Using Active Directory Authentication with IBM BladeCenter

To enable an IBM BladeCenter to use Active Directory for authentication, use the following settings:

Firstly create a group in your Active Directory and add the people who need to access the IBM BladeCenter to this group.

Login to the BladeCenter Management Module

Under MM Control select Network Protocols

Go to the Domain Name System (DNS) section

If DNS is not already enabled, enable it and enter the addresses of your DNS servers.

Don’t forget to click on the SAVE button at the end of the Domain Name System (DNS) section. If you have made any changes then you will need to restart the Management Module.

Now scroll down to the Lightweight Directory Access Protocol (LDAP) Client section

Select “Use LDAP Servers for Authentication Only (with local authorization)”

Select “Use DNS to find LDAP Servers”

You should be able to leave your Active Directory forest name blank and just enter your domain name, e.g. your-company.local

Under Miscellaneous Parameters you can leave the Root DN blank and select “w/ Login Credentials” for the Binding method

Click on the SAVE button at the end of the Lightweight Directory Access Protocol (LDAP) Client section

Now select “Login Profiles” under “MM Control”

Go down to the Group Profiles section

Click “Add a group”

In the Group ID enter the distinguished name of the Active Directory group you created, e.g. CN=BladeAdmins,OU=Groups,DC=your-company,DC=local.
Note that there is a limit of 63 characters on the distinguished name, so if your group is nested several levels deep within your Active Directory you may not be able to use it, e.g. CN=BladeAdmins,OU=ServerTeam,OU=InformationTechnology,OU=UnitedKingdom,DC=your-company,DC=local is going to be too long. You can just use the Common Name of BladeAdmins, but this is not going to be as secure as using the distinguished name.
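The 63-character limit on the Group ID field is easy to hit with nested OUs, and a bare Common Name is the less precise fallback. The following check is an added example, not code from the original post or from IBM: it splits a distinguished name into its RDNs, reports whether it fits the field, how deeply nested it is, and which value to enter. The sample DNs are constructed from the ones quoted above; the function names and the 63-character constant are assumptions taken from this post, not from any IBM tool.

```python
"""Check an Active Directory group DN before entering it as a
BladeCenter Management Module Group ID (63-character limit).

Added example (not from the original post). MAX_GROUP_ID_LEN is the
limit stated in the post; the sample DNs below are constructed.
"""
from __future__ import annotations

import re

MAX_GROUP_ID_LEN = 63  # Group ID field limit as described in the post


def split_rdns(dn: str) -> list[str]:
    """Split a DN on commas that are not backslash-escaped (RFC 4514 style)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]


def check_group_id(group_id: str) -> dict:
    """Report whether group_id fits the field and how precise it is.

    length   -> character count that must stay within MAX_GROUP_ID_LEN
    usable   -> True when it fits
    full_dn  -> True when DC= components are present (a real DN, not a bare CN)
    ou_depth -> number of OU= components; nesting is what pushes DNs past 63
    cn       -> the CN value, used as the fallback when the DN is too long
    """
    rdns = split_rdns(group_id)
    return {
        "length": len(group_id),
        "usable": len(group_id) <= MAX_GROUP_ID_LEN,
        "full_dn": any(r.upper().startswith("DC=") for r in rdns),
        "ou_depth": sum(1 for r in rdns if r.upper().startswith("OU=")),
        "cn": next((r[3:] for r in rdns if r.upper().startswith("CN=")), None),
    }


def choose_group_id(dn: str) -> tuple[str, str]:
    """Prefer the full DN; fall back to the bare CN only when the DN is too long.

    Returns (value_to_enter, explanation). The post notes that the bare CN
    is less secure than the distinguished name, so the explanation says so.
    """
    report = check_group_id(dn)
    if report["usable"]:
        return dn, "full distinguished name fits in the 63-character field"
    if report["cn"] is None:
        raise ValueError("DN has no CN= component, nothing to fall back to")
    return report["cn"], (
        f"DN is {report['length']} characters (> {MAX_GROUP_ID_LEN}); "
        "falling back to the bare CN, which is less secure than the full DN"
    )


# Constructed sample DNs, mirroring the ones quoted in the post.
SHORT_DN = "CN=BladeAdmins,OU=Groups,DC=your-company,DC=local"
LONG_DN = ("CN=BladeAdmins,OU=ServerTeam,OU=InformationTechnology,"
           "OU=UnitedKingdom,DC=your-company,DC=local")

if __name__ == "__main__":
    for dn in (SHORT_DN, LONG_DN):
        value, why = choose_group_id(dn)
        print(f"{dn}\n  -> enter: {value}\n  -> {why}\n")
```

Run it before configuring a group: if it reports a fallback to the bare CN, consider moving the group to a shallower OU so the full distinguished name fits instead.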

Select the Role for the people in this group. If you just want to try this out so that your Server Administration Team can log in using their Active Directory accounts instead of the default username, select Supervisor; by default Supervisor has access to everything on the BladeCenter. Then click the SAVE button at the bottom. See more details below regarding roles.

Finally, under “Account Security Management” set “User authentication method” to “Local first, then LDAP”. This will still allow you to use the built-in accounts if your LDAP configuration stops working.

Now you will be able to log in to the BladeCenter Management Module with the users listed in the group you have configured. You do not need to enter the domain name, just the user ID and password, e.g. JohnDoe.

You can configure up to 16 different groups in the Group Profiles section with varying access. For example, you may want a group with full Supervisor access to everything, the Network Management Team may only require access to the I/O module configuration on the I/O Module bays that contain Ethernet modules, the Storage Administration Team may just need access to the I/O Module bays with Fibre Channel modules in them, and your front line help desk team may just need read access. You can also limit which blades each group has access to, so you may have a team who has access to the email blades and a team who has access to the database blades.

The Operator role gives the group read-only access; it will not allow the people in this group to use the Remote Control functionality of the blades. To give a group of users access to the Remote Control functionality without letting them change the BladeCenter configuration, select the Custom role and deselect all roles except “Blade remote presence”. Additionally, under the Scope section you can limit the blades this group has access to by clicking on blades in the Assigned column to unassign them. The “Blade remote presence” role does not allow the user to power the blades on or off; for this functionality also select the “Blade administration” role. The following table details the functionality provided by each of the roles.

Role required to change information or execute tasks (table columns):

  Supervisor
  Chassis User Account Management
  Blade Server Remote Presence
  Chassis Operator
  Chassis Administration
  Blade Administration
  I/O Module Administration
  Chassis Log Administration
  Chassis Configuration
  Blade Configuration
  I/O Module Configuration

Page (table rows):

  Monitors
    System Status
    Event Log (view)
    Event Log (clear or set log policy)
    LEDs
    Fuel Gauge
    Hardware VPD
    Firmware VPD

  Blade tasks
    Power/Restart
    Remote Control (remote console)
    Remote Control (virtual media)
    Firmware Update
    Configuration
    Serial Over LAN

  I/O-module tasks
    Admin/Power/Restart
    Configuration (see Note 1)
    Firmware Update

  MM control
    General Settings
    Login Profiles
    Global Login Settings
    Alerts (see Note 2)
    Port Assignments
    Network Interfaces
    Network Protocols
    Security
    Configuration File (backup)
    Configuration File (restore)
    Firmware Update
    Restore Defaults (see Note 3)
    Restart MM

(Only the row and column labels of the table survived extraction; the per-cell markings showing which role applies to which page are not present on this copy of the page.)

Notes:

  1. To send ping requests to an I/O module (Advanced Management link in I/O Module Tasks Configuration page), the I/O Module Administration, I/O Module Configuration, or I/O Module Operator role is required.
  2. For the BladeCenter T Management Module, the Supervisor or Chassis Administration role is required to reset filter detection under MM Control Alerts.
  3. For the MM Control Restore Defaults page, both the Chassis Administration and Chassis Configuration roles are required.

1 Response to Using Active Directory Authentication with IBM BladeCenter

  1. jihefge says:

    Thanks, thanks, thanks, thanks….. A thousand thanks ! This article saved my day !
