Originally posted by: Kumar Swamy H
Yes, any user in LDAP can become an HMC user, provided one of the user's string attributes has the mandatory HMC property “,taskrole=hmcoperator” (here hmcoperator is one of the HMC default task roles; for customized HMC user roles, refer to the man pages of mkaccfg, chaccfg, and lsaccfg for details on taskrole).
The HMC admin, during the configuration of LDAP on the HMC, can specify “--hmcuserpropsattribute” as part of the chhmcldap command (the same option is present in the GUI as well). Here, specify the attribute name which holds the HMC properties to be retrieved from the LDAP server.
More details can be found in man page for chhmcldap.
Extract from the man page:
[--hmcuserpropsattribute
The attribute to use to retrieve the user roles and properties from the LDAP server. These user roles and properties are used when the HMC user is created or updated for an automatically managed LDAP user.
If this option is not specified when LDAP is configured, this attribute is set to ibm-aixAdminPolicyEntry.
This option is only valid for a set operation.]
Specify the root domain in --binddn (refer to the man page for chhmcldap). If user records are under different sub-domains (a.k.a. directories), the option --scope sub should be included as well.
The --basedn can be used to specify where to start the search and the order in which to search.
Examples can be got from the man page for the chhmcldap command.
One example: chhmcldap -o s --primary ldaps://example.com --basedn ou=People,dc=example,dc=com --binddn cn=HMCAdmin,dc=example,dc=com --bindpw abc1234 --loginattribute sAMAccountName --hmcuserpropsattribute description --automanage 1
Note: in this example, “description” is the LDAP user attribute which contains the “,taskrole=xxx”, where xxx is a valid taskrole.
Yes, there are multiple optional attributes that can be mentioned:
remove_webui_access={0|1}
remote_ssh_access={0|1}
session_timeout="time-out in minutes"
idle_timeout={time-out in minutes}
inactivity_expiration={number of days}
auto_remove={0|1}
remote_user_name="Kerberos remote user ID"
resourcerole="A valid HMC resourcerole"
hmcgroup="A valid HMC group"
See the mkhmcusr man page for more information about the hmcgroup property.
How can I determine the priority of allowing the user to log into the HMC if the LDAP server has a group of users?
Yes, the HMC allows LDAP groups to be used to further control which HMC(s) user(s) can log in to. Refer to the chhmcldap man pages for more info about hmcgroups.
The LDAP configuration and user retrieval can be tested using the following HMC commands.
Refer to the lshmcldap man page for information about the lshmcldap command.
lshmcldap -r config -v
-- To list the configuration and validate it for errors.
lshmcldap -r user -v
lshmcldap -r user -v --filter "names=ldap_user_id"
-- To test user retrieval from the LDAP server and validate the HMC user properties. Any failure to retrieve details implies an issue with the configuration or with communication from the HMC to the LDAP server.
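An added example, not part of the original post and not HMC code: a small Python helper that parses the value of the attribute named by --hmcuserpropsattribute (e.g. description) in the form the post describes, free text followed by ",name=value" pairs, and reports entries that would not become HMC users or that carry malformed properties. The property list is the one given above; the function name, the quoting rule for values containing commas, and the check order are my assumptions.

```python
import re

# Property names the post lists as accepted in the HMC user-properties attribute,
# plus the mandatory taskrole. Assumption: values containing commas are double-quoted.
KNOWN_PROPS = {
    "taskrole", "remove_webui_access", "remote_ssh_access", "session_timeout",
    "idle_timeout", "inactivity_expiration", "auto_remove", "remote_user_name",
    "resourcerole", "hmcgroup",
}
FLAG_PROPS = {"remove_webui_access", "remote_ssh_access", "auto_remove"}   # {0|1}
COUNT_PROPS = {"session_timeout", "idle_timeout", "inactivity_expiration"}  # whole numbers

# Each property is ',name=value'; the value may be double-quoted.
PROP_RE = re.compile(r',\s*([A-Za-z_]+)=(?:"([^"]*)"|([^,]*))')


def parse_hmc_props(attr_value):
    """Return (props, problems) for one LDAP attribute value (hypothetical helper).

    props maps property name -> value as found; problems lists findings a
    reviewer would want to see before relying on the entry for HMC login."""
    props, problems = {}, []
    for m in PROP_RE.finditer(attr_value):
        name = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        if name not in KNOWN_PROPS:
            problems.append(f"unknown property '{name}' (not in the documented list)")
            continue
        if name in props:
            problems.append(f"duplicate property '{name}'")
        if name in FLAG_PROPS and value not in ("0", "1"):
            problems.append(f"'{name}' must be 0 or 1, got '{value}'")
        if name in COUNT_PROPS and not value.isdigit():
            problems.append(f"'{name}' must be a whole number, got '{value}'")
        if name == "taskrole" and not value:
            problems.append("taskrole is empty")
        props[name] = value
    if "taskrole" not in props:
        if "taskrole=" in attr_value:
            problems.append("taskrole= present but not preceded by a comma; "
                            "the post's form is ',taskrole=<role>'")
        else:
            problems.append("mandatory taskrole missing: entry will not become an HMC user")
    return props, problems


if __name__ == "__main__":
    # Constructed sample value, as it might appear in the 'description' attribute.
    sample = "Ops team account,taskrole=hmcoperator,remote_ssh_access=1,session_timeout=30"
    print(parse_hmc_props(sample))
```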