Enterprise directory server (LDAP)

It is possible to define users that are authenticated by using an Enterprise Directory or LDAP server. The system administrator can use the User Management task (or the Manage Enterprise Directory Server Definitions task in Hardware Management Console version 2.12.1 or earlier) to define one or more servers that can authenticate passwords for users.

This method of user authentication makes a great deal of sense for customers who already have a well-established LDAP server configuration. When a user is associated with an LDAP server definition, all the rules for defining a password, its expiration, and so forth, are already in place and applied. Because an existing LDAP configuration already meets the customer's security needs, the customer does not need to consider these factors again when evaluating the security aspects of the Hardware Management Console.

For more secure operation, it is recommended that the Hardware Management Console be configured to use SSL communications with the LDAP server whenever possible. For the most secure LDAP authentication, the LDAP server should present a server-specific certificate that is signed by a trusted certificate authority. If the LDAP server's certificate is not signed by one of the well-known certificate authorities (for example, if it is signed by a corporate signing certificate), the necessary signing certificates must be imported into the HMC by using the Certificate Management task, and the server definition must be left at its default setting of not tolerating self-signed or otherwise untrusted server certificates.

Note: At least one user with administrator capabilities who is not authenticated by an LDAP server is required (for example, ACSADMIN). This requirement ensures that the Hardware Management Console can still be used when the network or the LDAP server fails, because such a failure prevents authentication for every user who is defined to use an LDAP server.
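The two configuration rules above (SSL with untrusted server certificates rejected, and at least one locally authenticated administrator) can be checked mechanically. The following is an added example written for this page, not IBM's code or the HMC's own configuration schema: the field names (`use_ssl`, `tolerate_untrusted_certs`, `ca_bundle`, `ldap_server`) are assumptions modelled on the options the text describes, and the server and user records are constructed sample data. `ldaps_context` shows what "not tolerating untrusted certificates" means at the TLS layer, with the weak setting included only for contrast.

```python
"""Audit of HMC-style LDAP server definitions and user records.

Constructed example for this page; field names are assumptions, not the
Hardware Management Console's real configuration schema.
"""
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LdapServerDefinition:
    name: str
    host: str
    port: int
    use_ssl: bool                      # LDAP over SSL/TLS (assumed field)
    tolerate_untrusted_certs: bool     # should stay False, the default
    ca_bundle: Optional[str] = None    # corporate signing certs imported via
                                       # Certificate Management (assumed field)


@dataclass
class UserDefinition:
    name: str
    administrator: bool
    ldap_server: Optional[str] = None  # None means locally authenticated


def audit(servers: List[LdapServerDefinition],
          users: List[UserDefinition]) -> List[str]:
    """Return one finding per violated rule; an empty list means compliant."""
    findings: List[str] = []
    for s in servers:
        if not s.use_ssl:
            findings.append(f"{s.name}: LDAP traffic to {s.host}:{s.port} "
                            "is not protected by SSL/TLS")
        if s.tolerate_untrusted_certs:
            findings.append(f"{s.name}: tolerates self-signed or otherwise "
                            "untrusted server certificates")
    known = {s.name for s in servers}
    for u in users:
        if u.ldap_server is not None and u.ldap_server not in known:
            findings.append(f"{u.name}: refers to unknown LDAP server "
                            f"definition {u.ldap_server!r}")
    # The note's requirement: an administrator who does not depend on LDAP.
    if not any(u.administrator and u.ldap_server is None for u in users):
        findings.append("no locally authenticated administrator: the HMC "
                        "cannot be used if the network or LDAP server fails")
    return findings


def ldaps_context(server: LdapServerDefinition) -> ssl.SSLContext:
    """TLS settings that correspond to the server definition's trust choice.

    create_default_context() already requires a verified chain and a matching
    host name; a corporate CA bundle is added on top of the system trust store.
    """
    ctx = ssl.create_default_context()
    if server.ca_bundle:
        ctx.load_verify_locations(cafile=server.ca_bundle)
    if server.tolerate_untrusted_certs:
        # The weak setting the text warns against, shown for contrast only:
        # any certificate, including a self-signed one, is accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Constructed sample data: one compliant definition and one weak one.
SAMPLE_SERVERS = [
    LdapServerDefinition("corp-ldap", "ldap.example.com", 636,
                         use_ssl=True, tolerate_untrusted_certs=False),
    LdapServerDefinition("lab-ldap", "ldap-lab.example.com", 389,
                         use_ssl=False, tolerate_untrusted_certs=True),
]
SAMPLE_USERS = [
    UserDefinition("ACSADMIN", administrator=True),
    UserDefinition("jdoe", administrator=False, ldap_server="corp-ldap"),
    UserDefinition("ops-admin", administrator=True, ldap_server="corp-ldap"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVERS, SAMPLE_USERS):
        print("FINDING:", finding)
```

Removing `ACSADMIN` from the sample users adds the "no locally authenticated administrator" finding, which is exactly the lock-out scenario the note describes; `ops-admin` does not count because its login still depends on the LDAP server being reachable.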