
Configuring and Using the TMM with LDAP / Active Directory

Lenovo ThinkServer

April 27, 2012 Version 1.0


Contents

Configuring and using the TMM with LDAP / Active Directory
Configuring the TMM to use LDAP
Configuring the LDAP Server
Configuring the LDAP Server Dynamically
Configuring the LDAP Server Manually
Configuring LDAP Search Parameters
Configuring Group Authentication
Binding to the LDAP Server
Configuring User Permissions


Configuring and using the TMM with LDAP / Active Directory

Using a Lightweight Directory Access Protocol (LDAP) server, the TMM can authenticate a user by querying an LDAP directory instead of using the local user repository in the TMM. LDAP can also be used to assign users to groups and require group authentication as well as user authentication. User authority levels can also be assigned using information found in the Directory.

When using LDAP to authenticate users, users must log in using the form:

[email protected]

Configuring the TMM to use LDAP

The TMM contains an LDAP client that provides user authentication through one or more LDAP servers.

The following describes the procedure to configure the TMM to use a Windows Server 2008 R2 Active Directory server.

After logging in to the TMM web interface, select “LDAP” from the navigation pane. The “LDAP Configuration Page” is displayed (see Figure 1).


Configuring the LDAP Server

The LDAP servers used can either be configured dynamically, or the configuration information can be specified manually.

Configuring the LDAP Server Dynamically

To dynamically discover the LDAP server, select the “Use DNS to find servers” checkbox. The TMM uses a DNS SRV record, as specified by RFC 2782, to locate the server (host name and port number). The following information is required:

• Domain Name for DNS SVR request

• Service Name

Specifying the Domain Name for DNS SVR request

The DNS SRV request that is sent to the DNS server must specify a domain name. The LDAP client determines where to get this domain name based on which option for the “Domain Source” is selected.

Ensure the DNS server address is configured in the network configuration.

Use Domain from Login: The LDAP client uses the domain name extracted from the login ID. For example, if the login ID is [email protected], the domain name is test.tmm.com. If the domain name cannot be obtained, the DNS SRV request will fail, causing the user authentication to fail.

Figure 2 - Use DNS to configure servers specifying domain source from login

Use Configured Search Domain: The LDAP client uses the domain name that is configured in the “Domain Name for DNS SVR request” parameter. When using this option, enter the domain name to use in the “Domain Name for DNS SVR request” field.


Figure 3 - Use DNS to configure servers preconfiguring domain source

Try Login Domain, then Configured: The LDAP client first attempts to extract the domain name from the login ID. If this is successful, this domain name is used in the DNS SRV request. If no domain name is present in the login ID, the LDAP client uses the configured Search Domain parameter as the domain name in the DNS SRV request. If nothing is configured, user authentication will fail.

Specifying the Service Name

The DNS SRV request that is sent to the DNS server must also specify a service name.

Service Name – The configured value is used. If nothing is entered in this field, the default value is ldap.
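As an added illustration (not code from the Lenovo guide), the following Python derives the DNS SRV name from the three “Domain Source” options above and orders the answers the way RFC 2782 prescribes. The login ID alice@test.tmm.com and the SRV record values are constructed for the example.

```python
import random
from collections import namedtuple

DEFAULT_SERVICE = "ldap"  # used when the "Service Name" field is left blank
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def domain_from_login(login_id):
    """Return the domain part of a user@domain login ID, or None if absent."""
    user, sep, domain = login_id.rpartition("@")
    return domain if sep and user and domain else None

def srv_query_name(login_id, configured_domain, domain_source, service=""):
    """Build the DNS SRV owner name (_service._tcp.domain) the client queries.
    domain_source is "login", "configured" or "login_then_configured", one per
    "Domain Source" option; ValueError means no domain was available, which
    the guide states causes the user authentication to fail."""
    login_domain = domain_from_login(login_id)
    if domain_source == "login":
        domain = login_domain
    elif domain_source == "configured":
        domain = configured_domain or None
    elif domain_source == "login_then_configured":
        domain = login_domain or configured_domain or None
    else:
        raise ValueError("unknown domain source: %r" % domain_source)
    if not domain:
        raise ValueError("no domain available for the DNS SRV request")
    return "_%s._tcp.%s" % (service or DEFAULT_SERVICE, domain)

def order_srv_targets(records, rng=None):
    """Order SRV answers as RFC 2782 prescribes: lowest priority first; within
    one priority, weighted random selection, with zero-weight records placed
    first so they are chosen only when the random value is 0."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    pool.remove(r)
                    ordered.append(r)
                    break
    return ordered
```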

Configuring the LDAP Server Manually

If the LDAP server information will be specified manually, deselect the “Use DNS to find servers” checkbox. Enter the fully qualified host name or IP address and port number for at least one and up to three domain controllers. The default port number is 389.


Base Domain Name – Specify the distinguished name (DN) of the root entry of the directory tree on the LDAP server that should be used as the base object for all authentication searches. For Active Directory, this must be entered in dc=domain, dc=com format. For OpenLDAP, use the format dc=domain.com.

UID Search Object Value – The initial bind to the LDAP server is followed by a search request that retrieves specific information about the user, including the distinguished name, login permissions, and group membership. The search request must specify the attribute name that is used to represent user IDs on that server. Specify the search attribute here. With Active Directory servers, this attribute name is usually sAMAccountName. With OpenLDAP servers, it is usually uid.

Figure 5 – “Base Domain Name” and “UID Search Object Value”
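An added example, not from the guide: building the post-bind user search filter from the user@domain login ID and the configured “UID Search Object Value”. Escaping the login name per RFC 4515 keeps characters such as * or ( from being read as filter syntax. Deriving the base DN from the login domain is an assumption of this example, since the guide has it entered as the configured “Base Domain Name” field.

```python
# Characters that carry meaning inside an LDAP filter value (RFC 4515)
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value so it is compared literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def split_login_id(login_id):
    """Split a user@domain login ID into (user, domain); both parts are required."""
    user, sep, domain = login_id.rpartition("@")
    if not (sep and user and domain):
        raise ValueError("login ID must be in user@domain form")
    return user, domain

def user_search_filter(login_id, uid_attribute="sAMAccountName"):
    """Filter for the search request that follows the bind. uid_attribute is
    the "UID Search Object Value": sAMAccountName for AD, uid for OpenLDAP."""
    user, _domain = split_login_id(login_id)
    return "(%s=%s)" % (uid_attribute, escape_filter_value(user))

def base_dn_from_domain(domain):
    """Active Directory base DN in dc=...,dc=... form. Deriving it from the
    login domain is this example's assumption; the guide configures it."""
    return ",".join("dc=%s" % label for label in domain.split("."))
```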

Configuring Group Authentication

A TMM can be associated with one or more directory groups, and a user will only be authenticated if the user also belongs to at least one group that is associated with the TMM. To use group authentication, the following fields are used:

Group Filter – When the Group Filter field is configured, it specifies the directory groups with which the TMM is associated, and authentication succeeds only if the user belongs to at least one of those groups. Nested groups are not supported. If the Group Filter field is left blank, group authentication is ignored.

The Group Filter can consist of one or more group names, and authentication will succeed if the user is a member of at least one of the groups listed. Comparison of group names is case sensitive.

Syntactically, group names must be separated by the colon (:) character. Leading and trailing spaces are ignored, but any other space is treated as part of the group name. Wildcards in the group name are allowed, although not in the first character position. For example, the group filter can be specified as a specific group name (GroupA) or a group name with a wildcard (Group*).

Figure 6 – LDAP Group Authentication specifying the user must be a member of either GroupB or GroupC

Group ID Attribute – this parameter specifies the attribute name that is used to identify the groups to which a user belongs. In Active Directory, this is usually memberOf.
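Added Python (not the TMM's own code) applying the Group Filter rules above to the values of a user's Group ID Attribute. It assumes memberOf holds group DNs and compares the leading CN against each filter entry; the DN values are constructed.

```python
import re

def parse_group_filter(group_filter):
    """Split the Group Filter on ':' into group-name patterns. Leading and
    trailing spaces are dropped, interior spaces are kept; a '*' in the first
    character position is rejected because the guide does not allow it."""
    names = []
    for raw in group_filter.split(":"):
        name = raw.strip()
        if not name:
            continue
        if name.startswith("*"):
            raise ValueError("wildcard not allowed in first position: %r" % name)
        names.append(name)
    return names

def _name_matches(pattern, group_name):
    """Case-sensitive comparison where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, group_name) is not None

def group_name_from_member_of(value):
    """Assumption: the Group ID Attribute (memberOf) holds group DNs and the
    group name is the leading CN value. Escaped commas in a CN are not handled."""
    first_rdn = value.split(",", 1)[0]
    attr, sep, name = first_rdn.partition("=")
    return name.strip() if sep and attr.strip().upper() == "CN" else value.strip()

def group_authentication_passes(group_filter, member_of_values):
    """True when the user may proceed: a blank filter (group authentication is
    ignored) or membership in at least one listed group. Nested groups are not
    expanded, matching the guide."""
    patterns = parse_group_filter(group_filter)
    if not patterns:
        return True
    groups = [group_name_from_member_of(v) for v in member_of_values]
    return any(_name_matches(p, g) for p in patterns for g in groups)
```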


Binding to the LDAP Server

Binding is the step where the LDAP server authenticates the client and, if the client is successfully authenticated, allows the client access to the LDAP server based on that client's privileges. These fields are required to authenticate with LDAP.

Binding Method – Before the LDAP server can be searched or queried, a bind request must be sent. This parameter controls how this initial bind to the LDAP server is performed. Choose one of the options from the “Binding Method” drop down box:

Use anonymous bind: Bind without a distinguished name (DN) or password. Because most servers do not allow anonymous search requests on specific user records, this option is not recommended.

Use Configured Credentials: If this method is selected, specify the “Client ID used with CC binding,” and the “Client Password used with CC binding.” The Client ID must be provided as a fully qualified domain (for example, [email protected]).

Figure 7 – Bind using configured credentials

Use Login Credentials: Bind with the credentials that are supplied during the login process. The user ID is provided as a fully qualified domain name.

Figure 8 – Bind using login credentials

Configuring User Permissions

Permissions define the role privileges the user has after login. The roles determined from the


Figure 9 – Configuring Active Directory User Permissions

Permissions cannot be stored at the group level.

The attribute value that represents the user permissions is interpreted according to the information in Table 1:

Role           Permission Value
Administrator  111111111
Operator       111110011
User           000000001

Table 1 - User Permission Values

The TMM LDAP client must be configured to identify the location in the user object where the permission information is stored.

Attribute to query permission in group – This field specifies the attribute name that is associated with login permissions. This attribute must be specified, or the login will fail.

Figure 10 – Attribute to query permissions
