
HMC connection to AD / LDAP

First remove the previous LDAP config

hscroot@hmc:~> chhmcldap -o r -r ldap

Add a CA certificate for the AD LDAP server (first copy the certificate to /home/hscroot/ca2.mydom.cer):

hscroot@hmc:~> getfile -t ldapcacert -l l -f /home/hscroot/ca2.mydom.cer -a 'MYDOM_ca2.cer'

Configure the AD connection; the server must be given in this format:

ldaps://ldapserver1.mydom.lu:636 (LDAP over SSL on port 636, so the parameter must be --starttls 0)
hscroot@hmc:~> chhmcldap -o s --primary ldaps://ldapserver1.mydom.lu:636 --basedn "OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu" --loginattribute sAMAccountName --automanage 1 --auth ldap --binddn "CN=ldap user,OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu" --bindpw "xxxxxxxxxxxx" --starttls 0

hscroot@hmc:~> lshmcldap -r config -v
primary=ldaps://ldapserver1.mydom.lu:636,backup=,"basedn=OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=sAMAccountName,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=CN=ldap user,OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=sub,tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never
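The lshmcldap output above is a comma-separated key=value record in which basedn and binddn are double-quoted because they contain commas. The following is an added example (not from the original page) that parses such a record and reports the settings worth checking before going live: the record shows ldaps:// with --starttls 0 (correct), but also tlsreqcert=never and an empty tlscacert, so the CA certificate uploaded with getfile is not actually being used to verify the server. It assumes tlsreqcert follows OpenLDAP TLS_REQCERT semantics.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed sample: the lshmcldap -r config -v record shown on this page.
SAMPLE = (
    'primary=ldaps://ldapserver1.mydom.lu:636,backup=,'
    '"basedn=OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu",'
    'timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=sAMAccountName,'
    'hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,'
    '"binddn=CN=ldap user,OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu",'
    'bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=sub,tlscacert=,'
    'hmcgroups=,authsearch=base,tlsreqcert=never'
)


def parse_hmc_record(line):
    """Parse one HMC key=value record into a dict.

    Fields are comma-separated; a field whose value itself contains commas
    (basedn, binddn) is wrapped in double quotes, which is exactly the CSV
    quoting rule, so the csv module does the splitting for us.
    """
    fields = next(csv.reader(io.StringIO(line.strip())))
    record = {}
    for field in fields:
        key, _, value = field.partition('=')   # split on the first '=' only
        record[key] = value
    return record


def audit_ldap_config(cfg):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    if urlparse(cfg.get('primary', '')).scheme != 'ldaps' and cfg.get('ssl') != '1':
        findings.append('bind credentials sent in clear text: primary is not ldaps:// and StartTLS is off')
    # Assumption: tlsreqcert uses OpenLDAP TLS_REQCERT values; never/allow skip certificate verification.
    if cfg.get('tlsreqcert') in ('never', 'allow'):
        findings.append('tlsreqcert=%s: LDAP server certificate is not verified' % cfg['tlsreqcert'])
    if not cfg.get('tlscacert'):
        findings.append('tlscacert is empty: no CA certificate assigned to validate the server')
    if cfg.get('bindpwset') != '1':
        findings.append('no bind password set')
    if not cfg.get('backup'):
        findings.append('no backup server: logins fail if the primary is unreachable')
    return findings


if __name__ == '__main__':
    for finding in audit_ldap_config(parse_hmc_record(SAMPLE)):
        print('WARN:', finding)
```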

Details:

Get LDAP Config:

Validate LDAP Configuration:

hscroot@hmc:~> lshmcldap -r user
name=user01,description=,remote_user_name=,user_properties=
name=user02,description=,remote_user_name=,user_properties=
name=user03,description=,remote_user_name=,user_properties=
name=user04,description=,remote_user_name=,user_properties=
...

Give rights to the different users

hscroot@hmc:~> mkhmcusr -i 'name=user01,taskrole=hmcsuperadmin,authentication_type=ldap,remote_webui_access=1,description=Myuser'

hscroot@hmc:~> lshmcusr
name=user01,taskrole=hmcsuperadmin,description=HMC User,pwage=99999,resourcerole=ALL:,authentication_type=ldap,remote_webui_access=1,remote_ssh_access=1,min_pwage=0,session_timeout=0,verify_timeout=15,idle_timeout=120,inactivity_expiration=0,resources=<ResourceID = ALL:><UserDefinedName = AllSystemResources>,disabled=0,passwd_authentication=0
...

Now try to log in on the Web UI, giving the user name without the domain prefix.

If it is not possible to register a user, try

hscroot@hmc:~> chhmcldap -o s --automanage 0
aix/hmc_ldap_ad.txt · Last modified: 2023/02/15 22:02 by manu