How To
Summary
This document will cover the various ways to configure LDAP on the HMC. Please note LDAP can be configured on the HMC using the GUI or CLI.
Objective
- LDAP authentication: The user account is created on the HMC locally. User authentication is done by an LDAP server.
- LDAP auto-managed (Remote User Management): The HMC user's information is maintained on the LDAP server. The HMC user account is created automatically when the user logs in for the first time on the HMC. User authentication is done by either an LDAP or a Kerberos server.
chhmcldap -o s --automanage {0|1}
- You must enable LDAP authentication from the LDAP Server Definition window.
- You must define an LDAP server to use for authentication by supplying at least a primary URI for the LDAP server you want.
- You must define the search base (distinguished name tree) for the LDAP server.
- You must set the user profile of each remote user to use LDAP remote authentication instead of local authentication. A user that is set to use LDAP remote authentication will always use LDAP remote authentication, even when the user logs on to the HMC locally. (You do not need to set all users to use LDAP remote authentication. You can set some user profiles so that those users can use local authentication only.)
- You must ensure that a working network connection exists between the HMC and the LDAP servers.
- Enable LDAP: Select Enable LDAP to enable LDAP authentication on this HMC by using the LDAP servers that are listed for the primary URI and the backup URI.
- Primary URI: Configure an LDAP server for use in authentication on this HMC by specifying the URI. The LDAP server can be Microsoft Active Directory, Tivoli, or Open LDAP. Specify the URI in one of the following formats:
- Use the format ldap://ldap.example.com to define a server that uses STARTTLS for SSL encryption.
- Use the format ldaps://ldap.example.com:636 to define a server that uses LDAP over SSL. Note: If you use this format, STARTTLS cannot be enabled.
- The getfile command can be used to deploy an LDAP Certificate Authority (CA) certificate file on the HMC. The certificate must use a key size and algorithms that comply with TLS 1.2 protocol.
- **NOTE** The LDAP configuration on the HMC must be completed before applying the certificate, and the HMC must be using LDAPS or STARTTLS for the getfile import to complete without error.
- To troubleshoot issues with LDAPS and a CA cert, review this document on How to test the CA certificate and LDAP connection over SSL/TLS.
- Backup URI: Configure a backup LDAP server for use in authentication on this HMC by supplying the URI in one of the following formats:
- Use the format ldap://ldap.example.com to define a server using STARTTLS for SSL encryption.
- Use the format ldaps://ldap.example.com:636 to define a server using LDAP over SSL (Secure LDAP). Note: If you use this format, STARTTLS cannot be enabled.
- Bind DN: The DN to use for binding to the LDAP server when the LDAP server is configured to use non-anonymous binding. The bind DN must be specified in LDAP format (e.g. cn=admin,dc=yourorg,dc=com).
- Bind Password: The password to use when binding to the LDAP server when the LDAP server is configured to use non-anonymous binding.
- Enable SSL Encryption (STARTTLS): Select Enable SSL Encryption (STARTTLS) to enable Transport Layer Security on the connection between the HMC and the LDAP server. TLS provides data confidentiality (meaning that data cannot be read by third parties) or data integrity protection (meaning protection from tampering).
- Use the Following Attribute for the User Login: Use this field to specify the LDAP attribute that identifies the user being authenticated. The attribute that you specify is compared to the user's user ID to locate the correct record to verify the user's provided password. The default attribute is uid. For Microsoft Active Directory, use sAMAccountName as the attribute.
- Locate by Searching the Following Distinguished Name Tree (BaseDN): Use this field to specify the search base, also known as the distinguished name tree, for the LDAP server that is used to locate the user record to authenticate the user. For example: dc=example,dc=com. Click "Add" to add more than one distinguished name tree to the LDAP server. All the distinguished name trees that are added by the user are displayed in a list. If you want to delete an entry in the list, select the distinguished name tree and click Remove.
- Specify the search scope to use: Use this field to specify the search scope in LDAP format which will be used to locate the user record for the authenticating user. Allowed values are: one and sub.
- Select this option to enable LDAP authentication for a remote user of this HMC by using the LDAP servers that are listed for the primary URI and the backup URI. When you select this option, an LDAP user with properties defined for the HMC can log on to the HMC when the HMC is configured to use an LDAP server. The user account is created automatically, and automanage is the specified authentication type based on the user properties retrieved from the attribute that you specify in the LDAP Attributes to Retrieve User Properties field. Each time the user logs on, the user account is refreshed with the current user definition retrieved from the LDAP server.
- Use this field to define the LDAP attribute that locates and retrieves the role and authorization properties of the user being authenticated. For example, you might specify a character attribute such as description. The default attribute is ibm-aixAdminPolicyEntry. The User Properties attribute value is retrieved for the user properties that are used on the HMC.
- The required user property is the taskrole property. Other user properties are optional and, if available, are used to create the user account on the HMC automatically when they are applicable. The user properties that are defined on the LDAP server are specified as key=value pairs separated by commas. All user properties supported in mkhmcusr and chhmcusr are applicable to LDAP users, with the exception of description, idle_timeout, verify_timeout, authentication_type, passwd, pwage, and min_pwage. The taskrole is a required property. If you do not specify a taskrole property, the user cannot log on to the HMC. However, the user can still be manually created on the HMC to use LDAP authentication, as was done in earlier versions.
- The resourcerole property can have multiple roles separated by the '#' character. You can define LDAP users with multiple resource roles by separating each role with the '#' character. If the resourcerole property is defined with multiple roles, the first valid role in the list on the HMC is used for the user. If none of the specified roles are valid, the login is denied.
- If the remote_user_name property is specified, and LDAP is configured with Kerberos authentication, the user will be authenticated using Kerberos upon log on to the HMC.
- The auto_remove property is applicable for LDAP users only. It can be defined with the following values:
- 0: Do not remove the user account. This is the same as not having the property specified.
- 1: Remove the user account on HMC if the user record on LDAP server does not exist or has an invalid taskrole.
- 2: Remove all auto-managed LDAP user accounts on the HMC that do not have a comparable user record on the LDAP server or a valid taskrole.
- The hmcgroups property allows LDAP users to be tagged to one or multiple user groups that are allowed to log in to the HMC. Multiple group names must be separated by "#". For example: hmcgroups=dev1#dev2. The HMC must have the groups configured in the LDAP configuration in addition to being passed in as a user property. This can be done with the chhmcldap command. For example, to only allow users in groups group1 and group2 to log in:
- Run:
chhmcldap -o s --hmcgroups group1,group2
- Check that a user that is part of group1 or group2 is returning the correct property:
lshmcldap -r user --filter "names=user"
- The output should contain hmcgroups=group1 or hmcgroups=group2.
- The HMC will only allow this for automanaged users.
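The user-properties rules above (comma-separated key=value pairs, a required taskrole, '#'-separated resourcerole and hmcgroups, auto_remove limited to 0/1/2, and the properties that are ignored for LDAP users) are easy to get wrong when populating the LDAP attribute by hand. The following validator is an added example written for this page, not HMC code: it re-implements those rules as the document states them so an administrator can pre-check an attribute value before a user tries to log on. The role names (hmcviewer, hmcoperator) and group names are constructed sample values, and how the real HMC treats a malformed pair is an assumption.

```python
"""Validator for an HMC auto-managed LDAP user-properties value.

Added illustrative example, not HMC code: it re-implements the rules this
document states (comma-separated key=value pairs, taskrole required,
'#'-separated resourcerole and hmcgroups, auto_remove in 0/1/2, properties
not applicable to LDAP users). Role and group names below are constructed
sample values; how the real HMC parser treats malformed input is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Properties the document lists as not applicable to LDAP users.
NOT_APPLICABLE = {"description", "idle_timeout", "verify_timeout",
                  "authentication_type", "passwd", "pwage", "min_pwage"}


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    props: Dict[str, str] = field(default_factory=dict)
    resourcerole: Optional[str] = None   # the role the HMC would actually use


def parse_props(value: str) -> Dict[str, str]:
    """Split 'k1=v1,k2=v2' into a dict. A pair without '=' is malformed."""
    props: Dict[str, str] = {}
    for pair in value.split(","):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError(f"malformed property (no '='): {pair!r}")
        key, _, val = pair.partition("=")
        props[key.strip()] = val.strip()
    return props


def evaluate(value: str, valid_resource_roles: Set[str],
             configured_hmcgroups: Set[str]) -> Decision:
    """Decide whether a user with this property string may log on, and why."""
    try:
        props = parse_props(value)
    except ValueError as exc:
        return Decision(False, [str(exc)])
    d = Decision(True, props=props)

    # taskrole is required: without it the user cannot log on.
    if not props.get("taskrole"):
        d.allowed = False
        d.reasons.append("taskrole missing: login denied")

    # Properties the HMC does not take from LDAP are reported, not applied.
    for key in sorted(NOT_APPLICABLE.intersection(props)):
        d.reasons.append(f"{key} is not applicable to LDAP users and is ignored")

    # resourcerole: the first valid role in the '#'-separated list wins;
    # if none is valid, login is denied.
    if "resourcerole" in props:
        roles = [r for r in props["resourcerole"].split("#") if r]
        valid = [r for r in roles if r in valid_resource_roles]
        if valid:
            d.resourcerole = valid[0]
        else:
            d.allowed = False
            d.reasons.append(f"no valid resourcerole in {roles}: login denied")

    # auto_remove accepts only 0, 1 or 2 (0 is the same as not set).
    auto_remove = props.get("auto_remove")
    if auto_remove is not None and auto_remove not in {"0", "1", "2"}:
        d.reasons.append(f"auto_remove={auto_remove!r} is not 0, 1 or 2")

    # When chhmcldap --hmcgroups restricts logins, the user must carry at
    # least one of the configured groups in its '#'-separated hmcgroups.
    if configured_hmcgroups:
        groups = {g for g in props.get("hmcgroups", "").split("#") if g}
        if not groups & configured_hmcgroups:
            d.allowed = False
            d.reasons.append(f"hmcgroups {sorted(groups)} match none of "
                             f"{sorted(configured_hmcgroups)}: login denied")
    return d


if __name__ == "__main__":
    # Constructed sample: a description attribute as it might be stored in LDAP.
    sample = "taskrole=hmcviewer,resourcerole=nosuchrole#hmcviewer,hmcgroups=dev1#dev2,auto_remove=1"
    print(evaluate(sample, {"hmcviewer", "hmcoperator"}, {"dev2", "ops"}))
```

Run it against the value that lshmcldap -r user returns for a user to see, before the user's first login, whether the HMC would accept it and which resource role it would pick.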
- Additional Search Filter (Optional): Use this field to specify a filter to use for limiting the search of the LDAP server for the user ID of the user being authenticated. Using this option is useful when you have a large number of LDAP users and want to decrease the amount of time for retrieving the user ID.
- LDAP Group Login (Optional): In HMC version v10.r2.1030 or higher, the LDAP Group Login field is applicable only when remote user management is enabled. You can specify a value for the LDAP Group Login field when you configure the LDAP server so that you can retrieve the group login information for a specific user from the LDAP server when required. If you specify a value for this field, the user is validated for the LDAP group. Specify the LDAP Group Login field only when you need a user to be validated for an LDAP group; otherwise, set this field to an empty value and the user will not be validated for any LDAP group.
- Attributes for Group Members (Optional): In HMC version v10.r2.1030 or higher, the LDAP Group Member Login field is applicable only when remote user management is enabled. You can specify a value for the LDAP Group Member Login field when you configure the LDAP server so that you can retrieve the member information for a specific user when required. If you specify a value for this field, the user is validated as a member of a specific LDAP group on the LDAP server. Specify the LDAP Group Member Login field only when you need a user to be validated as a member of an LDAP group; otherwise, set this field to an empty value and the user will not be validated as a member of any LDAP group.
Note: The LDAP Group Login attribute and the LDAP Group Member Login attribute are mutually dependent. You must configure both attributes to validate a user as a member of a specific LDAP group. If the user does not exist in any group, the user's hmcuserpropsattribute is taken from the LDAP user account. If the user exists in a group, the group's hmcuserpropsattribute attribute takes priority for fetching the HMC properties. If the group's description attribute is empty, the user-level attribute is used instead. If both are empty, authentication fails. If the user is in multiple groups, the properties of the first group in the list that has a taskrole in its description are used. Mappings shown below:

- If you are unable to retrieve user properties due to an error, you can use the lshmcldap -r user -v command to validate whether the properties are defined for the user on the LDAP server. For example, to list LDAP users uname1 and uname2 and output command execution details to stderr:
lshmcldap -r user --filter "names=uname1,uname2" -v
- To review the most recent HMC log messages after a failed attempt:
tail -n 50 /var/log/messages
- To query the LDAP server directly with ldapsearch (the first form uses the older -h/-p host and port options, the second a full URI; -x selects simple bind and -W prompts for the bind password):
ldapsearch -h <primary server URI> -p <port> -b <basedn> -D <binddn> -W -x -s <scope> [searchfilter] [attributes to display]
ldapsearch -H <ldap host:port> -b <basedn> -D <binddn> -W -x -s <scope> [searchfilter] [attributes to display]
- To test the TLS connection with the CA certificate, copy the certificate to the HMC, point the OpenLDAP client at it through LDAPTLS_CACERT, and run the search verbosely:
scp mycert hscroot@HMC_IP:/home/hscroot
export LDAPTLS_CACERT=/home/hscroot/mycert
ldapsearch -H <ldap host:port> -b <basedn> -D <binddn> -W -x -s <scope> -v [searchfilter] [attributes to display]
Environment
primary=ldap://ldap.ibm.com:389,backup=,"basedn=DC=ibm,DC=com",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=sAMAccountName,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=department,"binddn=CN=ibmserv,DC=ibm,DC=com",bindpwset=1,automanage=0,auth=ldap,searchfilter=,scope=sub,tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never
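The configuration line above is what the HMC reports for its LDAP settings, and it carries the transport choices this document discusses: an ldap:// primary URI with ssl=0, an empty tlscacert, and tlsreqcert=never. The following checker is an added example written for this page, not HMC code: it parses a line of that shape (CSV-style, with the basedn and binddn values double-quoted because they contain commas) and flags settings under which the bind password and user passwords cross the network unprotected or the server is not verified. It assumes that ssl=1 corresponds to the Enable SSL Encryption (STARTTLS) option and that tlsreqcert uses the OpenLDAP TLS_REQCERT vocabulary, where never means the server certificate is not checked; the sample line itself is constructed.

```python
"""Parse the one-line LDAP configuration an HMC reports (the key=value string
shown under Environment) and flag weak transport settings.

Added illustrative check, not HMC code. Assumptions: the quoting follows CSV
rules (a value containing commas is wrapped in double quotes, as in the
Environment line); ssl=1 corresponds to the Enable SSL Encryption (STARTTLS)
option; tlsreqcert uses the OpenLDAP TLS_REQCERT vocabulary, where 'never'
means the server certificate is not verified. The sample line is constructed.
"""
import csv
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample with the same shape as the document's Environment line.
SAMPLE = ('primary=ldap://ldap.example.com:389,backup=,'
          '"basedn=DC=example,DC=com",timelimit=30,bindtimelimit=30,'
          'referrals=1,ssl=0,loginattribute=sAMAccountName,'
          '"binddn=CN=svc-hmc,DC=example,DC=com",bindpwset=1,automanage=0,'
          'auth=ldap,searchfilter=,scope=sub,tlscacert=,hmcgroups=,'
          'tlsreqcert=never')


def parse_config(line: str) -> Dict[str, str]:
    """Split on commas while keeping double-quoted fields (basedn, binddn) intact."""
    fields = next(csv.reader([line]))
    cfg: Dict[str, str] = {}
    for item in fields:
        key, _, value = item.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_config(cfg: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means no weak setting found."""
    findings: List[str] = []
    uses_tls = cfg.get("ssl") == "1"          # STARTTLS option (assumption)
    for name in ("primary", "backup"):
        uri = cfg.get(name, "")
        if not uri:
            continue
        scheme = urlsplit(uri).scheme
        if scheme == "ldaps":
            uses_tls = True                   # LDAP over SSL, as in ldaps://host:636
        elif scheme == "ldap" and cfg.get("ssl") != "1":
            # ldap:// without STARTTLS: binds and user passwords cross the network in clear.
            findings.append(f"{name}={uri} with ssl=0: LDAP traffic, including the bind "
                            "password and user passwords, is not encrypted")
        elif scheme not in ("ldap", "ldaps"):
            findings.append(f"{name}={uri}: unexpected URI scheme {scheme!r}")
    if cfg.get("tlsreqcert") == "never":
        findings.append("tlsreqcert=never: the LDAP server certificate is not verified, "
                        "so a rogue server could harvest credentials")
    if uses_tls and not cfg.get("tlscacert"):
        findings.append("TLS is enabled but tlscacert is empty: import the CA certificate "
                        "with getfile so the server can be verified")
    if cfg.get("binddn") and cfg.get("bindpwset") != "1":
        findings.append("binddn is set but bindpwset=0: non-anonymous bind will fail")
    return findings


if __name__ == "__main__":
    for line in check_config(parse_config(SAMPLE)):
        print("-", line)
```

Paste the line reported by the HMC in place of SAMPLE; a clean result means every configured URI is either ldaps:// or ldap:// with STARTTLS, a CA certificate is loaded, and certificate checking is not disabled.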
Steps
LDAP Automanaged Users examples:
LDAP authentication only Users examples:
- Configure a local LDAP user.
- Be sure to enable remote web access if you plan to have the user access the GUI remotely.
- Click OK, and OK again. Then verify the user is shown in the list of users.
- Repeat for any other users you plan to configure.
- Configure the LDAP settings as needed for a connection (see the section above on required values).
- Run the getfile command to apply the cert. scp can be used to move the cert to /home/hscroot; otherwise you can use the other options provided by getfile.
- After applying the cert, reboot the HMC (this is not required unless prompted).
- Test the LDAP connection with lshmcldap -r user --filter "names=username" or with a specific user login.
Document Location
Worldwide
Document Information
Modified date:
28 January 2025
UID
ibm16466375