Remote authentication

Remote authentication allows users to authenticate to the system using credentials stored on an external authentication service. When you configure remote authentication, you do not need to configure users on the system or assign additional passwords. Instead you can use your existing passwords and user groups that are defined on the remote service to simplify user management and access, to enforce password policies more efficiently, and to separate user management from storage management.

A remote user is authenticated by a remote service: either IBM Rational Jazz for Service Management (JazzSM) or Lightweight Directory Access Protocol (LDAPv3) servers. IBM Rational Jazz for Service Management (JazzSM) is supported on version 5.2 of IBM® Spectrum Control and higher. If you are unsure of the authentication method that is used in your environment, ask your system administrator before proceeding.

Configuring remote authentication with Lightweight Directory Access Protocol (LDAP)

To configure remote authentication with LDAP, complete these steps:
  1. Select Configure Remote Authentication.
  2. Select the type of LDAP server that is used for authentication.
  3. Select whether Transport Layer Security is used to ensure that user credentials are encrypted before they are transmitted over the network.
  4. Specify optional service credentials or modify advanced LDAP settings. The following LDAP attributes can be configured:
    User attribute
    For all server types, users are authenticated with a user name that is defined with the LDAP user attribute. This attribute must exist in your LDAP schema and must be unique for each of your users. Active Directory users can also authenticate by using their user principal names (UPN) or NT login names.
    Group attribute
    Authenticated users are assigned roles according to their LDAP group memberships. The groups to which a user belongs are stored in the LDAP group attribute. This attribute value can be the distinguished name of each group, or a colon-separated list of user group names.
    Audit log attribute
    If an LDAP user performs an audited action, the contents of the audit log attribute are recorded in the audit log.
  5. Define up to six LDAP servers to use for authentication. Multiple servers can be configured to provide access to different sets of users or for redundancy. You can also configure which servers are preferred to authenticate users.
  6. Verify your LDAP configuration. To test the connection to the LDAP servers, select Global Actions > Test LDAP Connections. To test authentication to the LDAP servers, select Global Actions > Test LDAP Authentication and enter corresponding credentials for the user.
  7. To enforce remote authentication, users who are configured on the system must be identified as remote users or be deleted from the system. LDAP users who are not defined on the system are able to access the management GUI and command-line interface (CLI) by using password authentication. However, users who require access without a password must configure a Secure Shell (SSH) key on the system. To configure a remote user for SSH key access, complete these steps:
    1. Select Access > Users.
    2. Select New User or change an existing user by selecting Actions > Properties.
    3. Select the remote authentication mode and, if you require command-line access without entering a password, provide an SSH public key.

    To delete a user from the system, complete these steps:

    1. Select Access > Users.
    2. Right-click the user and select Actions > Delete.
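The user attribute and group attribute settings in step 4 decide who a login resolves to and which roles that user receives. The following is an added illustration of that resolution logic, not IBM's code: it rejects a user attribute value that matches more than one entry (the attribute must be unique) and reads the group attribute in both forms the page describes, a list of distinguished names or a colon-separated list of group names. The directory entries, attribute names, group names and role mapping are all constructed for the example.

```python
# Added example (not IBM's code): resolve a remote user's roles from the LDAP
# user and group attributes. All entries, names and mappings are constructed.
DIRECTORY = [
    {"uid": "alice", "userPrincipalName": "alice@example.test",
     "memberOf": ["CN=StorageAdmins,OU=Groups,DC=example,DC=test"]},
    {"uid": "bob", "userPrincipalName": "bob@example.test",
     "memberOf": "Monitor:CopyOperator"},  # colon-separated group names
    {"uid": "carol", "userPrincipalName": "carol@example.test",
     "memberOf": ["CN=Guests,OU=Groups,DC=example,DC=test"]},
    {"uid": "dave", "userPrincipalName": "dave@example.test"},
    {"uid": "dave", "userPrincipalName": "dave2@example.test"},  # duplicate uid
]

# Constructed mapping from LDAP group name to a system role.
ROLE_BY_GROUP = {"StorageAdmins": "Administrator", "Monitor": "Monitor",
                 "CopyOperator": "CopyOperator"}


def find_user(directory, login, user_attrs=("uid", "userPrincipalName")):
    """Return the one entry whose user attribute equals login.

    The user attribute must be unique, so an ambiguous match is rejected
    instead of silently picking an entry."""
    matches = [e for e in directory
               if any(e.get(a) == login for a in user_attrs)]
    if len(matches) != 1:
        raise LookupError(f"{login!r}: expected 1 entry, found {len(matches)}")
    return matches[0]


def group_names(value):
    """Group names from the group attribute: a list of distinguished names
    (the leading CN is the name) or one colon-separated string of names."""
    if isinstance(value, str):
        return [g.strip() for g in value.split(":") if g.strip()]
    names = []
    for dn in value:
        attr, _, name = dn.split(",", 1)[0].partition("=")
        if attr.strip().upper() == "CN" and name.strip():
            names.append(name.strip())
    return names


def resolve_roles(login, directory=DIRECTORY, role_by_group=ROLE_BY_GROUP):
    """Sorted roles for login; groups without a mapping grant nothing."""
    entry = find_user(directory, login)
    groups = group_names(entry.get("memberOf", []))
    return sorted({role_by_group[g] for g in groups if g in role_by_group})
```

A login such as `carol` that belongs only to unmapped groups authenticates to no role, and the duplicate `dave` entries show why an ambiguous user attribute must fail rather than resolve.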