Authentication

Supported authentication servers

The authentication server is a user registry that is used to authenticate user credentials. Lenovo XClarity Administrator supports the following types of authentication servers.
  • Local authentication server. By default, XClarity Administrator is configured to use the embedded Lightweight Directory Access Protocol (LDAP) server that resides in the management server.
  • External LDAP server. Currently, only Microsoft Active Directory and OpenLDAP are supported. This server must reside on an outboard Microsoft Windows server that is connected to the management network.

    When an external LDAP server is used, the local authentication server is disabled.

    Attention: To configure the Active Directory binding method to use login credentials, the baseboard management controller for each managed server must be running firmware from September 2016 or later.
  • External identity-management system. Currently only CyberArk is supported.

    If user accounts for a ThinkSystem or ThinkAgile server are onboarded onto CyberArk, you can choose to have XClarity Administrator retrieve credentials from CyberArk to log in to the server when initially setting up the servers for management (with managed or local authentication). Before credentials can be retrieved from CyberArk, the CyberArk paths must be defined in XClarity Administrator and mutual trust must be established between CyberArk and XClarity Administrator using TLS mutual authentication through client certificates.

  • External SAML identity provider. Currently, only Microsoft Active Directory Federation Services (AD FS) is supported. In addition to entering a user name and password, multi-factor authentication can be set up to enable additional security by requiring a PIN code, reading a smart card, and a client certificate.

    When a SAML identity provider is used, the local authentication server is not disabled. Local user accounts are required to log in directly to a managed chassis or server (unless Encapsulation is enabled on that device), for PowerShell and REST API authentication, and for recovery if external authentication is not available.

    You can choose to use both an external LDAP server and an external identity provider. If both are enabled, the external LDAP server is used to log in directly to the managed devices, and the identity provider is used to log in to the management server.

For more information about authentication servers, see Managing the authentication server.

Device authentication

By default, devices are managed using XClarity Administrator managed authentication to log in to the devices. When managing rack servers and Lenovo chassis, you can choose to use local authentication or managed authentication to log in to the devices.
  • When local authentication is used for rack servers, Lenovo chassis, and Lenovo rack switches, XClarity Administrator uses a stored credential to authenticate to the device. The stored credential can be an active user account on the device or a user account in an Active Directory server.

    You must create a stored credential in XClarity Administrator that matches an active user account on the device or a user account in an Active Directory server before managing the device using local authentication (see Managing stored credentials).

    Note: RackSwitch devices support only stored credentials for authentication. XClarity Administrator user credentials are not supported.
  • Using managed authentication allows you to manage and monitor multiple devices using credentials in the XClarity Administrator authentication server instead of local credentials. When managed authentication is used for a device (other than ThinkServer servers, System x M4 servers, and switches), XClarity Administrator configures the device and its installed components to use the XClarity Administrator authentication server for centralized management.

    • When managed authentication is enabled, you can manage devices using either manually-entered or stored credentials (see Managing user accounts and Managing stored credentials).

      The stored credential is used only until XClarity Administrator configures the LDAP settings on the device. After that, any change to the stored credential has no impact on the management or monitoring of that device.

      Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
    • If a local or external LDAP server is used as the XClarity Administrator authentication server, user accounts that are defined in the authentication server are used to log in to XClarity Administrator, CMMs and baseboard management controllers in the XClarity Administrator domain. Local CMM and management controller user accounts are disabled.
      Note: For ThinkEdge SE450, SE350 V2, and SE360 V2 servers, the default local user account remains enabled and all other local accounts are disabled.
    • If a SAML 2.0 identity provider is used as the XClarity Administrator authentication server, SAML accounts are not accessible to managed devices. However, when using a SAML identity provider and an LDAP server together, if the identity provider uses accounts that exist in the LDAP server, LDAP user accounts can be used to log in to the managed devices while the more advanced authentication methods that are provided by SAML 2.0 (such as multifactor authentication and single sign-on) can be used to log in to XClarity Administrator.
    • Single sign-on allows a user that is already logged in to XClarity Administrator to automatically log in to the baseboard management controller. Single sign-on is enabled by default when a ThinkSystem or ThinkAgile server is brought into management by XClarity Administrator (unless the server is managed with CyberArk passwords). You can configure the global setting to enable or disable single sign-on for all managed ThinkSystem and ThinkAgile servers. Enabling single sign-on for a specific ThinkSystem and ThinkAgile server overrides the global setting for all ThinkSystem and ThinkAgile servers (see Managing servers).
      Note: Single sign-on is disabled automatically when using the CyberArk identity-management system for authentication.
    • When managed authentication is enabled for ThinkSystem SR635 and SR655 servers:
      • Baseboard management-controller firmware supports up to five LDAP user roles. XClarity Administrator adds these LDAP user roles to the servers during management: lxc-supervisor, lxc-sysmgr, lxc-admin, lxc-fw-admin, and lxc-os-admin.

        Users must be assigned to at least one of the specified LDAP user roles to communicate with ThinkSystem SR635 and SR655 servers.

      • Management-controller firmware does not support LDAP users with the same username as a local user of the server.
    • For ThinkServer and System x M4 servers, the XClarity Administrator authentication server is not used. Instead, an IPMI account is created on the device with the prefix LXCA_ followed by a random string. (The existing local IPMI user accounts are not disabled.) When you unmanage a ThinkServer server, the LXCA_ user account is disabled, and the prefix LXCA_ is replaced with the prefix DISABLED_. To determine whether a ThinkServer server is managed by another instance, XClarity Administrator checks for IPMI accounts with the prefix LXCA_. If you choose to force management of a managed ThinkServer server, all the IPMI accounts on the device with the LXCA_ prefix are disabled and renamed. Consider manually clearing IPMI accounts that are no longer used.

    If you use manually-entered credentials, XClarity Administrator automatically creates a stored credential and uses that stored credential to manage the device.

    Notes:
      • When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
      • Each time you manage a device using manually-entered credentials, a new stored credential is created for that device, even if another stored credential was created for that device during a previous management process.
      • When you unmanage a device, XClarity Administrator does not delete stored credentials that were automatically created for that device during the management process.
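
An administrator auditing a ThinkServer or System x M4 device for the LXCA_ and DISABLED_ IPMI accounts described above can script the check. This is an added example, not XClarity Administrator's own code: the `ipmitool user list` output, the account names and the `rename_on_unmanage` helper are constructed assumptions that follow the naming convention the text describes.

```python
# Constructed sample of `ipmitool user list` output from a BMC (hypothetical names).
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   lenovo           true    true       true       ADMINISTRATOR
3   LXCA_a8f2c1e9    true    true       true       ADMINISTRATOR
4   DISABLED_57b0d3  true    true       true       ADMINISTRATOR
5   DISABLED_0c4e91  true    true       true       ADMINISTRATOR
"""


def parse_user_list(text):
    """Parse `ipmitool user list` rows into (id, name, privilege) tuples."""
    users = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header line or blank line
        uid = int(tokens[0])
        # An empty (unnamed) slot has the boolean columns directly after the ID.
        if tokens[1] in ("true", "false"):
            name, rest = "", tokens[1:]
        else:
            name, rest = tokens[1], tokens[2:]
        priv = " ".join(rest[3:])  # privilege label may contain a space ("NO ACCESS")
        users.append((uid, name, priv))
    return users


def rename_on_unmanage(name):
    """Name an LXCA_ account takes after unmanage: prefix LXCA_ becomes DISABLED_."""
    return "DISABLED_" + name[len("LXCA_"):] if name.startswith("LXCA_") else name


def audit_lxca_accounts(text):
    """Classify IPMI accounts by the LXCA_ / DISABLED_ convention."""
    users = parse_user_list(text)
    active = [n for _, n, _ in users if n.startswith("LXCA_")]
    stale = [n for _, n, _ in users if n.startswith("DISABLED_")]
    return {
        # Presence of an LXCA_ account is what XClarity Administrator itself checks
        # to decide whether another instance already manages the device.
        "managed_by_xclarity": bool(active),
        "lxca_accounts": active,
        # Left behind by unmanage; they still occupy IPMI user slots.
        "stale_accounts": stale,
        "free_slots": sum(1 for _, n, _ in users if n == ""),
    }
```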

Recovery user account

If you specify a recovery password, XClarity Administrator disables the local CMM or management-controller user account and creates a new recovery user account (RECOVERY_ID) on the device for future authentication. If the management server fails, you can use the RECOVERY_ID account to log in to the device to take recovery actions to restore account-management functions on the device until the management node is restored or replaced.

If you unmanage a device that has a RECOVERY_ID user account, all local user accounts are enabled, and the RECOVERY_ID account is deleted.

Notes:
  • If you change the disabled local user accounts (for example, if you change a password), the changes have no effect on the RECOVERY_ID account. In managed-authentication mode, the RECOVERY_ID account is the only user account that is activated and operational.
  • Use the RECOVERY_ID account only in an emergency, for example, if the management server fails or if a network problem prevents the device from communicating with XClarity Administrator to authenticate users.
  • The RECOVERY_ID password is specified when you discover the device. Ensure that you record the password for later use.
  • RackSwitch devices support only stored credentials for authentication. XClarity Administrator user credentials are not supported.

For information about recovering device management, see Recovering management with a CMM after a management server failure and Recovering rack or tower server management after a management server failure.