
Configuring LDAP

Use the information in this topic to view or change XClarity Controller LDAP settings.

LDAP support includes:
  • Support for LDAP protocol version 3 (RFC-2251)
  • Support for the standard LDAP client APIs (RFC-1823)
  • Support for the standard LDAP search filter syntax (RFC-2254)
  • Support for Lightweight Directory Access Protocol (v3) Extension for Transport Layer Security (RFC-2830)
The LDAP implementation supports the following LDAP servers:
  • Microsoft Active Directory (Windows 2003, Windows 2008, Windows 2012, Windows 2016, Windows 2019)
  • Microsoft Active Directory Application Mode (Windows 2003, Windows 2008)
  • Microsoft Lightweight Directory Service (Windows 2008, Windows 2012, Windows 2016, Windows 2019)
  • Novell eDirectory Server, version 8.7 and 8.8
  • OpenLDAP Server 2.1, 2.2, 2.3, 2.4, 2.5 and 2.6

Click the LDAP tab to view or modify XClarity Controller LDAP settings.

The XClarity Controller can remotely authenticate a user's access through a central LDAP server instead of, or in addition to, the local user accounts that are stored in the XClarity Controller itself. Privileges can be designated for each user account using the value of the Login Permission attribute. You can also use the LDAP server to assign users to groups and perform group authentication in addition to the normal user (password check) authentication. For example, an XClarity Controller can be associated with one or more groups; the user then passes group authentication only if the user belongs to at least one group that is associated with the XClarity Controller.

To configure an LDAP server, complete the following steps:
  1. Under LDAP Server Information, the following options are available from the item list:
    • Use LDAP server for Authentication only (with local authorization): This selection directs the XClarity Controller to use the credentials only to authenticate to the LDAP server and to retrieve group membership information. The group names and roles can be configured in the Groups for Local Authorization section.
    • Use LDAP server for Authentication and Authorization: This selection directs the XClarity Controller to use the credentials both to authenticate to the LDAP server and to identify a user’s permission.
    Note
    The LDAP servers to be used for authentication can either be configured manually or discovered dynamically via DNS SRV records.
    • Use Pre-Configured Servers: You can configure up to three LDAP servers by entering each server's IP address or host name if DNS is enabled. The port number for each server is optional. If this field is left blank, the default value of 389 is used for non-secured LDAP connections. For secured connections, the default port value is 636. You must configure at least one LDAP server.
    • Use DNS to Find Servers: You can choose to discover the LDAP server(s) dynamically. The mechanisms described in RFC2782 (A DNS RR for specifying the location of services) are used to locate the LDAP server(s). This is known as DNS SRV. You need to specify a fully qualified domain name (FQDN) to be used as the domain name in the DNS SRV request.
      • AD Forest: In an environment with universal groups in cross domains, the forest name (set of domains) must be configured to discover the required Global Catalogs (GC). In an environment where cross-domain group membership does not apply, this field can be left blank.
      • AD Domain: You will need to specify a fully qualified domain name (FQDN) to be used as the domain name in the DNS SRV request.
    If you wish to enable secure LDAP, click the Enable Secure LDAP checkbox. In order to support secure LDAP, a valid SSL certificate must be in place and at least one SSL client trusted certificate must be imported into the XClarity Controller. Your LDAP server must support Transport Layer Security (TLS) version 1.2 to be compatible with the XClarity Controller secure LDAP client. For more information about certificate handling, see SSL certificate handling.
  2. Fill in information under Additional Parameters. Below are explanations of the parameters.
    LDAP type
    Select the LDAP server type for LDAP-based authentication. The following server types are available:
    • OpenLDAP: OpenLDAP
    • Active Directory: Windows Active Directory
    • Other: Apache Directory, eDirectory, etc.

    Binding method
    Before you can search or query the LDAP server, you must send a bind request. This field controls how this initial bind to the LDAP server is performed. The following bind methods are available:
    • Use Configured Credentials: Use this method to bind with the configured client DN and password.
    • Use Login Credentials: Use this method to bind with the credentials that are supplied during the login process. The user ID can be provided through a DN, a partial DN, a fully qualified domain name, or through a user ID that matches the UID Search Attribute that is configured on the XClarity Controller. If the credentials that are presented resemble a partial DN (for example, cn=joe), this partial DN is prepended to the configured Root DN in an attempt to create a DN that matches the user's record. If that bind attempt fails, a final attempt is made to bind by prepending cn= to the login credential and prepending the resulting string to the configured Root DN.

    If the initial bind is successful, a search is performed to find the entry on the LDAP server that belongs to the user who is logging in. When the Use Configured Credentials binding method is used, a second bind is then made with the DN retrieved from the user's LDAP record and the password that was entered during the login process; because the initial bind used the configured client credentials, this second bind is what verifies the user's password. If the second bind fails, the user is denied access. The second bind is performed only with the Use Configured Credentials binding method.
    Client distinguished name
    The Client Distinguished Name (DN) used for the initial bind, limited to a maximum of 300 characters.
    Client password
    The password for the client DN.
    Root DN
    This is the distinguished name (DN) of the root entry of the directory tree on the LDAP server (for example, dc=mycompany,dc=com). This DN is used as the base object for all search requests.
    User’s Login Name Search Attribute
    When the binding method is set to Use Configured Credentials, the initial bind to the LDAP server is followed by a search request that retrieves specific information about the user, including the user's DN, login permissions, and group membership. This search request must specify the attribute name that represents the user IDs on that server. This attribute name is configured in this field. On Active Directory servers, the attribute name is usually CN or sAMAccountName. On Novell eDirectory and OpenLDAP servers, the attribute name is uid. If this field is left blank, the default is sAMAccountName.
    Group Filter
    The Group Filter field is used for group authentication, which is attempted after the user's credentials have been verified successfully. The filter lists the groups to which the XClarity Controller belongs; to succeed, the user must belong to at least one of the groups that are configured for group authentication. If the Group Filter field is left blank, group authentication automatically succeeds. If a filter is configured, an attempt is made to match at least one group in the list to a group the user belongs to. If there is no match, the user fails authentication and is denied access; if there is at least one match, group authentication is successful.
    The comparisons are case sensitive. The filter is limited to 511 characters and can consist of one or more group names. The colon (:) character must be used to delimit multiple group names. Leading and trailing spaces are ignored, but any other space is treated as part of the group name.
    Note
    The wildcard character (*) is no longer treated as a wildcard. The wildcard concept has been discontinued to prevent security exposures. A group name can be specified as a full DN or by using only the cn portion. For example, a group with a DN of cn=adminGroup, dc=mycompany, dc=com can be specified using the actual DN or with adminGroup.
    Group Membership Search Attribute
    The Group Search Attribute field specifies the attribute name that is used to identify the groups to which a user belongs. On Active Directory servers, the attribute name is usually memberOf. On Novell eDirectory servers, the attribute name is groupMembership. On OpenLDAP servers, users are usually assigned to groups whose objectClass equals PosixGroup. In that context, this field specifies the attribute name that is used to identify the members of a particular PosixGroup. This attribute name is memberUid. If this field is left blank, the attribute name in the filter defaults to memberOf.
    Login Permission Attribute
    When a user is authenticated through an LDAP server successfully, the login permissions for the user must be retrieved. To retrieve the login permissions, the search filter that is sent to the server must specify the attribute name that is associated with login permissions. The Login Permission Attribute field specifies the attribute name. If using LDAP server for Authentication and Authorization, but this field is left blank, the user will be refused access.
    The attribute value returned by the LDAP server search must be a bit string of 13 consecutive 0s or 1s. Each bit represents a set of functions. The bits are numbered according to their positions: the left-most bit is bit position 0 and the right-most bit is bit position 12. A value of 1 at a bit position enables the function associated with that position; a value of 0 disables it.
    For example, 0100000000000 is a valid value; it sets only bit position 1 (Supervisor Access). The attribute you use can be any attribute that allows a free-form string value. When the attribute is retrieved successfully, the value returned by the LDAP server is interpreted according to the information in the following table.
    Table 1. Permission bits (bit position, function, explanation)
    Bit 0 (Deny Always): A user will always fail authentication. This function can be used to block a particular user or users associated with a particular group.
    Bit 1 (Supervisor Access): A user is given administrator privileges. The user has read/write access to every function. If you set this bit, you do not have to individually set the other bits.
    Bit 2 (Read Only Access): A user has read-only access, and cannot perform any maintenance procedures (for example, restart, remote actions, or firmware updates) or make modifications (for example, the save, clear, or restore functions). Bit position 2 and all other bits are mutually exclusive, with bit position 2 having the lowest precedence: when any other bit is set, this bit is ignored.
    Bit 3 (Configuration - Networking and BMC Security): A user can modify the Security, Network Protocols, Network Interface, Port Assignments, and Serial Port configurations.
    Bit 4 (User Account Management): A user can add, modify, or delete users and change the Global Login Settings in the Login Profiles window.
    Bit 5 (Remote Console Access): A user can access the remote server console.
    Bit 6 (Remote Console and Remote Disk Access): A user can access the remote server console and the remote disk functions for the remote server.
    Bit 7 (Remote Server Power/Restart Access): A user can access the power on and restart functions for the remote server.
    Bit 8 (Configuration - Basic): A user can modify configuration parameters in the System Settings and Alerts windows.
    Bit 9 (Ability to Clear Event Logs): A user can clear the event logs. All users can view the event logs, but clearing them requires this level of permission.
    Bit 10 (Configuration - Advanced: Firmware Update, Restart BMC, Restore Configuration): A user has no restrictions when configuring the XClarity Controller and has administrative access to it. The user can perform the following advanced functions: firmware upgrades, PXE network boot, restore adapter factory defaults, modify and restore adapter configuration from a configuration file, and restart/reset the adapter.
    Bit 11 (Configuration - UEFI Security): A user can configure UEFI security related settings, which can also be configured from the UEFI F1 security setup page.
    Bit 12 (Reserved): Reserved for future use, and currently ignored.
    If none of the bits are set, the user is refused access.
    Note
    Priority is given to login permissions retrieved directly from the user record. If the user record does not contain the login permission attribute, an attempt is made to retrieve the permissions from the groups the user belongs to and, if a group filter is configured, that match the group filter. In this case the user is assigned the inclusive OR of the bits of all those groups. As with a single record, the Read Only Access bit is set only if all the other bits are zero. If the Deny Always bit is set for any of the groups, the user is refused access; the Deny Always bit always takes precedence over every other bit.
    Important
    If you give a user the ability to modify basic, networking, and/or security related adapter configuration parameters, you should consider giving this same user the ability to restart the XClarity Controller (bit position 10). Otherwise, without this ability, a user might be able to change parameters (for example, IP address of the adapter), but will not be able to have them take effect.
  3. If the Use LDAP server for Authentication only (with local authorization) mode is used, configure the Groups for Local Authorization. Group Name, Group Domain and Role are configured to provide local authorization for groups of users. Each group can be assigned a Role (set of permissions) that is the same as the roles configured for local users. User accounts are assigned to groups on the LDAP server; after logging in to the BMC, a user account is assigned the Role of the group it belongs to. Group Domain must be in the same format as a Distinguished Name, for example dc=mycompany,dc=com, and is used as the base object for group searches. If the field is left blank, the value of the Root DN field is used. Additional groups can be added by clicking the "+" icon or deleted by clicking the "x" icon.

  4. Select the attribute used for displaying the user name from the Specify the attribute used for displaying user name drop-down menu.
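Added example (this is not Lenovo code and is not part of the original page): a Python model of the group authentication rules from the Group Filter section and the permission-resolution rules from the Login Permission Attribute section and its notes, so that the precedence (user record first, otherwise the inclusive OR over the groups that match the filter; Deny Always wins; Read Only only when no other bit is set; no bits set means access refused) can be checked against concrete attribute values before they are written into a directory. The sample user, group DNs and attribute values are constructed for the example and the group list is assumed to come from an AD-style memberOf attribute. Two points are this example's reading of the text rather than statements on the page: a malformed value on the user record is treated as no bits set, and a value present on the user record stops the group lookup even when one of the groups carries Deny Always.

```python
# Added example, not Lenovo's code: models XClarity Controller group
# authentication (Group Filter) and login-permission resolution (Login
# Permission Attribute) from the rules on this page. Sample directory
# data below is constructed; group DNs are assumed to come from memberOf.

FUNCTIONS = {                      # bit position -> function (Table 1)
    1: "Supervisor Access",
    2: "Read Only Access",
    3: "Configuration - Networking and BMC Security",
    4: "User Account Management",
    5: "Remote Console Access",
    6: "Remote Console and Remote Disk Access",
    7: "Remote Server Power/Restart Access",
    8: "Configuration - Basic",
    9: "Ability to Clear Event Logs",
    10: "Configuration - Advanced",
    11: "Configuration - UEFI Security",
}
DENY_ALWAYS, SUPERVISOR, READ_ONLY = 0, 1, 2   # bit 12 is reserved and ignored


def parse_group_filter(group_filter):
    """Colon-delimited group names. Leading/trailing spaces of each name are
    dropped, inner spaces kept, '*' is an ordinary character, 511-char limit."""
    if len(group_filter) > 511:
        raise ValueError("Group Filter is limited to 511 characters")
    return [n.strip() for n in group_filter.split(":") if n.strip()]


def group_cn(group_dn):
    """cn value of the group's first RDN: 'cn=adminGroup, dc=...' -> 'adminGroup'."""
    rdn = group_dn.split(",", 1)[0].strip()
    return rdn[3:].strip() if rdn[:3].lower() == "cn=" else None


def matching_groups(group_filter, member_dns):
    """Groups the user belongs to that the filter names by full DN or by cn.
    Comparisons are case sensitive. A blank filter matches every group."""
    names = parse_group_filter(group_filter)
    if not names:
        return list(member_dns)
    return [dn for dn in member_dns
            if any(n == dn or n == group_cn(dn) for n in names)]


def parse_bits(value):
    """13-character string of 0/1 (bit 0 leftmost) -> list of ints, else None."""
    s = (value or "").strip()
    if len(s) != 13 or set(s) - {"0", "1"}:
        return None
    return [int(c) for c in s]


def resolve_permissions(user_value, group_values):
    """Functions granted by the user's own attribute value (takes priority) or,
    if the user record has no value, by the inclusive OR over the matching
    groups' values. Returns a set of function names, or None if refused."""
    if user_value is not None:
        # Assumption: a malformed value on the user record grants nothing.
        bits = parse_bits(user_value) or [0] * 13
    else:
        bits = [0] * 13
        for value in group_values:
            group_bits = parse_bits(value)
            if group_bits:
                bits = [a | b for a, b in zip(bits, group_bits)]
    if bits[DENY_ALWAYS]:
        return None                                   # beats every other bit
    granted = {FUNCTIONS[i] for i in range(3, 12) if bits[i]}
    if bits[SUPERVISOR]:                              # read/write to everything
        granted = set(FUNCTIONS.values()) - {FUNCTIONS[READ_ONLY]}
    if not granted and bits[READ_ONLY]:               # only if all others are 0
        granted = {FUNCTIONS[READ_ONLY]}
    return granted or None                            # no bits set: refused


def evaluate_login(group_filter, user_value, member_dns, group_values_by_dn):
    """Group authentication first, then permissions. None means access refused."""
    groups = matching_groups(group_filter, member_dns)
    if parse_group_filter(group_filter) and not groups:
        return None                # filter configured, user in none of its groups
    return resolve_permissions(user_value,
                               [group_values_by_dn.get(dn) for dn in groups])


# Constructed sample data (not from a real directory).
SAMPLE_MEMBER_OF = ["cn=adminGroup,dc=mycompany,dc=com",
                    "cn=ops,ou=groups,dc=mycompany,dc=com"]
SAMPLE_GROUP_VALUES = {
    "cn=adminGroup,dc=mycompany,dc=com": "0000000010000",     # bit 8: Configuration - Basic
    "cn=ops,ou=groups,dc=mycompany,dc=com": "0000000100100",  # bits 7 and 10
}

if __name__ == "__main__":
    for flt in ("adminGroup", "ops", "", "nosuch"):
        print(repr(flt), "->", evaluate_login(flt, None, SAMPLE_MEMBER_OF, SAMPLE_GROUP_VALUES))
```

For an OpenLDAP posixGroup layout the list of group DNs would be obtained by searching for groups whose memberUid matches the user, as the Group Membership Search Attribute section describes, rather than read from memberOf; the evaluation from that point on is the same.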