Enabling LDAP remote authentication through the DS CLI

You can use the DS CLI to enable and configure remote authentication through a direct connection to an LDAP server.

Before you begin

The following prerequisites apply to configuring remote authentication with a direct connection to an LDAP server.
  • Access to create users and groups on your remote authentication server is required.
  • A primary LDAP repository URI is required.
  • A secondary LDAP repository URI is optional.
  • A user search base is required.

About this task

Warning: The security administrator must map the security administrator role to a remote user before remote authentication is enabled on the storage system. If remote authentication is enabled without a remote mapping for the security administrator role, the security administrator will be locked out of the storage system and unable to use the recovery key if the system loses access to encryption key servers.

Only the security administrator can manage permissions and remote mappings for the security administrator role.

Procedure

  1. From the DS CLI installation directory, open the DS CLI command window and log in with the administrator role, supplying the HMC IP address, user name, and password.
    /opt/ibm/dscli -user admin -passwd password -hmc1 localhost
    Note: A password that is given with -passwd is visible in the shell history and in the process list of the workstation. The DS CLI -pwfile parameter reads the password from a password file instead, which keeps it out of both.
  2. To see the existing authentication policies, enter the lsauthpol command. The default initial policy is set for basic authentication, which is managed locally by the storage system.
    lsauthpol -l
  3. Create a new LDAP policy by using the mkauthpol command with the -type ldap parameter to indicate LDAP authentication. You must also provide a name for the new policy.
    mkauthpol -type ldap policy_name
  4. Log into the DS CLI with the security administrator role.
    /opt/ibm/dscli -user secadmin -passwd password -hmc1 localhost
  5. Use the addmap action with the setauthpol command to map the security administrator role to a remote user account. The -extuser parameter specifies the remote account, and the -dsgroup parameter specifies the security administrator role, secadmin.
    setauthpol -action addmap -extuser remote_user -dsgroup secadmin policy_name
  6. Log into the DS CLI with the administrator role.
    /opt/ibm/dscli -user admin -passwd password -hmc1 localhost
  7. Add one or more LDAP servers to the policy by using the setauthpol command with the -action setauthserver parameter. Use the -loc parameter to specify the URLs of the LDAP servers.
    Note: LDAP servers use the LDAP protocol if Transport Layer Security (TLS) is not used (ldap://hostname:port), and the LDAPS protocol if TLS is used (ldaps://hostname:port). With ldap:// the bind user password and every user's login password cross the network in cleartext, so use ldaps:// and register the truststore in the next step so that the server certificate is validated.
    setauthpol -action setauthserver -loc ldaps://bluepages.ibm.com:636,ldaps://bluepages2.ibm.com:636 policy_name
  8. If TLS is used to connect to the LDAP server, add the truststore file to the policy. Enter the setauthpol command with the -action settruststore parameter and the -loc parameter, where the value is the location of the truststore file. Use the -pw parameter for the truststore file password.
    setauthpol -action settruststore -loc c:\mystore\key_itso.jks -pw password policy_name
  9. Define the LDAP authentication policy by using the setauthpol command. Use the following -action parameters to define the policy:
    setuserbasedn
    The base distinguished name (DN) for user lookup.
    setauthpol -action setuserbasedn -userbasedn o=ibm.com policy_name
    setgroupbasedn
    The base distinguished name (DN) for group lookup.
    setauthpol -action setgroupbasedn -groupbasedn o=group policy_name
    setusernameattr
    The name attribute for user lookup.
    setauthpol -action setusernameattr -usernameattr mail policy_name
    setgroupnameattr
    The group name attribute for group lookup.
    setauthpol -action setgroupnameattr -groupnameattr cn policy_name
    setgroupmemberattr
    The group member attribute for group lookup.
    setauthpol -action setgroupmemberattr -groupmemberattr uniquemember policy_name
    setbinduser
    The bind user name.
    setauthpol -action setbinduser -binduser uid=001016666,c=mx,ou=bluepages,O=IBM.COM policy_name
    setbindpass
    The password for the bind user.
    setauthpol -action setbindpass -bindpass 123456 policy_name
    setuserdnph
    The placeholder (template) for the DN of the user who is authenticating; the login name replaces the {USERNAME} or {0} placeholder.
    setauthpol -action setuserdnph -userdnph {USERNAME}@company.com policy_name
    setgroupdnph
    The placeholder (template) for the group DN; the group name replaces the {0} placeholder.
    setauthpol -action setgroupdnph -groupdnph cn={0},cn=groups,o=company,o=com policy_name
    setusernamefilter
    The attributes for a user name filter. Enter a placeholder value such as {0} or {USERNAME}; the login name is substituted for the placeholder when the user is looked up.
    setauthpol -action setusernamefilter -usernamefilter (mail={0}) policy_name
    setgroupnamefilter
    The attributes for a group name filter. Enter a placeholder value such as {0} or {GROUPNAME}.
    setauthpol -action setgroupnamefilter -groupnamefilter (&(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames))(cn={0})) policy_name
  10. Map DS8000® roles to users and user groups that are managed by the LDAP server by entering the setauthpol command with the -action addmap parameter. The -dsgroup parameter specifies the DS8000 role. The -extuser or -extgroup parameter specifies the user or group on the LDAP server.
    setauthpol -action addmap -extgroup Admins -dsgroup admin policy_name
  11. To allow the DS8000 administrator role to access the storage system through local authentication in addition to the users and groups that are managed by the LDAP server, use the setauthpol command with the -action setlocaladmin and -enable parameters. Enabling the administrator role to have access through local authentication allows the administrator to log in to the storage system if the LDAP server is unavailable. Because that path bypasses the account controls of the LDAP server (lockout, expiry, disablement), treat the local administrator password as a break-glass credential and protect it accordingly.
    setauthpol -action setlocaladmin -enable policy_name
  12. To verify the state of the authentication policy, use the lsauthpol command. The policy should be in the inactive state.
    lsauthpol policy_name
  13. To view the configuration parameters for the authentication policy, use the showauthpol command. Include the -map parameter to display the remote mappings for roles.
    showauthpol -map policy_name
  14. To test the authentication policy, use the testauthpol command. Include the -username parameter to specify a user account that is managed by the LDAP server and the -pw parameter to specify the password for the account. Test at least the remote user that is mapped to the security administrator role in step 5 as well as an ordinary user, because a wrong mapping is discovered only after activation, when it locks the security administrator out.
    testauthpol -username user -pw password policy_name
  15. To activate the authentication policy, use the chauthpol command with the -activate parameter.
    chauthpol -activate policy_name
  16. To verify the state of the authentication policy, use the lsauthpol command. The policy should be in the active state.
    lsauthpol policy_name
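The following script is added here as a worked example; it is not part of IBM's DS CLI or of this procedure. It collects the values that steps 3 to 16 ask for, checks the preconditions that the warning and the notes above describe (an ldaps:// URI with a truststore, placeholders in the filters, a remote user mapped to secadmin before activation), and emits the DS CLI commands in the order of the procedure, split by the session that must run them. It never connects to the HMC. The hostnames, DNs, file paths and credentials in SAMPLE are constructed placeholders, not values from any real directory.

```python
"""Pre-flight check and command generator for a DS8000 LDAP authentication policy.

Added example, not IBM code. Validates the values the procedure collects and
returns the DS CLI commands in the procedure's order; it never talks to the HMC.
"""
from dataclasses import dataclass, field, replace
from urllib.parse import urlparse

PLACEHOLDERS = ("{0}", "{USERNAME}", "{GROUPNAME}")


@dataclass
class LdapPolicy:
    name: str
    servers: list                        # LDAP URIs, primary first, optional secondary
    user_base_dn: str
    group_base_dn: str
    truststore: str = ""                 # truststore file; required for ldaps://
    truststore_pw: str = ""
    user_name_attr: str = "mail"
    group_name_attr: str = "cn"
    group_member_attr: str = "uniquemember"
    bind_user: str = ""
    bind_pass: str = ""
    user_dn_ph: str = ""
    group_dn_ph: str = ""
    user_name_filter: str = "(mail={0})"
    group_name_filter: str = "(&(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames))(cn={0}))"
    role_maps: list = field(default_factory=list)  # (extuser|extgroup, remote name, DS8000 role)
    local_admin: bool = True


def validate(p):
    """Return the reasons the policy must not be activated (empty list = OK)."""
    problems = []
    if not 1 <= len(p.servers) <= 2:
        problems.append("one primary URI is required and at most one secondary is allowed")
    uses_ldaps = False
    for uri in p.servers:
        u = urlparse(uri)
        if u.scheme not in ("ldap", "ldaps") or not u.hostname:
            problems.append(f"malformed LDAP URI: {uri}")
        elif u.scheme == "ldap":
            problems.append(f"{uri} is plaintext; bind and user passwords would cross the network unencrypted")
        else:
            uses_ldaps = True
    if uses_ldaps and not p.truststore:
        problems.append("ldaps:// without a truststore; the server certificate cannot be validated")
    if not p.user_base_dn:
        problems.append("a user search base DN is required")
    if not any(ph in p.user_name_filter for ph in PLACEHOLDERS):
        problems.append("user name filter lacks a {0}/{USERNAME} placeholder, so every login would match one entry")
    if not any(ph in p.group_name_filter for ph in PLACEHOLDERS):
        problems.append("group name filter lacks a {0}/{GROUPNAME} placeholder")
    if not any(k == "extuser" and role == "secadmin" for k, _, role in p.role_maps):
        problems.append("no remote user is mapped to secadmin; activating would lock out the security administrator")
    return problems


def commands(p):
    """Return (session, command) pairs in the procedure's order; raise if validation fails."""
    problems = validate(p)
    if problems:
        raise ValueError("; ".join(problems))
    n = p.name
    steps = [("admin", f"mkauthpol -type ldap {n}")]
    # Only the security administrator session may map secadmin, and it must precede activation.
    for k, ext, role in p.role_maps:
        if role == "secadmin":
            steps.append(("secadmin", f"setauthpol -action addmap -{k} {ext} -dsgroup secadmin {n}"))
    admin = [f"setauthpol -action setauthserver -loc {','.join(p.servers)} {n}"]
    if p.truststore:
        admin.append(f"setauthpol -action settruststore -loc {p.truststore} -pw {p.truststore_pw} {n}")
    settings = [
        ("setuserbasedn", "userbasedn", p.user_base_dn),
        ("setgroupbasedn", "groupbasedn", p.group_base_dn),
        ("setusernameattr", "usernameattr", p.user_name_attr),
        ("setgroupnameattr", "groupnameattr", p.group_name_attr),
        ("setgroupmemberattr", "groupmemberattr", p.group_member_attr),
        ("setbinduser", "binduser", p.bind_user),
        ("setbindpass", "bindpass", p.bind_pass),
        ("setuserdnph", "userdnph", p.user_dn_ph),
        ("setgroupdnph", "groupdnph", p.group_dn_ph),
        ("setusernamefilter", "usernamefilter", p.user_name_filter),
        ("setgroupnamefilter", "groupnamefilter", p.group_name_filter),
    ]
    admin += [f"setauthpol -action {a} -{flag} {val} {n}" for a, flag, val in settings if val]
    admin += [f"setauthpol -action addmap -{k} {ext} -dsgroup {role} {n}"
              for k, ext, role in p.role_maps if role != "secadmin"]
    if p.local_admin:
        admin.append(f"setauthpol -action setlocaladmin -enable {n}")
    # testauthpol is left out on purpose: run it by hand so the test user's password is typed, not scripted.
    admin += [f"lsauthpol {n}", f"showauthpol -map {n}", f"chauthpol -activate {n}", f"lsauthpol {n}"]
    return steps + [("admin", c) for c in admin]


# Constructed sample values (hypothetical hosts, DNs, paths and credentials).
SAMPLE = LdapPolicy(
    name="ldap_pol",
    servers=["ldaps://ldap1.example.com:636", "ldaps://ldap2.example.com:636"],
    user_base_dn="o=example.com",
    group_base_dn="o=group",
    truststore="/opt/ibm/dscli/truststore.jks",
    truststore_pw="changeit",
    bind_user="uid=svc-ds8k,ou=services,o=example.com",
    bind_pass="s3cret",
    group_dn_ph="cn={0},cn=groups,o=example,o=com",
    role_maps=[("extuser", "secadmin@example.com", "secadmin"), ("extgroup", "Admins", "admin")],
)

if __name__ == "__main__":
    for session, cmd in commands(SAMPLE):
        print(f"[{session}] {cmd}")
```

The generated lines are DS CLI input, not shell input: the filters contain parentheses and the DNs contain commas, so if you wrap them in a POSIX shell rather than typing them at the DS CLI prompt or placing them in a file for the dscli -script parameter, quote each argument. A policy that fails validate() never reaches chauthpol -activate, which is the step the warning above is about.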

Results

After you complete these steps, the storage system is enabled and configured for remote authentication through a direct connection to an LDAP repository.