You can use the management GUI or the command-line interface (CLI) to configure remote
authentication with Lightweight Directory Access Protocol (LDAP).
Remote authentication allows users to authenticate to the system using credentials stored on an external authentication service. When you configure remote authentication, you do not need to configure users on the system or assign additional passwords. Instead, you can use the existing passwords and user groups that are defined on the remote service to simplify user management and access, to enforce password policies more efficiently, and to separate user management from storage management.
A remote user is authenticated on a remote service with either IBM® Security Services or Lightweight Directory Access Protocol (LDAPv3) support. A remote user does not need local authentication methods. With IBM® Security Services, both a password and an SSH key are required to use the command-line interface. With LDAP, a password and SSH key are not necessary, although SSH keys can optionally be configured. Remote users who need to access the system when the remote service is down also need to configure local credentials. Remote users have their groups defined by the remote authentication service.
Configuring remote authentication with LDAP using the management GUI
To configure remote authentication with LDAP, complete these steps:
- In the management GUI, select .
- Select .
- Select LDAP.
- Select the type of LDAP server that is used for authentication.
- Select one of the following security options:
- Transport Layer Security (TLS)
- Select this option to configure extensions that upgrade the standard LDAP port (389) to an
encrypted port that uses TLS. The initial connection to the directory server is unencrypted but can
be used on systems that do not have port 636 available.
- Secure Sockets Layer (SSL)
- Select this option to secure LDAP communication by using the default secure port (636). The
connections for all transactions with the directory server are encrypted.
- None
- Select this option to transport data in clear text format without encryption.
- Specify optional service credentials or modify advanced LDAP settings. The following LDAP
attributes can be configured:
- User attribute
- For all server types, users are authenticated with a user name that is defined with the LDAP
user attribute. This attribute must exist in your LDAP schema and must be unique for each of your
users. Active Directory users can also authenticate by using their user principal names (UPN) or NT
login names.
- Group attribute
- Authenticated users are assigned roles according to their LDAP group memberships. The groups to
which a user belongs are stored in the LDAP group attribute. This attribute value can be the
distinguished name of each group, or a colon-separated list of user group names.
- Audit log attribute
- If an LDAP user performs an audited action, the contents of the audit log attribute are recorded
in the audit log.
- Define up to six LDAP servers to use for authentication. Multiple servers can be configured to
provide access to different sets of users or for redundancy. You can also configure which servers
are preferred to authenticate users.
- Verify your LDAP configuration. To test the connection to the LDAP servers, select . To test authentication to the LDAP servers, select and enter corresponding credentials for the user.
- To enforce remote authentication, users who are configured on the system must be identified as
remote users or be deleted from the system. LDAP users who are not defined on the system are able to
access the management GUI and command-line interface (CLI) by using password authentication.
However, users who require access without a password must configure a Secure Shell (SSH) key on the
system. To configure a remote user for SSH key access, complete these steps:
- Select .
- Select New User or change an existing user by selecting .
- Select the remote authentication mode. If you require command-line access without entering a password, provide an SSH public key.
To delete a user from the system, complete these steps:
- Select .
- Right-click the user and select .
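The group attribute values described above (the distinguished name of each group, or a colon-separated list of group names) decide which system user group, and therefore which role, a remote user receives; a user whose LDAP groups match no remote-enabled system user group is denied access. The following POSIX shell script is an added example and not part of the product documentation: it parses attribute values in both forms and matches them against a constructed table of remote-enabled system user groups. The group names, the role assignments (sysadmins with the Administrator role, storageops with the Monitor role) and the sample DNs are constructed, the DN parsing takes only the leading cn= component and does not handle escaped commas, and the table assumes single-word group names.

```shell
#!/bin/sh
# Added example (not from the product documentation): derive the system role
# of a remote user from the value(s) of the LDAP group attribute, using the
# two value forms the page describes (group DNs, or a colon-separated list of
# group names) and the rule that a remote-enabled system user group with the
# same name must exist, otherwise the user cannot access the system.

# Constructed sample of remote-enabled system user groups ("name role"), as
# created with: mkusergrp -name <name> -remote -role <role>
# Role names must be roles the system defines; these two are sample entries.
SYSTEM_GROUPS='sysadmins Administrator
storageops Monitor'

# Read LDAP group attribute values on stdin, one value per line, and print one
# group name per line. A value containing "=" is treated as a distinguished
# name and its leading cn= component is taken as the group name (escaped
# commas are not handled); any other value is split on ":" into group names.
ldap_group_names() {
    while IFS= read -r value; do
        case "$value" in
            *=*) printf '%s\n' "$value" | sed -n 's/^[cC][nN]=\([^,]*\).*/\1/p' ;;
            '')  ;;
            *)   printf '%s\n' "$value" | tr ':' '\n' ;;
        esac
    done
}

# Print "group role" for every LDAP group that matches a remote-enabled system
# user group. Exit status is 1 (access denied) when nothing matches. Which role
# applies when several groups match is not specified on this page, so all
# matches are reported.
resolve_role() {
    ldap_group_names | {
        found=0
        while IFS= read -r name; do
            role=$(printf '%s\n' "$SYSTEM_GROUPS" | awk -v g="$name" '$1 == g { print $2 }')
            if [ -n "$role" ]; then
                printf '%s %s\n' "$name" "$role"
                found=1
            fi
        done
        [ "$found" -eq 1 ]
    }
}

# Constructed sample: one user with a DN-valued attribute, one with a
# colon-separated list, one with no matching group.
printf 'CN=sysadmins,OU=Groups,DC=company,DC=com\n' | resolve_role
printf 'storageops:guests\n' | resolve_role
printf 'cn=guests,dc=company,dc=com\n' | resolve_role || echo "guests: no matching system user group, access denied"
```

The exact-name match mirrors the requirement that the system user group be created "with the same name"; if your directory returns group names in a different case than the system user group names, the user is denied access, which the testldapserver step makes visible before authentication is enabled.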
Configuring remote authentication with LDAP using the command-line interface
To enable user authentication with LDAP by using the command-line interface, follow these steps:
- Configure LDAP by entering the chldap command.
This command provides default settings for both Tivoli Directory Server and AD. To configure authentication with Tivoli Directory Server schema defaults and Transport Layer Security (TLS), for example, enter the following command:
chldap -type itds -security tls
LDAP configuration can be inspected with the lsldap command.
Note: Use TLS so that transmitted passwords are encrypted.
- Specify the mkldapserver command to define up to six LDAP servers to use for
authentication.
Multiple servers can be configured to provide access to different sets of users or
for redundancy. All servers must share the settings that are configured with
chldap. To configure an LDAP server with an SSL certificate and users in the
cn=users,dc=company,dc=com subtree, for example, enter the following command:
mkldapserver -ip 9.71.45.108 -basedn cn=users,dc=company,dc=com -sslcert /tmp/sslcert.pem
You can also configure which servers are preferred to authenticate users. Specify lsldapserver for LDAP server configuration information. Specify chldapserver and rmldapserver to change the configured LDAP servers.
- Configure user groups on the system by matching those user groups that are used by the
authentication service.
For each group of interest that is known to the authentication service, a
system user group must be created with the same name and with the remote setting enabled. If members
of a group that is called sysadmins, for example, require the system administrator
(admin) role, enter the following command:
mkusergrp -name sysadmins -remote -role Administrator
If none of the user groups match a system user group, the user cannot access the
system.
- Verify your LDAP configuration by using the testldapserver command.
To test the connection to the LDAP servers, enter the command without any options. A user name can be supplied with or without a password to test for configuration errors. To process a full authentication attempt against each server, enter the following command:
testldapserver -username username -password password
- Enter the following command to enable LDAP authentication:
chauthservice -type ldap -enable yes
- Configure users who do not require Secure Shell (SSH) key access.
Delete system users who must use the remote authentication service and do not require SSH key access.
Remember: A superuser cannot be deleted or use the remote authentication service.
- Configure users who require SSH key access.
All system users who use the remote authentication
service and require SSH key access must have remote settings that are enabled and a valid SSH key
that is configured on the system.
- Specify the type of security to use when communicating with LDAP servers (the -security parameter of chldap, as in the chldap example above). Specify tls to enable TLS. Select this option to configure extensions that upgrade the standard LDAP port (389) to an encrypted port that uses TLS. The initial connection to the directory server is unencrypted but can be used on systems that do not have port 636 available. Specify ssl to enable SSL security. This option secures LDAP communication by using the default secure port (636). The connections for all transactions with the directory server are encrypted. The default value is none, which transports data in clear text without encryption.
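The CLI procedure above, assembled into one POSIX shell script as an added example (not code from the product documentation). It assumes the system CLI is reached over SSH as the superuser at a placeholder address, reuses the server address, base DN, certificate path and group name from the examples above, runs the steps in the documented order, stops at the first failing step so that authentication is never enabled after a failed server test, and refuses -security none so that bind passwords are not sent in clear text.

```shell
#!/bin/sh
# Added example (not from the product documentation): run the LDAP CLI
# procedure in order over SSH, refusing the unencrypted (-security none)
# setting per the note that TLS keeps transmitted passwords encrypted.
# Assumptions: placeholder system address; DRY_RUN=1 (the default) prints the
# commands instead of sending them.

SYSTEM="superuser@storage.example.invalid"   # placeholder management address
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands only

# Accept tls or ssl (both encrypt the directory connection); reject none and
# anything else. Returns 0 when the setting is acceptable.
ldap_security_ok() {
    case "$1" in
        tls|ssl) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the procedure's commands, one per line, in the documented order:
# chldap, mkldapserver, mkusergrp, testldapserver, chauthservice.
# Arguments: security (tls|ssl), server IP, base DN, certificate path.
ldap_setup_commands() {
    sec="$1"; srv_ip="$2"; basedn="$3"; cert="$4"
    ldap_security_ok "$sec" || { echo "refusing -security $sec: credentials would be sent in clear text" >&2; return 1; }
    cat <<EOF
chldap -type itds -security $sec
mkldapserver -ip $srv_ip -basedn $basedn -sslcert $cert
mkusergrp -name sysadmins -remote -role Administrator
testldapserver
chauthservice -type ldap -enable yes
EOF
}

# Send each command line to the system CLI (or print it in dry-run mode).
# Stops at the first failure, so chauthservice is never reached when an
# earlier step such as testldapserver fails.
run_cli() {
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '[dry-run] %s\n' "$cmd"
        else
            ssh "$SYSTEM" "$cmd" || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

# Values below are the page's own example values; 9.71.45.108 is the
# documented sample LDAP server address, not a real target.
ldap_setup_commands tls 9.71.45.108 cn=users,dc=company,dc=com /tmp/sslcert.pem | run_cli
```

Run with DRY_RUN=0 once the printed sequence looks right; a full authentication test (testldapserver -username ... -password ...) can be added between the connection test and chauthservice when you want to confirm the group mapping for a specific account before enabling LDAP.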