aix:hmc_ldap_ad [2022/04/04 15:23] manu created
aix:hmc_ldap_ad [2023/02/15 22:02] (current) manu
====== HMC connection to AD / LDAP ======

First remove any previous LDAP configuration:
<cli prompt='>'>
hscroot@hmc:~> chhmcldap -o r -r ldap
</cli>
  
Add the CA certificate of the AD LDAP server (copy the certificate to /home/hscroot/ca2.mydom.cer first):
<cli prompt='>'>
hscroot@hmc:~> getfile -t ldapcacert -l l -f /home/hscroot/ca2.mydom.cer -a 'MYDOM_ca2.cer'
</cli>
  

Configure the AD connection. Use this URL format:
  ldaps://ldapserver1.mydom.lu:636 (so the --starttls parameter must be 0: LDAPS on port 636 already encrypts the session and does not use StartTLS)

<cli prompt='>'>
hscroot@hmc:~> chhmcldap -o s --primary ldaps://ldapserver1.mydom.lu:636 --basedn "OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu" --loginattribute sAMAccountName --automanage 1 --auth ldap --binddn "CN=ldap user,OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu" --bindpw "xxxxxxxxxxxx" --starttls 0
</cli>

Details: get the LDAP config

<cli prompt='>'>
hscroot@hmc:~> lshmcldap -r config -v
primary=ldaps://ldapserver1.mydom.lu:636,backup=,"basedn=OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=sAMAccountName,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=CN=ldap user,OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=sub,tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never
</cli>

Note that in this output tlscacert= is empty and tlsreqcert=never: as with the OpenLDAP setting of the same name, never means the HMC does not check the directory server's certificate, so the CA uploaded above is not actually used to authenticate the server. The LDAPS channel is encrypted but the server is not verified; review the tlscacert and tlsreqcert settings before relying on this setup.

Validate the LDAP configuration by listing the users the HMC can see in the directory:

<cli prompt='>'>
hscroot@hmc:~> lshmcldap -r user
name=user01,description=,remote_user_name=,user_properties=
name=user02,description=,remote_user_name=,user_properties=
name=user03,description=,remote_user_name=,user_properties=
name=user04,description=,remote_user_name=,user_properties=
...
</cli>
 +
Grant a role to each user (every directory user who should log in also needs an HMC user with authentication_type=ldap):
<cli prompt='>'>
hscroot@hmc:~> mkhmcusr -i "name=user01,taskrole=hmcsuperadmin,authentication_type=ldap,remote_webui_access=1,description=Myuser"

hscroot@hmc:~> lshmcusr
name=user01,taskrole=hmcsuperadmin,description=HMC User,pwage=99999,resourcerole=ALL:,authentication_type=ldap,remote_webui_access=1,remote_ssh_access=1,min_pwage=0,session_timeout=0,verify_timeout=15,idle_timeout=120,inactivity_expiration=0,resources=<ResourceID = ALL:><UserDefinedName = AllSystemResources>,disabled=0,passwd_authentication=0
...
</cli>
 +
Now try a login on the Web UI with the bare user name, without the domain!

If it is not possible to register a user, try:
<cli prompt='>'>
hscroot@hmc:~> chhmcldap -o s --automanage 0
</cli>
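As an added example (not part of the original page and not HMC code), the following Python script audits saved output of lshmcldap -r config -v and lshmcusr from an admin workstation, so the settings checked by eye above can be checked the same way on every HMC. Both sample records are constructed from the output shown on this page; the expectation that tlsreqcert should be demand, and the reading of ssl= as the --starttls value, are assumptions drawn from the page and from the OpenLDAP meaning of tls_reqcert.

```python
"""Audit HMC LDAP settings from `lshmcldap -r config -v` and `lshmcusr` output.

Added example for this page, not HMC code. It runs offline against saved
command output; the two sample records are constructed from the output
shown on the page (the HMC never prints the bind password).
"""
import csv
import io
from urllib.parse import urlparse

# Constructed sample: the config record shown on the page.
SAMPLE_CONFIG = (
    'primary=ldaps://ldapserver1.mydom.lu:636,backup=,'
    '"basedn=OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu",'
    'timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=sAMAccountName,'
    'hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,'
    '"binddn=CN=ldap user,OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu",'
    'bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=sub,tlscacert=,'
    'hmcgroups=,authsearch=base,tlsreqcert=never'
)

# Constructed sample: one user record in the `lshmcusr` format shown on the page.
SAMPLE_USER = (
    'name=user01,taskrole=hmcsuperadmin,description=HMC User,pwage=99999,'
    'resourcerole=ALL:,authentication_type=ldap,remote_webui_access=1,'
    'remote_ssh_access=1,min_pwage=0,session_timeout=0,verify_timeout=15,'
    'idle_timeout=120,inactivity_expiration=0,'
    'resources=<ResourceID = ALL:><UserDefinedName = AllSystemResources>,'
    'disabled=0,passwd_authentication=0'
)


def parse_hmc_record(line):
    """Split one HMC key=value record into a dict.

    The HMC quotes a field whose value contains commas together with its key
    ("basedn=OU=Users,OU=..."), which is exactly what the csv module undoes.
    """
    fields = next(csv.reader(io.StringIO(line)))
    record = {}
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        record[key] = value
    return record


def audit_ldap_config(record):
    """Return a list of findings for one parsed config record (empty = clean)."""
    findings = []
    for role in ("primary", "backup"):
        url = record.get(role, "")
        if not url:
            continue
        scheme = urlparse(url).scheme
        # Assumption: ssl= in the output mirrors the --starttls value used on the page.
        if scheme == "ldap" and record.get("ssl") != "1":
            findings.append(f"{role}: ldap:// without StartTLS, bind credentials cross the wire in clear text")
        elif scheme == "ldaps" and record.get("ssl") == "1":
            findings.append(f"{role}: ldaps:// already encrypts, StartTLS on top of it is inconsistent")
        elif scheme not in ("ldap", "ldaps"):
            findings.append(f"{role}: unexpected URL scheme {scheme!r}")
    if not record.get("backup"):
        findings.append("backup: no secondary server, directory logins depend on a single host")
    # Assumption: as in OpenLDAP, tlsreqcert=demand is the value that rejects an
    # unverifiable server certificate; never skips the check entirely.
    if record.get("tlsreqcert") != "demand":
        findings.append(f"tlsreqcert={record.get('tlsreqcert')!r}: the LDAP server certificate is not enforced")
    if not record.get("tlscacert"):
        findings.append("tlscacert: empty, no CA certificate is bound to the LDAP configuration")
    if record.get("binddn") and record.get("bindpwset") != "1":
        findings.append("binddn set but bindpwset=0: the service bind has no password")
    return findings


def audit_hmc_user(record):
    """Least-privilege review of one `lshmcusr` record."""
    findings = []
    if record.get("authentication_type") == "ldap" and record.get("taskrole") == "hmcsuperadmin":
        findings.append(f"{record.get('name')}: directory account holds hmcsuperadmin, confirm it needs full control")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_config(parse_hmc_record(SAMPLE_CONFIG)):
        print("CONFIG:", finding)
    for finding in audit_hmc_user(parse_hmc_record(SAMPLE_USER)):
        print("USER:", finding)
```

Run against the page's own configuration, the script reports the missing backup server, tlsreqcert=never and the empty tlscacert; feeding it real output (for example `ssh hscroot@hmc lshmcldap -r config -v > hmc.txt`) is a matter of reading the lines from the file instead of the constructed samples.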
  
aix/hmc_ldap_ad.1649078616.txt.gz · Last modified: 2022/04/04 15:23 by manu