If LDAP is enabled, it is important to create at least one external authentication policy
to permit access by an IBM® service representative.
About this task
Before a service event, create at least one external authentication policy for IBM service personnel access. Use these instructions to create a policy for service personnel access. IBM service representatives can operate locally or remotely. You can create different LDAP policies and assign custom roles for local and remote IBM service representatives, based on how those personnel access the machine and what permissions they require.

Important: By default, when LDAP is enabled, the TS7700 can be accessed only through the LDAP server with a valid user ID and password combination. All local and remote access to the TS7700 is controlled through secured (encrypted) or plain-text authentication. If the LDAP server is not accessible, the TS7700 is not accessible. Therefore, it is recommended that you allow IBM service personnel to connect without LDAP credentials, as described in the following steps.
Procedure
1. Create a Direct LDAP policy for IBM service personnel.
   - On the management interface, go to .
   - Select Add Direct LDAP Policy from the Select Action drop-down list.
   - Click Go.
   - Check the options you want to enable for IBM Service Representative access. These settings become active only when the associated policy is assigned to a cluster. You can check both options.
     Important: These options permit IBM Service Representatives to access a cluster as if no external (SAS or LDAP) policy was in force. When enabled, they create a mechanism by which an IBM Service Representative can reset an authentication policy to resolve a lockout scenario. If no option is checked, IBM Service personnel must log in to the cluster using LDAP credentials obtained from the system administrator. If no option is checked and the LDAP server is inaccessible, IBM Service Representatives cannot access the cluster.
     - Allow IBM support to connect if they have physical access (Recommended): Check this box to allow an IBM Service Representative to log in physically, without LDAP credentials, to connect to the cluster. At least one IBM Service Representative must have direct, physical access to the cluster. An onsite IBM Representative can grant temporary remote access to an offsite IBM Representative. This is the recommended option.
     - Allow IBM support to connect remotely: Check this box to allow an IBM Service Representative to log in remotely, without LDAP credentials, to connect to the cluster.
   - Required: Define the following required Direct LDAP values:
     - Policy Name
     - Primary Server URL
     - Base Distinguished Name
     - User name Attribute
   - Optional: Define any of the following optional Direct LDAP values:
     - Alternative Server URL
     - Group Member Attribute
     - Group Name Attribute
     - User name filter
     - Group Name filter
     - Direct LDAP User Distinguished Name
     - Direct LDAP Password
   - Click OK.
2. Define a Custom Role for use by IBM service personnel.
   - On the management interface, go to .
   - Select the check box next to the Custom Role you want to define.
   - Select Properties from the Select Action drop-down list.
   - Click Go.
   - Give the Custom Role a name that clearly identifies it as being for use by IBM service representatives.
   - Select a role template based on the tasks you want to assign to this service role. Refer to the management interface Roles and permissions help page for role descriptions.
   - In the Roles and Assigned Permissions table, check the box next to any additional tasks that are permitted for this service role. Be sure to check the box next to the Service Login task at the bottom of this table. If this task is not checked, IBM service personnel might not have access to adequate troubleshooting information.
   - Click Submit Changes.
3. Modify the new Direct LDAP policy to assign it the Custom Role you created.
   - On the management interface, go to .
   - Select the radio button next to the Direct LDAP Policy Name you created in Step 1.
   - Select Modify from the Select Action drop-down list.
   - Click Go.
   - Navigate to the External Policy Users/Groups table.
   - Select Add User from the Select Action drop-down list.
   - Click Go.
   - Enter a user name that can be easily identified as for use by IBM service representatives.
   - Select the name of the Custom Role you created from the Role drop-down list.
   - Select all clusters in the grid from the Clusters Access table.
   - Click OK.
4. Record the Direct LDAP Policy name, user name, and password that are created for IBM service representatives. Store this login information where it can be easily accessed during a service event.
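As an added example, not part of the IBM documentation and not a TS7700 API (the TS7700 exposes these settings only through the management interface), the following Python check reviews a Direct LDAP policy definition, modelled with hypothetical field names, for the lockout and plain-text conditions the procedure warns about, comparing a weak definition with a corrected one. Hostnames and role names are constructed placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical model of the Direct LDAP policy values listed in the procedure.
# The TS7700 has no API for these; this only mirrors the fields for review.
@dataclass
class DirectLdapPolicy:
    policy_name: str
    primary_server_url: str
    base_dn: str                       # Base Distinguished Name
    username_attribute: str            # User name Attribute
    alternative_server_url: str = ""
    allow_physical_service_access: bool = False   # the recommended option
    allow_remote_service_access: bool = False
    service_role_permissions: set = field(default_factory=set)


def review_policy(p: DirectLdapPolicy) -> list:
    """Return findings that would lock out or weaken IBM service access."""
    findings = []
    required = [("Policy Name", p.policy_name), ("Primary Server URL", p.primary_server_url),
                ("Base Distinguished Name", p.base_dn), ("User name Attribute", p.username_attribute)]
    for label, value in required:
        if not value.strip():
            findings.append(f"required value missing: {label}")
    for label, url in [("Primary", p.primary_server_url), ("Alternative", p.alternative_server_url)]:
        scheme = urlparse(url).scheme.lower() if url else ""
        if scheme == "ldap":
            findings.append(f"{label} Server URL uses plain-text ldap://; prefer ldaps://")
        elif url and scheme != "ldaps":
            findings.append(f"{label} Server URL has an unexpected scheme: {scheme!r}")
    if not (p.allow_physical_service_access or p.allow_remote_service_access):
        findings.append("no service-access option checked: service is locked out if the LDAP server is unreachable")
    if not p.alternative_server_url:
        findings.append("no Alternative Server URL: a single LDAP server is a single point of failure")
    if "Service Login" not in p.service_role_permissions:
        findings.append("custom service role lacks the Service Login task")
    return findings


# Constructed sample definitions (placeholder hostnames, not real servers).
WEAK = DirectLdapPolicy("IBM_Service", "ldap://ldap.example.invalid", "dc=example,dc=invalid", "uid",
                        service_role_permissions={"View Cluster"})
CORRECTED = DirectLdapPolicy("IBM_Service", "ldaps://ldap1.example.invalid", "dc=example,dc=invalid", "uid",
                             alternative_server_url="ldaps://ldap2.example.invalid",
                             allow_physical_service_access=True,
                             service_role_permissions={"View Cluster", "Service Login"})

if __name__ == "__main__":
    for name, policy in [("weak", WEAK), ("corrected", CORRECTED)]:
        print(name, review_policy(policy) or ["no findings"])
```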
Results
When LDAP authentication is enabled, management interface access is controlled by the LDAP
server. Service access requires the user to authenticate through the normal service login and then
authenticate again by using the IBM service representative
Direct LDAP Policy.