Configuring remote authentication

Remote authentication allows users to authenticate to the system that uses credentials that are stored on an external authentication service. When you configure remote authentication, you do not need to configure users on the system or assign more passwords. Instead, you can use your existing passwords and user groups that are defined on the remote service to simplify user management and access, to enforce password policies more efficiently, and to separate user management from storage management.

A remote user is authenticated on a remote service with Lightweight Directory Access Protocol (LDAPv3) support. A remote user does not need to be added to the list of users on the system, although they can be added to configure optional SSH keys. Remote users cannot access the system when the remote service is down. In that case, a local user account must be used until the remote service is restored. Remote users have their groups defined by the remote authentication service.

Using the management GUI

To configure remote authentication with LDAP, complete these steps:
  1. In the management GUI, select Settings > Security > Remote Authentication.
  2. Select Configure Remote Authentication.
  3. Select LDAP.
  4. Select the type of LDAP server that is used for authentication.
  5. Select one of the following security options:
    LDAP with StartTLS
    Select this option to configure extensions that upgrade the standard LDAP port (389) to an encrypted port that uses TLS or SSL. The initial connection to the directory server is decrypted but can be used on systems that do not have port 636 available.
    LDAPS
    Select this option to secure LDAP communication by using the default secure port (636). The connections for all transactions with the directory server are encrypted.
    LDAP with no security
    Select this option to transport data in clear text format without encryption.
  6. Specify optional service credentials or modify advanced LDAP settings. The following LDAP attributes can be configured:
    User attribute
    For all server types, users are authenticated with a user name that is defined with the LDAP user attribute. This attribute must exist in your LDAP schema and must be unique for each of your users. Active Directory users can also authenticate by using their user principal names (UPN) or NT login names.
    Group attribute
    Authenticated users are assigned roles according to their LDAP group memberships. The groups to which a user belongs are stored in the LDAP group attribute. This attribute value can be the distinguished name of each group, or a colon-separated list of user group names.
    Audit log attribute
    If an LDAP user completes an audited action, the contents of the audit log attribute are recorded in the audit log.
  7. Define up to six LDAP servers to use for authentication. Multiple servers can be configured to provide access to different sets of users or for redundancy. You can also configure which servers are preferred to authenticate users.
  8. Configure user groups on the system to match groups that are configured on the remote authentication service. For each user group on the authentication service, a corresponding user group must be created with the same name. In the management GUI, complete these steps:
    1. Select Access > Users > Create User Groups.
    2. Enter the name of the user group that is on the remote authentication service and select LDAP under Remote Authentication.
    3. Select the corresponding role for this user group. For example, if the user group on the remote authentication service is called systemadmins, select Administrator role for this user group on the system. These users need equivalent roles to complete actions on the system.
    4. Click Create.
  9. Verify your LDAP configuration. To test the connection to the LDAP servers, select Global Actions > Test LDAP Connections. To test authentication to the LDAP servers, select Global Actions > Test LDAP Authentication and enter corresponding credentials for the user.
  10. Remote users, who require access without a password, must configure a Secure Shell (SSH) key on the system. To configure a remote user for SSH key access, complete these steps:
    1. Select Access > Users.
    2. Select New User or change an existing user by selecting Actions > Properties.
    3. Select the remote authentication mode and provide an SSH public key. If you require command-line access without entering a password, use an SSH public key.

    To delete a user from the system, complete these steps:

    1. Select Access > Users.
    2. Right-click the user and select Actions > Delete.

Using the command-line interface

To enable user authentication with LDAP by using the command-line interface, follow these steps:
  1. Configure LDAP by entering the chldap command.
    This command provides default settings for both IBM Security Directory Server and AD. To configure authentication with IBM Security Directory Server schema defaults and Transport Layer Security (TLS), for example, enter the following command: 
    chldap -type itds -security tls
    LDAP configuration can be inspected with the lsldap command.
    Note: Use TLS so that transmitted passwords are encrypted.
  2. Specify the mkldapserver command to define up to six LDAP servers to use for authentication.
    Multiple servers can be configured to provide access to different sets of users or for redundancy. All servers must share the settings that are configured with chldap. To configure an LDAP server with an SSL certificate and users in the cn=users,dc=company,dc=com subtree, for example, enter the following command: 
    mkldapserver -ip 9.71.45.108 -basedn cn=users,dc=company,dc=com -sslcert /tmp/sslcert.pem

    You can also configure which servers are preferred to authenticate users.

    Specify lsldapserver for LDAP server configuration information. Specify chldapserver and rmldapserver to change the configured LDAP servers.

  3. Configure user groups on the system by matching those user groups that are used by the authentication service.

    For each group of interest that is known to the authentication service, a system user group must be created with the same name and with the remote setting enabled. If members of a group that is called sysadmins, for example, require the system administrator (admin) role, enter the following command:

    mkusergrp -name sysadmins -remote -role Administrator

    If none of the user groups match a system user group, the user cannot access the system.

  4. Verify your LDAP configuration by using the testldapserver command.
    To test the connection to the LDAP servers, enter the command without any options. A user name can be supplied with or without a password to test for configuration errors. To process a full authentication attempt against each server, enter the following commands: 
    testldapserver -username username -password 'password'
  5. Enter the following command to enable LDAP authentication: 
    chauthservice -type ldap -enable yes
  6. Configure users who do not require Secure Shell (SSH) key access.
    Delete system users who must use the remote authentication service and do not require SSH key access.
    Remember: A superuser cannot be deleted or use the remote authentication service.
  7. Configure users who require SSH key access.

    All system users who use the remote authentication service and require SSH key access must have remote settings that are enabled and a valid SSH key that is configured on the system.

  8. Specify the type of security to use when communicating with LDAP servers.

    Specify tls to enable TLS. Select this option to configure extensions that upgrade the standard LDAP port (389) to an encrypted port that uses TLS. The initial connection to the directory server is unencrypted but can be used on systems that do not have port 636 available.

    Specify ssl to enable SSL security. This option secures LDAP communication by using the default secure port (636). The connections for all transactions with the directory server are encrypted. The default value is none.