Active Directory role-based authentication and authorization

You can set up remote LDAP authentication and authorization of users through Active Directory.

Note:
  • Active Directory role-based authentication and authorization applies only to BladeCenter units deployed in an Active Directory environment.
  • The Enhanced Role Based Security Snap-in tool is required for Active Directory role-based authentication and authorization.

Active Directory role-based authentication and authorization uses configuration information stored on an Active Directory server to authenticate a user and then associate permissions with this user.

Before enabling Active Directory role-based authentication and authorization, use the Enhanced Role Based Security Snap-in tool to store the configuration information on the Active Directory server that associates permissions to users. This tool runs on any Microsoft Windows client and can be downloaded from http://www.ibm.com/systems/support/.

To configure Active Directory role-based authentication and authorization for the advanced management module, complete the following steps:

  1. In the navigation pane, click MM Control → Network Protocols.
  2. Scroll down to the Lightweight Directory Access Protocol (LDAP) Client section.
  3. Select Use LDAP Servers for Authentication and Authorization.
  4. Set Enhanced role-based security to Enabled.
  5. The domain controllers (DC) to be used for authentication can either be manually configured or discovered dynamically via DNS SRV records.
    • Select Use DNS to find LDAP Servers to dynamically discover the domain controllers based on DNS SRV records (see step 6).
    • Select Use Pre-Configured LDAP Servers (default) to manually configure the domain controllers (see step 7).
  6. If you are using DNS to dynamically discover the domain controllers, configure the domain name of the domain controller; then, go to step 8.
    Graphic illustrating the LDAP client setup page for Active Directory authentication and authorization using DNS.
    Domain Name
    The fully qualified domain name of the domain controller. The domain name is needed to find the domain controller.
    Active Directory Forest Name
    Active Directory role-based authentication and authorization does not make use of Global Catalogs; leave this field blank.
  7. If you are manually configuring the domain controllers, configure the LDAP Server Host Name or IP Address field; then, go to step 8. Up to four domain controllers can be configured using an IP address or a fully qualified hostname.
    Graphic illustrating the LDAP client setup page for Active Directory authentication and authorization using pre-configured servers.
  8. Configure the following Miscellaneous Parameters:
    Root DN
    This optional parameter is used to configure the base distinguished name (DN) of the Active Directory server (for example, dc=companyABC,dc=com). In most cases, this field is left blank, although it can be useful for debugging purposes.

    The advanced management module normally uses the RootDSE query to find the base distinguished name of the Active Directory server with which it communicates. This base distinguished name is then used for subsequent searches. The base distinguished name is derived from the defaultNamingContext and rootDomainNamingContext attributes retrieved from the RootDSE query. When the base distinguished name is set using the Root DN field, it overrides the defaultNamingContext and rootDomainNamingContext attributes.

    Binding Method
    For initial binds to the domain controller server, select one of the following options:

    w/ Configured Credentials: Fill in the client distinguished name (Client DN) and Password to be used for the initial bind. If this bind fails, the authentication process also fails. If the bind is successful, a search will attempt to find a user record that matches the client distinguished name entered in the Client DN field. The search typically looks for common attributes that might match the user ID presented during the login process. These attributes include displayName, sAMAccountName, and userPrincipalName. If the UID search attribute field is configured, the search also includes this attribute.

    If the search is successful, then a second bind is attempted, this time with the user distinguished name (retrieved from the search) and the password presented during the login process. If the second bind attempt succeeds, the authentication portion succeeds and group membership information for the user is retrieved and matched against the locally configured groups on the advanced management module. The matched groups will define the authorization permissions assigned to the user.

    w/ Login Credentials: The initial bind to the domain controller server is made using the credentials presented during the login process. If this bind fails, the authentication process also fails. If the bind is successful, a search will attempt to find the user record. Once located, group membership information for the user is retrieved and matched against the locally configured groups on the advanced management module. The matched groups will define the authorization permissions assigned to the user.

  9. To enable or disable SSL between the advanced management module and the Active Directory server, click the LDAP section of the Security page.
    Graphic illustrating the LDAP section of the security page.
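The user search and group-matching steps described under Binding Method in step 8, as an added example that is not part of the IBM documentation or the advanced management module firmware. It assumes the module's locally configured groups can be modelled as a mapping of group name to permission set and that membership comes back as memberOf distinguished names; the filter builder escapes the login ID per RFC 4515 so that a crafted user name cannot rewrite the search filter. All directory data below is constructed, and no server is contacted.

```python
from __future__ import annotations
from typing import Optional

# RFC 4515 escaping for values placed inside an LDAP search filter.
# Without it, a login name such as "*)(objectClass=*" changes the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_search_filter(login_id: str, uid_search_attribute: Optional[str] = None) -> str:
    """Filter over the attributes the documentation lists (displayName,
    sAMAccountName, userPrincipalName), plus the UID search attribute if configured."""
    attrs = ["displayName", "sAMAccountName", "userPrincipalName"]
    if uid_search_attribute:
        attrs.append(uid_search_attribute)
    safe = escape_filter_value(login_id)
    return "(|" + "".join(f"({a}={safe})" for a in attrs) + ")"

def group_name_from_dn(dn: str) -> str:
    """Return the value of the first RDN, i.e. the CN of a group DN (assumes no escaped commas)."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1].strip()

def permissions_for(member_of: list[str], local_groups: dict[str, set[str]]) -> set[str]:
    """Union of the permissions of every AD group whose name matches a locally
    configured group (case-insensitive, as Active Directory group names are).
    An empty result means no matched group and therefore no permissions (assumption)."""
    configured = {name.lower(): perms for name, perms in local_groups.items()}
    granted: set[str] = set()
    for dn in member_of:
        perms = configured.get(group_name_from_dn(dn).lower())
        if perms:
            granted |= perms
    return granted

# Constructed sample data: hypothetical local groups and a user's memberOf values.
LOCAL_GROUPS = {
    "AMM-Supervisors": {"supervisor"},
    "AMM-Operators": {"blade-power", "blade-remote-console"},
}
SAMPLE_MEMBER_OF = [
    "CN=AMM-Operators,OU=Groups,DC=companyABC,DC=com",
    "CN=Domain Users,CN=Users,DC=companyABC,DC=com",
]

if __name__ == "__main__":
    print(build_user_search_filter("jdoe", "uid"))
    print(sorted(permissions_for(SAMPLE_MEMBER_OF, LOCAL_GROUPS)))
```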