Configuring LDAP-based directory user access

You can allow external directory users to connect to Spectrum Control and manage it without having a locally-defined user account.

The connection to the directory server is established through Lightweight Directory Access Protocol (LDAP) authentication. When directory server access is enabled, any login attempt (attempt to log in to Spectrum Control) is authenticated against both the local database of Spectrum Control users, and against the defined directory server.

Use the sc_ldap CLI command to configure LDAP-based directory user access to Spectrum Control. Use the required argument after the command, as specified in the following table.

Note:

When directory user access is enabled and configured through sc_ldap, the directory users can access and manage only Spectrum Control. A separate and unrelated authentication system may be used on the storage system side for directory-based management of the storage system. For more information, refer to CLI – Adding or removing storage array credentials and to your storage system documentation.
Once the connection is established, all users that are defined on the directory server can access and manage Spectrum Control.

Table 1. Arguments for sc_ldap
Argument	Use after sc_ldap to:
configure -e -a -s <server URI> -t <directory server type> -r <user search DN> -k <user search key> -g <user group DN> -o <user group object class -n <user group authentication DN> or configure --enable --anonymous --server_uri <server URI> --server_type <directory server type> --user_search_dn <user search DN> --user_search_key <user search key> --group_search_dn <user group DN> --group_object_class <user group object class> --authentication_group_dn <user group authentication DN>	Enable directory access and establish a connection to a directory server as an anonymous user with the following parameters specified after the -a argument on the command line: Server URI (-s; --server_uri) – Uniform resource identifier (URI) of the directory server. This parameter determines which directory server should be accessed and used for directory user management of Spectrum Control. Server type (-t; --server_type) – Type of the directory server. One of the following types can be specified: Active Directory (active_directory) Open LDAP (open_ldap) Custom (custom) User search DN (-r; --user_search_dn) – Distinguished name (DN) to be used for the user search. User search key (-k; --user_search_key) – Search key of the directory user. Valid only if the specified server type (-t; --server_type) is 'custom'. Group search DN (-g; --group_search_dn) – Distinguished name (DN) of the user group for search purposes. Group object class (-o; --group_object_class) – Object class of the user group. Valid only if the specified server type (-t; --server_type) is 'custom'. Authentication group DN (-n; --authentication_group_dn) – Distinguished name (DN) used for the user group authentication. For example: `sc_ldap configure -e -a -s ldap://ad1.ibm.com -t active_directory -r "CN=Users,DC=mydomain,DC=test,DC=com" -g "CN=sc_TestGrp,CN=Users,DC=mydomain,DC=test,DC=com" -n "CN=sc_TestGrp,CN=Users,DC=mydomain,DC=test,DC=com"` When prompted to enter a password, press Enter without entering any password: `Please enter the BIND_DN password (password not shown): The following changes were applied to the LDAP configuration: ENABLED Please restart the IBM Spectrum Control to apply the new configuration.` After enabling the directory access, you can test the directory connection by using the test option (see below). Then, restart the Spectrum Control service as explained in Checking and controlling the Spectrum Control service.
configure -e -u <Bind DN username> -p <Bind DN password>	Enable directory access and establish a connection to a directory server by using the Bind DN user account that was predefined on the directory server (predefined by the directory server administrator). For this command, specify these two parameters in addition to the entries listed for the anonymous user: Bind DN username (-u; --bind_dn) – Username of the Bind DN user through which access to the directory server is established. Spectrum Control uses this username to log in to the directory server and establish the connection with it. Bind DN password (-p; --bind_password) – Password of the Bind DN username. For example: `sc_ldap configure -e -s ldap://myad1.ibm.com -t ACTIVE_DIRECTORY -r "CN=Users,DC=sc,DC=test,DC=com" -g "CN=Users,DC=sc,DC=test,DC=com" -n "CN=SC_TestGrp,CN=Users,DC=sc,DC=test,DC=com" -u mybinduser -p mypassw0rd` When prompted to enter a password, enter the directory server's Bind DN user password: `Please enter the BIND_DN password (password not shown): ****** The following changes were applied to the LDAP configuration: ENABLED Please restart the IBM Spectrum Control to apply the new configuration.`
configure -d or configure --disable	Disable directory user access. After disabling the directory access, restart the Spectrum Control service as explained in Checking and controlling the Spectrum Control service.
list	Display the current directory server configuration status (on Spectrum Control) and Bind DN username.
test -u <directory username> -p <password>	Test a directory user account by specifying the username and password of that account. You can test any user account that is defined on the directory server (the test is not for the Bind DN user account, but for an actual directory account). For example: `sc_ldap test -u mytestuser -p mytestuserpassw0rd IBM Spectrum Control LDAP configuration has been verified successfully.`
-h or --help	Display help information that is relevant to sc_ldap. You can also display help for the configure, list, or test argument if it is typed on the command line as well.

Adding a directory server certificate

If the directory server uses Transport Layer Security (TLS), you must edit the ldap.conf file and specify the trusted certificate directory location and filename on Spectrum Control. Complete the following steps to update Spectrum Control:

Log in to the directory server and issue the following command: certutil -ca.cert client.crt. This command generates the server certificate.
Go to the /etc/openldap/ directory and edit the ldap.conf file by setting the value for the TLS_CACERT parameter. The following example shows the contents of the ldap.conf file:
```
#LDAP Defaults
#
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:port#
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CACERT /etc/openldap/certs/trusted_ldap.pem
```
Make sure that the TLS_CACERT parameter has the directory and file name of the new certificate that you generated. After editing the ldap.conf file, the ldap.ini file is automatically updated.

Editing the ldap.ini configuration file

In addition to using the sc_ldap CLI command (see Table 1), you can edit the ldap.ini configuration file to manually change the directory user access settings.

Attention: Do not edit the ldap.ini file if you are not familiar with directory setting conventions.

The following example shows the editable parameters and their values specified after the '=' sign:

enable_ldap = True
server_uri = ldap://servername.domainname:389
server_type = OPEN_LDAP
user_search_dn = ou=users,dc=dcname,dc=com
user_search_key =
group_search_dn = dc=dcname,dc=com
group_object_class =
authentication_group_dn = cn=authenticating-group,dc=dcname,dc=com
bind_dn =
bind_password = <enctypted password>=
bind_pwd_verification = <encrypted key>=

The following table summarizes the parameters and their indication. Refer to Table 1 for more detailed information.

Table 2. ldap.ini configuration parameters
Parameter	Indication
enable_ldap	`True` or `False`. When `True` and enabled, the login attempt is authenticated against the directory server.
server_uri	Uniform resource identifier (URI) of the directory server.
server_type	Type of the directory server: Active Directory Open LDAP Custom
user_search_dn	Distinguished name (DN) to be used for user search.
user_search_key	Search tag for obtaining a unique relative distinguished name (RDN). Commonly used values: `uid`, `preferredId`
group_search_dn	Distinguished name (DN) to be used for user group search.
group_object_class	Type of the user group. Commonly used values: `GroupOfNames`, `NestedGroupOfNames`, `GroupOfUniqueNames`, `NestedGroupOfUniqueNames`, `ActiveDirectoryGroup`, `NestedActiveDirectoryGroup`
authentication_group_dn	Distinguished name (DN) of the authentication user group.
bind_dn	Username of the Bind DN user through which access to the directory server is established.
bind_password	Password of the Bind DN username. The password is displayed in its encrypted form.
bind_pwd_verification	Verification string for the Bind DN password. The string is displayed in its encrypted form.

Note:

user_search_key and user_search_dn return unique results. For example:
```
user_search_key=uid
user_search_dn=ou=users,dc=dcname,dc=com
```
In this case, if the user name is "John", the resulting DN for matching the user over LDAP would be: uid=John,ou=users,dc=dcname,dc=com
If authentication_group_dn is set, only users that belong to that group are authenticated. You can remove this parameter from the ldap.ini file to disable group authentication.
When server_type type is Active Directory, the following parameters are used by default:
```
user search key = sAMAccountName
user group object class = ActiveDirectoryGroup
```
When server_type type is Open LDAP, the following parameters are used by default:
```
user search key = uid
user group object class = GroupOfUniqueNames
```