Setting up an external LDAP authentication server

You can choose to use an external LDAP authentication server instead of the local Lenovo XClarity Administrator authentication server on the management node.

Before you begin

The initial setup of XClarity Administrator must be completed before setting up the external authentication server.

The following external authentication servers are supported:
  • OpenLDAP

  • Microsoft Active Directory. It must reside on an outboard Microsoft Windows server that is connected to the management network, data network, or both.

Ensure that all ports that are required for the external authentication server are open on the network and firewalls. For information about port requirements, see Port availability.

You must create or rename role groups in the local authentication server to match the groups that are defined in the external authentication server.

Ensure that there are one or more users with lxc-recovery authority in the local authentication server. You can use this local user account to authenticate directly to XClarity Administrator when a communication error occurs with the external LDAP server.

Note: When XClarity Administrator is configured to use an external authentication server, the Users Management page in the XClarity Administrator web interface is disabled.
Attention: For Active Directory, to configure the binding method to use login credentials, the baseboard management controller for each managed server must be running firmware from September 2016 or later.

XClarity Administrator performs a connectivity check every 5 minutes to maintain connectivity to configured external LDAP servers. Environments with many LDAP servers might experience high CPU usage during this connectivity check. To achieve the best performance, ensure that most or all of the LDAP servers in the domain are reachable, or set the authentication-server selection method to Use Pre-Configured Servers and specify only known, reachable LDAP servers.

Procedure

To configure XClarity Administrator to use an external authentication server, complete the following steps.

  1. Set up the user-authentication method for Microsoft Active Directory or OpenLDAP.

    If you choose to use non-secure authentication, no additional configuration is required. The Windows Active Directory or OpenLDAP domain controllers use non-secure LDAP authentication by default.

    If you choose to use secure LDAP authentication, you must set up the domain controllers to allow secure LDAP authentication. For more information about configuring secure LDAP authentication in Active Directory, see the LDAP over SSL (LDAPS) Certificate article on the Microsoft TechNet website.

    To verify that the Active Directory domain controllers are configured to use secure LDAP authentication:
    • Look for the "LDAP over Secure Sockets Layer (SSL) is now available" event in the Event Viewer window of the domain controllers.
    • Use the ldp.exe Windows tool to test secure LDAP connectivity with the domain controllers.
  2. Import the Active Directory or OpenLDAP server certificate or the root certificate of the certificate authority that signed the server certificate.
    1. From the XClarity Administrator menu bar, click Administration > Security.
    2. Click Trusted Certificates in the Certificate Management section.
    3. Click the Create icon to add a certificate.
    4. Browse for the file or paste the PEM-formatted certificate text.
    5. Click Create.
  3. Configure the XClarity Administrator LDAP client:
    1. From the XClarity Administrator menu bar, click Administration > Security.
    2. Click LDAP Client under the Users and Groups section to display the LDAP Client Settings dialog.

    3. Fill in the dialog based on the following criteria.
      1. Select one of these user-authentication methods:
        • Allow logons from local users. Authentication is performed using the local authentication. When this option is selected, all user accounts exist in the local authentication server on the management node.
        • Allow logons from LDAP users. Authentication is performed by an external LDAP server. This method enables remote management of user accounts. When this option is selected, all user accounts exist remotely in an external LDAP server.
        • Allow local users first, then LDAP users. The local authentication server performs the authentication first. If that fails, an external LDAP server performs the authentication.
        • Allow LDAP users first, then local users. An external LDAP server performs the authentication first. If that fails, the local authentication server performs the authentication.
      2. Choose whether to enable or disable secure LDAP:
        • Enable secure LDAP. XClarity Administrator uses the LDAPS protocol to connect securely to the external authentication server. When this option is selected, you must also configure trusted certificates for the purpose of enabling secure LDAP support.
        • Disable secure LDAP. XClarity Administrator uses an unsecure protocol to connect to the external authentication server. If you choose this setting, your hardware might be more vulnerable to security attacks.
      3. Select one of these server-selection methods:
        • Use Pre-Configured Servers. XClarity Administrator uses the specified IP addresses and ports to discover the external authentication server.

          If you select this option, specify up to four pre-configured server IP addresses and ports. The LDAP client attempts to authenticate using the first server address. If authentication fails, the LDAP client attempts to authenticate using the next server IP address.

          If the port number for an entry is not explicitly set to 3268 or 3269, the entry is assumed to identify a domain controller.

          When the port number is set to 3268 or 3269, the entry is assumed to identify a global catalog. The LDAP client attempts to authenticate using the domain controller for the first configured server IP address. If this fails, the LDAP client attempts to authenticate using the domain controller for the next server IP address.

          Important: At least one domain controller must be specified, even if the global catalog is specified. Specifying only the global catalog seems to be successful but is not a valid configuration.

          When the cryptography mode is set to NIST-800-131A, XClarity Administrator might not be able to connect to an external LDAP server using a secure port (for example, using LDAPS over default port 636) if the LDAP server is not capable of establishing a Transport Layer Security (TLS) version 1.2 connection with the LDAP client in XClarity Administrator.

        • Use DNS to find LDAP Servers. XClarity Administrator uses the specified domain name or forest name to discover the external authentication server dynamically. The domain name and forest name are used to obtain a list of domain controllers, and the forest name is used to obtain a list of global catalog servers.

          Attention: When using DNS to find LDAP servers, ensure that the user account to be used to authenticate to the external authentication server is hosted on specified domain controllers. If the user account is hosted on a child domain controller, include the child domain controller in the service request list.
      4. Select one of these binding methods:

        • Configured Credentials. Use this binding method to use the client name and password to bind XClarity Administrator to the external authentication server. If the bind fails, the authentication process also fails.

          The client name can be any name that the LDAP server supports, including a distinguished name, sAMAccountName, NetBIOS name, or UserPrincipalName. The client name must be a user account within the domain that has at least read-only privileges. For example:
          cn=administrator,cn=users,dc=example,dc=com
          example\administrator
          administrator@example.com
          Attention: If you change the client password in the external authentication server, ensure that you also update the password in XClarity Administrator. For more information, see Cannot log in to Lenovo XClarity Administrator.
        • Login Credentials. Use this binding method to use an Active Directory or OpenLDAP user name and password to bind XClarity Administrator to the external authentication server.

          The user ID and password that you specify are used only to test the connection to the authentication server. If the test succeeds, the LDAP client settings are saved, but the test login credentials that you specified are not saved. All future binds use the user name and password that you used to log in to XClarity Administrator.

          Note:
          • You must be logged in to XClarity Administrator using a fully-qualified user ID (for example, administrator@domain.com or DOMAIN\admin).

          • You must use a fully qualified test client name for the binding method.

          Attention: To configure the binding method to use login credentials, the management controller for each managed server must be running firmware from September 2016 or later.
      5. In the Root DN field, it is recommended that you do not specify a root distinguished name, especially for environments with multiple domains. When this field is blank, XClarity Administrator queries the external authentication server for the naming contexts.

        If you use DNS to discover the external authentication server or if you specify multiple servers, you can optionally specify the top-most entry in your LDAP directory tree (for example, dc=example,dc=com). In this case, searches are started using the specified root distinguished name as the search base.

      6. Specify the attribute to use to search for the user name.

        When the binding method is set to Configured Credentials, the initial bind to the LDAP server is followed by a search request that retrieves specific information about the user, including the user's DN, login permissions, and group membership. This search request must specify the attribute name that represents the user IDs on that server. This attribute name is configured in this field. If this field is left blank, the default is cn.

      7. Specify the attribute name that is used to identify the groups to which a user belongs. If this field is left blank, the attribute name in the filter defaults to memberOf.

      8. Specify the attribute name that is used to identify the group name that is configured by the LDAP server. If this field is left blank, the default is uid.

    4. Click Apply.

      XClarity Administrator tests the configuration to detect common errors. If the test fails, error messages are displayed that indicate the source of the errors. If the test succeeds and connections to the specified servers complete successfully, user authentication might still fail if:

      • A local user with lxc-recovery authority does not exist.

      • The root distinguished name is incorrect.

      • The user is not a member of at least one group in the external authentication server that matches the name of a role group on the XClarity Administrator authentication server. XClarity Administrator cannot detect whether the root DN is correct; however, it can detect whether a user is a member of at least one group. If a user is not a member of at least one group, an error message is displayed when the user attempts to log in to XClarity Administrator. For more information about troubleshooting issues with the external authentication servers, see Connectivity issues.

  4. Create an external user account that can access XClarity Administrator:
    1. From the external authentication server, create a user account. For instructions, see the Active Directory or OpenLDAP documentation.
    2. Create an Active Directory or OpenLDAP global group with the name of a predefined and authorized group. The group must exist within the context of the root distinguished name that is defined in the LDAP client.
    3. Add the Active Directory or OpenLDAP user as a member of the security group that you created previously.
    4. Log on to XClarity Administrator using the Active Directory or OpenLDAP user name.
    5. Optional: Define and create additional groups. You can authorize these groups and assign roles to them from the Users and Groups page.
    6. If secure LDAP is enabled, import trusted certificates to the external LDAP server (see Installing a customized, externally signed server certificate).
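As an added example (not Lenovo's code), the following Python models the checks that the LDAP client settings above imply: classifying a pre-configured server list by port (3268/3269 means global catalog, at least one domain controller required, at most four entries), building the post-bind user search filter from the configured attribute with RFC 4515 escaping, and matching the user's memberOf groups against the XClarity Administrator role groups. The server names, the role-group list other than lxc-recovery, and the case-insensitive group comparison are assumptions.

```python
import re

GLOBAL_CATALOG_PORTS = {3268, 3269}  # ports the page says identify a global catalog


def classify_servers(servers):
    """servers: list of (host, port) as entered under Use Pre-Configured Servers.
    Returns (domain_controllers, global_catalogs), each in configured failover order."""
    dcs = [s for s in servers if s[1] not in GLOBAL_CATALOG_PORTS]
    gcs = [s for s in servers if s[1] in GLOBAL_CATALOG_PORTS]
    return dcs, gcs


def validate_servers(servers):
    """Return the configuration problems the page calls out (empty list == valid)."""
    problems = []
    if not 1 <= len(servers) <= 4:
        problems.append("specify between one and four pre-configured servers")
    dcs, _ = classify_servers(servers)
    if servers and not dcs:
        problems.append("at least one domain controller is required; "
                        "a global-catalog-only list is not a valid configuration")
    return problems


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot change the filter's meaning."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login_name, user_attr=""):
    """Filter for the user lookup that follows a Configured Credentials bind;
    a blank attribute field means cn, as the page states."""
    return f"({user_attr or 'cn'}={escape_filter_value(login_name)})"


def first_rdn_value(dn):
    """'CN=lxc-admin,CN=Users,DC=example,DC=com' -> 'lxc-admin'.
    Splits only on commas that are not backslash-escaped."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    return rdn.split("=", 1)[1].strip()


def matching_role_groups(member_of, role_groups):
    """External group names (from memberOf DNs) that equal an XClarity role group.
    Assumption: names compare case-insensitively. An empty result means the
    login is rejected, as described under Click Apply."""
    wanted = {g.lower() for g in role_groups}
    return sorted({first_rdn_value(dn) for dn in member_of
                   if first_rdn_value(dn).lower() in wanted})
```

The memberOf values and role groups used in the checks are constructed sample data; the defaults and rules encoded come from the settings described above.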

Results

XClarity Administrator validates the LDAP server connection. If the validation passes, user authentication occurs on the external authentication server when you log in to XClarity Administrator, CMM, and management controller.

If the validation fails, the authentication mode is automatically changed back to the Allow logons from local users setting, and a message that explains the cause of the failure is displayed.

Note: The correct role groups must be configured in XClarity Administrator, and user accounts must be defined as a member of one of those role groups on the Active Directory server. Otherwise, user authentication fails.