Managing the authentication server

By default, Lenovo XClarity Administrator uses a local Lightweight Directory Access Protocol (LDAP) server to authenticate user credentials.

About this task

Supported authentication servers

The authentication server is a user registry that is used to authenticate user credentials. Lenovo XClarity Administrator supports three types of authentication servers:
  • Local authentication server. By default, XClarity Administrator is configured to use the embedded Lightweight Directory Access Protocol (LDAP) server that resides in the management server.
  • External LDAP server. Currently, only Microsoft Active Directory and OpenLDAP are supported. This server must reside on an outboard Microsoft Windows server that is connected to the management network.

    When an external LDAP server is used, the local authentication server is disabled.

    Attention: To configure the Active Directory binding method to use login credentials, the baseboard management controller for each managed server must be running firmware from September 2016 or later.
  • External SAML identity provider. Currently, only Microsoft Active Directory Federation Services (AD FS) is supported. In addition to entering a user name and password, multi-factor authentication can be set up to provide additional security by also requiring a PIN code, a smart card, and a client certificate.

    When a SAML identity provider is used, the local authentication server is not disabled. Local user accounts are still required to log in directly to a managed chassis or server (unless Encapsulation is enabled on that device), for PowerShell and REST API authentication, and for recovery if external authentication is not available.

    You can choose to use both an external LDAP server and an external identity provider. If both are enabled, the external LDAP server is used to log in directly to the managed devices, and the identity provider is used to log in to the management server.

Device authentication

By default, devices are managed using XClarity Administrator managed authentication to log in to the devices. When managing rack servers and Lenovo chassis, you can choose to use local authentication or managed authentication to log in to the devices.
  • When local authentication is used for rack servers, Lenovo chassis, and Lenovo rack switches, XClarity Administrator uses a stored credential to authenticate to the device. The stored credential can be an active user account on the device or a user account in an Active Directory server.

    You must create a stored credential in XClarity Administrator that matches an active user account on the device or a user account in an Active Directory server before managing the device using local authentication (see Managing stored credentials).

    Note: RackSwitch devices support only stored credentials for authentication. XClarity Administrator user credentials are not supported.
  • Using managed authentication allows you to manage and monitor multiple devices using credentials in the XClarity Administrator authentication server instead of local credentials. When managed authentication is used for a device (other than ThinkServer servers, System x M4 servers, and switches), XClarity Administrator configures the device and its installed components to use the XClarity Administrator authentication server for centralized management.

    • When managed authentication is enabled, you can manage devices using either manually-entered or stored credentials (see Managing user accounts and Managing stored credentials).

      The stored credential is used only until XClarity Administrator configures the LDAP settings on the device. After that, any change to the stored credential has no impact on the management or monitoring of that device.

      Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
    • If a local or external LDAP server is used as the XClarity Administrator authentication server, user accounts that are defined in the authentication server are used to log in to XClarity Administrator, CMMs and baseboard management controllers in the XClarity Administrator domain. Local CMM and management controller user accounts are disabled.

    • If a SAML 2.0 identity provider is used as the XClarity Administrator authentication server, SAML accounts are not accessible to managed devices. However, when a SAML identity provider and an LDAP server are used together, and the identity provider uses accounts that exist in the LDAP server, the LDAP user accounts can be used to log in to the managed devices while the more advanced authentication methods provided by SAML 2.0 (such as multifactor authentication and single sign-on) are used to log in to XClarity Administrator.

    • For ThinkServer and System x M4 servers, the XClarity Administrator authentication server is not used. Instead, an IPMI account is created on the device with the prefix "LXCA_" followed by a random string. (The existing local IPMI user accounts are not disabled.) When you unmanage a ThinkServer server, the "LXCA_" user account is disabled, and the prefix "LXCA_" is replaced with the prefix "DISABLED_". To determine whether a ThinkServer server is already managed by another XClarity Administrator instance, XClarity Administrator checks for IPMI accounts with the prefix "LXCA_". If you choose to force management of an already managed ThinkServer server, all IPMI accounts on the device with the "LXCA_" prefix are disabled and renamed. Consider manually clearing IPMI accounts that are no longer used.

      In XClarity Administrator v2.4 and later, if you use manually-entered credentials, XClarity Administrator automatically creates a stored credential and uses that stored credential to manage the device.

      Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
      • Each time you manage a device using manually-entered credentials, a new stored credential is created for that device, even if another stored credential was created for that device during a previous management process.

      • When you unmanage a device, XClarity Administrator does not delete stored credentials that were automatically created for that device during the management process.
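The ThinkServer account convention described above (an "LXCA_" account on manage, renamed to "DISABLED_" on unmanage, plus the advice to clear unused IPMI accounts) lends itself to a quick audit of a device's IPMI user list. The following is an added example and not Lenovo's code: it parses a constructed user list in the fixed-width column layout printed by `ipmitool user list` (that layout, and the sample account names, are assumptions) and reports which accounts belong to an XClarity Administrator instance, which are stale leftovers, and whether two "LXCA_" accounts coexist.

```python
"""Audit a ThinkServer / System x M4 IPMI user list for accounts that follow
Lenovo XClarity Administrator's naming convention. Added example, not Lenovo code."""
from dataclasses import dataclass

LXCA_PREFIX = "LXCA_"          # created when an LXCA instance manages the device
DISABLED_PREFIX = "DISABLED_"  # LXCA renames its own account to this on unmanage

# Assumption: rows are fixed-width columns, as printed by `ipmitool user list`.
def _row(uid, name, callin, link, msg, priv):
    return f"{uid:<4}{name:<17}{callin:<8}{link:<11}{msg:<11}{priv}"

# Constructed sample: one live LXCA account, one left behind by an earlier
# unmanage, and the device's own local accounts (names are made up).
SAMPLE_USER_LIST = "\n".join([
    _row("ID", "Name", "Callin", "Link Auth", "IPMI Msg", "Channel Priv Limit"),
    _row(1, "", "true", "false", "false", "NO ACCESS"),
    _row(2, "admin", "true", "false", "true", "ADMINISTRATOR"),
    _row(3, "LXCA_a8f3k2q9", "true", "false", "true", "ADMINISTRATOR"),
    _row(4, "DISABLED_q1w2e3", "false", "false", "false", "NO ACCESS"),
    _row(5, "backup-op", "true", "false", "true", "OPERATOR"),
])

@dataclass
class IpmiUser:
    uid: int
    name: str
    ipmi_msg: bool  # "IPMI Msg" column: whether the account can log in over IPMI

@dataclass
class Findings:
    managed_by_lxca: list  # LXCA_* accounts: some LXCA instance owns this device
    stale_disabled: list   # DISABLED_* accounts: leftovers worth clearing manually
    local_accounts: list   # every other named account
    conflict: bool         # two LXCA_* accounts should not coexist after management

def parse_user_list(text: str) -> list:
    lines = text.splitlines()
    hdr = lines[0]
    name_c, callin_c = hdr.index("Name"), hdr.index("Callin")
    msg_c, priv_c = hdr.index("IPMI Msg"), hdr.index("Channel Priv Limit")
    users = []
    for line in lines[1:]:
        if line.strip():
            users.append(IpmiUser(int(line[:name_c]), line[name_c:callin_c].strip(),
                                  line[msg_c:priv_c].strip() == "true"))
    return users

def audit(users: list) -> Findings:
    named = [u for u in users if u.name]  # unnamed slots are empty IPMI user IDs
    lxca = [u.name for u in named if u.name.startswith(LXCA_PREFIX)]
    stale = [u.name for u in named if u.name.startswith(DISABLED_PREFIX)]
    local = [u.name for u in named if u.name not in lxca and u.name not in stale]
    return Findings(lxca, stale, local, conflict=len(lxca) > 1)
```

Running `audit(parse_user_list(SAMPLE_USER_LIST))` on the sample reports one live LXCA account, one stale "DISABLED_" account to clean up, and no conflict.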

Recovery account

If you specify a recovery password, XClarity Administrator disables the local CMM or management-controller user account and creates a new recovery user account (RECOVERY_ID) on the device for future authentication. If the management server fails, you can use the RECOVERY_ID account to log in to the device to take recovery actions to restore account-management functions on the device until the management node is restored or replaced.

If you unmanage a device that has a RECOVERY_ID user account, all local user accounts are enabled, and the RECOVERY_ID account is deleted.

Notes:
  • If you change the disabled local user accounts (for example, if you change a password), the changes have no effect on the RECOVERY_ID account. In managed-authentication mode, the RECOVERY_ID account is the only user account that is activated and operational.
  • Use the RECOVERY_ID account only in an emergency, for example, if the management server fails or if a network problem prevents the device from communicating with XClarity Administrator to authenticate users.
  • The RECOVERY_ID password is specified when you discover the device. Ensure that you record the password for later use.

For information about recovering device management, see Recovering management with a CMM after a management server failure and Recovering rack or tower server management after a management server failure.