LDAP Authentication for IBM DS8000 Systems: Updated for DS8000 Release 9.1

LDAP Authentication for IBM DS8000 Systems: Updated for DS8000 Release 9.1

by Bjoern Wesselbaum, Claudio Di Celio, Bert Dufrasne, Connie Riggins, Robert Tondini, Alex Warmuth
Released March 2021
Publisher(s): IBM Redbooks
ISBN: 9780738459486

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

The IBM® DS8000® series includes the option to replace the locally based user ID and password authentication with a centralized directory-based approach.

This IBM Redpaper publication helps DS8000 storage administrators understand the concepts and benefits of a centralized directory. It provides the information that is required for implementing a DS8000 authentication mechanism that is based on the Lightweight Directory Access Protocol (LDAP).

Starting with DS8000 Release 9.1 code, a simpler, native LDAP authentication method is supported along with the former implementation that relies on IBM Copy Services Manager (CSM) acting as a proxy between the DS8000 and external LDAP servers.

Note that examples and operations shown in this Redpaper refer to the DS8000 R9.1 SP1, code release bundle 89.11.33.0.

Table of contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Chapter 1. IBM DS8000 user authentication
    1. 1.1 Introduction to the DS8000 user authentication
    2. 1.2 Storage Authentication Service by using CSM as an LDAP proxy
    3. 1.3 Remote authentication by using the native implementation
    4. 1.4 Benefits of using remote authentication for a DS8000 system
    5. 1.5 Determining the remote authentication solution
  5. Chapter 2. Lightweight Directory Access Protocol for IBM DS8000 administrators
    1. 2.1 Directory services and LDAP
    2. 2.2 Basic LDAP and directory services terms explained
      1. 2.2.1 Directory entry
      2. 2.2.2 Groups
      3. 2.2.3 The directory structure
      4. 2.2.4 LDAP filter
    3. 2.3 LDAP binding and authentication
      1. 2.3.1 Simple bind
      2. 2.3.2 Anonymous bind
      3. 2.3.3 Direct bind and authentication
  6. Chapter 3. IBM DS8000 user management
    1. 3.1 DS8000 basic user management and access
      1. 3.1.1 Users and roles
      2. 3.1.2 Basic user management
    2. 3.2 Customized user roles and considerations
      1. 3.2.1 Creating a customized user role by using the DS GUI
      2. 3.2.2 LDAP considerations with customized user roles
    3. 3.3 Planning for LDAP user groups and mappings
      1. 3.3.1 Local administrator user ID considerations with LDAP
      2. 3.3.2 Security administrator mapping considerations
      3. 3.3.3 Users and user groups on a remote authentication server
  7. Chapter 4. IBM DS8000 GUI implementation
    1. 4.1 Configuring remote authentication by using the GUI
      1. 4.1.1 Starting the wizard
      2. 4.1.2 Remote Authentication type
      3. 4.1.3 LDAP server type
      4. 4.1.4 LDAP Servers access
      5. 4.1.5 Configuring the access mode
      6. 4.1.6 Configure Lookup Method
      7. 4.1.7 Enable Local Administrator window
      8. 4.1.8 Authentication mapping
      9. 4.1.9 Special consideration for secadmin users
      10. 4.1.10 Administrator verification
    2. 4.2 Modifying an existing configuration
      1. 4.2.1 Changing the user mappings
      2. 4.2.2 Changing the LDAP server configuration
    3. 4.3 Enabling local authentication
    4. 4.4 Exporting and importing the configuration
      1. 4.4.1 Exporting the configuration
      2. 4.4.2 Importing the configuration
  8. Chapter 5. Implementing LDAP by using the DS Command-Line Interface
    1. 5.1 Overview
    2. 5.2 Creating a truststore for a secure LDAP connection
    3. 5.3 Creating a remote authentication policy
    4. 5.4 Testing and activating a remote authentication policy
    5. 5.5 Managing remote authentication policies by using the DS CLI
    6. 5.6 Special considerations for security administrators
    7. 5.7 Special considerations for resource groups
  9. Chapter 6. Implementing LDAP with directory services
    1. 6.1 OpenLDAP
      1. 6.1.1 Overlays
      2. 6.1.2 Group definition
    2. 6.2 Microsoft Active Directory
      1. 6.2.1 Binding
      2. 6.2.2 Nested group support
    3. 6.3 IBM Security Directory Server
      1. 6.3.1 Binding
      2. 6.3.2 Nested group support
  10. Chapter 7. IBM Resource Access Control Facility
    1. 7.1 Configuring secure communication between the LDAP server and a client on a DS8900F system
    2. 7.2 LDAP search base
    3. 7.3 RACF user and group considerations
      1. 7.3.1 RACF user definitions
      2. 7.3.2 RACF group definitions
    4. 7.4 LDAP authentication
      1. 7.4.1 Simple binding
      2. 7.4.2 Direct binding
    5. 7.5 LDAP lookup considerations
    6. 7.6 Authentication mappings
    7. 7.7 RACF multi-factor authentication
  11. Chapter 8. Migrating from IBM Copy Services Manager based LDAP authentication to native LDAP authentication
    1. 8.1 The migration scenario
    2. 8.2 Required information for the migration
      1. 8.2.1 Gathering the data from the DS8900F system
      2. 8.2.2 Gathering the CSM LDAP configuration details
    3. 8.3 Starting the migration
      1. 8.3.1 Changing the authentication to local authentication on the DS8900 system
      2. 8.3.2 Restarting the HMCs
      3. 8.3.3 Configuring the native LDAP authentication
  12. Chapter 9. Implementing LDAP through IBM Copy Services Manager
    1. 9.1 Architecture for remote authentication through CSM
    2. 9.2 Differences between embedded and external CSM
      1. 9.2.1 Communication and IP ports to use
      2. 9.2.2 Certificates to use for building the truststore
    3. 9.3 Creating a truststore
      1. 9.3.1 Obtaining the truststore files for external CSM servers
      2. 9.3.2 Creating the truststore files for an embedded CSM server
    4. 9.4 Configuring the CSM servers for LDAP authentication
      1. 9.4.1 Configuring LDAP by using the CSM GUI
      2. 9.4.2 Configuring LDAP by using the CSM command line
    5. 9.5 Configuring the DS8000 system for LDAP authentication
      1. 9.5.1 Using the DS Storage Manager GUI
      2. 9.5.2 Configuring DS8000 LDAP authentication by using the DS CLI
    6. 9.6 Mapping LDAP users and groups to the DS8000 Security Administrator role
  13. Appendix A. LDAP planning worksheet
    1. Choosing an LDAP implementation
    2. Native LDAP
    3. Configuring LDAP by using CSM
    4. Enabling a local administrator
    5. Configuring authentication mappings
  14. Appendix B. Troubleshooting
    1. Troubleshooting by using ldapsearch
    2. Troubleshooting by using dsquery
  15. Appendix C. Exporting secure certificates by using the Google Chrome and Microsoft Edge web browsers
    1. Exporting a certificate on Microsoft Edge
    2. Exporting a certificate on Google Chrome
  16. Related publications
    1. IBM Redbooks
    2. Online resources
    3. Help from IBM
  17. Back cover

Product information

  • Title: LDAP Authentication for IBM DS8000 Systems: Updated for DS8000 Release 9.1
  • Author(s): Bjoern Wesselbaum, Claudio Di Celio, Bert Dufrasne, Connie Riggins, Robert Tondini, Alex Warmuth
  • Release date: March 2021
  • Publisher(s): IBM Redbooks
  • ISBN: 9780738459486