Configuring the management software user registry

An internal user registry is automatically configured during the initial setup process. If you want to use an external user registry, use the User Registry Configuration wizard in the IBM® Flex System Manager management software web interface to choose the type of user registry, and other registry settings, for your IBM Flex System hardware configuration.

The IBM Flex System Manager management software uses Lightweight Directory Access Protocol (LDAP) to authenticate user credentials. By default, the management software is configured to use the local LDAP registry, but you can use any LDAP server available in your network.

The management software supports both local and external user registries. A local user registry resides on the Flex System Manager management node (Types 7955, 8731, and 8734). An external user registry is a registry outside your IBM Flex System hardware.

Note: When you add users, make sure that you add the new users to either the local or external registry, but not both registries. Users with the same names in the local and external registries can lead to unintended results. For example, a user might update a login password in one registry and not the other.
Tip: Set the Security Policy (Home > Administration > Security Tasks > Configure Security Policy) to Legacy and configure the external LDAP user registry to validate the configuration. After the user registry configuration works with the Legacy security policy, switch to the Secure policy and configure it again. This technique isolates SSL configuration problems for faster troubleshooting.
Important: If you are using an external user registry, you must make sure that the user groups defined in the external user registry are added to the list of authorized groups on the IBM Flex System Manager management software, such as smadmin, smmgr, smmon, or smuser. To add a group:
  1. From the home page, click the Additional Setup tab.
  2. Click Manage Users and Groups.
  3. Select the Groups tab and click Create Group to start the Create User Groups wizard.
  4. Follow the steps in the wizard to create the group.

The User Registry Configuration wizard guides you through the following process of selecting and configuring the external registry that the management software will use:

User registry type
On this panel, you can accept the default settings, or you can provide the name or address of an external LDAP server accessible through your network. If the Security Policy is set to Secure, the usual port is 636. If the Security Policy is set to Legacy, the usual port is 389.
Note:
  • If you select Use an external User Registry, you must enter a valid hostname for the external registry and verify the port number.
  • If you have chosen to use the NIST-800-131a-Strict cryptography settings, the management software will be unable to connect to an external LDAP server using a secure port (for example, using LDAPS over default port 636). You can instead use the LDAP feature StartTLS, which allows you to start secure communications using TLS v1.2 over an existing non-secure connection, such as the default port, 389.
Distinguished name
Use this panel to specify the LDAP Distinguished Name information that will be used to search the external user registry. The following fields are displayed:
  • Default base Distinguished Name (DN)

    This is the base Distinguished Name (DN) to use to search the registry. The base Distinguished Name indicates the highest level of the LDAP hierarchy to search.

  • Bind Distinguished Name (DN)

    This is the fully qualified Distinguished Name that the management software will use to bind to the defined server. If the Bind Distinguished Name is not specified, the management software will attempt to bind to the server anonymously.

  • Bind Distinguished Name (DN) password

    This is the password for use with the Bind Distinguished Name to access the LDAP server.

Filters
The management software will use the external LDAP server to authenticate user credentials. Use this panel to specify the filters to be used to locate user data in the LDAP server. The following fields are displayed:
Note: Some LDAP servers limit the amount of data that they return in response to a search request. Therefore, be as specific as possible without excluding any users or groups for which you intend to give login rights.

In general, you can use broad search filters for smaller LDAP environments, such as environments with hundreds of LDAP users and fewer than 1500 user groups. You must use narrower search filters for larger LDAP environments, such as environments with thousands of LDAP users and more than 1500 user groups. Note that the examples below are broad filters for use in smaller environments; they can cause performance issues in environments with thousands of users and more than 1500 user groups.

Important: When you are using an external registry, make sure that it is configured correctly before applying filters. Otherwise, you might not be able to log in to the IBM Flex System Manager® management node after the filters have been applied. If you run into this situation, you will need to make sure that you have the password for the pe user account. In addition, you will need to obtain root access to the IBM Flex System Manager. To obtain root access:
  1. Call IBM Support and obtain the password that is required to run the pesh command.
  2. From the management software command-line interface, use the lsconfig -v command to determine the UVMID of the management node.
  3. Run the command pesh UVMID, where UVMID is the system ID that you determined in the previous step. When you are prompted, enter the password that you obtained from IBM Support.
  • User search filter

    The user filter is used for searching the registry for users based on their user IDs. The format of the search filter varies by LDAP server type.

    • For Tivoli® Directory Server or OpenLDAP servers: (&(uid=%v)(objectclass=inetOrgPerson)) or (&(uid=%v)(objectclass=person))
    • For Microsoft Active Directory servers: (&(sAMAccountName=%v)(objectcategory=user))

    The variable %v is used to filter by user ID. At runtime, it is replaced with the user ID of the user that is being authenticated.

  • User group object filter

    The user group object filter is used to search for user groups in the LDAP registry.

    • For Tivoli Directory Server or OpenLDAP servers: (|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)) or (objectclass=groupOfNames)
    • For Microsoft Active Directory servers: (objectCategory=group)
      Note: By default, objectCategory is set to group, which is extremely broad. In large environments, such a broad setting might return too many results when the user registry is queried, which will result in users not being able to log on. Therefore, consider using a more specific setting, such as
      (|(CN=smadmin)(CN=smmgr)(CN=smuser)(CN=smmon)(CN=customgroup))

      The example above limits the filter to the predefined groups, such as smmgr, as well as a custom group (customgroup). You can use the authusergp command to authorize custom groups to access the IBM Flex System Manager management software.

  • User object filter

    The user object filter is used to search the external LDAP directory for all users.

    For Tivoli Directory Server or OpenLDAP servers: (objectclass=person) or (objectclass=inetOrgPerson)

    For Microsoft Active Directory servers: (|(objectCategory=person)(objectCategory=user))

  • Login attribute

    The Login attribute is used to identify a login name.

    For Tivoli Directory Server or OpenLDAP servers: uid

    For Microsoft Active Directory servers: sAMAccountName

  • Member attribute

    The member attribute is used to identify that an object belongs to a group. The value contained in this attribute is expected to be the DN of the member object; a typical attribute name is member. You can specify multiple member attributes as a comma-separated list of attributes, for example: member1,member2,member3.
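The following Python script is an added illustration, not part of this document or the management software: it fills in the user search filter templates above the way %v is replaced at authentication time, and builds the narrowed Active Directory group filter from the authorized group names so you can check the result with a tool such as ldapsearch before applying it. The RFC 4515 escaping step is this example's own precaution (the page does not describe how the software handles special characters in login names).

```python
"""Build the LDAP filters shown above from a login name and a group list.

Added example for review purposes; it does not reflect the management
software's internal implementation."""
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value,
# so that a login name cannot change the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# User search filter templates from the page; %v stands for the login name.
USER_SEARCH_FILTERS = {
    "tds_openldap": "(&(uid=%v)(objectclass=inetOrgPerson))",
    "active_directory": "(&(sAMAccountName=%v)(objectcategory=user))",
}


def instantiate_user_filter(server_type: str, login_name: str) -> str:
    """Replace %v with the (escaped) login name, as happens at logon time."""
    return USER_SEARCH_FILTERS[server_type].replace("%v", escape_filter_value(login_name))


# Groups the management software authorizes by default (see the Important note).
DEFAULT_AUTHORIZED_GROUPS = ("smadmin", "smmgr", "smuser", "smmon")


def narrowed_group_filter(custom_groups=()) -> str:
    """Narrow Active Directory group filter for large directories, replacing
    the broad (objectCategory=group) default with an explicit list of CNs."""
    names = DEFAULT_AUTHORIZED_GROUPS + tuple(custom_groups)
    clauses = "".join(f"(CN={escape_filter_value(n)})" for n in names)
    return f"(|{clauses})"


def groups_in_filter(filter_text: str):
    """List the CN values that a narrowed group filter will match."""
    return re.findall(r"\(CN=([^)]*)\)", filter_text)


def missing_authorized_groups(filter_text: str):
    """Authorized groups a narrowed filter would exclude (their members lose logon)."""
    present = set(groups_in_filter(filter_text))
    return [g for g in DEFAULT_AUTHORIZED_GROUPS if g not in present]


if __name__ == "__main__":
    print(instantiate_user_filter("active_directory", "alice"))
    print(narrowed_group_filter(["customgroup"]))
```

Run missing_authorized_groups on a candidate group filter before applying it; an empty list means none of the default authorized groups would be dropped.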

Secure Socket Layer (SSL)
To connect to the external LDAP server, you must provide the SSL certificate from the server. Use this panel to specify the local path to the certificate.
Summary
The summary page shows the user registry configuration options you have chosen. Verify your configuration and correct it if necessary, then click Finish to apply the changes.

For more information about using a Microsoft Active Directory user registry on an external server, see Using Active Directory.