Configuring LDAP
Use the information in this topic to view or change CMM2 LDAP (lightweight directory access protocol) settings.
Support for LDAP protocol version 3 (RFC-2251)
Support for the standard LDAP client APIs (RFC-1823)
Support for the standard LDAP search filter syntax (RFC-2254)
Support for Lightweight Directory Access Protocol (v3) Extension for Transport Layer Security (RFC-2830)
Microsoft Active Directory (Windows 2008 and later)
Microsoft Active Directory Application Mode (Windows 2008 and later)
Microsoft Lightweight Directory Service (Windows 2008 and later)
Novell eDirectory Server, version 8.7 and 8.8
OpenLDAP Server 2.1, 2.2, 2.3 and 2.4
To configure LDAP with commands, see ldapcfg command.
To import an LDAP certificate, see External authentication of certificates.
Login Permission Attribute
When a user is authenticated through an LDAP server successfully, the login permissions for the user must be retrieved. To retrieve the login permissions, the search filter that is sent to the server must specify the attribute name that is associated with login permissions. The Login Permission Attribute field specifies the attribute name. If this field is left blank, the user is assigned a default of read-only permissions, assuming that the user passes the user and group authentication.
The attribute value that is returned by the LDAP server is searched for the keyword string IBMRBSPermissions=. This keyword string must be immediately followed by a bit string that is entered as exactly 12 consecutive 0s or 1s. Each bit represents a set of functions. The bits are numbered according to their positions: the left-most bit is bit position 0, and the right-most bit is bit position 11. A value of 1 at a bit position enables the function that is associated with that bit position; a value of 0 at a bit position disables it.
The string IBMRBSPermissions=010000000000 is a valid example. Because the IBMRBSPermissions= keyword is used to locate the bit string, the keyword string can be placed anywhere in the attribute value. This enables the LDAP administrator to reuse an existing attribute instead of extending the LDAP schema, and the attribute can still be used for its original purpose. The attribute that you use can allow a free-formatted string. When the attribute is retrieved successfully, the value that is returned by the LDAP server is interpreted according to the information in the following table.
| Bit position | Function | Explanation |
| --- | --- | --- |
| 0 | Deny Always | The user always fails authentication. This function can be used to block a particular user or users associated with a particular group. |
| 1 | Supervisor Access | The user is given administrator privileges, including viewing any page, making changes to any field, and doing any action provided by the interface. When this bit is set, there is no need to set the other bits. |
| 2 | Read Only Access | The user has read-only access and cannot perform any maintenance procedures, including restart, remote actions, firmware updates, or modifying anything through the save, clear, or restore functions. Note: This bit has the lowest precedence and is ignored when any other bit is set. |
| 3 | Networking and Security | The user is allowed to modify configuration in the Security, Network Protocols, and Network Interface interfaces of the Management Module, and also to modify the IP configuration parameters for I/O modules in the I/O Module Tasks Management interface. |
| 4 | User Account Management | The user is allowed to add, modify, and delete users and to change the Global Login Settings in the Login Profiles interface. |
| 5 | Node Remote Console Access | The user has access to the remote video console of a compute node with keyboard and mouse. |
| 6 | Node Remote Console and Virtual Media Access | The user has access to the remote video console of a compute node with keyboard and mouse control, and can also access the virtual media features of that remote node. |
| 7 | Node and I/O Module Power/Restart Access | The user is allowed to power on and restart the compute nodes and I/O modules. These functions are available in the Node Tasks Power/Restart and I/O Module Tasks Admin/Power/Restart interfaces. |
| 8 | Basic Configuration | The user is allowed to modify basic configuration parameters of the MM (General Settings and Alerts) and compute nodes ( ). |
| 9 | Ability to Clear Event Logs | The user is allowed to clear the event logs. Everyone can view the event logs, but this particular permission is required to clear the logs. |
| 10 | Advanced Adapter Configuration | The user has no restrictions when configuring the MM, compute nodes, I/O modules, and VPD. In addition, the user has administrative access to the following advanced functions: |
| 11 - 15 | Version Number | |
| 16 | Deny Always Role | The user always fails authentication. This function can be used to block a particular user or users associated with a particular group. |
| 17 | Supervisor Role | The user has full read/write access to everything. Note: When this bit is set, there is no need to turn on any other authority levels. |
| 18 | Operator Role | The user has read-only access and cannot perform any maintenance procedures, including restart, remote actions, firmware updates, or modifying anything through the save, clear, or restore functions. Note: This bit has the lowest precedence and is ignored when any other bit is set. |
| 19 | Chassis Operator Role | The user is allowed to: Note: Saving MM configuration to chassis requires |
| 20 | Chassis User Account Management Role | The user is allowed to: Note: Changing the global login settings requires the |
| 21 | Chassis Log Account Management Role | The user is allowed to: Note: Every user is allowed to view the event logs, but this particular role is required to clear the logs or to change the log policy settings, which are located at the top of the event log page. |
| 22 | Chassis Configuration Role | The user is allowed to: |
| 23 | Chassis Administration Role | The user is allowed to: |
| 24 | Blade Operator Role | The user is allowed to read node information, but not to modify it. |
| 25 | Node Remote Presence Role | The user has access to the Remote Control interface and the functions provided on that interface, including remote console (KVM) and remote disk. The user is also allowed to issue the CLI console command to start a SOL session to a node. |
| 26 | Node Configuration Role | The user is allowed to modify and save any node configuration parameter (except parameters in the SOL configuration interface), for example node names, node policy settings, and disabling or enabling SOL for individual nodes in the Serial Over LAN status interface. |
| 27 | Node Administration Role | The user is allowed to power nodes on and off, restart nodes, activate standby nodes, update firmware, and modify node LEDs. |
| 28 | Switch Operator Role | The user is allowed to browse the status and properties of I/O modules, and to ping I/O modules. |
| 29 | Switch Configuration Role | The user is allowed to: |
| 30 | Switch Administration Role | The user is allowed to: |
| 31 | Node 1 Scope | The user has access to the node in slot 1. |
| 32 | Node 2 Scope | The user has access to the node in slot 2. |
| 33 | Node 3 Scope | The user has access to the node in slot 3. |
| 34 | Node 4 Scope | The user has access to the node in slot 4. |
| 35 | Node 5 Scope | The user has access to the node in slot 5. |
| 36 | Node 6 Scope | The user has access to the node in slot 6. |
| 37 | Node 7 Scope | The user has access to the node in slot 7. |
| 38 | Node 8 Scope | The user has access to the node in slot 8. |
| 39 | Node 9 Scope | The user has access to the node in slot 9. |
| 40 | Node 10 Scope | The user has access to the node in slot 10. |
| 41 | Node 11 Scope | The user has access to the node in slot 11. |
| 42 | Node 12 Scope | The user has access to the node in slot 12. |
| 43 | Node 13 Scope | The user has access to the node in slot 13. |
| 44 | Node 14 Scope | The user has access to the node in slot 14. |
| 45 | Chassis Scope | The user has access to the chassis and management module. |
| 46 | I/O Module 1 Scope | The user has access to I/O module 1. |
| 47 | I/O Module 2 Scope | The user has access to I/O module 2. |
| 48 | I/O Module 3 Scope | The user has access to I/O module 3. |
| 49 | I/O Module 4 Scope | The user has access to I/O module 4. |
| 50 | I/O Module 5 Scope | The user has access to I/O module 5. |
| 51 | I/O Module 6 Scope | The user has access to I/O module 6. |
| 52 | I/O Module 7 Scope | The user has access to I/O module 7. |
| 53 | I/O Module 8 Scope | The user has access to I/O module 8. |
| 54 | I/O Module 9 Scope | The user has access to I/O module 9. |
| 55 | I/O Module 10 Scope | The user has access to I/O module 10. |
| 56 - 63 | Reserved | These bits are reserved for future use and are currently ignored. |
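As an added example (not code from the CMM2 or its documentation), the following Python decodes the 12-bit IBMRBSPermissions= string described above, locating the keyword anywhere in a free-form attribute value and applying the precedence rules from the table (Deny Always wins, Supervisor covers everything, Read Only is ignored when any other bit is set), so an administrator can audit which directory entries grant supervisor access. The bit names are taken from the table; the DNs and attribute values are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Bit positions 0..11 of the 12-bit IBMRBSPermissions string, named per this page's
# table; bit 0 is the left-most character of the string.
BIT_NAMES = [
    "Deny Always", "Supervisor Access", "Read Only Access",
    "Networking and Security", "User Account Management",
    "Node Remote Console Access", "Node Remote Console and Virtual Media Access",
    "Node and I/O Module Power/Restart Access", "Basic Configuration",
    "Ability to Clear Event Logs", "Advanced Adapter Configuration", "Version Number",
]
# The keyword may appear anywhere in a free-form attribute value, followed by 12 bits.
KEYWORD_RE = re.compile(r"IBMRBSPermissions=([01]{12})")


def extract_bits(attr_value: str) -> Optional[str]:
    """Return the 12-character bit string following the keyword, or None if absent."""
    match = KEYWORD_RE.search(attr_value)
    return match.group(1) if match else None


def effective_permissions(bits: str) -> List[str]:
    """Resolve the bit string using the table's precedence rules: Deny Always
    overrides everything, Supervisor makes the other bits redundant, and Read Only
    is ignored whenever any other bit is set."""
    if len(bits) != 12 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 12 characters, each 0 or 1")
    set_bits = [pos for pos, ch in enumerate(bits) if ch == "1"]
    if 0 in set_bits:
        return ["Deny Always"]
    if 1 in set_bits:
        return ["Supervisor Access"]
    if 2 in set_bits and len(set_bits) > 1:
        set_bits.remove(2)
    return [BIT_NAMES[pos] for pos in set_bits]


def find_supervisors(entries: Dict[str, str]) -> List[str]:
    """From a DN -> attribute value map, list DNs whose value grants Supervisor Access."""
    hits = []
    for dn, value in entries.items():
        bits = extract_bits(value)
        if bits is not None and effective_permissions(bits) == ["Supervisor Access"]:
            hits.append(dn)
    return hits


# Constructed sample values (not from the page): the keyword embedded in free-form text.
SAMPLE_ENTRIES = {
    "cn=alice,ou=ops,dc=example,dc=com": "Chassis admin IBMRBSPermissions=010000000000",
    "cn=bob,ou=ops,dc=example,dc=com": "IBMRBSPermissions=001100000000 network team",
    "cn=carol,ou=ops,dc=example,dc=com": "description without the keyword",
}
```

Running `find_supervisors(SAMPLE_ENTRIES)` returns only alice's DN; bob's value resolves to Networking and Security because the Read Only bit is discarded once another bit is set.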