You can determine the type of authentication method that
is used currently from the LDAP Client and SAML Settings tabs on the Security page.
About this task
The
authentication server is
a user registry that is used to authenticate user credentials.
Lenovo XClarity Administrator supports the following types of authentication servers.
- Local authentication server. By default, XClarity Administrator is configured to use the embedded Lightweight Directory
Access Protocol (LDAP) server that resides in the management server.
- External LDAP server. Currently, only Microsoft Active Directory and OpenLDAP are supported. This server must reside on
an outboard Microsoft Windows server that is connected to the management
network.
When an external LDAP server is used, the local authentication
server is disabled.
Attention: To configure the Active
Directory binding method to use login credentials, the baseboard management
controller for each managed server must be running firmware from September
2016 or later.
- External identity-management system. Currently, only
CyberArk is supported.
If user accounts
for a ThinkSystem or ThinkAgile server are onboarded onto CyberArk,
you can choose to have XClarity Administrator retrieve credentials from CyberArk to log in to the server
when initially setting up the servers for management (with managed
or local authentication). Before credentials can be retrieved from
CyberArk, the CyberArk paths must be defined in XClarity Administrator and mutual trust must be established between CyberArk
and XClarity Administrator using TLS mutual authentication through client certificates.
- External SAML identity provider. Currently, only Microsoft Active Directory Federation Services
(AD FS) is supported. In addition to entering a user name and
password, multi-factor authentication can be set up to enable additional
security by requiring a PIN code, reading a smart card, and presenting a client certificate.
When a SAML identity provider is used, the local authentication server is not disabled. Local
user accounts are required to log in directly to a managed chassis
or server (unless Encapsulation is enabled on that device), for PowerShell and REST API
authentication, and for recovery if external authentication is not
available.
You can choose to use both an external LDAP server
and an external identity provider. If both are enabled, the external LDAP server is used to log in
directly to the managed devices, and the identity provider is used to log in to the management server.
Procedure
To determine the type of authentication server that is being used
by the management software, complete the following steps.
- From the XClarity Administrator menu bar, click .
- Click LDAP Client under the Users
and Groups section to display the LDAP Client Settings dialog.
Verify which user-authentication method is selected:
- Allow logons from local users. Authentication
is performed by the local authentication server. When this option is selected,
all user accounts exist in the local authentication server on the
management node.
- Allow logons from LDAP users. Authentication
is performed by an external LDAP server. This method enables remote
management of user accounts. When this option is selected, all user
accounts exist remotely in an external LDAP server.
- Allow local users first, then LDAP users. The local authentication server performs the authentication first.
If that fails, an external LDAP server performs the authentication.
- Allow LDAP users first, then local users. An external LDAP server performs the authentication first. If that
fails, the local authentication server performs the authentication.
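The four options above differ only in which authentication servers are consulted and in what order. The following added example (not XClarity Administrator code or its API; the user stores, the `local_auth` and `ldap_auth` functions and the `ldap_available` flag are constructed assumptions) models that order so you can see, for a given setting, which server ends up accepting a credential and whether local accounts remain usable when the external LDAP server cannot be reached.

```python
"""Model of the four XClarity Administrator user-authentication options.

Constructed example: the user stores and the two authenticator functions are
stand-ins, not LXCA code. Only the option names and the order in which the
servers are consulted come from the documented LDAP Client Settings.
"""

# Constructed sample user stores: user name -> password.
LOCAL_USERS = {"recovery_admin": "local-pw-1"}
LDAP_USERS = {"alice": "ldap-pw-1", "recovery_admin": "ldap-pw-2"}


def local_auth(user: str, password: str) -> bool:
    """Stand-in for the embedded (local) LDAP server on the management node."""
    return LOCAL_USERS.get(user) == password


def ldap_auth(user: str, password: str) -> bool:
    """Stand-in for the external LDAP server (Active Directory or OpenLDAP)."""
    return LDAP_USERS.get(user) == password


# Documented option name -> servers consulted, in order. A server that is not
# listed is effectively disabled for that option.
MODES = {
    "Allow logons from local users": ("local",),
    "Allow logons from LDAP users": ("ldap",),
    "Allow local users first, then LDAP users": ("local", "ldap"),
    "Allow LDAP users first, then local users": ("ldap", "local"),
}

BACKENDS = {"local": local_auth, "ldap": ldap_auth}


def authenticate(mode: str, user: str, password: str,
                 ldap_available: bool = True):
    """Return the name of the server that accepted the credentials, or None.

    ``ldap_available=False`` is an assumption used here to model an
    unreachable external LDAP server: the attempt against it is treated as a
    failure, so the next server in the order (if any) is tried.
    """
    for backend in MODES[mode]:
        if backend == "ldap" and not ldap_available:
            continue
        if BACKENDS[backend](user, password):
            return backend
    return None


def local_accounts_usable(mode: str) -> bool:
    """True if the option leaves the local authentication server in use at all.

    This is the check to make before relying on a local account for recovery:
    with "Allow logons from LDAP users" the local server is disabled.
    """
    return "local" in MODES[mode]


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode}: local accounts usable = {local_accounts_usable(mode)}")
    print(authenticate("Allow LDAP users first, then local users",
                       "recovery_admin", "local-pw-1", ldap_available=False))
```

The last call shows the recovery path: with an LDAP-first setting and the external server unreachable, the local account still gets in, whereas with "Allow logons from LDAP users" the same local credential is never consulted.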
- Click SAML Settings under the Users
and Groups section to display the SAML Settings page.
If SAML Enabled is selected, then
an identity provider is used.