CLI - Configuring the LDAP server

You can allow external directory users to connect to Spectrum Connect and manage it without having a locally-defined user account.

The connection to the directory server is established through Lightweight Directory Access Protocol (LDAP) authentication. When directory server access is enabled, any login attempt (attempt to log in to Spectrum Connect) is authenticated against the defined directory server.

Use the sc_ldap CLI command to configure the LDAP server. Then add the LDAP-based directory user or group access via the Spectrum Connect web UI (see Managing Spectrum Connect users) or the command line using the sc_users/sc_ldap_groups command (see CLI – Managing Spectrum Connect users).
Note:
  • When directory user access is enabled and configured through sc_ldap, the directory users can access and manage only Spectrum Connect. A separate and unrelated authentication system may be used on the storage system side for directory-based management of the storage system. For more information, refer to CLI – Adding or removing storage system credentials and to your storage system documentation.
Table 1. Arguments for sc_ldap
Argument Use after sc_ldap to:
configure -e -a

-s <server URI>

-t <directory server type>

-r <user search DN>

-k <user search key>

-g <user group DN>

-o <user group object class

or

configure --enable --anonymous

--server_uri <server URI>

--server_type <directory server type>

--user_search_dn <user search DN>

--user_search_key <user search key>

--group_search_dn <user group DN>

--group_object_class <user group object class>

 Enable directory access and establish a connection to a directory server as an anonymous user with the following parameters specified after the -a argument on the command line:
  • Server URI (-s; --server_uri) – Uniform resource identifier (URI) of the directory server. This parameter determines which directory server should be accessed and used for directory user management of Spectrum Connect.
  • Server type (-t; --server_type) – Type of the directory server. One of the following types can be specified:
    • Active Directory (ACTIVE_DIRECTORY)
    • Open LDAP (OPEN_LDAP)
    • Custom (CUSTOM)
  • User search DN (-r; --user_search_dn) – Distinguished name (DN) to be used for the user search.
  • User search key (-k; --user_search_key) – Search key of the directory user. Valid only if the specified server type (-t; --server_type) is CUSTOM.
  • Group search DN (-g; --group_search_dn) – Distinguished name (DN) of the user group for search purposes.
  • Group object class (-o; --group_object_class) – Object class of the user group. Valid only if the specified server type (-t; --server_type) is CUSTOM.

For example:

sc_ldap configure -e -a -s ldap://ad1.ibm.com
-t ACTIVE_DIRECTORY -r "CN=Users,DC=mydomain,DC=test,DC=com"
 -g "CN=sc_TestGrp,CN=Users,DC=mydomain,DC=test,DC=com"

When prompted to enter a password, press Enter without entering any password:

Please enter the BIND_DN password (password not shown):
The following changes were applied to the LDAP configuration: 
ENABLED
Please restart the IBM Spectrum Connect to apply 
the new configuration.

After enabling the directory access, test the directory connection by using the test option (see below). After testing, restart the Spectrum Connect service as explained in Checking and controlling the Spectrum Connect Linux service.

Then, use the sc_users command to add LDAP administrators to enable them to access the Spectrum Connect GUI, see CLI – Managing Spectrum Connect users and groups.
configure -e -u <Bind DN username>

-p <Bind DN password>

 Enable directory access and establish a connection to a directory server by using the Bind DN user account that was predefined on the directory server (predefined by the directory server administrator). For this command, specify these two parameters in addition to the entries listed for the anonymous user:
  • Bind DN username (-u; --bind_dn) – Username of the Bind DN user through which access to the directory server is established. Spectrum Connect uses this username to log in to the directory server and establish the connection with it.
  • Bind DN password (-p; --bind_password) – Password of the Bind DN username.

For example:

sc_ldap configure -e -s ldap://myad1.ibm.com
 -t ACTIVE_DIRECTORY -r "CN=Users,DC=sc,DC=test,DC=com"
 -g "CN=Users,DC=sc,DC=test,DC=com" 
 -u mybinduser -p mypassw0rd

When prompted to enter a password, enter the directory server's Bind DN user password:

Please enter the BIND_DN password (password not shown): ******
The following changes were applied to the LDAP configuration: 
ENABLED
Please restart the IBM Spectrum Connect to apply 
the new configuration.
configure -d

or

configure --disable

 Disable directory user access.

After disabling the directory access, restart the Spectrum Connect service as explained in Checking and controlling the Spectrum Connect Linux service.
list Display the current directory server configuration status (on Spectrum Connect) and Bind DN username.
test -u <directory username> -p <password> Test a directory user account by specifying the username and password of that account. You can test any user account that came up as configured user search DN on the directory server (the test is not for the Bind DN user account, but for an actual directory account).

For example:

sc_ldap test -u mytestuser -p mytestuserpassw0rd 
IBM Spectrum Connect LDAP configuration has been verified
successfully.
-h

or --help

 Display help information that is relevant to sc_ldap.

You can also display help for the configure, list, or test argument if it is typed on the command line as well.

Adding a directory server certificate

If the directory server uses Transport Layer Security (TLS), you must edit the ldap.conf file and specify the trusted certificate directory location and filename on Spectrum Connect. Complete the following steps to update Spectrum Connect:
  1. Log in to the directory server and issue the following command: certutil -ca.cert client.crt. This command generates the server certificate.
  2. Go to the /etc/openldap/ directory and edit the ldap.conf file by setting the value for the TLS_CACERT parameter. The following example shows the contents of the ldap.conf file:
    #LDAP Defaults
#
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:port#
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CACERT /etc/openldap/certs/trusted_ldap.pem
    Make sure that the TLS_CACERT parameter has the directory and file name of the new certificate that you generated. After editing the ldap.conf file, the ldap.ini file is automatically updated.

Editing the ldap.ini configuration file

In addition to using the sc_ldap CLI command, you can edit the ldap.ini configuration file to manually change the directory user access settings.
Attention:
  • Do not edit the ldap.ini file if you are not familiar with directory setting conventions.
  • Restart Spectrum Connect after editing the ldap.ini file to apply the changes.
The following example shows the editable parameters and their values specified after the '=' sign:
enable_ldap = True
server_uri = ldap://servername.domainname:389
server_type = OPEN_LDAP
user_search_dn = ou=users,dc=dcname,dc=com
user_search_key =
group_search_dn = dc=dcname,dc=com
group_object_class =
bind_dn =
bind_password = <enctypted password>=
bind_pwd_verification = <encrypted key>=

The following table summarizes the parameters and their indication.

Table 2. ldap.ini configuration parameters
Parameter Indication
enable_ldap True or False.

When True and enabled, the login attempt is authenticated against the directory server.
server_uri Uniform resource identifier (URI) of the directory server.
server_type Type of the directory server:
  • Active Directory
  • Open LDAP
  • Custom
user_search_dn Distinguished name (DN) to be used for user search.
user_search_key Search tag for obtaining a unique relative distinguished name (RDN).

Commonly used values: uid, preferredId
group_search_dn Distinguished name (DN) to be used for user group search.
group_object_class Type of the user group.

Commonly used values: GroupOfNames, NestedGroupOfNames, GroupOfUniqueNames, NestedGroupOfUniqueNames, ActiveDirectoryGroup, NestedActiveDirectoryGroup
bind_dn Username of the Bind DN user through which access to the directory server is established.
bind_password Password of the Bind DN username. The password is displayed in its encrypted form.
bind_pwd_verification Verification string for the Bind DN password. The string is displayed in its encrypted form.
Note:
  • user_search_key and user_search_dn return unique results. For example:
    user_search_key=uid
user_search_dn=ou=users,dc=dcname,dc=com
    In this case, if the user name is "John", the resulting DN for matching the user over LDAP would be: uid=John,ou=users,dc=dcname,dc=com
  • When server_type type is Active Directory, the following parameters are used by default:
    user search key = sAMAccountName
user group object class = NestedActiveDirectoryGroup
  • When server_type type is Open LDAP, the following parameters are used by default:
    user search key = uid
user group object class = GroupOfUniqueNames
  • You can use a valid username and password (defined on the LDAP server) with the sc_ldap test command to test your LDAP configuration.