Configuring LDAP
The tape library supports LDAP with optional RACF (Resource Access Control Facility) authentication.
Table 1 provides the configuration settings for LDAP and RACF.
| Setting | LDAP configuration | RACF configuration* |
|---|---|---|
| LDAP repository URI | Required. The URI of the LDAP server. It must start with ldap:// and end
with a port number. |
Required. Must be set to the RACF server IP address and port number. For example,
ldap://9.7.124.103:389. |
| Secondary repository URI | Optional. Must be in the same format as the primary repository URI. If you do not have a Secondary Repository URI, leave this field blank. | Optional. Must be in the same format as the primary repository URI. If you do not have a Secondary Repository URI, leave this field blank. |
| LDAP StartTLS | Optional. Allows you to enable/disable transport layer security (TLS). The TLS certificate is purchased from a certifying entity. It is a plain text file that contains information about the web server and verifies that it is indeed what it claims to be. (In this case, the web server is the library.) The TLS certificate that is stored on the tape library enables your web browser to access the tape library without challenging its validity. |
Not supported. |
| LDAP TLS certificate | Required if LDAP StartTLS is enabled. This is where you specify the path and file name of the TLS certificate file. | Not supported. |
| Service Credentials: User Name and Password | If your LDAP server does not support anonymous access (meaning access without being
authenticated to the LDAP server), you will need to provide login credentials for service users.
You can either:
|
Optional. If used, the user name must contain the full racfid. For example,
racfid=USER1,profiletype=USER,cn=RACFRefer to the User name/Group name filters setting below for more information. |
| Simple lookup | Default. Group and user LDAP distinguished names are used for authentication look-up. | Not supported. |
| Advanced search | Optional. Enables the following options, which provide more flexible searching and better performance. | Required. Must be selected. |
| Base DN | Optional. Allows you to customize the base Distinguished Name (Base DN) with which to begin your LDAP search, which will begin the search deeper in your LDAP tree for better performance. | Required. Enter cn=RACF. |
| Group name attribute | Optional. Allows you to choose what attribute in your LDAP group accounts is used to associate with a library role. | Required. Enter racfgroupid. |
| User name attribute | Optional. Allows you to customize what attribute in your LDAP user account is used for user names. | Required. Enter racfuserid. |
| Group member attribute | Optional. Allows you to customize the link between your LDAP users and groups. | Required. Enter racfgroupuserids. |
| User name/Group name filters | Optional. Useful when you want to improve your LDAP search. For example, you can create a
user attribute called remote and then allow remote access for all users that have
remote=TS4500 or remote=Diamondback |
Optional. RACF does not support LDAP-like filtering. Instead, these filters can be used with
RACF to specify the Distinguished Name (DN) pattern the tape library must use when determining which
group(s) the user belongs to during log in. When the user/group DN patterns are used in the filter fields, service login credentials are not required. The option to set a DN pattern enables the tape library to support RACF servers, which do NOT allow searching for user information (for example, to get the groups the user belongs to). Examples of DN patterns in filter fields: User name filter:
Group name filter:
|
| *(TS4500 only)TS4500 code levels prior to version 1.4.1.0 do not support RACF. If the library is configured to use RACF and is then updated with library code older than version 1.4.1.0, you may lose user interface access to the library. To avoid this issue, disable remote authentication before loading the down-level code on the library. If you do lose access, follow the Access Recovery procedure to enable the admin user account to log into the library. Remote Authentication can then be disabled via the web user interface, which will allow local users to log into the library. | ||
RACF wildcard support (TS4500 Only)
You can create local user accounts on the tape library that include the *
wildcard in the name so they can be mapped to groups of users on the RACF server. This allows you to
authenticate and assign a role to groups of users on the RACF server whose names follow the same
naming convention.
When a user on the RACF server logs in, the tape library first searches the RACF server for a group that matches a role name in the library. If a match is found, the role for that group is assigned to the user. If a match is not found, the tape library then searches its list of local mapped users.
- Use the createUser command to create a local user with a name containing the
*wildcard.
Requirements:- The user name must be enclosed in double quotes when you enter the command.
- The
*must be the last character in the user name.
- Use the viewUsers command to view a list of local users. This requires the
use of the -local option. When you view users, the prefix
mapped_is added to the user name containing the wildcard and any users that are mapped to that user account. - Use the deleteUser command to delete local users.
RACF wildcard command examples
The following example creates a local user named managers_* with the
Administrator role. All users on the LDAP server with a name starting with
managers_ will be mapped to this user account and will be authenticated and
assigned the Administrator role.
createUser –name "managers_*" –role Administrator –sendToEmail no –tempPass L0gM3InN0w
User managers_* was created successfully.
The following example returns a list of all local users defined on the tape library, including
the managers_* user and any mapped users from the RACF server who are currently
connected. The user name for each mapped RACF user has a mapped_ prefix.
viewUsers -local
Name, Locked, State, Role, Email, Last login
mapped_managers_*, , Connected, Administrator, , viernes, septiembre 28, 2018 11:22:33 AM CST
mapped_managers_jecervan, , Connected, Administrator, xyz@mx1.ibm.com, viernes, septiembre 28, 2018 11:22:33 AM CST
service, , Disconnected, Service, svc@service.com,
temporal, , Disconnected, Administrator, , lunes, noviembre 25, 2013, 09:40:22 AM CST
The following example deletes the mapped_managers_* user.
deleteUser "mapped_managers_*"
User mapped_managers_* was deleted successfully.