Remote Authentication
Remote authentication allows users to authenticate to the system using credentials that are stored on an external authentication service. When you configure remote authentication, you do not need to configure users on the system or assign additional passwords. Instead, you can use the existing passwords and user groups that are defined on the remote service to simplify user management and access, to enforce password policies more efficiently, and to separate user management from storage management.
A remote user is authenticated on a remote LDAP server. A remote user does not need to be added to the list of users on the system, although they can be added to configure optional SSH keys. For remote users, an equivalent user group must be created on the system with the same name and role as the group on the remote LDAP server. Remote users cannot access the system when the remote LDAP server is down; in that case, a local user account must be used until the LDAP service is restored. The groups of a remote user are defined by the remote authentication server.
Using the management GUI
- In the management GUI, select .
- Select .
- Select LDAP.
- Select the type of LDAP server that is used for authentication.
- Select one of the following security options:
- LDAP with StartTLS
- Select this option to configure extensions that upgrade the standard LDAP port (389) to an encrypted connection that uses TLS or SSL. The initial connection to the directory server is unencrypted, but this option can be used on systems that do not have port 636 available.
- LDAPS
- Select this option to secure LDAP communication by using the default secure port (636). The connections for all transactions with the directory server are encrypted.
- LDAP with no security
- Select this option to transport data in clear text format without encryption.
- Specify optional service credentials or modify advanced LDAP settings. The following LDAP attributes can be configured:
- User attribute
- For all server types, users are authenticated with a username that is defined with the LDAP user attribute. This attribute must exist in your LDAP schema and must be unique for each of your users. Active Directory users can also authenticate by using their user principal names (UPN) or NT login names.
- Group attribute
- Authenticated users are assigned roles according to their LDAP group memberships. The groups to which a user belongs are stored in the LDAP group attribute. This attribute value can be the distinguished name of each group, or a colon-separated list of user group names.
- Audit log attribute
- If an LDAP user completes an audited action, the contents of the audit log attribute are recorded in the audit log.
- Click Next.
- Define up to six LDAP servers to use for authentication. Multiple servers can be configured to provide access to different sets of users or for redundancy. You can also configure which servers are preferred to authenticate users. You can specify either IP addresses or domain names for the LDAP servers. If you specify a fully qualified domain name, a DNS server must be configured on your system. To configure a DNS server for the system, select . You can also use the mkdnsserver command to configure DNS servers.
Note: The system does not support using LDAP referrals to find related LDAP servers. Each required LDAP server must be explicitly configured on the system.
- Configure user groups on the system to match groups that are configured on the remote authentication service. For each user group on the authentication service, a corresponding user group must be created with the same name. In the management GUI, complete these steps:
- Select .
- On the Create User Group page, enter the following information:
- Group Name
- Enter the name of the group that is on the remote LDAP server. The name of the group on the system must match.
- Ownership Group
- If ownership groups are configured on your system, you can select an ownership group for the user group.
- Remote Authentication
- Select LDAP.
- Multifactor authentication
- Select On to enable second-factor authentication for remote users on the system. These users authenticate with the first factor that is stored on the remote LDAP server and are then required to provide a second factor through a supported authentication service before they can access the system.
- Click Create.
- Remote users are defined on the remote authentication service. Only remote users who require access to the command-line interface by using a Secure Shell (SSH) key need to be created on the system. To create these remote users, select .
- On the Create User page, enter the following information:
- Name
- Enter a name for the user.
- Authentication mode
- Select Remote.
- SSH key
- For remote users who require access to the system, select the public SSH key that is stored locally on the system.
- Click Create. Repeat these steps for all remote users.
- Verify your LDAP configuration. To test authentication to the LDAP servers, select Test LDAP Authentication and enter corresponding credentials for the user.
Using the command-line interface
To enable user authentication with LDAP by using the command-line interface, follow these steps:
- Configure LDAP by entering the chldap command. This command provides default settings for both IBM Security Directory Server and Microsoft Active Directory. To configure authentication with IBM Security Directory Server schema defaults and Transport Layer Security (TLS), for example, enter the following command:
chldap -type itds -security tls
LDAP configuration can be inspected with the lsldap command.
Note: Use TLS so that transmitted passwords are encrypted.
- Specify the mkldapserver command to define up to six LDAP servers to use for authentication. Multiple servers can be configured to provide access to different sets of users or for redundancy. All servers must share the settings that are configured with chldap.
Note: The system does not support using LDAP referrals to find related LDAP servers. Each LDAP server that is required must be explicitly configured on the system.
To configure an LDAP server with an SSL certificate and users in the cn=users,dc=company,dc=com subtree, for example, enter the following command:
mkldapserver -ip 9.71.45.108 -basedn cn=users,dc=company,dc=com -sslcert /tmp/sslcert.pem
If you have a DNS server configured on the system, you can also specify a domain name in the -ip parameter. For example:
mkldapserver -ip myldap.myco.com -basedn cn=users,dc=company,dc=com -sslcert /tmp/sslcert.pem
You can also configure which servers are preferred to authenticate users. Specify lsldapserver for LDAP server configuration information. Specify chldapserver and rmldapserver to change the configured LDAP servers.
- Configure user groups on the system to match the user groups that are used by the authentication service. For each group of interest that is known to the authentication service, a system user group must be created with the same name and with the remote setting enabled. If members of a group that is called sysadmins, for example, require the system administrator (admin) role, enter the following command:
mkusergrp -name sysadmins -remote -role Administrator
If none of the user's groups match a system user group, the user cannot access the system.
- Verify your LDAP configuration by using the testldapserver command. To test the connection to the LDAP servers, enter the command without any options. A user name can be supplied with or without a password to test for configuration errors. To process a full authentication attempt against each server, enter the following command:
testldapserver -username username -password 'password'
- Enter the following command to enable LDAP authentication:
chauthservice -type ldap -enable yes
- Configure users who do not require Secure Shell (SSH) key access. Delete system users who must use the remote authentication service and do not require SSH key access.
Remember: A superuser cannot be deleted or use the remote authentication service.
- Configure users who require SSH key access. All system users who use the remote authentication service and require SSH key access must have the remote setting enabled and a valid SSH key that is configured on the system.
- Specify the type of security to use when communicating with LDAP servers (the -security parameter of chldap). Specify tls to enable TLS: this option configures extensions that upgrade the standard LDAP port (389) to an encrypted connection that uses TLS. The initial connection to the directory server is unencrypted, but this option can be used on systems that do not have port 636 available.
Specify ssl to enable SSL security. This option secures LDAP communication by using the default secure port (636). The connections for all transactions with the directory server are encrypted. The default value is none.
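The group-to-role matching that the user group steps above describe (the LDAP group attribute holds either a group's distinguished name or a colon-separated list of group names, and access is denied when no name matches a remote-enabled system user group), as an added Python example that is not part of the product or of this documentation. The SYSTEM_USER_GROUPS table, the role names other than Administrator, and the tie-breaking rule (first matching group wins) are constructed assumptions.

```python
"""Added example: map LDAP group-attribute values to a system role."""
from typing import Optional

# Constructed table of system user groups, as created with
# `mkusergrp -name <group> -remote -role <role>`.  Only groups with the
# remote setting enabled can admit remotely authenticated users.
SYSTEM_USER_GROUPS = {
    "sysadmins": {"role": "Administrator", "remote": True},
    "storageops": {"role": "CopyOperator", "remote": True},
    "auditors": {"role": "Monitor", "remote": False},  # local-only group
}


def group_names_from_attribute(value: str) -> list[str]:
    """Extract group names from one LDAP group-attribute value.

    The value is either a group's distinguished name, where the name is
    the leading RDN value (cn=sysadmins,ou=groups,dc=company,dc=com), or a
    colon-separated list of plain group names (storageops:sysadmins).
    Escaped commas inside RDN values are not handled in this example.
    """
    value = value.strip()
    first_component = value.split(",", 1)[0]
    if "=" in first_component:
        # DN form: the group name is the value of the first RDN.
        return [first_component.split("=", 1)[1].strip()]
    return [name.strip() for name in value.split(":") if name.strip()]


def resolve_role(group_attribute_values: list[str]) -> Optional[str]:
    """Return the role of the first remote-enabled system user group whose
    name matches one of the user's LDAP groups, or None (access denied).

    Names are compared exactly; the documentation requires the names to
    match and does not say whether case is ignored.  Which role applies
    when several groups match is also unspecified, so this example takes
    the first match (a constructed rule).
    """
    for value in group_attribute_values:
        for name in group_names_from_attribute(value):
            group = SYSTEM_USER_GROUPS.get(name)
            if group and group["remote"]:
                return group["role"]
    return None


if __name__ == "__main__":
    # Constructed multi-valued attribute as an LDAP server might return it.
    print(resolve_role(["cn=developers,dc=company,dc=com",
                        "cn=sysadmins,ou=groups,dc=company,dc=com"]))
```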