Remote Authentication

Remote authentication allows users to authenticate to the system using credentials that are stored on an external authentication service. When you configure remote authentication, you do not need to configure users on the system or assign more passwords. Instead, you can use your existing passwords and user groups that are defined on the remote service to simplify user management and access to enforce password policies more efficiently, and to separate user management from storage management.

A remote user is authenticated on a remote LDAP server. A remote user does not need to be added to the list of users on the system, although they can be added to configure optional SSH keys. For remote users, an equivalent user group must be created on the system with the same name and role as the group on the remote LDAP server. Remote users cannot access the system when the remote LDAP server is down. In that case, a local user account must be used until the LDAP service is restored. Remote users have their groups that are defined by the remote authentication server.

Using the management GUI

To configure remote authentication with LDAP, complete these steps:
  1. In the management GUI, select Settings > Security > Remote Authentication.
  2. Select Configure Remote Authentication.
  3. Select LDAP.
  4. Select the type of LDAP server that is used for authentication.
  5. Select one of the following security options:
    LDAP with StartTLS
    Select this option to configure extensions that upgrade the standard LDAP port (389) to an encrypted port that uses TLS or SSL. The initial connection to the directory server is decrypted but can be used on systems that do not have port 636 available.
    LDAPS
    Select this option to secure LDAP communication by using the default secure port (636). The connections for all transactions with the directory server are encrypted.
    LDAP with no security
    Select this option to transport data in clear text format without encryption.
  6. Specify optional service credentials or modify advanced LDAP settings. The following LDAP attributes can be configured:
    User attribute
    For all server types, users are authenticated with a username that is defined with the LDAP user attribute. This attribute must exist in your LDAP schema and must be unique for each of your users. Active Directory users can also authenticate by using their user principal names (UPN) or NT login names.
    Group attribute
    Authenticated users are assigned roles according to their LDAP group memberships. The groups to which a user belongs are stored in the LDAP group attribute. This attribute value can be the distinguished name of each group, or a colon-separated list of user group names.
    Audit log attribute
    If an LDAP user completes an audited action, the contents of the audit log attribute are recorded in the audit log.
  7. Click Next.
  8. Define up to six LDAP servers to use for authentication. Multiple servers can be configured to provide access to different sets of users for redundancy. You can also configure which servers are preferred to authenticate users. You can specify either IP addresses or domain name for the LDAP servers. If you specify a fully qualified domain name, a DNS server must be configured on your system. To configure a DNS server for the system, select Settings > Network > DNS. You can also use the mkdnsserver command to configure DNS servers.
    Note: The system does not support using LDAP referrals to find related LDAP servers. Each required LDAP server must be explicitly configured on the system.
  9. Configure user groups on the system to match groups that are configured on the remote authentication service. For each user group on the authentication service, a corresponding user group must be created with the same name. In the management GUI, complete these steps:
    1. Select Access > Users > Create User Groups.
    2. On the Create User Group page, enter the following information:
      Group Name
      Enter the name of the group that is on the remote LDAP server. The name of the group on the system must match.
      Ownership Group
      If ownership groups are configured on your system, you can select an ownership group for the user group.
      Remote Authentication
      Select LDAP.
      Multifactor authentication
      Select On to enable second-factor authentication for remote users on the system. These users authenticate with the first factors that are stored on the remote LDAP server and then are required to provide a second factor to access the system through a supported authentication service.
    3. Click Create.
    4. Remote users are defined on the remote authentication service. Only remote users who require access to the command-line interface using a Secure Shell (SSH) key, need to be created. To create remote users, who require access to the command-line interface, select Access > Users by Groups > Create User.
    5. On the Create User page, enter the following information:
      Name
      Enter a name for the user.
      Authentication mode
      Select Remote.
      SSH key
      For remote users who require to access the system, select the public SSH key which stored locally on the system.
    6. Click Create. Repeat these steps for all remote users.
  10. Verify your LDAP configuration. To test authentication to the LDAP servers, select Test LDAP Authentication and enter corresponding credentials for the user.

Using the command-line interface

To enable user authentication with LDAP by using the command-line interface, follow these steps:
  1. Configure LDAP by entering the chldap command.
    This command provides default settings for both IBM Security Directory Server and Microsoft Active Directory. To configure authentication with IBM Security Directory Server schema defaults and Transport Layer Security (TLS), for example, enter the following command:
    chldap -type itds -security tls
    LDAP configuration can be inspected with the lsldap command.
    Note: Use TLS so that transmitted passwords are encrypted.
  2. Specify the mkldapserver command to define up to six LDAP servers to use for authentication.
    Multiple servers can be configured to provide access to different sets of users or for redundancy. All servers must share the settings that are configured with chldap.
    Note: The system does not support using LDAP referrals to find related LDAP servers. Each LDAP server that is required must be explicitly configured on the system.
    To configure an LDAP server with an SSL certificate and users in the cn=users,dc=company,dc=com subtree, for example, enter the following command:
    mkldapserver -ip 9.71.45.108 -basedn cn=users,dc=company,dc=com -sslcert /tmp/sslcert.pem
    If you have a DNS server configured on the system, you can also specify a domain name in the -ip parameter. For example:
    mkldapserver -ip myldap.myco.com -basedn cn=users,dc=company,dc=com -sslcert /tmp/sslcert.pem

    You can also configure which servers are preferred to authenticate users.

    Specify lsldapserver for LDAP server configuration information. Specify chldapserver and rmldapserver to change the configured LDAP servers.

  3. Configure user groups on the system by matching those user groups that are used by the authentication service.

    For each group of interest that is known to the authentication service, a system user group must be created with the same name and with the remote setting enabled. If members of a group that is called sysadmins, for example, require the system administrator (admin) role, enter the following command:

    mkusergrp -name sysadmins -remote -role Administrator

    If none of the user groups match a system user group, the user cannot access the system.

  4. Verify your LDAP configuration by using the testldapserver command.
    To test the connection to the LDAP servers, enter the command without any options. A user name can be supplied with or without a password to test for configuration errors. To process a full authentication attempt against each server, enter the following commands:
    testldapserver -username username -password 'password'
  5. Enter the following command to enable LDAP authentication:
    chauthservice -type ldap -enable yes
  6. Configure users who do not require Secure Shell (SSH) key access.
    Delete system users who must use the remote authentication service and do not require SSH key access.
    Remember: A superuser cannot be deleted or use the remote authentication service.
  7. Configure users who require SSH key access.

    All system users who use the remote authentication service and require SSH key access must have remote settings that are enabled and a valid SSH key that is configured on the system.

  8. Specify the type of security to use when communicating with LDAP servers.

    Specify tls to enable TLS. Select this option to configure extensions that upgrade the standard LDAP port (389) to an encrypted port that uses TLS. The initial connection to the directory server is unencrypted but can be used on systems that do not have port 636 available.

    Specify ssl to enable SSL security. This option secures LDAP communication by using the default secure port (636). The connections for all transactions with the directory server are encrypted. The default value is none.