Managing users from external directory servers

Learn how to grant or revoke access to IAS for platform and database users that come from external directory servers.

About this task

All external users must belong to one of the following groups so that they can log in to IAS:
  • Platform users:
    • ibmapadmin
    • ibmapusers
  • Database users:
    • bluadmin
    • bluusers
The procedure depends on the type of user that you need to add or remove from the group. Platform users are managed with the ap_external_ldap.pl utility. Database users are managed in the web console.

Procedure

  • Platform users:
    The ap_external_ldap.pl utility:
    • Runs on all the nodes.
    • Modifies the entries under [domain/ibmapext] of /etc/sssd.conf based on user inputs.
    • Enables the lookup of this domain.
    Use the following command to manage group membership:
    ap_external_ldap.pl usermod --group ibmapadmin|ibmapusers|none <USERNAME>
    where:
    ibmapadmin
        Appliance Administrator Group
    ibmapusers
        Appliance User Group
    none
        When selected, the specified user is removed from their current OS group.
    Note: The tool does not replace the LDAP group membership of USERNAME with the value specified for the --group option. The specified group is appended to the existing LDAP groups of USERNAME.
  • Database users:
    See the last step in the following procedures for information on how to add new database users from external LDAP:
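
Added example for the platform-user procedure above (not part of the original documentation and not IBM code): a shell check that compares the value passed to --group with the groups a user actually holds afterwards, so that a leftover ibmapadmin membership or an incomplete revocation is caught. The function names and the sample group lists are constructed; the check assumes group names contain no spaces.

```shell
#!/bin/sh
# Added example: verify the effective IAS platform group of an external user
# after a change made with "ap_external_ldap.pl usermod --group ...".
# Group names come from the page; everything else here is constructed.

# ias_platform_role "<space-separated group list>"
# Prints admin, user or none. Matching is on whole names, so a group such
# as "ibmapadmins" does not count as ibmapadmin.
ias_platform_role() {
    case " $1 " in
        *" ibmapadmin "*) echo admin ;;
        *" ibmapusers "*) echo user ;;
        *)                echo none ;;
    esac
}

# ias_check_membership <ibmapadmin|ibmapusers|none> "<group list>"
# Returns 0 when the effective role matches the requested --group value,
# 1 on a mismatch, 2 when the requested value is not one the page lists.
ias_check_membership() {
    expected=$1
    grouplist=$2
    case "$expected" in
        ibmapadmin) want=admin ;;
        ibmapusers) want=user ;;
        none)       want=none ;;
        *) echo "unknown group: $expected" >&2; return 2 ;;
    esac
    got=$(ias_platform_role "$grouplist")
    [ "$got" = "$want" ] && return 0
    echo "mismatch: requested $want, effective $got" >&2
    return 1
}

# Constructed sample: group list of a user after "--group none".
sample_groups="domain_users ldapstaff"
ias_check_membership none "$sample_groups" && echo "revocation confirmed"

# Live use on a node (USERNAME is a placeholder):
#   ias_check_membership none "$(id -Gn USERNAME)"
```

A request for ibmapusers is reported as a mismatch while ibmapadmin is still present, because the higher-privilege group determines the effective role.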