Configure user authentication from an external user registry to the Local Management Interface

Use the LMI Authentication Configuration page to configure, reconfigure, or unconfigure users from an external user registry to authenticate to the local management interface of the virtual appliance.

Make sure to add the required users to the external user registry on IBM Security Directory Server or Microsoft Active Directory before working from this configuration page.

Configure, reconfigure, or unconfigure external authentication to enable users that are included in the external user registry to access the local management interface (LMI) of the virtual appliance.

Action LMI Authentication configuration options
Configure

Host name
Name of the server hosting the directory server.

The acceptable formats for the host name are IPv4, FQDN, and IPv6. For example, igildap.example.com.

Port
Specify the directory server port.

For example, 389.

SSL
Flag this check box to apply SSL encryption to the connection with this server.

If we select this option, we are also prompted to accept the default digital certificate.

Principal DN
Principal distinguished name.

For example, cn=root.

Password
Password for the principal distinguished name.

LMI Authentication DN Location
Specify the directory server DN location.

For example, dc=com.

User filter
Specify which users in the external registry can access the LMI. For example,
  • For Directory Server, 
    (&(uid=%v)(objectclass=inetOrgPerson))
    uses user IDs (uid) and the inetOrgPerson object class to find the users. At run time, %v is replaced with the uid attribute of each user, which must be a unique key within the same object class in LDAP.
  • For Active Directory, 
    (&(sAMAccountName=%v)(objectclass=organizationalPerson)))
    uses user account names (sAMAccountName) and the organizationalPerson object class to find the users.

Group filter
Use group names to specify which users in the external registry can access the LMI. For example,
  • For Directory Server, use:
    (&(cn=%v)(objectclass=groupOfNames))
    The filter looks up groups in the directory service based on their common name (CN). At runtime, %v is replaced by the group name. The object class can be groupOfNames, groupOfUniqueNames, or groupOfURLs.We can specify multiple object classes. For example, 
    (&(cn=%v)(|(objectclass=groupOfNames)
(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
  • For Active Directory, use:
    (&(cn=%v)(objectcategory=CN=Group,CN=Schema,
CN=Configuration,DC=DN location of Active Directory)))
Reconfigure

Host name
Name of the server hosting the directory server.

The acceptable formats for the host name are IPv4, FQDN, and IPv6. For example, igildap.example.com.

Port
Specify the directory server port.

For example, 389.

SSL
Flag this check box to apply SSL encryption to the connection with this server.

If we select this option, we are also prompted to accept the default digital certificate.

Principal DN
Principal distinguished name.

For example, cn=root.

Password
Password for the principal distinguished name.

LMI Authentication DN Location
Specify the directory server DN location.

For example, dc=com.

User filter
Specify which users in the external registry can access the LMI. For example,
  • For Directory Server, 
    (&(uid=%v)(objectclass=inetOrgPerson))
    uses user IDs (uid) and the inetOrgPerson object class to find the users. At run time, %v is replaced with the uid attribute of each user, which must be a unique key within the same object class in LDAP.
  • For Active Directory, 
    (&(sAMAccountName=%v)(objectclass=organizationalPerson)))
    uses user account names (sAMAccountName) and the organizationalPerson object class to find the users.

Group filter
Use group names to specify which users in the external registry can access the LMI. For example,
  • For Directory Server, in 
    (&(cn=groupName)((objectclass=groupOfNames))
    groupName is the name of a group defined in Directory server. The object class can be groupOfNames, groupOfUniqueNames, or groupOfURLs.We can specify multiple object classes. For example, 
    (&(cn=groupName)(|(objectclass=groupOfNames)
(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
  • For Active Directory, in 
    (&(cn=groupName)(objectcategory=CN=Group,CN=Schema,
CN=Configuration,DC=DN location of Active Directory)))
    groupName is the name of a group defined in Directory Server.

  1. From the top-level menu of the virtual appliance dashboard, click Manage > System Settings > Management Authentication.

  2. In the LMI Authentication Configuration pane, select Configure.

  3. In the LMI Authentication Configuration Details window, specify the expected variables. See Table 1.

  4. Select Save Configuration.

  5. Optional: Reconfigure an existing LMI Authentication configuration.

    1. From the LMI Authentication Configuration table, select the LMI Authentication configuration record.

    2. Click Reconfigure.

    3. In the Edit LMI Authentication Configuration Details window, edit the configuration variables. See Table 1.

    4. Click Save Configuration.

  6. Optional: Unconfigure an existing LMI Authentication configuration.

    1. From the LMI Authentication Configuration table, select the LMI Authentication configuration record.

    2. Click Unconfigure.

    3. Click Yes to confirm the deletion.

Parent topic: Authenticating users from an external user registry to the Local Management Interface