configuration is setup correctly in the HMC?

The LDAP configuration and user retrieval can be tested using the following HMC commands

lshmcldap -r config -- To list and validate command configuration errors.
lshmcldap -r user -- To list users on ldap server along with necessary ldap attributes. 
lshmcldap -r user -v --filter "names=ldap_user_id" -- To test user retrieval from LDAP server and validate HMC user properties. Any failure to retrieval of details implies issue with configuration or communication to LDAP Server from HMC.

Refer to man pages for any other questions on HMC user management or Kerberos or LDAP. Reach out to us in case of any other help required.

In summary, HMC provides a wide set of options to configure users with LDAP based authentication and can be setup based on your organization requirements.

Contacting the PowerVM Team

Have questions for the PowerVM team or want to learn more?  Follow our discussion group on LinkedIn IBM PowerVM or IBM Community Discussions

0 comments
35 views

Permalink