IBM Power Ideas Portal
Status Planned for future release
Created by Guest
Created on Aug 26, 2019

HMC GUI should have an option of adding an LDAP group along with LDAP users

The HMC GUI should have an option to manage/add users as well as groups from LDAP. We currently have LDAP configured under the HMC to authenticate based on the individual user, but not the group. A case was opened with IBM support in order to get a solution on how to add LDAP groups to the user access configuration. The solution provided by support is as follows: "All individual users should have a defined taskrole, and for that we will have to request the LDAP team to make changes to the Active Directory account."

The sole reason for adding an LDAP group is, for example, that there are more than 100 users trying to access the HMC. We don't want to keep adding each of them individually under the HMC GUI, but rather add the group to which they all belong, which is already present in the Active Directory LDAP configuration.

Solution provided by the support was as follows:

"There are two pieces to addressing the problem of "we don't want to add all 100 users individually, rather just add that group name that will be sufficient to provide access to all 100 users."

1. "we don't want to add all 100 users individually"

The HMC can automatically create the LDAP user for you, as long as two conditions are satisfied:
a) automanage=1 in the HMC's LDAP config
AND
b) the HMC knows what taskrole the user should have. It will get the taskrole value (and values for any other HMC user properties) from whichever Active Directory user attribute is specified for "hmcuserpropsattribute" in the HMC LDAP configuration.

There is usually at least one attribute in the existing Active Directory schema that is not already being used, or an attribute that is used but can be re-purposed to store the HMC user properties information. "description" is one that I've seen used in the past, but your Active Directory admin/team may have other suggestions.

If you choose to set hmcuserpropsattribute to "description", for example,
chhmcldap -o s --automanage=1 --hmcuserpropsattribute "description"
then your Active Directory user record must have the HMC user properties ("taskrole" is the only required property) defined in the value of that attribute. For example:
DistinguishedName: CN=Siddiqui-ALT\, Mohammed,OU=MEDES,OU=Contractors,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us
sAMAccountName: mohammed.siddiqui
description: taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1
memberOf: CN=sd-aix-system,OU=AIX,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us

2. "add that group name that will be sufficient to provide access to all 100 users."

To restrict the LDAP logins to users that are members of the sd-aix-system group and use the Active Directory server for authentication, you can set the searchfilter using the command below.
chhmcldap -o s --automanage=1 --searchfilter "(&(objectClass=user)(memberOf=CN=sd-aix-system,OU=AIX,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us))"
That will take care of the user access by group, but in order to be considered a valid HMC user, the user must have a taskrole defined - either in their LDAP record as described in part 1 above, or as defined locally on the HMC as you have been doing."

However, the solution doesn't seem feasible, as we don't want the HMC to create the LDAP users, nor do we want to make changes to the LDAP users' properties/attributes. Hope there is a provision where we can add the LDAP group through the HMC GUI in a similar way as we do currently for an individual user. Will there be any enhancement to the LDAP config management in the HMC in future releases? We wanted to know if there will be any enhancement in the future where we are not dependent on adding the taskrole to the user's attribute. For example, currently, if I want to add an LDAP user to the HMC, I don't have to worry about any role or attribute; I just add the user in the user access settings under the HMC.
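As an added illustration (not code from the idea, the commenters or IBM's HMC), the following Python audit applies the two acceptance conditions from the support reply to constructed Active Directory records: membership per the (&(objectClass=user)(memberOf=...)) searchfilter, and a parsable taskrole in the hmcuserpropsattribute value. The comma-separated key=value layout and case-insensitive DN comparison are assumptions taken from the example record above, so that gaps (users in the group whose description was never populated) can be found before automanage=1 is switched on.

```python
# Added example, not from the idea or IBM: audit AD records against the two HMC conditions.
REQUIRED_GROUP = "CN=sd-aix-system,OU=AIX,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us"
PROPS_ATTRIBUTE = "description"  # value passed to --hmcuserpropsattribute

def parse_hmc_props(value):
    """Split 'k=v,k=v' into a dict (assumed layout, as in the example record)."""
    props = {}
    for pair in value.split(","):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:  # e.g. a pre-existing free-text description
            raise ValueError(f"malformed property: {pair!r}")
        key, _, val = pair.partition("=")
        props[key.strip()] = val.strip()
    return props

def matches_searchfilter(record):
    """Mimic (&(objectClass=user)(memberOf=REQUIRED_GROUP)); DN compare assumed
    case-insensitive, memberOf treated as multi-valued as it is in AD."""
    classes = {c.lower() for c in record.get("objectClass", [])}
    groups = {g.lower() for g in record.get("memberOf", [])}
    return "user" in classes and REQUIRED_GROUP.lower() in groups

def evaluate(record):
    """Return (accepted, reason) for one record under automanage=1."""
    if not matches_searchfilter(record):
        return False, "filtered out: not a user object in the required group"
    try:
        props = parse_hmc_props(record.get(PROPS_ATTRIBUTE, ""))
    except ValueError as exc:
        return False, f"unparsable {PROPS_ATTRIBUTE}: {exc}"
    if "taskrole" not in props:
        return False, "no taskrole: HMC cannot auto-manage this user"
    return True, f"taskrole={props['taskrole']}"

def audit(records):
    """Map sAMAccountName -> (accepted, reason) so gaps can be fixed before go-live."""
    return {r["sAMAccountName"]: evaluate(r) for r in records}

# Constructed sample records (placeholder accounts, not real users).
SAMPLE_RECORDS = [
    {"sAMAccountName": "user.one", "objectClass": ["top", "person", "user"],
     "memberOf": [REQUIRED_GROUP],
     "description": "taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1"},
    {"sAMAccountName": "user.two", "objectClass": ["top", "person", "user"],
     "memberOf": [REQUIRED_GROUP], "description": "Contractor, building 4"},
    {"sAMAccountName": "user.three", "objectClass": ["top", "person", "user"],
     "memberOf": ["CN=other-team,OU=AIX,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us"],
     "description": "taskrole=hmcviewer"},
]
```

Running audit(SAMPLE_RECORDS) accepts user.one, rejects user.two because its re-purposed description is free text rather than key=value pairs, and filters out user.three because the group does not match.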

Idea priority Medium
  • Guest, Aug 16, 2022

    LDAP group implementation through the LDAP server as defined is part of a future release. Please let us know if it will address the requirement. Thanks.

  • Guest, Mar 4, 2022

    Hi Mohammed,

    This enhancement is being planned for a future release where the user can specify the taskrole details at a group level instead of the user level.

    Thanks.

  • Guest, Nov 18, 2020

    Hi,

    We have evaluated this request and it is part of a long-term roadmap, hence marking it as Uncommitted Candidate for now.

    Thanks.