IBM BladeCenter Management Module User Manual page 49

Root DN
The distinguished name for the root entry of the directory tree on the
LDAP server. An example might look like dn=companyABC,dn=com.
User Search Base DN
As part of the user authentication process, it is necessary to search the
LDAP server for one or more attributes associated with a particular user.
Any search request must specify the base distinguished name for the
actual search. The User Search Base DN field specifies the base
distinguished name that is used to search the user directory. An
example might look like cn=Users,dn=companyABC,dn=com. If this field
is left blank, the root distinguished name is used as the search base.
User searches are part of the authentication process. They are carried
out to retrieve information about the user such as login permissions,
callback number, and group memberships. For Version 2.0 LDAP
clients, be sure to configure this parameter; otherwise, a search using
the root distinguished name might not succeed (as seen on Microsoft®
Windows Server 2003 Active Directory servers).
ASM Group Filter
This parameter is used for group authentication. It specifies the set of
groups to which this particular management module belongs. If left
blank, group authentication is disabled. Otherwise, group authentication
is performed against this filter. The filter specified can be a specific
group name (for example, RSAWest), a wildcard with a prefix (for
example, RSA*), or a wildcard (specified as *). If a specific name is
used, this management module belongs only to this group. If a prefix
filter is used (for example, RSA*), this management module belongs to
any group whose first three letters are RSA. If a wildcard filter ( * ) is
used, then this management module belongs to all groups. The default
filter is RSA*.
Group authentication is performed after user authentication (where a
user ID and password are verified). Group authentication refers to the
process of verifying that a user is a member of at least one group
associated with this management module. For example, assume the
group filter is set to RSA*. If the user belongs to two groups, for
example, Engineering and RSAWest, group authentication passes
because the user belongs to a group (RSAWest) that matches the filter
RSA*. If the groups to which the user belongs do not match the filter,
group authentication fails and the user is not allowed to access the
management module. Note that if the group filter is *, then group
authentication will automatically succeed because any group to which
the user belongs will match this wildcard.
Binding Method
For initial binds to the LDAP server during user authentication, choose
from the following options:
Anonymous authentication. A bind attempt is made without a client
distinguished name or password. If the bind is successful, a search will
be requested to find an entry on the LDAP server for the user
attempting to log in. If an entry is found, a second bind is
attempted, this time with the distinguished name and password of
the user. If this succeeds, the user has passed the user authentication
phase. Group authentication is then attempted if it is enabled.
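
The following Python model is an added example, not code from the manual or from the management-module firmware. It encodes the ASM Group Filter rules described above and lists which directory groups a given filter would admit, so the breadth of a blank, *, or prefix filter can be reviewed before it is configured. The group names, the function names, and the case-sensitive comparison are assumptions made for illustration.

```python
# Added example: a model of the group-filter rules in the manual text above.
# Assumptions (not stated by the manual): names compare case-sensitively and
# exactly one filter is configured. Group names below are constructed samples.

def filter_matches(group_filter, group):
    """True if a single group name matches '*', 'PREFIX*' or an exact name."""
    if group_filter == "*":
        return True
    if group_filter.endswith("*"):
        return group.startswith(group_filter[:-1])
    return group == group_filter

def group_auth(group_filter, user_groups):
    """Group authentication, which runs only after user authentication passed."""
    if group_filter == "":
        return True   # blank filter: group authentication is disabled
    if group_filter == "*":
        return True   # wildcard: group authentication succeeds automatically
    return any(filter_matches(group_filter, g) for g in user_groups)

def audit_filter(group_filter, directory_groups):
    """Report how broad a filter is and which directory groups it admits."""
    if group_filter == "":
        return {"scope": "disabled", "admits": "every authenticated user"}
    if group_filter == "*":
        return {"scope": "all-groups", "admits": sorted(directory_groups)}
    scope = "prefix" if group_filter.endswith("*") else "exact"
    admits = sorted(g for g in directory_groups if filter_matches(group_filter, g))
    return {"scope": scope, "admits": admits}

# Constructed sample of group names present in a directory.
DIRECTORY_GROUPS = ["Engineering", "Finance", "RSAEast",
                    "RSATemp-Contractors", "RSAWest"]

if __name__ == "__main__":
    for f in ["", "*", "RSA*", "RSAWest"]:
        print(repr(f), audit_filter(f, DIRECTORY_GROUPS))
    # The manual's own case: filter RSA*, user in Engineering and RSAWest.
    print(group_auth("RSA*", ["Engineering", "RSAWest"]))
    print(group_auth("RSA*", ["Engineering", "Finance"]))
```

With the default filter RSA*, the audit shows that every group whose name begins with RSA grants access, including ones created later for unrelated purposes; a specific group name limits access to that one group.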
Chapter 3. Using the management-module Web interface
39
