aix:hmc_ldap_ad [2022/04/04 15:23] manu created |
aix:hmc_ldap_ad [2023/02/15 22:02] (current) manu |
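--- a/aix:hmc_ldap_ad
+++ b/aix:hmc_ldap_ad
+====== HMC connection to AD / LDAP ======
+First remove the previous LDAP config
+<cli prompt='>'>
+hscroot@hmc:~> chhmcldap -o r -r ldap
+</cli>
+Add a CA certificate for AD LDAP (copy the certificate to /home/hscroot/ca2.mydom.cer
+<cli prompt='>'>
+hscroot@hmc:~> getfile -t ldapcacert -l l -f /home/hscroot/ca2.mydom.cer -a 'MYDOM_ca2.cer'
+</cli>
+
+Configure AD connexion: use this format
+ldaps://ldapserver1.mydom.lu:636 (so param must be --starttls 0)
+
+<cli prompt='>'>
+hscroot@hmc:~> chhmcldap -o s --primary ldaps://ldapserver1.mydom.lu:636 --basedn "OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu" --loginattribute sAMAccountName --automanage 1 --auth ldap --binddn "CN=ldap user,OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu" --bindpw "xxxxxxxxxxxx" --starttls 0 --automanage 0
+
+hscroot@hmc:~> lshmcldap -r config -v
+primary=ldaps://ldapserver1.mydom.lu:636,backup=,"basedn=OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu",timelimit=30,bindtimelimit=30,referrals=1,ssl=0,loginattribute=sAMAccountName,hmcauthnameattribute=userPrincipalName,hmcuserpropsattribute=description,"binddn=CN=ldap user,OU=Users,OU=Users & Groups,DC=mydom,DC=test,DC=lu",bindpwset=1,automanage=1,auth=ldap,searchfilter=,scope=sub,tlscacert=,hmcgroups=,authsearch=base,tlsreqcert=never
+
+Details:
+
+Get LDAP Config:
+
+Validate LDAP Configuration:
+
+hscroot@hmc:~> lshmcldap -r user
+name=user01,description=,remote_user_name=,user_properties=
+name=user02,description=,remote_user_name=,user_properties=
+name=user03,description=,remote_user_name=,user_properties=
+name=user04,description=,remote_user_name=,user_properties=
+...
+</cli>
+
+Give rights to the different users
+<cli prompt='>'>
+hscroot@hmc:~> mkhmcusr -i "name=user01,taskrole=hmcsuperadmin,authentication_type=ldap,remote_webui_access=1,description="Myuser""
+
+hscroot@hmc:~> lshmcusr
+name=user01,taskrole=hmcsuperadmin,description=HMC User,pwage=99999,resourcerole=ALL:,authentication_type=ldap,remote_webui_access=1,remote_ssh_access=1,min_pwage=0,session_timeout=0,verify_timeout=15,idle_timeout=120,inactivity_expiration=0,resources=<ResourceID = ALL:><UserDefinedName = AllSystemResources>,disabled=0,passwd_authentication=0
+...
+</cli>
+
+Now try a connection on the Web UI, without domain !
+
+If not possible to registryer a user, try
+<cli prompt='>'>
+hscroot@hmc:~> chhmcldap -o s --automanage 0
+</cli>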
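Review bot: The lshmcldap output on line 25 reports `tlscacert=` empty and `tlsreqcert=never`, so although a CA certificate is uploaded with getfile on line 15, the chhmcldap call on line 22 never references it and the LDAPS server certificate is effectively not validated, which leaves the bind DN and password exposed to a spoofed LDAP server despite the ldaps:// URL. The attribute names in that output suggest chhmcldap accepts matching tlscacert/tlsreqcert settings; confirm against the HMC chhmcldap man page and add a sentence after line 22 such as `Point the LDAP config at the uploaded CA and require certificate validation (tlsreqcert must not stay at never), then re-check with lshmcldap -r config -v`. Two smaller points on the same line 22: it passes both `--automanage 1` and `--automanage 0` (lshmcldap shows automanage=1), which should be reduced to one value, and `--bindpw` on the command line ends up in the shell history, which the page could mention. The mkhmcusr line on 43 nests `description="Myuser"` inside an already double-quoted `-i` string, which the shell will not parse as intended; single-quote the outer string or drop the inner quotes.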