Skip to main content

Edit directory server settings and role mappings

If you previously configured a directory server in Access Management, you can change its settings at any time. Settings include the server connection information and the group-to-role mappings.

Before you begin

  • You must be logged in with a user profile that includes Security admin permissions. Otherwise, the Access Management functions do not appear.

  • A directory server must be defined.

  1. Select Access Management .
  2. Select the Directory Services tab.
  3. If more than one server is defined, select the server you want to edit from the table.
  4. Select View/Edit Settings .
    The Directory Server Settings dialog box opens.
  5. In the Server Settings tab, change the desired settings.

    SettingDescription
    Configuration settings
    Domain(s)The domain name(s) of the LDAP server(s). For multiple domains, enter the domains in a comma-separated list. The domain name is used in the login ( username @ domain ) to specify which directory server to authenticate against.
    Server URLThe URL for accessing the LDAP server in the form of ldap[s]:// host : port .
    Bind account (optional)The read-only user account for search queries against the LDAP server and for searching within the groups.
    Bind password (optional)The password for the bind account. (This field appears when a bind account is entered.)
    Test server connection before savingChecks that the system can communicate with the LDAP server configuration. The test occurs after you click Save . If this checkbox is selected and the test fails, the configuration is not changed. You must resolve the error or clear the checkbox to skip the testing and re-edit the configuration.
    Privilege settings
    Search base DNThe LDAP context to search for users, typically in the form of CN=Users, DC=copc, DC=local .
    Username attributeThe attribute that is bound to the user ID for authentication. For example: sAMAccountName .
    Group attribute(s)A list of group attributes on the user, which is used for group-to-role mapping. For example: memberOf, managedObjects .
  6. In the Role Mapping tab, change the desired mapping.

    SettingDescription
    Mappings
    Group DNThe domain name for the LDAP user group to be mapped.
    RolesThe roles to be mapped to the Group DN. You must individually select each role you want to include for this group. The Monitor role is required in combination with the other roles to log in to ThinkSystem SAN Manager .

    The roles include the following:

    • Storage admin – Full read/write access to storage objects on the arrays, but no access to the security configuration.
    • Security admin – Access to the security configuration in Access Management and Certificate Management.
    • Support admin – Access to all hardware resources on storage arrays, failure data, and MEL events. No access to storage objects or the security configuration.
    • Monitor – Read-only access to all storage objects, but no access to the security configuration.
  7. If desired, click Add another mapping to enter more group-to-role mappings.
  8. Click Save .
After you complete this task, any active user sessions are terminated. Only your current user session is retained.