Configuring LDAP

Use the information in this topic to view or change CMM2 LDAP (lightweight directory access protocol) settings.

LDAP support includes:
  • Support for LDAP protocol version 3 (RFC-2251)

  • Support for the standard LDAP client APIs (RFC-1823)

  • Support for the standard LDAP search filter syntax (RFC-2254)

  • Support for Lightweight Directory Access Protocol (v3) Extension for Transport Layer Security (RFC-2830)

The LDAP implementation supports the following LDAP servers:
  • Microsoft Active Directory (Windows 2008 and later)

  • Microsoft Active Directory Application Mode (Windows 2008 and later)

  • Microsoft Lightweight Directory Service (Windows 2008 and later)

  • Novell eDirectory Server, version 8.7 and 8.8

  • OpenLDAP Server 2.1, 2.2, 2.3 and 2.4

To configure LDAP with commands, see ldapcfg command.

To import an LDAP certificate, see External authentication of certificates.

Login Permission Attribute

When a user is authenticated successfully through an LDAP server, the login permissions for that user must be retrieved. To retrieve them, the search filter that is sent to the server must specify the attribute name that is associated with login permissions. The Login Permission Attribute field specifies that attribute name. If this field is left blank, the user is assigned read-only permissions by default, provided that the user passes user and group authentication.

The attribute value that is returned by the LDAP server is searched for the keyword string IBMRBSPermissions=. This keyword string must be immediately followed by a bit string that is entered as 12 consecutive 0s or 1s. Each bit represents a set of functions. The bits are numbered by their positions: the left-most bit is bit position 0 and the right-most bit is bit position 11. A value of 1 at a bit position enables the functions that are associated with that bit position; a value of 0 at a bit position disables them.

The string IBMRBSPermissions=010000000000 is a valid example. Because the bit string is located by the IBMRBSPermissions= keyword, it can be placed anywhere in the attribute value. This lets the LDAP administrator reuse an existing attribute, which avoids extending the LDAP schema, and lets the attribute keep serving its original purpose; the attribute that you use can therefore hold a free-form string. When the attribute is retrieved successfully, the value that is returned by the LDAP server is interpreted according to the following table.

Table 1. CMM2 LDAP permission bits (columns: bit position, function, explanation)

Bit 0: Deny Always
  The user always fails authentication. This function can be used to block a particular user or the users associated with a particular group.

Bit 1: Supervisor Access
  The user is given administrator privileges, including viewing any page, making changes to any field, and doing any action provided by the interface. When this bit is set, there is no need to set the other bits.

Bit 2: Read Only Access
  The user has read-only access and cannot perform any maintenance procedures, including restart, remote actions, firmware updates, or modifying anything through the saving, clearing, or restoring functions.
  Note: This bit has the lowest precedence and is ignored when any other bit is set.

Bit 3: Networking and Security
  The user is allowed to modify configuration in the Security, Network Protocols, and Network Interface interfaces of the Management Module, and also to modify the IP configuration parameters for I/O modules in the I/O Module Tasks Management interface.

Bit 4: User Account Management
  The user is allowed to add, modify, and delete users and to change the Global Login Settings in the Login Profiles interface.

Bit 5: Node Remote Console Access
  The user has access to the remote video console of a compute node with keyboard and mouse control.

Bit 6: Node Remote Console and Virtual Media Access
  The user has access to the remote video console of a compute node with keyboard and mouse control, and can also access the virtual media features of that remote node.

Bit 7: Node and I/O Module Power/Restart Access
  The user is allowed to power on and restart the compute nodes and I/O modules. These functions are available in the Node Tasks Power/Restart and I/O Module Tasks Admin/Power/Restart interfaces.

Bit 8: Basic Configuration
  The user is allowed to modify basic configuration parameters of the MM (General Settings and Alerts) and of compute nodes (Node Tasks > Configuration).

Bit 9: Ability to Clear Event Logs
  The user is allowed to clear the event logs. Everyone can view the event logs, but this particular permission is required to clear them.

Bit 10: Advanced Adapter Configuration
  The user has no restrictions when configuring the MM, compute nodes, I/O modules, and VPD. In addition, the user has administrative access to the following advanced functions:
  • updating MM or compute node firmware.

  • restoring MM factory defaults.

  • modifying and restoring the MM configuration from a configuration file.

  • restarting/resetting the MM.

Bits 11-15: Version Number
  • A version number of 00000 indicates that the previous user permissions scheme (bit positions 0..10) will be used.
  • A version number of 00001 indicates that the role-based user permissions scheme (bit positions 16..55) will be used.
  • Any invalid version number indicates that the previous user permissions scheme will be used.

Bit 16: Deny Always Role
  The user always fails authentication. This function can be used to block a particular user or the users associated with a particular group.

Bit 17: Supervisor Role
  The user has full read/write access to everything.
  Note: When this bit is set, there is no need to turn on any other authority levels.

Bit 18: Operator Role
  The user has read-only access and cannot perform any maintenance procedures, including restart, remote actions, firmware updates, or modifying anything through the saving, clearing, or restoring functions.
  Note: This bit has the lowest precedence and is ignored when any other bit is set.

Bit 19: Chassis Operator Role
  The user is allowed to:
  • browse the status and properties of chassis components (MM, chassis cooling devices, midplane, power modules, and media tray).

  • export the MM configuration backup file.

  Note: Saving the MM configuration to the chassis requires Supervisor access.

Bit 20: Chassis User Account Management Role
  The user is allowed to:
  • add, modify, and delete users in the Login Profiles interface.
  • export the MM configuration backup file.
  Note: Changing the global login settings requires the Chassis Configuration role.

Bit 21: Chassis Log Account Management Role
  The user is allowed to:
  • clear the event logs.
  • change the log policy settings.
  • export the MM configuration backup file.
  Note: Every user is allowed to view the event logs, but this particular role is required to clear the logs or to change the log policy settings, which are located at the top of the event log page.

Bit 22: Chassis Configuration Role
  The user is allowed to:
  • modify and save any chassis configuration parameter (except user profiles and event log settings), for example general MM settings, MM port assignments, MM network interfaces, MM network protocols, and MM security.

  • change the SOL configuration in the SOL configuration interface.

  • change the global login settings.

  • export the MM configuration backup file.

  • restore the MM factory defaults configuration if the user also has Chassis Administration permissions.

Bit 23: Chassis Administration Role
  The user is allowed to:
  • update MM firmware.

  • modify chassis LEDs.

  • restart the MM.

  • export the MM configuration backup file.

  • restore the MM factory defaults configuration if the user also has Chassis Configuration permissions.

Bit 24: Blade Operator Role
  The user is allowed to read node information, but not to modify it.

Bit 25: Node Remote Presence Role
  The user has access to the Remote Control interface and the functions provided on it, including remote console (KVM) and remote disk. The user is also allowed to issue the CLI console command to start an SOL session to a node.

Bit 26: Node Configuration Role
  The user is allowed to modify and save any node configuration parameter (except parameters in the SOL configuration interface), for example node names, node policy settings, and disabling or enabling SOL for individual nodes in the Serial Over LAN status interface.

Bit 27: Node Administration Role
  The user is allowed to power nodes on and off, restart nodes, activate standby nodes, update firmware, and modify node LEDs.

Bit 28: Switch Operator Role
  The user is allowed to browse the status and properties of I/O modules, and to ping I/O modules.

Bit 29: Switch Configuration Role
  The user is allowed to:
  • configure the IP address.

  • enable/disable external management over all ports.

  • preserve the new IP configuration on all resets.

  • restore factory defaults.

  • launch a telnet or web session to an I/O module if the user also has Switch Administration permissions.

Bit 30: Switch Administration Role
  The user is allowed to:
  • power I/O modules on and off and restart them with various diagnostic levels.

  • update passthru I/O module firmware.

  • enable/disable Fast POST.

  • enable/disable external ports.

  • restore factory defaults.

  • launch a telnet or web session to an I/O module if the user also has Switch Configuration permissions.

Bit 31: Node 1 Scope
  The user has access to the node in slot 1.

Bit 32: Node 2 Scope
  The user has access to the node in slot 2.

Bit 33: Node 3 Scope
  The user has access to the node in slot 3.

Bit 34: Node 4 Scope
  The user has access to the node in slot 4.

Bit 35: Node 5 Scope
  The user has access to the node in slot 5.

Bit 36: Node 6 Scope
  The user has access to the node in slot 6.

Bit 37: Node 7 Scope
  The user has access to the node in slot 7.

Bit 38: Node 8 Scope
  The user has access to the node in slot 8.

Bit 39: Node 9 Scope
  The user has access to the node in slot 9.

Bit 40: Node 10 Scope
  The user has access to the node in slot 10.

Bit 41: Node 11 Scope
  The user has access to the node in slot 11.

Bit 42: Node 12 Scope
  The user has access to the node in slot 12.

Bit 43: Node 13 Scope
  The user has access to the node in slot 13.

Bit 44: Node 14 Scope
  The user has access to the node in slot 14.

Bit 45: Chassis Scope
  The user has access to the chassis and management module.

Bit 46: I/O Module 1 Scope
  The user has access to I/O module 1.

Bit 47: I/O Module 2 Scope
  The user has access to I/O module 2.

Bit 48: I/O Module 3 Scope
  The user has access to I/O module 3.

Bit 49: I/O Module 4 Scope
  The user has access to I/O module 4.

Bit 50: I/O Module 5 Scope
  The user has access to I/O module 5.

Bit 51: I/O Module 6 Scope
  The user has access to I/O module 6.

Bit 52: I/O Module 7 Scope
  The user has access to I/O module 7.

Bit 53: I/O Module 8 Scope
  The user has access to I/O module 8.

Bit 54: I/O Module 9 Scope
  The user has access to I/O module 9.

Bit 55: I/O Module 10 Scope
  The user has access to I/O module 10.

Bits 56-63: Reserved
  These bits are reserved for future use and are currently ignored.
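As an added example (not code from the Lenovo documentation or the CMM2 firmware), the following Python decodes an IBMRBSPermissions= value the way the Login Permission Attribute paragraphs and Table 1 describe: it locates the keyword anywhere in a free-form attribute value, reads the version number in bits 11-15 to choose the legacy or role-based scheme, applies the precedence notes for Deny Always, Supervisor and Read Only, and lists the granted functions and scopes. It assumes that a bit string shorter than 16 characters is padded with 0s on the right (so a 12-bit legacy value has version 00000) and that an attribute value without the keyword grants nothing; the names bits_from_positions, extract_bits, scheme_for and decode are this example's own.

```python
import re
from typing import Dict, Optional, Set

# Added example: decoder for CMM2 LDAP IBMRBSPermissions= bit strings.
# Bit meanings are taken from Table 1; helper names are this example's own.

KEYWORD = "IBMRBSPermissions="
# The keyword must be immediately followed by a run of 0/1 characters and may
# sit anywhere inside an otherwise free-form attribute value.
_PATTERN = re.compile(re.escape(KEYWORD) + r"([01]+)")

# Legacy scheme (bits 0..10).
LEGACY_BITS: Dict[int, str] = {
    0: "Deny Always", 1: "Supervisor Access", 2: "Read Only Access",
    3: "Networking and Security", 4: "User Account Management",
    5: "Node Remote Console Access",
    6: "Node Remote Console and Virtual Media Access",
    7: "Node and I/O Module Power/Restart Access", 8: "Basic Configuration",
    9: "Ability to Clear Event Logs", 10: "Advanced Adapter Configuration",
}
# Role-based scheme: bits 16..30 are roles, bits 31..55 are scopes.
ROLE_BITS: Dict[int, str] = {
    16: "Deny Always Role", 17: "Supervisor Role", 18: "Operator Role",
    19: "Chassis Operator Role", 20: "Chassis User Account Management Role",
    21: "Chassis Log Account Management Role", 22: "Chassis Configuration Role",
    23: "Chassis Administration Role", 24: "Blade Operator Role",
    25: "Node Remote Presence Role", 26: "Node Configuration Role",
    27: "Node Administration Role", 28: "Switch Operator Role",
    29: "Switch Configuration Role", 30: "Switch Administration Role",
}
SCOPE_BITS: Dict[int, str] = {
    **{31 + i: f"Node {i + 1} Scope" for i in range(14)},
    45: "Chassis Scope",
    **{46 + i: f"I/O Module {i + 1} Scope" for i in range(10)},
}


def bits_from_positions(positions: Set[int], length: int = 64) -> str:
    """Build a bit string with a 1 at each listed position (left-most is bit 0)."""
    return "".join("1" if i in positions else "0" for i in range(length))


def extract_bits(attribute_value: str) -> Optional[str]:
    """Return the 0/1 string that follows the keyword, or None if it is absent."""
    match = _PATTERN.search(attribute_value)
    return match.group(1) if match else None


def _is_set(bits: str, pos: int) -> bool:
    # Positions beyond the end of the string read as 0 (assumption, see lead-in).
    return pos < len(bits) and bits[pos] == "1"


def scheme_for(bits: str) -> str:
    """Bits 11..15 carry the version number: 00001 selects the role-based
    scheme; 00000 or any other (invalid) value selects the legacy scheme."""
    version = bits[11:16].ljust(5, "0")
    return "role" if version == "00001" else "legacy"


def decode(attribute_value: str) -> dict:
    """Interpret one attribute value as returned by the LDAP server."""
    result = {"found": False, "scheme": None, "denied": False,
              "permissions": [], "scopes": []}
    bits = extract_bits(attribute_value)
    if bits is None:
        return result  # no keyword: this decoder grants nothing (assumption)
    result["found"] = True
    result["scheme"] = scheme_for(bits)
    if result["scheme"] == "legacy":
        deny, sup, ro, table = 0, 1, 2, LEGACY_BITS
    else:
        deny, sup, ro, table = 16, 17, 18, ROLE_BITS
    # Precedence from the table notes: Deny Always wins outright, Supervisor
    # makes the other bits irrelevant, Read Only is ignored when any other bit is set.
    if _is_set(bits, deny):
        result["denied"] = True
        return result
    if _is_set(bits, sup):
        result["permissions"] = [table[sup]]
    else:
        granted = [name for pos, name in table.items()
                   if pos not in (deny, sup, ro) and _is_set(bits, pos)]
        if not granted and _is_set(bits, ro):
            granted = [table[ro]]
        result["permissions"] = granted
    if result["scheme"] == "role":
        result["scopes"] = [name for pos, name in SCOPE_BITS.items() if _is_set(bits, pos)]
    return result


if __name__ == "__main__":
    # Constructed sample attribute values, as an LDAP server might return them.
    samples = [
        "Network team member IBMRBSPermissions=010000000000 ext 4412",  # legacy Supervisor
        "IBMRBSPermissions=001100000000",                                # Read Only bit ignored
        "IBMRBSPermissions=" + bits_from_positions({15, 19, 45}),        # role-based scheme
    ]
    for value in samples:
        print(value, "->", decode(value))
```

Run against the values of the attribute named in the Login Permission Attribute field for each group, this makes it straightforward to audit which LDAP groups actually resolve to Supervisor, Chassis Administration or Deny Always on a CMM2, and to catch bit strings whose version number silently falls back to the legacy scheme.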