Configuring user authentication from an external user registry to the Local Management Interface

Edit online

Use the LMI Authentication Configuration page to configure, reconfigure, or unconfigure users from an external user registry to authenticate to the local management interface of the virtual appliance.

Before you begin

Make sure to add the required users to the external user registry on IBM® Security Directory Server or Microsoft Active Directory before you work from this configuration page.

About this task

Configure, reconfigure, or unconfigure external authentication to enable users that are included in the external user registry to access the local management interface (LMI) of the virtual appliance.

Table 1. LMI Authentication configuration details
Action LMI Authentication configuration options
Configure
Host name
Specify the name of the server that hosts the directory server.

The acceptable formats for the host name are IPv4, FQDN, and IPv6. For example, igildap.example.com.

Port
Specify the directory server port.

For example, 389.

SSL
Flag this check box to apply SSL encryption to the connection with this server.

If you select this option, you are also prompted to accept the default digital certificate.

Principal DN
Specify the principal distinguished name.

For example, cn=root.

Password
Specify the password for the principal distinguished name.
LMI Authentication DN Location
Specify the directory server DN location.

For example, dc=com.

User filter
Specify which users in the external registry can access the LMI. For example,
  • For Directory Server, 
    (&(uid=%v)(objectclass=inetOrgPerson))
    uses user IDs (uid) and the inetOrgPerson object class to find the users. At run time, %v is replaced with the uid attribute of each user, which must be a unique key within the same object class in LDAP.
  • For Active Directory, 
    (&(sAMAccountName=%v)(objectclass=organizationalPerson)))
    uses user account names (sAMAccountName) and the organizationalPerson object class to find the users.
Group filter
Use group names to specify which users in the external registry can access the LMI. For example,
  • For Directory Server, use:
    (&(cn=%v)(objectclass=groupOfNames))
    The filter looks up groups in the directory service based on their common name (CN). At runtime, %v is replaced by the group name. The object class can be groupOfNames, groupOfUniqueNames, or groupOfURLs.
    You can specify multiple object classes. For example, 
    (&(cn=%v)(|(objectclass=groupOfNames)
(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
  • For Active Directory, use:
    (&(cn=%v)(objectcategory=CN=Group,CN=Schema,
CN=Configuration,DC=DN location of Active Directory)))
Reconfigure
Host name
Specify the name of the server that hosts the directory server.

The acceptable formats for the host name are IPv4, FQDN, and IPv6. For example, igildap.example.com.

Port
Specify the directory server port.

For example, 389.

SSL
Flag this check box to apply SSL encryption to the connection with this server.

If you select this option, you are also prompted to accept the default digital certificate.

Principal DN
Specify the principal distinguished name.

For example, cn=root.

Password
Specify the password for the principal distinguished name.
LMI Authentication DN Location
Specify the directory server DN location.

For example, dc=com.

User filter
Specify which users in the external registry can access the LMI. For example,
  • For Directory Server, 
    (&(uid=%v)(objectclass=inetOrgPerson))
    uses user IDs (uid) and the inetOrgPerson object class to find the users. At run time, %v is replaced with the uid attribute of each user, which must be a unique key within the same object class in LDAP.
  • For Active Directory, 
    (&(sAMAccountName=%v)(objectclass=organizationalPerson)))
    uses user account names (sAMAccountName) and the organizationalPerson object class to find the users.
Group filter
Use group names to specify which users in the external registry can access the LMI. For example,
  • For Directory Server, in 
    (&(cn=groupName)((objectclass=groupOfNames))
    groupName is the name of a group that is defined in Directory server. The object class can be groupOfNames, groupOfUniqueNames, or groupOfURLs.
    You can specify multiple object classes. For example, 
    (&(cn=groupName)(|(objectclass=groupOfNames)
(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
  • For Active Directory, in 
    (&(cn=groupName)(objectcategory=CN=Group,CN=Schema,
CN=Configuration,DC=DN location of Active Directory)))
    groupName is the name of a group that is defined in Directory Server.

Procedure

  1. From the top-level menu of the virtual appliance dashboard, click Manage > System Settings > Management Authentication.
  2. In the LMI Authentication Configuration pane, select Configure.
  3. In the LMI Authentication Configuration Details window, specify the expected variables.
    For more information, see Table 1.
  4. Select Save Configuration.
  5. Optional: Reconfigure an existing LMI Authentication configuration.
    1. From the LMI Authentication Configuration table, select the LMI Authentication configuration record.
    2. Click Reconfigure.
    3. In the Edit LMI Authentication Configuration Details window, edit the configuration variables.
      For more information, see Table 1.
    4. Click Save Configuration.
  6. Optional: Unconfigure an existing LMI Authentication configuration.
    1. From the LMI Authentication Configuration table, select the LMI Authentication configuration record.
    2. Click Unconfigure.
    3. Click Yes to confirm the deletion.