Configuring remote authentication service with Lightweight Directory Access Protocol (LDAP) using the CLI

You can use the command-line interface (CLI) to configure the system to authenticate users against servers that implement the Lightweight Directory Access Protocol (LDAP), including IBM Security Services and Active Directory (AD).

  • Users on provisioned LDAP servers with IBMRBS permissions of Supervisor Access or Supervisor Role can log in to the system as Administrator, but cannot run the setlocale command.
  • All authentication commands and settings are disabled.
    • Automatically provisioned settings are not visible to the user and are not displayed by the lssystem or lsldapserver commands.
    • The chauthservice command is enabled.
All options on the system GUI LDAP page are disabled.
Tip: A superuser cannot be authenticated if the superuser is using a remote Lightweight Directory Access Protocol (LDAP server). However, other users can authenticate in this manner.

To enable user authentication with LDAP, follow these steps:

  1. Configure LDAP by issuing the chldap command.
    This command provides default settings for both Tivoli Directory Server and AD. To configure authentication with Tivoli Directory Server schema defaults and Transport Layer Security (TLS), for example, issue the following command: 
    chldap -type itds -security tls
    LDAP configuration can be inspected with the lsldap command.
    Note: TLS is recommended because transmitted passwords are encrypted.
  2. Specify the mkldapserver command to define up to six LDAP servers to use for authentication.
    Multiple servers can be configured to provide access to different sets of users or for redundancy. All servers must share the settings that are configured with chldap. To configure an LDAP server with a Secure Socket Layer (SSL) certificate and users in the cn=users,dc=company,dc=com subtree, for example, issue: 
    mkldapserver -ip 9.71.45.108 -basedn cn=users,dc=company,dc=com -sslcert /tmp/sslcert.pem

    You can also configure which servers are preferred to authenticate users.

    Specify lsldapserver for LDAP server configuration information. Specify chldapserver and rmldapserver to change the configured LDAP servers.

  3. Configure user groups on the system by matching those user groups that are used by the authentication service.
    For each group of interest that is known to the authentication service, a system user group must be created with the same name and with the remote setting enabled. If members of a group that is called sysadmins, for example, require the system administrator (admin) role, issue the following command: 
    mkusergrp -name sysadmins -remote -role Administrator

    If none of the user groups match a system user group, the user cannot access the system.

  4. Verify your LDAP configuration by using the testldapserver command.
    To test the connection to the LDAP servers, issue the command without any options. A user name can be supplied with or without a password to test for configuration errors. To process a full authentication attempt against each server, issue the following commands: 
    testldapserver -username username -password password
  5. Issue the following command to enable LDAP authentication: 
    chauthservice -type ldap -enable yes
  6. Configure users who do not require Secure Shell (SSH) key access.
    Delete system users who must use the remote authentication service and do not require SSH key access.
    Remember: A superuser cannot be deleted or use the remote authentication service.
  7. Configure users who require SSH key access.

    All system users who use the remote authentication service and require SSH key access must have remote settings that are enabled and a valid SSH key that is configured on the system.

Parent topic: Configuring remote authentication service using CLI