V7000: Configuring Directory Services from the command line
You can use the command-line interface (CLI) to configure the Storwize® V7000 to authenticate users against servers implementing the Lightweight Directory Access Protocol (LDAP), including IBM Tivoli Directory Server (ITDS) and Active Directory (AD).
To enable user authentication with LDAP, follow these steps:
Configure LDAP by issuing the chldap command.
This command provides default settings for both IBM Tivoli Directory Server (ITDS) and Active Directory (AD). For example, to configure authentication with ITDS schema defaults and Transport Layer Security (TLS), issue the following command:
chldap -type itds -security tls
LDAP configuration can be inspected with the lsldap command.
Note: TLS is recommended because transmitted passwords are encrypted.
Specify the mkldapserver command to define up to six LDAP servers to use for authentication.
Multiple servers can be configured to provide access to different sets of users or for redundancy. All servers must share the settings configured with chldap. For example, to configure an LDAP server with a Secure Socket Layer (SSL) certificate and users in the cn=users,dc=company,dc=com subtree, issue:
mkldapserver -ip 22.214.171.124 -basedn cn=users,dc=company,dc=com -sslcert /tmp/sslcert.pem
You can also configure which servers are preferred to authenticate users.
Specify lsldapserver for LDAP server configuration information. Specify chldapserver and rmldapserver to make changes to the configured LDAP servers.
Configure user groups on the system by matching those that are used by the authentication service.
For each group of interest known to the authentication service, a Storwize V7000 user group must be created with the same name and with the remote setting enabled. For example, if members of a group called sysadmins require the Storwize V7000 Administrator (admin) role, issue the following command:
mkusergrp -name sysadmins -remote -role Administrator
If none of the user groups match a Storwize V7000 user group, the user cannot access the system.
Verify your LDAP configuration using the testldapserver command.
To test the connection to the LDAP servers, issue the command without any options. A username can be supplied with or without a password to test for configuration errors. To perform a full authentication attempt against each server, issue the following commands:
testldapserver -username username -password password
Issue the following command to enable LDAP authentication:
chauthservice -type ldap -enable yes
Configure users who do not require Secure Shell (SSH) key access.
Storwize V7000 users who must use the remote authentication service and do not require SSH key access should be deleted from the system.
Remember: A superuser cannot be deleted or use the remote authentication service.
Configure users who require SSH key access.
All Storwize V7000 users who use the remote authentication service and require SSH key access must have the remote settings enabled and a valid SSH key configured on the system.