Add directory server

To configure authentication for Access Management, you establish communications between an LDAP server and the host running the Web Services Proxy for ThinkSystem SAN Manager . You then map the LDAP user groups to the local user roles.

1. Select Access Management .
2. From the Directory Services tab, select Add Directory Server .
   The Add Directory Server dialog box opens.
3. In the Server Settings tab, enter the credentials for the LDAP server.

   Field Details

   Setting	Description
   Configuration settings
   Domain(s)	Enter the domain name of the LDAP server. For multiple domains, enter the domains in a comma separated list. The domain name is used in the login ( username @ domain ) to specify which directory server to authenticate against.
   Server URL	Enter the URL for accessing the LDAP server in the form of ldap[s]:// host : port .
   Upload certificate (optional)	Note This field appears only if an LDAPS protocol is specified in the Server URL field above. Click Browse and select a CA certificate to upload. This is the trusted certificate or certificate chain used for authenticating the LDAP server.
   Bind account (optional)	Enter a read-only user account for search queries against the LDAP server and for searching within the groups. Enter the account name in an LDAP-type format. For example, if the bind user is called "bindacct," then you might enter a value such as "CN=bindacct,CN=Users,DC=cpoc,DC=local."
   Bind password (optional)	Note This field appears when you enter a bind account. Enter the password for the bind account.
   Test server connection before adding	Select this checkbox if you want to make sure the system can communicate with the LDAP server configuration you entered. The test occurs after you click Add at the bottom of the dialog box. If this checkbox is selected and the test fails, the configuration is not added. You must resolve the error or de-select the checkbox to skip the testing and add the configuration.
   Privilege settings
   Search base DN	Enter the LDAP context to search for users, typically in the form of CN=Users, DC=copc, DC=local .
   Username attribute	Enter the attribute that is bound to the user ID for authentication. For example: sAMAccountName .
   Group attribute(s)	Enter a list of group attributes on the user, which is used for group-to-role mapping. For example: memberOf, managedObjects .

4. Click the Role Mapping tab.
5. Assign LDAP groups to the predefined roles. A group can have multiple assigned roles.

   Field Details

   Setting	Description
   Mappings
   Group DN	Specify the group distinguished name (DN) for the LDAP user group to be mapped.
   Roles	Click in the field and select one of the local user roles to be mapped to the Group DN. You must individually select each role you want to include for this group. The Monitor role is required in combination with the other roles to log in to ThinkSystem SAN Manager . The mapped roles include the following permissions: Storage admin – Full read/write access to storage objects on the arrays, but no access to the security configuration. Security admin – Access to the security configuration in Access Management and Certificate Management. Support admin – Access to all hardware resources on storage arrays, failure data, and MEL events. No access to storage objects or the security configuration. Monitor – Read-only access to all storage objects, but no access to the security configuration.

6. If desired, click Add another mapping to enter more group-to-role mappings.
7. When you are finished with the mappings, click Add .
   The system performs a validation, making sure that the storage array and LDAP server can communicate. If an error message appears, check the credentials entered in the dialog box and re-enter the information if necessary.