Security is of paramount importance to organizations and having the necessary access controls in place plays an important part in achieving the required security compliance. HMC provides different mechanisms to enforce access controls for authentication and authorization and in this blog, we will take you through the details of LDAP (Lightweight Directory Access Protocol) support on HMC and the different options available to configure the same.
LDAP on HMC
You can enable Lightweight Directory Access Protocol (LDAP) authentication on the Hardware Management Console (HMC). Once enabled, you can view, add, and remove LDAP server details from the HMC.
The two modes that are supported for LDAP configuration are listed below:
- LDAP authentication: The user account is created on the HMC locally. User authentication is done by an LDAP server.
- LDAP auto-managed (Remote User Management): The HMC user's information is maintained on the LDAP server. The HMC user account is created automatically when the user logs in for the first time on the HMC. User authentication is done by either an LDAP or a Kerberos server.
Note: The two modes, LDAP authentication and LDAP auto-managed, are mutually exclusive. The mode is selected through the Enable LDAP for Remote Management option in the Configure LDAP panel or by using the CLI command chhmcldap -o s --automanage {0|1}.
The HMC authenticates with the LDAP server by means of an anonymous connection by default. You can use the chhmcldap command to set the bind distinguished name (DN) and bind password for non-anonymous binding with the LDAP server. You can use the ldapsearch command to verify the LDAP setup on the HMC.
Pre-requisites to configure LDAP on HMC
To use LDAP authentication for the HMC, you must complete the following prerequisites:
- Must enable LDAP authentication from the LDAP Server Definition window.
- Must define an LDAP server to use for authentication by supplying at least a primary URI for the LDAP server you want.
- Must define the search base (distinguished name tree) for the LDAP server.
- Must set the user profile of each remote user to use LDAP remote authentication instead of local authentication. A user that is set to use LDAP remote authentication will always use LDAP remote authentication, even when the user logs on to the HMC locally. (You do not need to set all users to use LDAP remote authentication. You can set some user profiles so that the users can use local authentication only.)
- Must ensure that a working network connection exists between the HMC and the LDAP servers.
LDAP Attribute Details
General Attributes
You can set the LDAP configuration data in the LDAP Server Definition panel. The LDAP administrator provides information about the LDAP client connection data.
Select Enable LDAP to enable LDAP authentication on this HMC by using the LDAP servers that are listed for the primary URI and the backup URI.
- Primary URI
Configure an LDAP server for use in authentication on the HMC by specifying its URI in one of the following formats:
- ldap://ldap.example.com
- ldaps://ldap.example.com
- Backup URI
Configure a backup LDAP server for use in authentication on the HMC by supplying its URI in one of the same formats; it is used when the primary LDAP server is not reachable.
- Enable TLS Encryption (STARTTLS)
Configure the LDAP client to use STARTTLS for communication with the server. This option and an ldaps:// URI on the primary or backup server are mutually exclusive.
- Base DN (Distinguished Name Tree)
Use this option to locate the user record for the authenticating user, for example ou=People,dc=example,dc=com. Starting with HMC V9 R1 M920 you can specify multiple Base DNs, for example "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com\"".
- Bind DN and Bind Password
Use this field if the LDAP server requires a bind DN and bind password to connect.
- Login Attribute
Use this field to specify the LDAP attribute that identifies the user being authenticated: sAMAccountName for Microsoft Active Directory, uid for other LDAP servers.
- Search Scope
The search scope starting from the base DN (one: one level; sub: subtree).
Auto-manage attributes:
- Enable LDAP for Remote User Management
Select this option to enable LDAP authentication for remote users on the HMC by using the LDAP server. LDAP users that have the HMC properties defined can log on to the HMC, and the user account is created automatically with automanage as the authentication type. User properties such as the task role and resource roles are retrieved from the attribute specified in the LDAP server. Each time the user logs on, the user account is refreshed with the current user definition retrieved from the LDAP server.
- LDAP Remote User Management Configuration
LDAP Attribute to Retrieve User Properties
This defines the LDAP attribute that locates and retrieves the role and authorization properties of the user being authenticated, for example the description field of Microsoft AD. The default attribute is ibm-aixAdminPolicyEntry.
This attribute value is used to retrieve the user properties to be used on the HMC. The required user property is taskrole. Other user properties are optional.
The user properties defined on the LDAP server are specified as key=value pairs separated by commas. All user properties supported by mkhmcusr and chhmcusr are applicable to LDAP users, except description, idle_timeout, verify_timeout, authentication_type, passwd, pwage, and min_pwage.
The taskrole is a required property. Login fails if it is not specified in the user property attribute.
The resourcerole property can have multiple roles separated by the '#' character. If the resourcerole property is defined with multiple roles, the first valid role in the list on the HMC is used for the user. If none of the specified roles are valid, the login is denied.
If the remote_user_name property is specified and LDAP is configured with Kerberos authentication, the user is authenticated using Kerberos when logging on to the HMC.
The auto_remove property applies to LDAP users only. It can be defined with the following values:
0: Do not remove the user account. This is the same as not specifying the property.
1: Remove the user account on the HMC if the user record on the LDAP server does not exist or has an invalid taskrole.
2: Remove all auto-managed LDAP user accounts on the HMC that do not have a comparable user record on the LDAP server or a valid task role.
If user properties cannot be retrieved due to an error, use the lshmcldap -r user -v command to validate whether the properties are defined for the user on the LDAP server.
Examples:
The HMC is configured to use the LDAP server myldap.company.com to manage LDAP users, using the user properties from the attribute description, which is mapped to the hmcuserpropsattribute LDAP property of the HMC:
# lshmcldap -r config
primary=ldap://myldap.company.com,backup=,"basedn=ou=People,dc=company,dc=com",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,binddn=,bindpwset=,automanage=1,auth=ldap,searchfilter=,scope=sub
Configure taskrole and multiple resourcerole values:
taskrole=hmcviewer,resourcerole=role1#role2#role3,..
To remove the user account from the HMC when the user is no longer assigned to work on the HMC, the attribute description must contain the string:
taskrole=hmcviewer,resourcerole=role1#role2#role3,auto_remove=1,..
- LDAP Group Login (Optional)
Supported from HMC V10 R2 M1030 onwards
This is used to validate and authenticate, from the LDAP server, a user who is mapped to an LDAP group. The user roles and properties associated with the group are used when the HMC user is created or updated with the LDAP group attribute for an automatically managed LDAP user.
LDAP Group Login and Attribute for Group Members are mutually dependent.
Refer to Table 1 in this document.
- Attributes for Group Members (Optional)
Introduced in HMC V10 R2 onwards.
This is used to validate and authenticate whether the user is a member of a particular group on the LDAP server. This parameter applies when the HMC user is created or updated for an automatically managed LDAP user.
LDAP Group Login and Attribute for Group Members are mutually dependent.
Refer to Table 1 in this document.
- Use Kerberos for User Authentication
Select this option to specify that the remote user is to be authenticated by Kerberos. This option applies only to remote user management.
- LDAP Attribute to Retrieve Remote User ID (optional)
When the option above is selected, you can specify an LDAP attribute to locate and retrieve the remote authentication name from the LDAP server, for example userPrincipalName. You can also define the Kerberos remote authentication name by using the remote_user_name attribute in the User Properties field.
How to Configure LDAP on HMC
LDAP can be configured on the HMC using the GUI or the CLI. For the example above, the following chhmcldap command and the comparable GUI panel are used to configure LDAP.
LDAP Configuration by using the CLI command:
- Prior to HMC V10 R2 M1030:
chhmcldap -o s --primary ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com\"" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description --automanage 1 --hmcgroups testldap --scope one
- Starting from HMC V10 R2 M1030, you can also configure LDAP server group based authentication:
chhmcldap -o s --primary ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com\"" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description --automanage 1 --scope one --groupattribute group --memberattribute member
LDAP Configuration by using the HMC UI:
- Log in to the HMC.
- Navigate to Users and Security > Systems and Console Security > Manage LDAP.
- The LDAP Server Definition panel opens, where you configure LDAP on the HMC.
Prior to HMC V10 R2 M1030
HMC V10 R2 M1030 Onward
How to configure HMC with auto-manage mode
Note: All examples below use Microsoft AD as the LDAP server.
To allow a user to log in to the HMC in auto-managed mode, the attribute named by hmcuserpropsattribute on the user's LDAP record must contain the following information:
Required Properties:
taskrole="A valid HMC taskrole"
Optional Properties:
resourcerole="A valid HMC resourcerole"
remote_webui_access={0|1}
remote_ssh_access={0|1}
session_timeout="time-out in minutes"
idle_timeout={time-out in minutes}
inactivity_expiration={number of days}
auto_remove={0|1}
remote_user_name="Kerberos remote user ID"
hmcgroups={name of the hmcldapgroup}   (this hmcgroups parameter is only available in the CLI)
Example:
If the attribute description is used to hold the HMC user properties, it contains the following string for HMC login:
description="taskrole=hmcviewer"
It could also have all HMC user properties defined:
description="taskrole=hmcviewer, resourcerole=hmcviewer,session_timeout=20,remote_webui_access=0,remote_ssh_access=1,auto_remove=1,remote_user_name=user@example.com"
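As an added example (not HMC code), the following Python resolves a user-properties string like the one above the way the rules in the LDAP Remote User Management Configuration section describe: taskrole is required and must be valid, a '#'-separated resourcerole list yields the first valid role or denies the login, auto_remove defaults to 0, and the properties the page lists as not applicable are dropped. The sets of valid task roles and resource roles are assumptions supplied by the caller; on a real HMC, lsaccfg lists them.

```python
"""Resolve the HMC user properties that an auto-managed LDAP user carries in
the attribute named by hmcuserpropsattribute (for example the AD description
field). Added example, not HMC code: the valid task-role and resource-role
sets are assumptions supplied by the caller (lsaccfg lists them on an HMC)."""

from dataclasses import dataclass, field
from typing import Optional

# Properties the page lists as not applicable to LDAP users: dropped if present.
NOT_APPLICABLE = {"description", "idle_timeout", "verify_timeout",
                  "authentication_type", "passwd", "pwage", "min_pwage"}
# Built-in HMC task roles named on this page; the real list comes from lsaccfg.
DEFAULT_TASKROLES = frozenset({"hmcsuperadmin", "hmcoperator", "hmcviewer"})


@dataclass
class ResolvedUser:
    taskrole: str
    resourcerole: Optional[str]       # first valid entry of the '#' list
    auto_remove: int                  # 0, 1 or 2 as defined on the page
    remote_user_name: Optional[str]   # set -> Kerberos, if LDAP is so configured
    extra: dict = field(default_factory=dict)   # remaining optional properties


def parse_props(raw: str) -> dict:
    """Split 'k1=v1,k2=v2,...' into a dict. Whitespace around items is
    tolerated because the page's own examples contain it."""
    props = {}
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue                      # tolerate a trailing comma
        if "=" not in item:
            raise ValueError(f"malformed property (no '='): {item!r}")
        key, value = item.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def resolve_user(raw: str, valid_taskroles=DEFAULT_TASKROLES,
                 valid_resourceroles=frozenset()) -> ResolvedUser:
    """Apply the login rules from the page: taskrole is required and must be
    a valid HMC task role; resourcerole may list several roles separated by
    '#', the first valid one is used and login is denied when none is valid;
    auto_remove defaults to 0 and must be 0, 1 or 2."""
    props = parse_props(raw)
    taskrole = props.pop("taskrole", "")
    if not taskrole:
        raise PermissionError("login denied: taskrole not specified")
    if taskrole not in valid_taskroles:
        raise PermissionError(f"login denied: invalid taskrole {taskrole!r}")

    resourcerole = None
    if "resourcerole" in props:
        candidates = [r for r in props.pop("resourcerole").split("#") if r]
        resourcerole = next((r for r in candidates if r in valid_resourceroles), None)
        if resourcerole is None:
            raise PermissionError("login denied: no valid resourcerole in list")

    auto_remove = props.pop("auto_remove", "0")
    if auto_remove not in ("0", "1", "2"):
        raise ValueError(f"auto_remove must be 0, 1 or 2, got {auto_remove!r}")

    remote_user_name = props.pop("remote_user_name", None) or None
    extra = {k: v for k, v in props.items() if k not in NOT_APPLICABLE}
    return ResolvedUser(taskrole, resourcerole, int(auto_remove),
                        remote_user_name, extra)


# Constructed inputs modelled on the page's description-attribute examples.
FULL = ("taskrole=hmcviewer, resourcerole=hmcviewer,session_timeout=20,"
        "remote_webui_access=0,remote_ssh_access=1,auto_remove=1,"
        "remote_user_name=user@example.com")
MULTI = "taskrole=hmcoperator,resourcerole=role1#role2#role3,hmcgroups=testldap"

if __name__ == "__main__":
    print(resolve_user(FULL, valid_resourceroles={"hmcviewer"}))
    # role1 is not a valid HMC resource role here, so role2 (the first valid
    # entry in the list) is used.
    print(resolve_user(MULTI, valid_resourceroles={"role2", "role3"}).resourcerole)
```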
HMC user property configuration on LDAP Server
Execute the command below, with the proper configuration for your environment, on the HMC to enable auto-manage mode:
chhmcldap -o s --primary ldap://www.ldap.com --basedn cn=testuser,dc=test,dc=ibm,dc=com --binddn cn=testadmin,cn=testuser,dc=test,dc=ibm,dc=com --bindpw password --loginattribute sAMAccountName --hmcuserpropsattribute description --automanage 1
#lshmcldap -r user --filter names=test_ad
name=test_ad,"description="" taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole""",remote_user_name=,"user_properties="" taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole"""
HMC Group configuration on LDAP Server
This parameter can be used when the LDAP server has many users but only some of them need to log in to the HMC; in that case the hmcgroups property is set in the LDAP server attribute.
- Add the name of the group to the field that is mapped to --hmcuserpropsattribute.
Execute the command below, with the proper configuration for your environment, on the HMC to enable HMC group-based authentication:
chhmcldap -o s --primary ldap://www.ldap.com --basedn cn=testuser,dc=test,dc=ibm,dc=com --binddn cn=testadmin,cn=testuser,dc=test,dc=ibm,dc=com --bindpw password --loginattribute sAMAccountName --hmcuserpropsattribute description --automanage 1 --hmcgroups testldap
Note: In this configuration, only users who have the testldap hmcgroup in their Description attribute are allowed to log in to the HMC.
#lshmcldap -r user --filter names=test_ad
name=test_ad,"description="" taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole,hmcgroups=testgroup""",remote_user_name=,"user_properties="" taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole,hmcgroups=testgroup"""
LDAP Server Group configuration on HMC
The LDAP server group based parameters rely on one another. When several users need to inherit the same HMC properties, you can create a group on the LDAP server and map the required HMC properties to the group's hmcuserpropsattribute attribute.
- Execute the command below, with the proper configuration for your environment, on the HMC to enable LDAP server group-based authentication:
chhmcldap -o s --primary ldap://www.ldap.com --basedn cn=testuser,dc=test,dc=ibm,dc=com --binddn cn=testadmin,cn=testuser,dc=test,dc=ibm,dc=com --bindpw password --loginattribute sAMAccountName --hmcuserpropsattribute description --automanage 1 --groupattribute group --memberattribute member
Note: In this configuration the user is a member of an LDAP server group whose description attribute holds the HMC attributes, which means all users in this group inherit the HMC properties assigned to the group attribute.
#lshmcldap -r user --filter names=test_ad
name=test_ad,"description="" taskrole= taskrole=hmcoperator,remote_webui_access=1,remote_ssh_access=0,auto_remove=1""",remote_user_name=,"user_properties=""taskrole=hmcoperator,remote_webui_access=1,remote_ssh_access=0,auto_remove=1"""
HMC commands for LDAP and User Management

| Command | Purpose |
| --- | --- |
| chhmc -c kbdcfg | To configure Kerberos configuration. |
| chhmcldap | To configure or modify LDAP. |
| chhmcusr | To remove a HMC user account of any authentication type (local, ldap, kerberos, and automanage). |
| getfile | To get an LDAP or Kerberos CA certificate file and store it on the HMC. |
| ldapsearch | To test LDAP configuration data without configuring LDAP on the HMC. |
| lshmc -r | To list the Kerberos configuration. |
| lshmcldap | To list the LDAP configuration, and to retrieve and validate the user list from the LDAP server. This can be used in conjunction with the ldapsearch CLI command to verify the LDAP setup on the HMC, and to verify whether a CA certificate is set up for communication with the LDAP server. |
| mkhmcusr | To create HMC local user accounts. |
| rmfile | |
| rmhmcusr | To remove a HMC user account of any authentication type (local, ldap, kerberos, and automanage). |
| mkaccfg | To create a custom task role. |
| chaccfg | To change a custom task role. |
| lsaccfg | To list HMC task roles. |
Sample Commands and Operations
LDAP Configurations
- List LDAP configuration
The command below lists the LDAP configuration. Certain parameters have default values.
lshmcldap -r config
Prior to HMC V10 R2 M1030
primary=ldaps://www.ldap.com,backup=,"basedn=""cn=testuser,dc=test,dc=ibm,dc=com"",""cn=testuser1,dc=test,dc=ibm,dc=com""",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=one,tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never
HMC V10 R2 M1030 onwards
For LDAP user based auth
primary=ldaps://www.ldap.com,backup=,"basedn=""cn=testuser,dc=test,dc=ibm,dc=com"",""cn=testuser1,dc=test,dc=ibm,dc=com""",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=one,tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never
For LDAP server group based auth
primary=ldaps://www.ldap.com,backup=,"basedn=""cn=testuser,dc=test,dc=ibm,dc=com"",""cn=testuser1,dc=test,dc=ibm,dc=com""",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=one,tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never,groupattribute=group,memberattribute=member
- Change LDAP configuration.
The commands below change the LDAP configuration. Certain parameters have default values.
Prior to HMC V10 R2 M1030
chhmcldap -o s --primary ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com\"" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description --automanage 1 --scope one
HMC V10 R2 M1030 onwards
For LDAP user based auth
chhmcldap -o s --primary ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com\"" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description --automanage 1 --scope one
For LDAP server group based auth
chhmcldap -o s --primary ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com\"" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description --automanage 1 --scope one --groupattribute group --memberattribute member
Prior to HMC V10 R2 M1030
HMC V10 R2 M1030 Onwards
- Removal of LDAP Configuration.
Parts of the LDAP configuration can be removed individually, as needed.
To remove the entire configuration:
chhmcldap -o r -r ldap
To remove only the HMC group property:
chhmcldap -o r -r hmcgroups
To remove only the LDAP server group property:
chhmcldap -o r -r groupmemberattributes
User Configuration:
- List the User on LDAP Server
Commands to view the LDAP user's attributes from the HMC:
lshmcldap -r user
lshmcldap -r user --filter names=test_ad
name=test_ad,"description="" taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole,hmcgroups=testgroup""",remote_user_name=,"user_properties=""taskrole=hmcoperator,remote_webui_access=1,remote_ssh_access=0"""
lshmcldap -r user | grep -ie "test_ad"
name=test_ad,"description=taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1,resourcerole=testresourcerole,hmcgroups=testgroup",remote_user_name=,"user_properties=taskrole=hmcoperator,remote_webui_access=1,remote_ssh_access=0"
- Create LDAP Users on HMC
To create users, use the steps below.
CLI
mkhmcusr -u <userid as on the LDAP server> -a hmcsuperadmin --auth ldap
UI
Users and Roles -> Manage User Profiles and Access
LDAP with STARTTLS or LDAPS
To enable SSL-based communication with the LDAP server on the HMC, the server certificate needs to be imported on the HMC using the following steps and commands.
- To view the LDAP server certificate:
UI
Open https://<www.ldap.com>/ in any browser and click the lock icon.
View Certificate > Details
CLI (on any machine where openssl is installed):
openssl s_client -host www.ldap.com -port 636 -prexit -showcerts
- Create the certificate file, if the content was copied via the CLI
Copy the certificate from the output (the block between the BEGIN CERTIFICATE and END CERTIFICATE lines of the level-0 certificate) into a .pem file, for example /home/hscroot/cert.pem.
- Save the certificate in the user's home directory on the HMC in ".pem" format, e.g. LdapServerCert.pem
# cd /home/hscroot/
# ls
LdapServerCert.pem
- Import the certificate to the HMC using the getfile command
The getfile command imports the certificate to the HMC in one of the following two ways.
To import a certificate copied locally, use the command below.
getfile -t ldapcacert -l l -f /home/hscroot/LdapServerCert.pem
An SFTP server path can also be used to import the certificate with the getfile command.
getfile -t ldapcacert -l s -h <hostname> -u <userid> -f <filepath>
- To view the certificate status configured on the HMC for LDAP
lshmcldap -r config
primary=ldaps://www.ldap.com,backup=,"basedn=""cn=testuser,dc=test,dc=ibm,dc=com"",""cn=testuser1,dc=test,dc=ibm,dc=com""",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=one,tlscacert=hmcldapcert.pem,hmcgroups=,authsearch=base,tlsreqcert=never
- Configure LDAP
Use the command below to set tlsreqcert, which determines whether the LDAP service validates the server certificate.
chhmcldap -o s --primary ldap://www.ldap.com --basedn cn=testuser,dc=test,dc=ibm,dc=com --binddn cn=testadmin,cn=testuser,dc=test,dc=ibm,dc=com --bindpw password --loginattribute sAMAccountName --hmcuserpropsattribute description --automanage 1 --hmcgroups testldap --starttls 1 --tlsreqcert never
or
chhmcldap -o s --primary ldap://www.ldap.com --basedn cn=testuser,dc=test,dc=ibm,dc=com --binddn cn=testadmin,cn=testuser,dc=test,dc=ibm,dc=com --bindpw password --loginattribute sAMAccountName --hmcuserpropsattribute description --automanage 1 --hmcgroups testldap --starttls 1 --tlsreqcert try
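Assuming the HMC's tlsreqcert follows OpenLDAP's TLS_REQCERT semantics (its ldapsearch tooling suggests it does), never skips server-certificate verification entirely and try still tolerates a server that presents no certificate, so the resulting configuration is worth checking. The following is an added example, not an HMC tool: it parses a line of lshmcldap -r config output in the format shown on this page and flags cleartext URIs, lax tlsreqcert values, a missing CA certificate, and the anonymous bind the HMC uses by default. The two sample lines are constructed, and the ssl field is assumed to reflect the STARTTLS setting.

```python
"""Audit one line of 'lshmcldap -r config' output for weak transport and bind
settings. Added example, not an HMC tool. Both sample lines are constructed
in the format this page shows; they are not real HMC output."""

import csv
import io

# Constructed: cleartext ldap:// without STARTTLS, anonymous bind,
# certificate checking disabled, no CA certificate imported.
SAMPLE_WEAK = (
    'primary=ldap://www.ldap.com,backup=,'
    '"basedn=""cn=testuser,dc=test,dc=ibm,dc=com"",'
    '""cn=testuser1,dc=test,dc=ibm,dc=com""",'
    'timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=uid,'
    'hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,'
    'binddn=,bindpwset=0,automanage=1,auth=ldap,searchfilter=,scope=one,'
    'tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never'
)
# Constructed: ldaps:// on both servers, bind DN with a password set,
# CA certificate imported, certificate verification enforced.
SAMPLE_OK = (
    'primary=ldaps://www.ldap.com,backup=ldaps://ldap2.example.com,'
    '"basedn=ou=People,dc=example,dc=com",timelimit=30,bindtimelimit=30,'
    'referrals=1,ssl=0,loginattribute=uid,hmcuserpropsattribute=description,'
    '"binddn=cn=HMCAdmin,dc=example,dc=com",bindpwset=1,automanage=1,'
    'auth=ldap,scope=sub,tlscacert=LdapServerCert.pem,tlsreqcert=demand'
)

# Assumption: tlsreqcert takes OpenLDAP's TLS_REQCERT values, of which only
# demand/hard require a verified server certificate.
LAX_TLSREQCERT = {"never", "allow", "try"}


def parse_config(line: str) -> dict:
    """The HMC prints one CSV record: values containing commas are wrapped in
    double quotes and embedded quotes are doubled, which the csv module
    undoes. Each field is then split at its first '=' into key and value."""
    fields = next(csv.reader(io.StringIO(line.strip())))
    cfg = {}
    for item in fields:
        key, _, value = item.partition("=")
        cfg[key.strip()] = value
    return cfg


def audit_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means none of the checked
    weaknesses is present."""
    findings = []
    uris = [u for u in (cfg.get("primary", ""), cfg.get("backup", "")) if u]
    cleartext = [u for u in uris if u.startswith("ldap://")]
    # Assumption: ssl=1 in the output means STARTTLS is enabled.
    starttls = cfg.get("ssl") == "1"
    if cleartext and not starttls:
        findings.append("cleartext LDAP without STARTTLS: " + ", ".join(cleartext))
    tlsreqcert = cfg.get("tlsreqcert", "")
    if tlsreqcert in LAX_TLSREQCERT:
        findings.append(f"tlsreqcert={tlsreqcert}: server certificate not verified")
    tls_in_use = starttls or any(u.startswith("ldaps://") for u in uris)
    if tls_in_use and not cfg.get("tlscacert"):
        findings.append("TLS in use but no CA certificate imported (tlscacert empty)")
    if not cfg.get("binddn"):
        findings.append("binddn empty: HMC binds anonymously (the default)")
    elif cfg.get("bindpwset") != "1":
        findings.append("binddn set but no bind password stored (bindpwset != 1)")
    return findings


if __name__ == "__main__":
    for name, line in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_config(parse_config(line)) or ["no findings"])
```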
- Create a local user with LDAP authentication (if auto-manage is not enabled)
If HMC is not enabled with automanage mode, then users have to be created on HMC manually with an authentication type of ldap.
mkhmcusr -u <shortid of user> -a hmcsuperadmin --auth ldap
- Log in to the HMC
Once all the configuration has been completed, the user can access the HMC through either the CLI or the GUI.
ssh <shortid of user>@<ip of HMC>
Frequently Asked Questions:
- How can an LDAP user work as HMC user?
Any user on the LDAP server can work as an HMC user provided that the taskrole is defined as an attribute value for the user on the LDAP server, for example “taskrole=hmcoperator” (hmcoperator is one of the default HMC task roles; for customized HMC user roles, refer to the man pages of mkaccfg, chaccfg and lsaccfg for details on taskrole).
- How does HMC know which field to refer to get the HMC user property details from LDAP?
During the configuration of LDAP on the HMC, the HMC administrator can specify “hmcuserpropsattribute” as part of the chhmcldap command (it can also be specified when configuring from the GUI) with the name of the attribute that holds the HMC properties to be retrieved from the LDAP server.
More details can be found in the man page for chhmcldap.
Extract from the man page:
hmcuserpropsattribute
The attribute to use to retrieve the user roles and properties from the LDAP server. These user roles and properties are used when the HMC user is created or updated for an automatically managed LDAP user.
If this option is not specified when LDAP is configured, this attribute is set to ibm-aixAdminPolicyEntry.
This option is only valid for a set operation.
- In a Microsoft AD, Multi domain configuration, for --binddn which domain controller to specify?
Specify the root domain in --binddn (refer to the man page for chhmcldap). If user records are under different sub-domains (a.k.a. directories), the option --scope sub should be included as well.
- Where can I specify the search details for user?
The --basedn option specifies where to start the search and the order in which to search.
- Where can I get sample command to configure LDAP on HMC for auto managed user?
Examples can be found in the man page of chhmcldap. One example:
chhmcldap -o s --primary ldaps://www.ldap.com --basedn ou=People,dc=example,dc=com --binddn cn=HMCAdmin,dc=example,dc=com --bindpw abc1234 --loginattribute sAMAccountName --hmcuserpropsattribute description --automanage 1 --groupattribute group --memberattribute member
- Apart from task role, are there any other HMC attributes that can be added with task role?
Yes, there are multiple optional attributes that can be specified:
remote_webui_access={0|1}
remote_ssh_access={0|1}
session_timeout="time-out in minutes"
idle_timeout={time-out in minutes}
inactivity_expiration={number of days}
auto_remove={0|1}
remote_user_name="Kerberos remote user ID"
resourcerole="A valid HMC resourcerole"
hmcgroups="A valid HMC group"
See mkhmcusr man page for more info.
- How can I set same HMC user attributes for a group of LDAP users instead of per user?
This can be handled by setting the optional parameters groupattribute and memberattribute; please refer to the LDAP Server Group configuration on HMC section in this document.
- What parameters need to be set on the HMC for the group and member attributes to support different LDAP servers?

| LDAP Server | Group Login | Attribute for Group Members |
| --- | --- | --- |
| Microsoft AD | group | member |
| OpenLDAP/Tivoli | groupOfNames | member |
| OpenLDAP/Tivoli | groupOfUniqueNames | uniqueMember |
| OpenLDAP/Tivoli | posixGroup | memberUid |

Table 1
- If HMC user properties are set on both the user and the group attributes on the LDAP server, which one is prioritized? Say the description field on Microsoft AD.
Please refer to LDAP Server Group configuration on HMC section in this document.
- What is the advantage of using LDAP Group Login and Attributes for Group Members in auto-manage mode?
These parameters rely on one another. When several users need to inherit the same HMC properties, you can create a group on the LDAP server and map the required HMC properties to the group's hmcuserpropsattribute attribute.
Command to enable LDAP server group based authentication:
chhmcldap -o s --primary ldaps://www.ldap.com --basedn "\"cn=testuser,dc=test,dc=ibm,dc=com\",\"cn=testuser1,dc=test,dc=ibm,dc=com\"" --binddn cn=testadmin,cn=testuser,dc=corp,dc=ibm,dc=com --loginattribute uid --hmcuserpropsattribute description --automanage 1 --hmcgroups testldap --scope one --groupattribute group --memberattribute member
- When to use auto_remove HMC property for ldap users?
Use the auto_remove property if any or all auto-managed LDAP users are to be deleted automatically from the HMC when they are deleted from the LDAP server. The default is 0.
Example:
The Microsoft AD server description attribute can be set with:
taskrole=hmcoperator,remote_webui_access=1,remote_ssh_access=1,auto_remove=1
- How to import certificate if LDAP server is enabled with ldaps or starttls?
Transfer the certificate to the user's home directory on the HMC, then import it with the command below. An SFTP server path can also be used to import the certificate with the getfile command.
Example:
getfile -t ldapcacert -l l -f /home/hscroot/LdapServerCert.pem
- How can I verify if LDAP or AD configuration is setup correctly in the HMC?
The LDAP configuration and user retrieval can be tested using the following HMC commands:
lshmcldap -r config -- To list the configuration and validate it for configuration errors.
lshmcldap -r user -- To list the users on the LDAP server along with the necessary LDAP attributes.
lshmcldap -r user -v --filter "names=ldap_user_id" -- To test user retrieval from the LDAP server and validate the HMC user properties. Any failure to retrieve details implies an issue with the configuration or with communication from the HMC to the LDAP server.
Refer to the man pages for any other questions on HMC user management, Kerberos or LDAP. Reach out to us in case any other help is required.
In summary, the HMC provides a wide set of options to configure users with LDAP-based authentication, and it can be set up based on your organization's requirements.
Contacting the PowerVM Team
Have questions for the PowerVM team or want to learn more? Follow our discussion group on LinkedIn IBM PowerVM or IBM Community Discussions