Supported authentication servers
The authentication server is a user registry that is used to authenticate user credentials. Lenovo XClarity Administrator supports the following types of authentication servers.
- Local authentication server. By default, XClarity Administrator is configured to use the embedded Lightweight Directory Access Protocol (LDAP) server that resides in the management server.
- External LDAP server. Currently, only Microsoft Active Directory and OpenLDAP are supported. This server must reside on an outboard Microsoft Windows server that is connected to the management network. When an external LDAP server is used, the local authentication server is disabled.
Attention: To configure the Active Directory binding method to use login credentials, the baseboard management controller for each managed server must be running firmware from September 2016 or later.
- External identity-management system. Currently, only CyberArk is supported. If user accounts for a ThinkSystem or ThinkAgile server are onboarded onto CyberArk, you can choose to have XClarity Administrator retrieve credentials from CyberArk to log in to the server when initially setting up the servers for management (with managed or local authentication). Before credentials can be retrieved from CyberArk, the CyberArk paths must be defined in XClarity Administrator and mutual trust must be established between CyberArk and XClarity Administrator using TLS mutual authentication through client certificates.
- External SAML identity provider. Currently, only Microsoft Active Directory Federation Services (AD FS) is supported. In addition to entering a user name and password, multi-factor authentication can be set up to enable additional security by requiring a PIN code, a smart card, or a client certificate. When a SAML identity provider is used, the local authentication server is not disabled. Local user accounts are required to log in directly to a managed chassis or server (unless Encapsulation is enabled on that device), for PowerShell and REST API authentication, and for recovery if external authentication is not available.
You can choose to use both an external LDAP server and an external identity provider. If both are enabled, the external LDAP server is used to log in directly to the managed devices, and the identity provider is used to log in to the management server.
For more information about authentication servers, see Managing the authentication server.
Device authentication
By default, devices are managed using XClarity Administrator managed authentication to log in to the devices. When managing rack servers and Lenovo chassis, you can choose to use local authentication or managed authentication to log in to the devices.
When local authentication is used for rack servers, Lenovo chassis, and Lenovo rack switches, XClarity Administrator uses a stored credential to authenticate to the device. The stored credential can be an active user account on the device or a user account in an Active Directory server.
You must create a stored credential in XClarity Administrator that matches an active user account on the device or a user account in an Active Directory server before managing the device using local authentication (see Managing stored credentials).
Note: RackSwitch devices support only stored credentials for authentication. XClarity Administrator user credentials are not supported.
Using managed authentication allows you to manage and monitor multiple devices using credentials in the XClarity Administrator authentication server instead of local credentials. When managed authentication is used for a device (other than ThinkServer servers, System x M4 servers, and switches), XClarity Administrator configures the device and its installed components to use the XClarity Administrator authentication server for centralized management.
- When managed authentication is enabled, you can manage devices using either manually-entered or stored credentials (see Managing user accounts and Managing stored credentials). The stored credential is used only until XClarity Administrator configures the LDAP settings on the device. After that, any change to the stored credential has no impact on the management or monitoring of that device.
Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
- If a local or external LDAP server is used as the XClarity Administrator authentication server, user accounts that are defined in the authentication server are used to log in to XClarity Administrator, CMMs and baseboard management controllers in the XClarity Administrator domain. Local CMM and management controller user accounts are disabled.
Note: For ThinkEdge SE450, SE350 V2, and SE360 V2 servers, the default local user account remains enabled and all other local accounts are disabled.
- If a SAML 2.0 identity provider is used as the XClarity Administrator authentication server, SAML accounts are not accessible to managed devices. However, when using a SAML identity provider and an LDAP server together, if the identity provider uses accounts that exist in the LDAP server, LDAP user accounts can be used to log in to the managed devices while the more advanced authentication methods that are provided by SAML 2.0 (such as multifactor authentication and single sign-on) can be used to log in to XClarity Administrator.
- Single sign-on allows a user that is already logged in to XClarity Administrator to automatically log in to the baseboard management controller. Single sign-on is enabled by default when a ThinkSystem or ThinkAgile server is brought into management by XClarity Administrator (unless the server is managed with CyberArk passwords). You can configure the global setting to enable or disable single sign-on for all managed ThinkSystem and ThinkAgile servers. Enabling single sign-on for a specific ThinkSystem or ThinkAgile server overrides the global setting for that server (see Managing servers).
Note: Single sign-on is disabled automatically when using the CyberArk identity-management system for authentication.
- When managed authentication is enabled for ThinkSystem SR635 and SR655 servers:
- For ThinkServer and System x M4 servers, the XClarity Administrator authentication server is not used. Instead, an IPMI account is created on the device with the prefix LXCA_ followed by a random string. (The existing local IPMI user accounts are not disabled.) When you unmanage a ThinkServer server, the LXCA_ user account is disabled, and the prefix LXCA_ is replaced with the prefix DISABLED_. To determine whether a ThinkServer server is managed by another instance, XClarity Administrator checks for IPMI accounts with the prefix LXCA_. If you choose to force management of a managed ThinkServer server, all the IPMI accounts on the device with the LXCA_ prefix are disabled and renamed. Consider manually clearing IPMI accounts that are no longer used.
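As an added illustration (not Lenovo's code or tooling) of the LXCA_/DISABLED_ naming convention described above, the following Python audits an IPMI user table for accounts left behind by management and unmanagement; the user table, account names and IDs are constructed for the example.

```python
from dataclasses import dataclass

# Prefixes XClarity Administrator applies to the IPMI account it creates on
# ThinkServer / System x M4 devices (LXCA_) and renames on unmanage (DISABLED_).
LXCA_PREFIX = "LXCA_"
DISABLED_PREFIX = "DISABLED_"


@dataclass(frozen=True)
class IpmiUser:
    user_id: int
    name: str
    enabled: bool


# Constructed sample IPMI user table; not captured from a real device.
SAMPLE_USERS = [
    IpmiUser(2, "USERID", True),              # factory local account, left enabled by management
    IpmiUser(3, "LXCA_8f1c2a9e", True),       # account created by the current management server
    IpmiUser(4, "DISABLED_3b77d0c1", False),  # left behind by an earlier unmanage
    IpmiUser(5, "DISABLED_c0ffee42", True),   # renamed on unmanage, but re-enabled since
    IpmiUser(6, "LXCA_5d2e7b10", True),       # a second LXCA_ account on the same device
]


def audit_lxca_accounts(users):
    """Classify IPMI accounts by prefix and list account-hygiene findings."""
    active = sorted(u.name for u in users if u.name.startswith(LXCA_PREFIX))
    stale = sorted(u.name for u in users if u.name.startswith(DISABLED_PREFIX))
    findings = []
    if len(active) > 1:
        findings.append(
            "more than one LXCA_ account present; check whether another "
            "XClarity Administrator instance still manages this device"
        )
    for u in users:
        # An account renamed to DISABLED_ should also be disabled; flag drift.
        if u.name.startswith(DISABLED_PREFIX) and u.enabled:
            findings.append(f"user {u.user_id} ({u.name}) has the DISABLED_ prefix but is still enabled")
    if stale:
        findings.append(f"{len(stale)} DISABLED_ account(s) are no longer used; consider clearing them manually")
    return {"managed": bool(active), "active": active, "stale": stale, "findings": findings}


if __name__ == "__main__":
    for line in audit_lxca_accounts(SAMPLE_USERS)["findings"]:
        print(line)
```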
- If you use manually-entered credentials, XClarity Administrator automatically creates a stored credential and uses that stored credential to manage the device.
Note: When managed authentication is enabled for a device, you cannot edit stored credentials for that device using XClarity Administrator.
- Each time you manage a device using manually-entered credentials, a new stored credential is created for that device, even if another stored credential was created for that device during a previous management process.
- When you unmanage a device, XClarity Administrator does not delete stored credentials that were automatically created for that device during the management process.
Recovery user account
If you specify a recovery password, XClarity Administrator disables the local CMM or management-controller user account and creates a new recovery user account (RECOVERY_ID) on the device for future authentication. If the management server fails, you can use the RECOVERY_ID account to log in to the device to take recovery actions to restore account-management functions on the device until the management node is restored or replaced.
If you unmanage a device that has a RECOVERY_ID user account, all local user accounts are enabled, and the RECOVERY_ID account is deleted.
Notes:
- If you change the disabled local user accounts (for example, if you change a password), the changes have no effect on the RECOVERY_ID account. In managed-authentication mode, the RECOVERY_ID account is the only user account that is activated and operational.
- Use the RECOVERY_ID account only in an emergency, for example, if the management server fails or if a network problem prevents the device from communicating with XClarity Administrator to authenticate users.
- The RECOVERY_ID password is specified when you discover the device. Ensure that you record the password for later use.
- RackSwitch devices support only stored credentials for authentication. XClarity Administrator user credentials are not supported.
For information about recovering device management, see Recovering management with a CMM after a management server failure and Recovering rack or tower server management after a management server failure.