You must log in as a user with admin privileges to configure or modify local user accounts.
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the Admin tab, click User Management.
Step 3
In the User Management pane, click the Local User tab.
Step 4
To configure or modify a local user account, click a row.
Step 5
In the User Details dialog box, update the following properties:
Name
Description
ID column
The unique identifier for the user.
Enabled check box
If checked, the user is enabled on the CIMC.
Username column
The username for the user.
Role column
The role assigned to the user. This can be one of the following:
read-only—A user with this role can view information but cannot make any changes.
user—A user with this role can perform the following tasks:
View all information
Manage the power control options such as power on, power cycle, and power off
Launch the KVM console and virtual media
Clear all logs
Toggle the locator LED
admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.
Step 6
Enter password information.
Step 7
Click Save Changes.
LDAP Servers
CIMC supports directory services that organize information in a directory, and manage access to this information. CIMC supports Lightweight Directory Access Protocol (LDAP), which stores and maintains directory information in a network. In addition, CIMC supports Microsoft Active Directory (AD). Active Directory is a technology that
provides a variety of network services including LDAP-like directory services, Kerberos-based authentication, and DNS-based naming. The CIMC utilizes the Kerberos-based authentication service of LDAP.
When LDAP is enabled in the CIMC, user authentication and role authorization is performed by the LDAP server for user accounts not found in the local user database. The LDAP user authentication format is username@domain.com.
By checking the Enable Encryption check box in the LDAP Settings area, you can require the server to encrypt data sent to the LDAP server.
The CIMC can be configured to use LDAP for user authentication and authorization. To use LDAP, configure users with an attribute that holds the user role and locale information for the CIMC. You can use an existing LDAP attribute that is mapped to the CIMC user roles and locales or you can modify the LDAP schema to add a new custom attribute, such as the CiscoAVPair attribute, which has an attribute ID of 1.3.6.1.4.1.9.287247.1.
This example creates a custom attribute named CiscoAVPair, but you can also use an existing LDAP attribute that is mapped to the CIMC user roles and locales.
The following steps must be performed on the LDAP server.
Procedure
Step 1
Ensure that the LDAP schema snap-in is installed.
Step 2
Using the schema snap-in, add a new attribute with the following properties:
Properties
Value
Common Name
CiscoAVPair
LDAP Display Name
CiscoAVPair
Unique X500 Object ID
1.3.6.1.4.1.9.287247.1
Description
CiscoAVPair
Syntax
Case Sensitive String
Step 3
Add the CiscoAVPair attribute to the user class using the snap-in:
Expand the Classes node in the left pane and type U to select the user class.
Click the Attributes tab and click Add.
Type C to select the CiscoAVPair attribute.
Click OK.
Step 4
Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to CIMC:
Configuring LDAP Settings and Group Authorization in CIMC
Before You Begin
You must log in as a user with admin privileges to perform this task.
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the Admin tab, click User Management.
Step 3
In the User Management pane, click the LDAP tab.
Step 4
In the LDAP Settings area, update the following properties:
Name
Description
Enable LDAP check box
If checked, user authentication and role authorization is performed first by the LDAP server, followed by user accounts that are not found in the local user database.
Base DN
Base Distinguished Name. This field describes where to load users and groups from.
It must be in the dc=domain,dc=com format for Active Directory servers.
Domain
The IPv4 domain that all users must be in.
This field is required unless you specify at least one Global
Catalog server address.
Enable Encryption
If checked, the server encrypts all information it sends to the LDAP server.
Timeout (0 - 1800) seconds
The number of seconds the CIMC waits until the LDAP search operation times out.
If the search operation times out, CIMC tries to connect to the next server listed on this tab, if one is available.
Note
The value you specify for this field could impact the overall time.
Step 5
In the Configure LDAP Servers area, update the following properties:
Name
Description
Pre-Configure LDAP Servers radio button
If checked, the Active Directory uses the pre-configured LDAP servers.
LDAP Servers fields
Server
The IP address of the 6 LDAP servers.
If you are using Active Directory for LDAP, then servers 1, 2 and 3 are domain controllers, while servers 4, 5 and 6 are Global Catalogs. If you are not Active Directory for LDAP, then you can configure a maximum of 6 LDAP servers.
Note
You can provide the IP address of the host name as well.
Port
The port numbers for the servers.
If you are using Active Directory for LDAP, then for servers 1, 2 and 3, which are domain controllers, the default port number is 389. For servers 4, 5 and 6, which are Global Catalogs, the default port number is 3268.
LDAPS communication occurs over the TCP 636 port. LDAPS communication to a global catalog server occurs over TCP 3269 port.
Use DNS to Configure LDAP Servers radio button
If checked, you can use DNS to configure access to the LDAP servers.
DNS Parameters fields
Source:
Specifies how to obtain the domain name used for the DNS SRV request. It can be one of the following:
Extracted—specifies using domain name extracted-domain from the login ID
Configured—specifies using the configured-search domain.
Configured-Extracted—specifies using the domain name extracted from the login ID than the configured-search domain.
Domain to Search:
A configured domain name that acts as a source for a DNS query.
This field is disabled if the source is specified as Extracted.
Forest to Search:
A configured forest name that acts as a source for a DNS query.
This field is disabled if the source is specified as Extracted.
Step 6
In the Binding Parameters area, update the following properties:
Name
Description
Method
It can be one of the following:
Anonymous—requires NULL username and password. If this option is selected and the LDAP server is configured for Anonymous logins, then the user can gain access.
Configured Credentials—requires a known set of credentials to be specified for the initial bind process. If the initial bind process succeeds, then the distinguished name (DN) of the user name is queried and re-used for the re-binding process. If the re-binding process fails, then the user is denied access.
Login Credentials—requires the user credentials. If the bind process fails, the user is denied access.
By default, the Login Credentials option is selected.
Binding DN:
The distinguished name (DN) of the user. This field is editable only if you have selected Configured Credentials option as the binding method.
Password:
The password of the user. This field is editable only if you have selected Configured Credentials option as the binding method.
Step 7
In the Search Parameters area, update the following fields:
Name
Description
Filter Attribute:
This field must match the configured attribute in the schema on the LDAP server.
By default, this field displays sAMAccountName.
Group Attribute:
This field must match the configured attribute in the schema on the LDAP server.
By default, this field displays memberOf.
Attribute:
An LDAP attribute that contains the role and locale information for the user. This property is always a name-value pair. The system queries the
user record for the value that matches this attribute name.
The LDAP attribute can use an existing LDAP attribute that is mapped to the CIMC user roles and locales, or can modify the schema such that a new LDAP attribute can be created. For example, CiscoAvPair.
Note
If you do not specify this property, the user cannot login. Although the object is located on the LDAP server, it should be an exact match of the attribute that is specified in this field.
Step 8
(Optional)In the Group Authorization area, update the following properties:
Name
Description
LDAP Group Authorization check box
If checked, user authentication is also done on the group level for LDAP users that are not found in the local user database.
If you check this box, CIMC enables the Configure Group button.
Group Name column
The name of the group in the LDAP server database that is authorized to access the server.
Group Domain column
The LDAP server domain the group must reside in.
Role column
The role assigned to all users in this LDAP server group. This can be one of the following:
read-only—A user with this role can view information but cannot make any changes.
user—A user with this role can perform the following tasks:
View all information
Manage the power control options such as power on, power cycle, and power off
Launch the KVM console and virtual media
Clear all logs
Toggle the locator LED
admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.
Delete column
Deletes an existing LDAP group.
Step 9
Click Save Changes.
Viewing User Sessions
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the Admin tab, click User Management.
Step 3
In the User Management pane, click the Sessions tab.
Step 4
View the following information about current user sessions:
Tip
Click a column header to sort the table rows, according to the entries in that column.
Name
Description
Session ID column
The unique identifier for the session.
Username column
The username for the user.
IP Address column
The IP address from which the user accessed the server.
Type column
The method by which the user accessed the server.
Action column
If your user account is assigned the admin user role, this column displays Terminate if you can force the associated user session to end. Otherwise it displays N/A.
Note
You cannot terminate your current session from this tab.