Configuring the LDAP search attributes

You can configure LDAP search attributes for a management module.

Configure the LDAP search attributes by completing the following steps:

  1. In the navigation pane, click MM Control → Network Protocols.
  2. Scroll down to the Lightweight Directory Access Protocol (LDAP) Client section and click Set attribute names for LDAP based client search algorithm. A page similar to the one in the following illustration is displayed.
    Graphic illustrating the LDAP client search page.
  3. To configure the search attributes, use the following information:
    UID Search Attribute
    When the selected binding method is anonymous authentication or client authentication, the initial bind to the LDAP server is followed by a search request that is directed at retrieving specific information about the user, including the distinguished name, login permissions, and group ownerships of the user. To retrieve this information, the search request must specify the attribute name that is used to represent user IDs on that server. Specifically, this name is used as a search filter against the login ID that is entered by the user. This attribute name is configured here. If this field is left blank, a default of UID is used during user authentication. For example, on Active Directory servers, the attribute name that is used for user IDs is often sAMAccountName.

    When the selected binding method is user principal name or strict user principal name, the UID Search Attribute field defaults automatically to userPrincipalName during user authentication, if the user ID that is entered has the form userid@somedomain.

    Group Search Attribute
    When the group filter name is configured, the list of groups to which a user belongs must be retrieved from the LDAP server. This is required to perform group authentication. To retrieve this list, the search filter that is sent to the server must specify the attribute name that is associated with groups. This field specifies this attribute name.

    If this field is left blank, the attribute name in the filter defaults to memberOf.

    Login Permission Attribute
    When a user is successfully authenticated through an LDAP server, the login permissions for the user must be retrieved. To retrieve these permissions, the search filter that is sent to the server must specify the attribute name that is associated with login permissions. This field specifies this attribute name.

    If the Login Permission Attribute field is left blank, the user is assigned a default of read-only permissions, assuming that user and group authentication passes. When successfully retrieved, the attribute value that is returned by the LDAP server is interpreted according to the following information:

    • The field supports user roles for both the command authorities that are used in earlier versions of management-module firmware and the role-based user permissions for the latest version of management-module firmware. Bit positions 11 through 16 determine which type of role is used. See Web interface pages and user roles for information about the commands available for each user role.
    • The attribute value must be a bit string that is entered as consecutive zeros or ones, with each bit representing a particular set of functions (for example, 010000000000 or 0000110010000). The bits are numbered according to their positions. The leftmost bit is bit position 0. A value of 1 at a particular position enables the corresponding function. A value of 0 disables that function. The LDAP attribute string is copied into a local string that is 64 characters long. If fewer than 64 characters are specified, the local string is padded with zeros. If the string is longer than 64 characters, extra characters are not copied.
    • The following functions are associated with the 64 bit positions:
      • User authorities (bit positions 0 through 10):
        • Deny Always (bit position 0): If this bit is set, a user will always fail authentication. This function can be used to block a particular user or users who are associated with a particular group.
        • Supervisor Access (bit position 1): If this bit is set, a user is given administrator privileges. The user has read and write access to every function. When this bit is set, other bits that define specific function access do not need to be set individually.
        • Read Only Access (bit position 2): If this bit is set, a user has read-only access and cannot perform any maintenance procedures (for example, restart, remote actions, and firmware updates), and nothing can be modified (using the save, clear, or restore functions). Note that read-only and all other bits are mutually exclusive, with bit position 2 having the lowest precedence. That is, if any other bit is set, this bit is ignored.
        • Networking and Security (bit position 3): If this bit is set, a user can modify the settings in the Security, Network Protocols, and Network Interface pages for MM Control. If this bit is set, a user also can modify the settings in the Management page for I/O Module Tasks.
        • User Account Management (bit position 4): If this bit is set, a user can add, modify, and delete users and change the Global Login Settings in the Login Profiles page.
        • Blade Server Remote Console Access (bit position 5): If this bit is set, a user can access the remote server console.
        • Blade Server Remote Console and Virtual Media Access (bit position 6): If this bit is set, a user can access the remote server console and the virtual media functions for the remote server.
        • Blade and I/O Module Power/Restart Access (bit position 7): If this bit is set, a user can access the power-on and restart functions for the blade servers and I/O modules.
        • Basic Configuration (management module, I/O modules, blade servers) (bit position 8): If this bit is set, a user can modify the General Settings and Alerts pages for MM Control and the Configuration page for Blade Tasks.
        • Ability to Clear Event Logs (bit position 9): If this bit is set, a user can clear the event logs. Everyone can look at the event logs, but this permission is required to clear the logs.
        • Advanced Configuration (management module, I/O modules, blade servers) (bit position 10): If this bit is set, a user has no restrictions when configuring the management module, blade servers, I/O modules, and VPD. The user also can perform firmware upgrades on the management module or blade servers, restore the management module to its factory default settings, modify and restore the management-module configuration from a configuration file, and restart or reset the management module.
      • Permission version (bit positions 11 through 15): These bits specify which type of user roles, user authorities, or role-based user permissions is being used. If these bits are set to 00001, the role-based user permissions, using bits 16 through 30, are used. If these bits are set to 00000 or any other value, the user authorities, using bits 0 through 10, are used.
      • Role-based user permissions (non-scripting use on all management-module types) (bit positions 16 through 30):
        • Deny Always (bit position 16): If this bit is set, a user will always fail authentication. This function can be used to block a particular user or users who are associated with a particular group.
        • Supervisor (bit position 17): If this bit is set, a user is given administrator privileges. The user has read and write access to every function. When this bit is set, other bits that define specific function access do not have to be set individually.
        • Operator (bit position 18): If this bit is set, a user can view all information. User access to information is limited by the permission scope that is specified in bits 31 through 49.
        • Chassis Operator (bit position 19): If this bit is set, a user can view information about the common BladeCenter® unit components.
        • Chassis User Account Management (bit position 20): If this bit is set, a user can add, modify, and delete user login profiles. Changing the Global Login Settings requires Chassis Configuration permission.
        • Chassis Log Management (bit position 21): If this bit is set, a user can clear the event logs or change the log policy settings. All users can look at the event logs, but this permission is required to clear the logs or change the log policy settings at the top of the event-log page.
        • Chassis Configuration (bit position 22): If this bit is set, a user can perform management and setup operations for the common BladeCenter unit components and features. User access to information is limited by the permission scope that is specified in bit 45.
        • Chassis Administration (bit position 23): If this bit is set, a user can manage operation of the common BladeCenter unit components and features. User access to information is limited by the permission scope that is specified in bit 45.
        • Blade Operator (bit position 24): If this bit is set, a user can view information about the blade servers. User access to blade servers is limited by the permission scope that is specified in bits 31 through 44.
        • Blade Remote Presence (bit position 25): If this bit is set, a user can access the remote server console and the virtual media functions for the remote server. User access to blade servers is limited by the permission scope that is specified in bits 31 through 44.
        • Blade Configuration (bit position 26): If this bit is set, a user can perform management and setup operations for the blade servers. User access to blade servers is limited by the permission scope that is specified in bits 31 through 44.
        • Blade Administration (bit position 27): If this bit is set, a user can manage operation of the blade servers. User access to blade servers is limited by the permission scope that is specified in bits 31 through 44.
        • Switch Operator (bit position 28): If this bit is set, a user can view information about the I/O modules. User access to I/O modules is limited by the permission scope that is specified in bits 46 through 55.
        • Switch Module Configuration (bit position 29): If this bit is set, a user can perform management and setup operations for the I/O modules. User access to I/O modules is limited by the permission scope that is specified in bits 46 through 55.
        • Switch Module Administration (bit position 30): If this bit is set, a user can manage operation of the I/O modules. User access to I/O modules is limited by the permission scope that is specified in bits 46 through 55.
      • Permission scope (for role-based user permissions) (bit positions 31 through 55):
        • Blade 1 (bit position 31): If this bit is set, a user can access information about the blade server that is addressed in blade bay 1.
        • Blade 2 (bit position 32): If this bit is set, a user can access information about the blade server that is addressed in blade bay 2.
        • Blade 3 (bit position 33): If this bit is set, a user can access information about the blade server that is addressed in blade bay 3.
        • Blade 4 (bit position 34): If this bit is set, a user can access information about the blade server that is addressed in blade bay 4.
        • Blade 5 (bit position 35): If this bit is set, a user can access information about the blade server that is addressed in blade bay 5.
        • Blade 6 (bit position 36): If this bit is set, a user can access information about the blade server that is addressed in blade bay 6.
        • Blade 7 (bit position 37): If this bit is set, a user can access information about the blade server that is addressed in blade bay 7.
        • Blade 8 (bit position 38): If this bit is set, a user can access information about the blade server that is addressed in blade bay 8.
        • Blade 9 (bit position 39): If this bit is set, a user can access information about the blade server that is addressed in blade bay 9.
        • Blade 10 (bit position 40): If this bit is set, a user can access information about the blade server that is addressed in blade bay 10.
        • Blade 11 (bit position 41): If this bit is set, a user can access information about the blade server that is addressed in blade bay 11.
        • Blade 12 (bit position 42): If this bit is set, a user can access information about the blade server that is addressed in blade bay 12.
        • Blade 13 (bit position 43): If this bit is set, a user can access information about the blade server that is addressed in blade bay 13.
        • Blade 14 (bit position 44): If this bit is set, a user can access information about the blade server that is addressed in blade bay 14.
        • Chassis (bit position 45): If this bit is set, a user can access information about the common BladeCenter unit components.
        • I/O Module 1 (bit position 46): If this bit is set, a user can access information about the I/O module in I/O-module bay 1.
        • I/O Module 2 (bit position 47): If this bit is set, a user can access information about the I/O module in I/O-module bay 2.
        • I/O Module 3 (bit position 48): If this bit is set, a user can access information about the I/O module in I/O-module bay 3.
        • I/O Module 4 (bit position 49): If this bit is set, a user can access information about the I/O module in I/O-module bay 4.
        • I/O Module 5 (bit position 50): If this bit is set, a user can access information about the I/O module in I/O-module bay 5.
        • I/O Module 6 (bit position 51): If this bit is set, a user can access information about the I/O module in I/O-module bay 6.
        • I/O Module 7 (bit position 52): If this bit is set, a user can access information about the I/O module in I/O-module bay 7.
        • I/O Module 8 (bit position 53): If this bit is set, a user can access information about the I/O module in I/O-module bay 8.
        • I/O Module 9 (bit position 54): If this bit is set, a user can access information about the I/O module in I/O-module bay 9.
        • I/O Module 10 (bit position 55): If this bit is set, a user can access information about the I/O module in I/O-module bay 10.
      • Reserved (bit positions 56 through 63): These bits are reserved for future use.
    • If none of the bits are set, the default is read-only for the user.
    • Priority is given to login permissions that are retrieved directly from the user record. If the user record does not have the login permission attribute, an attempt is made to retrieve the permissions from the groups to which the user belongs. This is done as part of the group authentication phase. The user is assigned the inclusive OR of all the bits for all of the groups. The Browser Only bit is set only if all the other bits are set to zero. If the Deny Always bit is set for any of the groups, the user is refused access. The Deny Always bit always has precedence over every other bit.
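The interpretation rules above (64-character local string with zero padding and truncation, leftmost character as bit position 0, the permission-version selector in bits 11 through 15, the inclusive OR across groups, and the precedence of Deny Always over everything and of Read Only below everything) are easy to get subtly wrong when auditing what a given directory value will grant. The following Python decoder is an added example, not IBM's firmware code; the function names, the result dictionary layout, and the sample bit strings other than the two quoted in the text are assumptions made for this illustration.

```python
# Added example (not IBM's firmware code): a decoder for the Login Permission
# Attribute bit string that applies the rules documented above. Function and
# dictionary names are assumptions for this illustration.

LOCAL_LEN = 64  # the attribute value is copied into a 64-character local string

# Bit positions 0 through 10: user authorities (earlier firmware versions).
USER_AUTHORITIES = {
    0: "Deny Always",
    1: "Supervisor Access",
    2: "Read Only Access",
    3: "Networking and Security",
    4: "User Account Management",
    5: "Blade Server Remote Console Access",
    6: "Blade Server Remote Console and Virtual Media Access",
    7: "Blade and I/O Module Power/Restart Access",
    8: "Basic Configuration",
    9: "Ability to Clear Event Logs",
    10: "Advanced Configuration",
}

# Bit positions 16 through 30: role-based user permissions (latest firmware).
ROLE_PERMISSIONS = {
    16: "Deny Always",
    17: "Supervisor",
    18: "Operator",
    19: "Chassis Operator",
    20: "Chassis User Account Management",
    21: "Chassis Log Management",
    22: "Chassis Configuration",
    23: "Chassis Administration",
    24: "Blade Operator",
    25: "Blade Remote Presence",
    26: "Blade Configuration",
    27: "Blade Administration",
    28: "Switch Operator",
    29: "Switch Module Configuration",
    30: "Switch Module Administration",
}


def normalize(value):
    """Copy the attribute value into the local string: shorter values are
    padded with zeros, longer values lose the extra characters."""
    if any(ch not in "01" for ch in value):
        raise ValueError("permission attribute must be a string of 0 and 1 only")
    return (value + "0" * LOCAL_LEN)[:LOCAL_LEN]


def combine_groups(values):
    """Inclusive OR of the bit strings retrieved from every group."""
    bits = ["0"] * LOCAL_LEN
    for value in values:
        for pos, ch in enumerate(normalize(value)):
            if ch == "1":
                bits[pos] = "1"
    return "".join(bits)


def decode(value):
    """Interpret one bit string. The leftmost character is bit position 0."""
    s = normalize(value)
    role_based = s[11:16] == "00001"  # permission version, bits 11 through 15
    if role_based:
        mode = "role-based"
        deny = s[16] == "1"
        granted = [name for pos, name in ROLE_PERMISSIONS.items() if s[pos] == "1"]
        scope = {
            "blades": [bay for bay in range(1, 15) if s[30 + bay] == "1"],      # bits 31-44
            "chassis": s[45] == "1",                                             # bit 45
            "io_modules": [bay for bay in range(1, 11) if s[45 + bay] == "1"],  # bits 46-55
        }
    else:
        mode = "user-authorities"
        deny = s[0] == "1"
        granted = [name for pos, name in USER_AUTHORITIES.items() if s[pos] == "1"]
        scope = None
        # Read Only has the lowest precedence: ignored when any other bit is set.
        if "Read Only Access" in granted and len(granted) > 1:
            granted.remove("Read Only Access")
    if deny:  # Deny Always has precedence over every other bit
        return {"mode": mode, "access": "denied", "granted": [],
                "default_read_only": False, "scope": scope}
    return {"mode": mode, "access": "granted", "granted": granted,
            "default_read_only": not granted,  # no bits set: read-only default
            "scope": scope}


def resolve(user_value, group_values):
    """Priority order from the text: the user record's own attribute first;
    otherwise the inclusive OR of the groups' attributes; otherwise the blank
    (all-zero) string, which yields the read-only default."""
    if user_value is not None:
        return decode(user_value)
    if group_values:
        return decode(combine_groups(group_values))
    return decode("")


if __name__ == "__main__":
    # Constructed sample values; the first two are the ones quoted in the text.
    print(decode("010000000000"))                 # Supervisor Access
    print(decode("0000110010000"))                # three specific authorities
    print(resolve(None, ["0011", "1"]))           # a group carrying Deny Always wins
    role = "0" * 11 + "00001" + "001000001000000" + "11" + "0" * 23
    print(decode(role))                           # Operator + Blade Operator, blades 1 and 2
```

Two details worth checking with this decoder before trusting a directory value: a value longer than 64 characters silently loses its tail (so permission bits placed past position 63 never take effect), and a value whose bits 11 through 15 happen to read 00001 is interpreted as role-based even if it was meant as a user-authorities string, in which case bits 0 through 10 are ignored entirely.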