Configuring LDAP

Use the information in this topic to view or change CMM2 LDAP (lightweight directory access protocol) settings.

LDAP support includes:
  • Support for LDAP protocol version 3 (RFC-2251)

  • Support for the standard LDAP client APIs (RFC-1823)

  • Support for the standard LDAP search filter syntax (RFC-2254)

  • Support for Lightweight Directory Access Protocol (v3) Extension for Transport Layer Security (RFC-2830)

The LDAP implementation supports the following LDAP servers:
  • Microsoft Active Directory (Windows 2008 and later)

  • Microsoft Active Directory Application Mode (Windows 2008 and later)

  • Microsoft Lightweight Directory Service (Windows 2008 and later)

  • Novell eDirectory Server, version 8.7 and 8.8

  • OpenLDAP Server 2.1, 2.2, 2.3 and 2.4

To configure LDAP with commands, see ldapcfg command.

To import an LDAP certificate, see External authentication of certificates.

Login Permission Attribute

When a user is authenticated through an LDAP server successfully, the login permissions for the user must be retrieved. To retrieve the login permissions, the search filter that is sent to the server must specify the attribute name that is associated with login permissions. The Login Permission Attribute field specifies the attribute name. If this field is left blank, the user is assigned a default of read-only permissions, assuming that the user passes the user and group authentication.

The attribute value that is returned by the LDAP server is searched for the keyword string IBMRBSPermissions=. This keyword string must be immediately followed by a bit string that is entered as 12 consecutive 0s or 1s. Each bit represents a set of functions. The bits are numbered according to their positions: the left-most bit is bit position 0, and the right-most bit is bit position 11. A value of 1 at a bit position enables the function that is associated with that bit position, and a value of 0 disables it.

The string IBMRBSPermissions=010000000000 is a valid example. The IBMRBSPermissions= keyword marks the bit string so that it can be placed anywhere in the attribute value. This lets the LDAP administrator reuse an existing attribute, which avoids extending the LDAP schema and lets the attribute keep serving its original purpose. The attribute that you use must therefore allow a free-formatted string. When the attribute is retrieved successfully, the value that is returned by the LDAP server is interpreted according to the information in the following table.

Table 1. CMM2 LDAP permission bits
Bit position | Function | Explanation
0 | Deny Always | The user always fails authentication. This function can be used to block a particular user or users associated with a particular group.
1 | Supervisor Access | The user is given administrator privileges, including viewing any page, making changes to any field, and doing any action provided by the interface. When this bit is set, there is no need to set the other bits.
2 | Read Only Access | The user has read-only access, and cannot perform any maintenance procedures, including restart, remote actions, firmware updates, or modify anything by saving, clearing, or restoring functions.
Note: This bit has the lowest precedence, and is ignored when any other bit is set.
3 | Networking and Security | The user is allowed to modify configuration in the Security, Network Protocols, and Network Interface interfaces of the Management Module, and also to modify the IP configuration parameters for I/O modules in the I/O Module Tasks Management interface.
4 | User Account Management | The user is allowed to add/modify/delete users and change the Global Login Settings in the Login Profiles interface.
5 | Node Remote Console Access | The user has access to the remote video console of a compute node with keyboard and mouse.
6 | Node Remote Console and Virtual Media Access | The user has access to the remote video console of a compute node with keyboard and mouse control, and can also access the virtual media features of that remote node.
7 | Node and I/O Module Power/Restart Access | The user is allowed to power on and restart the compute nodes and I/O modules. These functions are available in the Node Tasks Power/Restart and I/O Module Tasks Admin/Power/Restart interfaces.
8 | Basic Configuration | The user is allowed to modify basic configuration parameters of the MM (General Settings and Alerts) and compute nodes (Node Tasks > Configuration).
9 | Ability to Clear Event Logs | The user is allowed to clear the event logs. Everyone can view the event logs, but this particular permission is required to clear the logs.
10 | Advanced Adapter Configuration | The user has no restrictions when configuring the MM, compute nodes, I/O modules, and VPD. In addition, the user has administrative access to the following advanced functions:
  • updating MM or compute node firmware.
  • restoring MM factory defaults.
  • modifying and restoring MM configuration from a configuration file.
  • restarting/resetting the MM.
11 - 15 | Version Number | One of the following:
  • A version number of 00000 indicates that the previous user permissions scheme (bit positions 0..10) will be used.
  • A version number of 00001 indicates that the role-based user permissions scheme (bit positions 16..55) will be used.
  • Any invalid version number indicates that the previous user permissions scheme will be used.
16 | Deny Always Role | The user always fails authentication. This function can be used to block a particular user or users associated with a particular group.
17 | Supervisor Role | The user has full read/write access to everything.
Note: When this bit is set, there is no need to turn on any other authority levels.
18 | Operator Role | The user has read-only access, and cannot perform any maintenance procedures, including restart, remote actions, firmware updates, or modify anything by saving, clearing, or restoring functions.
Note: This bit has the lowest precedence, and is ignored when any other bit is set.
19 | Chassis Operator Role | The user is allowed to:
  • browse status and properties of chassis components (MM, chassis cooling devices, midplane, power modules, and media tray).
  • export the MM configuration backup file.
Note: Saving the MM configuration to the chassis requires Supervisor access.
20 | Chassis User Account Management Role | The user is allowed to:
  • add/modify/delete users in the Login Profiles interface.
  • export the MM configuration backup file.
Note: Changing the global login settings requires the Chassis Configuration role.
21 | Chassis Log Account Management Role | The user is allowed to:
  • clear the event logs.
  • change the log policy settings.
  • export the MM configuration backup file.
Note: Every user is allowed to view the event logs, but this particular role is required to clear the logs or to change the log policy settings, which are located at the top of the event log page.
22 | Chassis Configuration Role | The user is allowed to:
  • modify and save any chassis configuration parameter (except user profiles and event log settings), for example general MM settings, MM port assignments, MM network interfaces, MM network protocols, and MM security.
  • change the SOL configuration on the SOL configuration interface.
  • change the global login settings.
  • export the MM configuration backup file.
  • restore the MM factory defaults configuration if the user also has Chassis Administration permissions.
23 | Chassis Administration Role | The user is allowed to:
  • update MM firmware.
  • modify chassis LEDs.
  • restart the MM.
  • export the MM configuration backup file.
  • restore the MM factory defaults configuration if the user also has Chassis Configuration permissions.
24 | Blade Operator Role | The user is allowed to read node information, but not to modify it.
25 | Node Remote Presence Role | The user has access to the Remote Control interface and the functions provided on that interface, including remote console (KVM) and remote disk. The user is also allowed to issue the CLI console command to start a SOL session to a node.
26 | Node Configuration Role | The user is allowed to modify and save any node configuration parameter (except parameters in the SOL configuration interface), for example node names, node policy settings, and disabling/enabling SOL for individual nodes in the Serial Over LAN status interface.
27 | Node Administration Role | The user is allowed to power on/off and restart nodes, activate standby nodes, update firmware, or modify node LEDs.
28 | Switch Operator Role | The user is allowed to browse the status and properties of I/O modules, and to ping I/O modules.
29 | Switch Configuration Role | The user is allowed to:
  • configure the IP address.
  • enable/disable external management over all ports.
  • preserve the new IP configuration on all resets.
  • restore factory defaults.
  • launch a telnet or web session to an I/O module if the user also has Switch Administration permissions.
30 | Switch Administration Role | The user is allowed to:
  • power on/off and restart I/O modules with various diagnostic levels.
  • update passthru I/O module firmware.
  • enable/disable Fast POST.
  • enable/disable external ports.
  • restore factory defaults.
  • launch a telnet or web session to an I/O module if the user also has Switch Configuration permissions.
31 | Node 1 Scope | The user has access to the node in slot 1.
32 | Node 2 Scope | The user has access to the node in slot 2.
33 | Node 3 Scope | The user has access to the node in slot 3.
34 | Node 4 Scope | The user has access to the node in slot 4.
35 | Node 5 Scope | The user has access to the node in slot 5.
36 | Node 6 Scope | The user has access to the node in slot 6.
37 | Node 7 Scope | The user has access to the node in slot 7.
38 | Node 8 Scope | The user has access to the node in slot 8.
39 | Node 9 Scope | The user has access to the node in slot 9.
40 | Node 10 Scope | The user has access to the node in slot 10.
41 | Node 11 Scope | The user has access to the node in slot 11.
42 | Node 12 Scope | The user has access to the node in slot 12.
43 | Node 13 Scope | The user has access to the node in slot 13.
44 | Node 14 Scope | The user has access to the node in slot 14.
45 | Chassis Scope | The user has access to the chassis and management module.
46 | I/O Module 1 Scope | The user has access to I/O module 1.
47 | I/O Module 2 Scope | The user has access to I/O module 2.
48 | I/O Module 3 Scope | The user has access to I/O module 3.
49 | I/O Module 4 Scope | The user has access to I/O module 4.
50 | I/O Module 5 Scope | The user has access to I/O module 5.
51 | I/O Module 6 Scope | The user has access to I/O module 6.
52 | I/O Module 7 Scope | The user has access to I/O module 7.
53 | I/O Module 8 Scope | The user has access to I/O module 8.
54 | I/O Module 9 Scope | The user has access to I/O module 9.
55 | I/O Module 10 Scope | The user has access to I/O module 10.
56 - 63 | Reserved | These bits are reserved for future use, and are currently ignored.