LDAP

Atlas 900 Compute Node iBMC (V3.01.00.00 or Later) User Guide 09

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

LDAP

Function Description

The LDAP page allows you to view and configure Lightweight Directory Access Protocol (LDAP) user information.

The iBMC provides an access function for LDAP users. An LDAP user can log in to the iBMC WebUI or uses an SSH tool to log to in the iBMC CLI. Using a domain user account to access the iBMC improves system security.

On the LDAP server, DisplayName and CN must be the same.

The iBMC supports a maximum of six domain servers.

During the login to the iBMC WebUI, the domain server can be manually specified or automatically searched. During the login to the iBMC CLI, the domain server is automatically searched.

The iBMC supports Windows Active Directory (AD) and FreeIPA.

GUI

Choose User & Security > LDAP.

The LDAP page is displayed, as shown in Figure 3-38.

Figure 3-38 LDAP page
Click to enlarge

Parameter Description

Table 3-44 LDAP

Parameter	Description
LDAP	The LDAP function enables domain users to access the iBMC. : enables the LDAP function. : disables the LDAP function. NOTE: The security policies (password complexity check, password validity period, minimum password age, previous passwords disallowed, and inactive timelimit, and user lockout policy) configured on the authentication server apply to the LDAP users attempting to log in to the iBMC.
Controller 1 The iBMC supports a maximum of six domain controllers (servers). When a user attempts to log in to iBMC WebUI through LDAP, the user can select the domain controller or Automatic matching. Controllers 1 to 6 have the same parameters. NOTE: Parameters with asterisks (*) are mandatory.
Basic parameters
LDAP Server Address	LDAP server IP address. Format: an IPv4 or IPv6 address or a domain name After certificate verification is enabled, set this parameter to the LDAP server FQDN (Host name.Domain name), and configure DNS address information on the Network page. NOTE: The domain name must meet the following requirements: Contain 0 to 255 characters. Allow digits, letters, hyphens (-), and dots (.) only. Cannot start with a hyphen or dot, or end with a hyphen. Allow a maximum of 63 characters between any two dots.
LDAPS Port	Port number for the LDAP service. Value: an integer ranging from 1 to 65535 Default value: 636 NOTE: The iBMC supports LDAPS, but it does not support LDAP without SSL (port number: 389), so the LDAP server must have a trusted server certificate to prove its identity.
Domain	User domain to which an LDAP user defined in the domain controller belongs. The domain name must meet the following requirements: Contain 0 to 255 characters. Allow digits, letters, hyphens (-), and dots (.) only. Cannot start with a hyphen or dot, or end with a hyphen. Allow a maximum of 63 characters between any two dots.
Bind DN	Distinguished name (DN) of an LDAP proxy user. For example, CN=username,OU=company,DC=domain,DC=com, which must be the same as the DN set on the LDAP server. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
Bind Password	Authentication password for the LDAP proxy user. Value: a string of 1 to 20 characters, including digits, letters, and special characters
User Folder	Directory on the LDAP server of the LDAP user that can log in to the iBMC. Format: "CN=xxx" or "OU=xxx" When there are multiple levels of nodes, the upper-level node follows the lower-level node with a comma in between. For example, if the user infotest is in \testusers\part1 on the LDAP server, enter OU=part1,OU=testusers. NOTE: For details about the difference between CN and OU, see the description of the LDAP protocol. In Windows AD, for example, it is: CN if Type is Container. OU if Type is Organizational Unit. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
LDAP Certificate Verification	Certificate verification of the LDAP server, which can be enabled or disabled. Enable certificate verification for security purposes. After certificate verification is enabled, you need to import the LDAP CA certificate, install the AD, DNS, and CA certificate issuer on the LDAP server, and import the CA certificate into the LDAP server and iBMC. Default value: Disabled
Certificate Verification Level	Level of the LDAP certificate verification. Demand: Reject the access to the iBMC if the client certificate is incorrect or no certificate is available. For security purposes, use the default option (Demand). Allow: Allow the access to the iBMC even if the client certificate is incorrect or no certificate is available. Default value: Demand
LDAP Certificate	LDAP CA certificate in .cer, .pem, .cert, or .crt format. NOTE: The system takes longer to upload certificate files that exceed 100 MB in size. Refresh the page for the latest status. The certificate chain of a maximum of 10 levels is supported.
Certificate Info	Certificate information. For a certificate chain, Server Certificate > Intermediate Certificate > Root Certificate is displayed.
Current User Password	Password of the user for logging in to the iBMC.
LDAP User Group
Add	Adds an LDAP group.
	Displays the region for configuring an existing LDAP group.
	Modifies an LDAP group.
LDAP Group	Name of the LDAP group to which an LDAP user belongs. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
Role	Role assigned to an LDAP group. Administrator: Users assigned the Administrator role can perform all operations. Operator: Users with the Operator role can perform basic management, remote control, remote media, power control, query information, and configure their own data. Common User: Users assigned with the Common User role can query information and configure their own data. Custom Role: Users assigned Custom Role 1 to Custom Role 4 can perform the specified operations.
Login Interfaces	Interfaces through which the LDAP group members can log in to iBMC. Values: SSH: Users can use an SSH tool (such as PuTTY) to log in to the iBMC CLI. Web: The user can use a web browser to log in to the iBMC WebUI. Redfish: The user can use a Redfish tool to log in to iBMC.
Group Folder	Directory on the LDAP server of the LDAP group that can log in to the iBMC. Format: "CN=xxx" or "OU=xxx" When there are multiple levels of nodes, the upper-level node follows the lower-level node with a comma in between. For example, if the user infotest is in \testusers\part1 on the LDAP server, enter OU=part1,OU=testusers. NOTE: For details about the difference between CN and OU, see the description of the LDAP protocol. In Windows AD, for example, it is: CN if Type is Container. OU if Type is Organizational Unit. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
Login Rules	Login rules that apply to the LDAP group.

Enabling LDAP and Setting LDAP Controllers

Set LDAP to .
Set LDAP controller parameters. For details about the parameters, see Table 3-44.
Click Save.
The message "Operation Successful" is displayed.

Importing an LDAP Certificate

Click next to LDAP Certificate and select the LDAP certificate to be imported.

For security purposes, periodically update the certificate.

If "File uploaded successfully" is displayed, you can view the details about the uploaded certificate in the certificate information area. For details about the parameters, see Table 3-45.

Table 3-45 Certificate information

Parameter	Description
Issued By	Issuer of the LDAP certificate. Issued By and Issued To have the same parameters.
Issued To	User (current server) of an LDAP certificate, including: CN: user name. OU: department of the user. O: company to which the user belongs. L: city of the user. S: state or province of the user. C: country of the user.
Valid Period	Validity period of the LDAP certificate.
SN	Serial number of the LDAP certificate, used for identifying and migrating the certificate.
CRL	LDAP certificate revocation status. Configured: The certificate revocation file has been uploaded, and a certificate revocation verification will be performed when a TLS connection is set up. Unconfigured: The certificate revocation file is not uploaded.
CRL Validity Period	Validity period of the LDAP certificate revocation list (CRL). NOTE: If the CRL expires, the LDAP authentication function will be unavailable.

Uploading a CRL

The certificate revocation file is Base64-encoded and in *.crl format. It cannot exceed 100 KB.

Obtain a certificate revocation file from the CA.
In the Server Certificate Information area, click next to CRL.
Select the certificate revocation file.
Enter the password of the current login user and click OK.

Adding an LDAP Group

You can add a maximum of five LDAP groups for the iBMC.

In the LDAP User Group area, click Add.

The page for adding an LDAP group is displayed.

Table 3-46 Parameters for adding an LDAP group

Parameter	Description
LDAP Group Name	Name of the LDAP group to which an LDAP user belongs. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
LDAP Group Folder	Directory on the LDAP server of the LDAP group that can log in to the iBMC. Format: "CN=xxx" or "OU=xxx" When there are multiple levels of nodes, the upper-level node follows the lower-level node with a comma in between. For example, if the user infotest is in \testusers\part1 on the LDAP server, enter OU=part1,OU=testusers. NOTE: For details about the difference between CN and OU, see the description of the LDAP protocol. In Windows AD, for example, it is: CN if Type is Container. OU if Type is Organizational Unit. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
Role	Role assigned to an LDAP group. Value: Administrator, Operator, Common user, or Custom Role.
Login Rules	Login rules that apply to the LDAP group.
Login Interfaces	Interfaces through which the LDAP group members can log in to iBMC. Values: SSH: Users can use an SSH tool (such as PuTTY) to log in to the iBMC CLI. Web: The user can use a web browser to log in to the iBMC WebUI. Redfish: The user can use a Redfish tool to log in to iBMC.
Current User Password	Password of the user for logging in to the iBMC.

Set the LDAP group parameters.
Click Save.
Information about the new LDAP group is displayed in the LDAP group list.

Deleting an LDAP Group

In the LDAP group area, click for the LDAP group to be deleted.
A dialog box is displayed, prompting you to enter the current user password.
Enter the current user password.
Click OK.
The message "Operation Successful" is displayed.

Editing an LDAP Group

In the LDAP group area, click for the LDAP group to be edited.
Enter the current user password and modify the LDAP group parameters. For details about the parameters, see Table 3-46.
Click Save.

After the LDAP group information is modified or the LDAP group is deleted, users who have logged in to the KVM will not be automatically logged out of the system. To log out of these KVM users, go to the Online Users page and log out the users.

Function Description
GUI
Parameter Description
Enabling LDAP and Setting LDAP Controllers
Importing an LDAP Certificate
Uploading a CRL
Adding an LDAP Group
Deleting an LDAP Group
Editing an LDAP Group

Translation

简体中文

Download

Updated: 2023-08-04

Document ID: EDOC1100152759

Downloads: 101

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate