FusionServer G5500 Server iBMC (V300 or Later) User Guide 04

LDAP

Function Description

The LDAP page allows you to view and configure Lightweight Directory Access Protocol (LDAP) user information.

The iBMC provides an access function for LDAP users. An LDAP user can log in to the iBMC WebUI or use an SSH tool to log in to the iBMC CLI. Using a domain user account to access the iBMC improves system security.

On the LDAP server, DisplayName and CN must be the same.

The iBMC supports a maximum of six domain servers. During the login to the iBMC WebUI, the domain server can be manually specified or automatically searched. During the login to the iBMC CLI, the domain server is automatically searched.

NOTE:
The iBMC supports Windows Active Directory (AD) and Linux OpenLDAP.

GUI

Choose Configuration from the main menu, and select LDAP from the navigation tree.

The LDAP page is displayed.

Figure 3-21  LDAP page

Parameter Description

Table 3-42  Parameters on the LDAP page

Parameter

Description

LDAP

The LDAP function enables domain users to access the iBMC.

Click or , and click Save.

  • : enables the LDAP function.
  • : disables the LDAP function.

Domain Controller 1

The iBMC supports a maximum of six domain controllers (servers). When a user attempts to log in to iBMC WebUI through LDAP, the user can select the domain controller or Automatic matching.

Domain controllers 1 to 6 have the same parameters.

NOTE:
Parameters with asterisks (*) are mandatory.

Basic Parameters

Certificate Verification

Certificate verification of the LDAP server, which can be enabled or disabled.

Enable certificate verification for security purposes.

After certificate verification is enabled, you need to import the LDAP CA certificate, install the AD, DNS, and CA certificate issuer on the LDAP server, and import the CA certificate into the LDAP server and iBMC.

Certificate Verification Level

Level of the LDAP certificate verification.

  • demand: Reject the access to the iBMC if the client certificate is incorrect or no certificate is available. For security purposes, use the default option (Demand).
  • allow: Allow the access to the iBMC even if the client certificate is incorrect or no certificate is available.

Default value: demand

NOTE:

Only iBMC V316 and later versions support this parameter.

LDAP Server Address

LDAP server IP address.

Format: IPv4 or IPv6 address.

After certificate verification is enabled, set this parameter to the LDAP server FQDN (Host name.Domain name), and configure DNS address information on the Network page.

LDAPS Port

Port number for the LDAP service.

Value: an integer ranging from 1 to 65535

Default value: 636

Encrypted transmission is enabled by default. You need to perform related configurations on the LDAP server.

Domain

User domain to which an LDAP user defined in the domain controller belongs.

Value: a string of up to 255 characters

The value can contain letters, digits, and special characters.

Bind DN

Distinguished name (DN) of an LDAP proxy user.

For example, CN=username, OU=company, DC=domain, DC=com, which must be the same as the DN set on the LDAP server.

Value range: a string of 64 to 255 characters. The specific length varies with the number of bytes of each character.

Bind Password

Authentication password for the LDAP proxy user.

Base DN

Directory on the LDAP server of the LDAP group that can log in to the iBMC.

Format: "CN=xxx, CN=xxx,..." or "OU=xxx, OU=xxx,..."

The upper-level node follows the lower-level node.

For example, if the user infotest is in \testusers\part1 on the LDAP server, enter OU=part1, OU=testusers.

NOTE:
For details about the difference between CN and OU, see the detailed description of the LDAP protocol. For example, in Windows AD, the attribute of is CN, and the attribute of is OU.

Value range: a string of 64 to 255 characters. The specific length varies with the number of bytes of each character.

Current User Password

Password of the current user.

CA Certificate

Certificate

LDAP CA certificate in .cer, .pem, .cert, or .crt format.

NOTE:
  • The system takes longer to upload certificate files that exceed 100 MB in size. Refresh the page for the latest status.

  • The certificate chain of a maximum of 10 levels is supported.

Certificate Status

Status of the LDAP CA certificate, which can be imported or not imported.

Certificate Info

Certificate information.

For a certificate chain, Server Certificate > Intermediate Certificate > Root Certificate is displayed.

LDAP Groups

Adds an LDAP group.

Click to add an LDAP group.

Displays the region for configuring an existing LDAP group.

Modifies an LDAP group.

LDAP Group

Name of the LDAP group to which an LDAP user belongs.

Value range: a string of 64 to 255 characters. The specific length varies with the number of bytes of each character.

LDAP Group Folder

Directory on the LDAP server of the LDAP group that can log in to the iBMC.

Format: "CN=xxx, CN=xxx,..." or "OU=xxx, OU=xxx,..."

The upper-level node follows the lower-level node.

For example, if the LDAP group grouptest is in \testgroups\part1 on the LDAP server, enter OU=part1, OU=testgroups.

NOTE:
For details about the difference between CN and OU, see the detailed description of the LDAP protocol. For example, in Windows AD, the attribute of is CN, and the attribute of is OU.

Value range: a string of 64 to 255 characters. The specific length varies with the number of bytes of each character.

Role

Role assigned to an LDAP group.

Value: Administrator, Operator, Common user, or Custom Role.

Login Rule

Login rules that apply to the LDAP group.

Login Interface

Interfaces through which the LDAP group members can log in to iBMC.

Values:

  • Web: Users can use a web browser to log in to the iBMC WebUI.
  • SSH: Users can use an SSH tool (such as PuTTY) to log in to the iBMC CLI.
  • Redfish: Users can use a Redfish tool to log in to iBMC.
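
The constraints in the parameter table above can be checked before the values are entered on the LDAP page. The following Python script is an added example, not part of the Huawei guide and not an iBMC interface; the dictionary layout and the names lint_controller, folder_to_dn and is_ip are assumptions made for illustration, and the sample record is constructed.

```python
import ipaddress

# Limits and allowed values as stated in this section of the guide.
MAX_GROUPS = 5
ROLES = {"Administrator", "Operator", "Common user", "Custom Role"}
INTERFACES = {"Web", "SSH", "Redfish"}

def folder_to_dn(path, attr="OU"):
    """Convert a folder path such as \\testusers\\part1 to 'OU=part1, OU=testusers'.
    The lower-level node comes first and the upper-level node follows it."""
    parts = [p for p in path.split("\\") if p]
    return ", ".join(f"{attr}={p}" for p in reversed(parts))

def is_ip(address):
    """True if address parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False

def lint_controller(cfg):
    """Return findings for one domain controller. cfg is a hypothetical dict, not an iBMC format."""
    findings = []
    if not cfg.get("cert_verification", False):
        findings.append("certificate verification is disabled")
    else:
        if cfg.get("verify_level", "demand") != "demand":
            findings.append("verification level is not 'demand'")
        if is_ip(cfg.get("address", "")):
            findings.append("address is an IP; use the server FQDN with verification enabled")
        if not cfg.get("ca_cert_imported", False):
            findings.append("LDAP CA certificate has not been imported")
    if not 1 <= cfg.get("port", 636) <= 65535:
        findings.append("LDAPS port is outside 1-65535")
    groups = cfg.get("groups", [])
    if len(groups) > MAX_GROUPS:
        findings.append(f"more than {MAX_GROUPS} LDAP groups")
    for g in groups:
        if g.get("role") not in ROLES:
            findings.append(f"group {g.get('name')}: unknown role {g.get('role')!r}")
        bad = set(g.get("interfaces", [])) - INTERFACES
        if bad:
            findings.append(f"group {g.get('name')}: unknown interface {sorted(bad)}")
    return findings

# Constructed sample input (not taken from a real system).
SAMPLE = {"cert_verification": True, "verify_level": "allow", "address": "192.0.2.10",
          "port": 636, "ca_cert_imported": True,
          "groups": [{"name": "grouptest", "folder": folder_to_dn(r"\testgroups\part1"),
                      "role": "Operator", "interfaces": ["Web", "Telnet"]}]}
```

Calling lint_controller(SAMPLE) reports the allow verification level, the IP address used in place of an FQDN, and the unknown login interface.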

Procedure

iBMC supports a maximum of six domain servers. To configure a domain server, set LDAP controller parameters, import a root certificate, and add LDAP groups.

Enable LDAP and set LDAP controller parameters.

  1. On the menu bar, choose Configuration.
  2. In the navigation tree, choose LDAP.

    The LDAP page is displayed.

  3. Set LDAP Function to .
  4. Set LDAP controller parameters. For details about the parameters, see Table 3-42.
  5. Click Save.

    The message "Operation Successful" is displayed.

Import an LDAP CA certificate.

  1. In the CA Certificate area, click Browse next to Certificate and select an LDAP CA certificate.

  2. Click Upload.

    If the certificate is uploaded successfully, Certificate Status changes to The certificate has been uploaded. Click View Details to view the information about the imported certificate. For details about the parameters, see Table 3-43.

    Table 3-43  Parameters in the Import LDAP Root Certificate area

    Parameter

    Description

    Issued By

    Issuer of the LDAP certificate. Issued By and Issued To have the same parameters.

    Issued To

    User (current server) of an LDAP certificate, including:

    • CN: user name.
    • OU: department of the user.
    • O: company to which the user belongs.
    • L: city of the user.
    • S: state or province of the user.
    • C: country of the user.

    Valid From

    Date from which the LDAP certificate is valid.

    Valid To

    Date when the LDAP certificate will expire.

    Serial Number

    Serial number of the LDAP certificate, used for identifying and migrating the certificate.

Add an LDAP group.

You can add a maximum of five LDAP groups for the iBMC.

  1. In the LDAP Group area, click Add.

    The page for adding an LDAP group is displayed, as shown in Figure 3-22.

    Figure 3-22  Adding an LDAP group

    Table 3-44  Parameters for adding an LDAP group

    Parameter

    Description

    Current User Password

    Password of the user currently using the iBMC.

    LDAP Group

    Name of the LDAP group to which an LDAP user belongs.

    Value range: a string of 64 to 255 characters. The specific length varies with the number of bytes of each character.

    LDAP Group Folder

    Directory on the LDAP server of the LDAP group that can log in to the iBMC.

    Format: "CN=xxx, CN=xxx,..." or "OU=xxx, OU=xxx,..."

    The upper-level node follows the lower-level node.

    For example, if the LDAP group grouptest is in \testgroups\part1 on the LDAP server, enter OU=part1, OU=testgroups.

    NOTE:
    For details about the difference between CN and OU, see the detailed description of the LDAP protocol. For example, in Windows AD, the attribute of is CN, and the attribute of is OU.

    Value range: a string of 64 to 255 characters. The specific length varies with the number of bytes of each character.

    Login Rules

    Login rules that apply to the LDAP group.

    Login Interface

    Interfaces through which the LDAP group members can log in to iBMC.

    Values:

    • Web: Users can use a web browser to log in to the iBMC WebUI.
    • SSH: Users can use an SSH tool (such as PuTTY) to log in to the iBMC CLI.
    • Redfish: Users can use a Redfish tool to log in to iBMC.

    Role

    Role assigned to an LDAP group.

    Value: Administrator, Operator, Common user, or Custom Role.

  2. Set the LDAP group parameters.
  3. Click Save.

    Information about the new LDAP group is displayed in the LDAP group list.

Delete an LDAP group.

  1. In the LDAP group area, click for the LDAP group to be deleted.

    A dialog box is displayed, prompting you to enter the current user password.

  2. Enter the current user password.

Edit an LDAP group.

  1. In the LDAP group area, click for the LDAP group to be edited.
  2. Enter the current user password and modify the LDAP group parameters. For details about the parameters, see Table 3-44.
  3. Click Save.
Updated: 2018-10-31

Document ID: EDOC1100031438
