Configuring for service personnel access when LDAP is enabled

If LDAP is enabled, it is important to create at least one external authentication policy to permit access by an IBM® service representative.

About this task

Before a service event, create at least one external authentication policy for IBM service personnel access. Use these instructions to create a policy for service personnel access. IBM service representatives can operate locally or remotely. You can create different LDAP policies and assign different custom roles to local and remote IBM service representatives, based on how those personnel access the machine and what permissions they require.
Important: By default, when LDAP is enabled, the TS7700 can be accessed only through the LDAP server with a valid user ID and password combination. All local and remote access to the TS7700 is controlled through secured (encrypted) or plain text authentication. If the LDAP server is not accessible, the TS7700 is not accessible. Therefore, it is recommended that you allow IBM service personnel to connect without LDAP credentials, as described in the following steps.

Procedure

  1. Create a Direct LDAP policy for IBM service personnel.
    1. On the management interface, go to Access > Security Settings.
    2. Select Add Direct LDAP Policy from the Select Action drop-down list.
    3. Click Go.
    4. Check the options you want to enable for IBM Service Representative access.
      These settings become active only when the associated policy is assigned to a cluster. You can check both options.
      Important: These options permit IBM Service Representatives to access a cluster as if no external (SAS or LDAP) policy were in force. When enabled, they give an IBM Service Representative a way to reset an authentication policy and resolve a lockout scenario. If no option is checked, IBM Service personnel must log in to the cluster using LDAP credentials obtained from the system administrator. If no option is checked and the LDAP server is inaccessible, IBM Service Representatives cannot access the cluster.
      Allow IBM support to connect if they have physical access (Recommended)
      Check this box to allow an IBM Service Representative who is physically at the cluster to log in without LDAP credentials. At least one IBM Service Representative must have direct, physical access to the cluster. An onsite IBM Representative can grant temporary remote access to an offsite IBM Representative. This is the recommended option.
      Allow IBM support to connect remotely
      Check this box to allow an IBM Service Representative to log in to the cluster remotely without LDAP credentials.
    5. Required: Define the following required Direct LDAP values:
      • Policy Name
      • Primary Server URL
      • Base Distinguished Name
      • User name Attribute
    6. Optional: Define any of the following optional Direct LDAP values:
      • Alternative Server URL
      • Group Member Attribute
      • Group Name Attribute
      • User name filter
      • Group Name filter
      • Direct LDAP User Distinguished Name
      • Direct LDAP Password
    7. Click OK.
  2. Define a Custom Role for use by IBM service personnel.
    1. On the management interface, go to Access > Roles & Permissions.
    2. Select the check box next to the Custom Role you want to define.
    3. Select Properties from the Select Action drop-down list.
    4. Click Go.
    5. Give the Custom Role a name that clearly identifies it as being for use by IBM service representatives.
    6. Select a role template that is based on the tasks you want to assign to this service role. Refer to the management interface Roles & permissions help page for role descriptions.
    7. In the Roles and Assigned Permissions table, check the box next to any additional tasks that are permitted for this service role. Be sure to check the box next to the Service Login task at the bottom of this table. If this task is not checked, IBM service personnel might not have access to adequate troubleshooting information.
    8. Click Submit Changes.
  3. Modify the new Direct LDAP policy to assign it the Custom Role you created.
    1. On the management interface, go to Access > Security Settings.
    2. Select the radio button next to the Direct LDAP Policy Name you created in Step 1.
    3. Select Modify from the Select Action drop-down list.
    4. Click Go.
    5. Navigate to the External Policy Users/Groups table.
    6. Select Add User from the Select Action drop-down list.
    7. Click Go.
    8. Enter a user name that clearly identifies it as being for use by IBM service representatives.
    9. Select the name of the Custom Role you created from the Role drop-down list.
    10. Select all clusters in the grid from the Clusters Access table.
    11. Click OK.
  4. Record the Direct LDAP Policy name, user name, and password that are created for IBM service representatives. Store this login information where it can be easily accessed during a service event.
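The following pre-flight check models the step 1 values and the two service bypass options so an administrator can confirm, before a service event, that the policy is complete and that a lockout cannot occur when the LDAP server is down. It is an added example, not IBM code and not part of the TS7700 management interface; the field names, the ldap/ldaps scheme check and the simplified Base DN parsing are assumptions.

```python
"""Pre-flight checks for a TS7700 Direct LDAP service policy (added example, not IBM code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# The four values the procedure marks as required (assumed attribute names).
REQUIRED = ("policy_name", "primary_server_url", "base_dn", "user_name_attribute")


@dataclass
class DirectLdapPolicy:
    policy_name: str = ""
    primary_server_url: str = ""
    base_dn: str = ""
    user_name_attribute: str = ""
    alternative_server_url: str = ""          # optional value
    allow_physical_access: bool = False       # "Allow IBM support to connect if they have physical access"
    allow_remote_access: bool = False         # "Allow IBM support to connect remotely"


def check_policy(p: DirectLdapPolicy) -> list[str]:
    """Return a list of findings; an empty list means the policy passed every check."""
    findings = []
    for name in REQUIRED:
        if not getattr(p, name).strip():
            findings.append(f"required value missing: {name}")
    for label, url in (("primary", p.primary_server_url), ("alternative", p.alternative_server_url)):
        if url:
            scheme = urlsplit(url).scheme.lower()
            if scheme not in ("ldap", "ldaps"):
                findings.append(f"{label} server URL must use ldap:// or ldaps://")
            elif scheme == "ldap":
                # The page allows plain-text authentication; flag it so the choice is deliberate.
                findings.append(f"{label} server URL uses plain-text ldap://; bind credentials are unencrypted")
    # Simplified DN check: every comma-separated RDN must look like attribute=value (escaped commas ignored).
    if p.base_dn and not all("=" in rdn for rdn in p.base_dn.split(",")):
        findings.append("base DN is not a comma-separated list of attribute=value RDNs")
    if not (p.allow_physical_access or p.allow_remote_access):
        findings.append("no service bypass option: if the LDAP server is unreachable, IBM service cannot log in (lockout)")
    return findings


def service_access_possible(p: DirectLdapPolicy, ldap_reachable: bool, rep_onsite: bool,
                            onsite_rep_present: bool = False) -> bool:
    """Can an IBM service representative reach the cluster under this policy?"""
    if ldap_reachable:
        return True                       # LDAP credentials from the administrator work
    if rep_onsite:
        return p.allow_physical_access    # physical-access bypass
    if p.allow_remote_access:
        return True                       # remote bypass
    # An onsite representative can grant temporary remote access to an offsite one.
    return p.allow_physical_access and onsite_rep_present
```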

Results

When LDAP authentication is enabled, management interface access is controlled by the LDAP server. Service access requires the user to authenticate through the normal service login and then authenticate again by using the IBM service representative Direct LDAP Policy.