The HMC GUI should have an option to manage/add users as well as groups from LDAP. We currently have LDAP configured under the HMC to authenticate based on the individual user but not the group. A case was opened with IBM support in order to provide a solution on how to add the LDAP groups to the user access configuration. The solution provided by support is as follows: "All individual users should have a defined taskrole, and for that we will have to request the LDAP team to make changes to the Active Directory account."
The sole reason for adding an LDAP group is, considering the example that there are more than 100 users trying to access the HMC, that we don't want to keep adding each of them individually under the HMC GUI, but rather add the group to which they all belong, which is already present in the Active Directory LDAP configuration.
The solution provided by support was as follows:
"There are two pieces to addressing the problem of 'we don't want to add all 100 users individually, rather just add that group name, which will be sufficient to provide access to all 100 users.'
1. "we don't want to add all 100 users individually"
The HMC can automatically create the LDAP user for you, as long as two conditions are satisfied:
a) automanage=1 in the HMC's LDAP config
AND
b) the HMC knows what taskrole the user should have. It will get the taskrole value (and values for any other HMC user properties) from whichever Active Directory user attribute is specified for "hmcuserpropsattribute" in the HMC LDAP configuration.
There is usually at least one attribute in the existing Active Directory schema that is not already being used, or an attribute that is used but can be re-purposed to store the HMC user properties information. "description" is one that I've seen used in the past, but your Active Directory admin/team may have other suggestions.
If you choose to set hmcuserpropsattribute to "description", for example,
chhmcldap -o s --automanage=1 --hmcuserpropsattribute "description"
then your Active Directory user record must have the HMC user properties ("taskrole" is the only required property) defined in the value of that attribute. For example:
DistinguishedName: CN=Siddiqui-ALT\, Mohammed,OU=MEDES,OU=Contractors,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us
sAMAccountName: mohammed.siddiqui
description: taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1
memberOf: CN=sd-aix-system,OU=AIX,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us
2. "add that group name that will be sufficient to provide access to all 100 users."
To restrict the LDAP logins to users that are members of the sd-aix-system group and use the Active Directory server for authentication, you can set the searchfilter using the command below.
chhmcldap -o s --automanage=1 --searchfilter "(&(objectClass=user)(memberOf=CN=sd-aix-system,OU=AIX,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us))"
That will take care of the user access by group, but in order to be considered a valid HMC user, the user must have a taskrole defined - either in their LDAP record as described in part 1 above, or as defined locally on the HMC as you have been doing.
"
However, the solution doesn't seem feasible, as we neither want the HMC to create the LDAP users nor want to make changes to the LDAP users' properties/attributes. We hope there is a provision where we can add the LDAP group through the HMC GUI in a similar way to how we currently do it for an individual user. Will there be any enhancement to the LDAP config management in the HMC in future releases? We wanted to know if there will be an enhancement in the future where we are not dependent on adding the taskrole to the user's attribute. For example, currently, if I want to add an LDAP user to the HMC, I don't have to worry about any role or attribute; I just add the user in the user access settings under the HMC.
LDAP group implementation through the LDAP server as defined is part of a future release. Please let us know if it will address the requirement. Thanks.
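The two checks the support reply describes can be tried out offline before touching the Active Directory schema. The following is an added example written for this page; it is not HMC or IBM code, and it only models what the reply says: the searchfilter admits a user when objectClass=user and memberOf contains the sd-aix-system DN (part 2), and automanage=1 then needs a taskrole read from the attribute named by hmcuserpropsattribute (part 1). It assumes the HMC parses that attribute value as comma-separated key=value pairs, which is the format of the description line in the reply, and that taskrole is the only required key. The three sample records are constructed; the first mirrors the record in the reply with an objectClass line added that the reply does not show.

```python
"""Offline model of the HMC LDAP 'searchfilter' and 'hmcuserpropsattribute'
checks described in the IBM support reply. Added example, not HMC code."""

from __future__ import annotations

import re

# Group DN from the support reply's searchfilter (part 2).
REQUIRED_GROUP = "CN=sd-aix-system,OU=AIX,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us"
# Value passed to chhmcldap --hmcuserpropsattribute (part 1).
HMC_USER_PROPS_ATTRIBUTE = "description"
# Assumption from the reply: taskrole is the only property the HMC requires.
REQUIRED_PROPS = ("taskrole",)

# Split a DN on commas that are not escaped (CN=Siddiqui-ALT\, Mohammed keeps its comma).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_ldif_record(text: str) -> dict[str, list[str]]:
    """Parse a minimal 'attribute: value' record into attribute -> values.
    Attribute names are lower-cased because LDAP attribute names are case-insensitive."""
    record: dict[str, list[str]] = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        record.setdefault(name.strip().lower(), []).append(value.strip())
    return record


def normalize_dn(dn: str) -> str:
    """Lower-case and trim each RDN so DN comparison tolerates the spacing
    and capitalisation differences that AD tools and ldapsearch produce."""
    return ",".join(part.strip().lower() for part in _RDN_SPLIT.split(dn))


def parse_hmc_user_props(value: str) -> dict[str, str]:
    """Parse 'taskrole=hmcsuperadmin,remote_webui_access=1' into a dict.
    Raises ValueError if an item is not key=value, e.g. a description that is
    still free text rather than re-purposed for HMC properties."""
    props: dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not a key=value item: {item!r}")
        props[key.strip()] = val.strip()
    return props


def evaluate_login(record: dict[str, list[str]]) -> tuple[bool, str, dict[str, str]]:
    """Return (allowed, reason, props): first the group searchfilter, then the
    automanage requirement that a taskrole exists in the properties attribute."""
    classes = {c.lower() for c in record.get("objectclass", [])}
    if "user" not in classes:
        return False, "objectClass=user missing; searchfilter does not match", {}
    groups = {normalize_dn(g) for g in record.get("memberof", [])}
    if normalize_dn(REQUIRED_GROUP) not in groups:
        return False, f"not a member of {REQUIRED_GROUP}; searchfilter does not match", {}

    values = record.get(HMC_USER_PROPS_ATTRIBUTE.lower(), [])
    if not values:
        return False, f"no {HMC_USER_PROPS_ATTRIBUTE} attribute; HMC cannot determine taskrole", {}
    try:
        props = parse_hmc_user_props(values[0])
    except ValueError as exc:
        return False, f"{HMC_USER_PROPS_ATTRIBUTE} is not HMC key=value properties ({exc})", {}
    missing = [k for k in REQUIRED_PROPS if k not in props]
    if missing:
        return False, f"{HMC_USER_PROPS_ATTRIBUTE} lacks required property {missing}", props
    return True, f"auto-managed HMC user with taskrole={props['taskrole']}", props


# Constructed sample records. The first mirrors the reply's record plus objectClass.
USER_WITH_ROLE = """
objectClass: user
distinguishedName: CN=Siddiqui-ALT\\, Mohammed,OU=MEDES,OU=Contractors,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us
sAMAccountName: mohammed.siddiqui
description: taskrole=hmcsuperadmin,remote_webui_access=1,remote_ssh_access=1
memberOf: CN=sd-aix-system,OU=AIX,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us
"""
USER_IN_GROUP_NO_ROLE = """
objectClass: user
sAMAccountName: aix.contractor
description: Contractor, AIX team
memberOf: cn=sd-aix-system, ou=AIX, ou=Alternate, ou=SD, dc=state, dc=mo, dc=us
"""
USER_NOT_IN_GROUP = """
objectClass: user
sAMAccountName: other.user
description: taskrole=hmcviewer
memberOf: CN=sd-web-system,OU=WEB,OU=Alternate,OU=SD,DC=state,DC=mo,DC=us
"""

if __name__ == "__main__":
    for sample in (USER_WITH_ROLE, USER_IN_GROUP_NO_ROLE, USER_NOT_IN_GROUP):
        rec = parse_ldif_record(sample)
        allowed, reason, _ = evaluate_login(rec)
        print(f"{rec['samaccountname'][0]:>20}: {'ALLOW' if allowed else 'DENY '} {reason}")
```

The second record is the case the reply warns about: the user passes the group filter but the repurposed description attribute still holds free text, so the HMC has no taskrole and the login is not usable. Running the script prints one ALLOW line and two DENY lines with the reason for each.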
Hi Mohammed,
This enhancement is being planned for a future release where user can specify the taskrole details at a group level instead of user level.
Thanks.
Hi,
We have evaluated this request and it is part of a long-term roadmap, hence we are marking it as Uncommitted Candidate for now.
Thanks.