IMC administrator / operators can be externally authenticated via LDAP or Radius. Combine LDAP authentication and a Active Directory and you get and easy way to authenticate your IMC administrators.
LDAP is relatively easy to setup if you´re using the basic configuration without encryption (SSL). While an easy and quick setup is nice now and then I will also go through the setup of LDAP over SSL authentication. In my opinion using encryption is crucial because passwords and usernames in cleartext over the wire isn´t exactly best practice.
In this post I will go through the following steps:
- Setup basic operator LDAP authentication.
- Enable SSL authentication.
Part 1: Setup basic operator LDAP authentication.
First we need to define an LDAP operator account in AD. IMC will use this account to do LDAP lookups. Grab hold of your favorite AD administrator or do it yourself. The user only needs to be member of the “domain user” group and nothing more. In this example I will use the account name “imc-operator-ldap”.
Next we need to find the full DN of the user where we will use the command “dsquery”:
:\Users\imc-operator-ldap>dsquery user -name imc* "CN=imc-operator-ldap,CN=Users,DC=hp-lab,DC=local"
We can now use this information to configure the LDAP server in IMC:
- Server type : Microsoft Active Directory.
- Server Address: The IP adress of your AD server.
- Server Port: 389 for basic authentication and 636 for SSL.
- Base DN: This is the base search level for your operator user. In this case we take the following from our dsquery “DC=hp-lab,DC=local”.
- Admin DN: This is the full DN of your IMC operator. In this case we take the following from our dsquery “CN=imc-operator-ldap,CN=Users,DC=hp-lab,DC=local”
- Admin password: The password of the IMC operator AD user.
- Username attribute: Leave this at standard.
Define IMC user operator
With the LDAP server configured we now need to configure the actual administrative user which we will log on to IMC with.
First configure the AD user. This is a trivial task which I will not cover in this post.
Next we will configure the user in IMC:
- Login name: The same as the AD account login name.
- Full name: The same as the Login name.
- Authentication type: LDAP.
You can leave the rest as per standard.
Now you can verify the configuration by loggin in with your new operator login!
Step 2: Configure LDAP over SSL
For this step we need the following things:
- CA server certificate in base64 format.
- Configure SSL over LDAP in IMC.
The easiest way of grabbing the CA certificate is pointing your favorite webbrowser to the following: “http://ip-address-of-your-ca/certsrv”. Next choose “Download a CA certificate, certificate chain, or CRL” and click on “Base64”. Download the certificate file by choosing “Download CA certificate”.
To finalize the configuration go to the LDAP config under IMC again:
- Server port: 636.
- Select “Requires Security Connection (SSL).
- Click on “Authentication File Configure” and upload the Base64 CA certificate.
And that´s it! Verify by logging in with your AD credential.