CLI Configuration Guide for Cisco UCS E-Series Servers, Release 2.x
Managing User Accounts

This chapter includes the following sections:

• Configuring Local Users
• LDAP Servers (Active Directory)
• Configuring the LDAP Server
• Configuring LDAP in CIMC
• Configuring LDAP Groups in CIMC
• Viewing User Sessions
• Terminating a User Session

Configuring Local Users

Before You Begin

You must log in as a user with admin privileges to configure or modify local user accounts.

Procedure

Step 1   Server# scope user usernumber
         Enters user command mode for user number usernumber.

Step 2   Server /user # set enabled {yes | no}
         Enables or disables the user account on the CIMC.

Step 3   Server /user # set name username
         Specifies the username for the user.

Step 4   Server /user # set password
         You are prompted to enter the password twice.

Step 5   Server /user # set role {readonly | user | admin}
         Specifies the role assigned to the user. The roles are as follows:
         • readonly—This user can view information but cannot make any changes.
         • user—This user can do the following:
           • View all information
           • Manage the power control options such as power on, power cycle, and power off
           • Launch the KVM console and virtual media
           • Clear all logs
           • Toggle the locator LED
         • admin—This user can perform all actions available through the GUI, CLI, and IPMI.

Step 6   Server /user # commit
         Commits the transaction to the system configuration.

This example configures user 5 as an admin:

Server# scope user 5
Server /user # set enabled yes
Server /user *# set name john
Server /user *# set password
Please enter password:
Please confirm password:
Server /user *# set role readonly
Server /user *# commit
Server /user # show
User   Name             Role     Enabled
------ ---------------- -------- --------
5      john             readonly yes


LDAP Servers (Active Directory)

CIMC supports directory services that organize information in a directory and manage access to this information. CIMC supports Lightweight Directory Access Protocol (LDAP), which stores and maintains directory information in a network. In addition, CIMC supports Microsoft Active Directory (AD). Active Directory is a technology that provides a variety of network services including LDAP-like directory services, Kerberos-based authentication, and DNS-based naming. The CIMC utilizes the Kerberos-based authentication service of LDAP.

When LDAP is enabled in the CIMC, user authentication and role authorization are performed by the LDAP server for user accounts not found in the local user database. The LDAP user authentication format is username@domain.com.

By checking the Enable Encryption check box in the LDAP Settings area (set encrypted yes in the CLI), you can require the server to encrypt data sent to the LDAP server.

Configuring the LDAP Server

The CIMC can be configured to use LDAP for user authentication and authorization. To use LDAP, configure users with an attribute that holds the user role and locale information for the CIMC. You can use an existing LDAP attribute that is mapped to the CIMC user roles and locales, or you can modify the LDAP schema to add a new custom attribute, such as the CiscoAVPair attribute, which has an attribute ID of 1.3.6.1.4.1.9.287247.1.

Important

For more information about altering the schema, see the article at http://technet.microsoft.com/en-us/library/bb727064.aspx.

Note

This example creates a custom attribute named CiscoAVPair, but you can also use an existing LDAP attribute that is mapped to the CIMC user roles and locales.

The following steps must be performed on the LDAP server.

Procedure

Step 1   Ensure that the LDAP schema snap-in is installed.

Step 2   Using the schema snap-in, add a new attribute with the following properties:

         Property                 Value
         Common Name              CiscoAVPair
         LDAP Display Name        CiscoAVPair
         Unique X500 Object ID    1.3.6.1.4.1.9.287247.1
         Description              CiscoAVPair
         Syntax                   Case Sensitive String

Step 3   Add the CiscoAVPair attribute to the user class using the snap-in:
         1. Expand the Classes node in the left pane and type U to select the user class.
         2. Click the Attributes tab and click Add.
         3. Type C to select the CiscoAVPair attribute.
         4. Click OK.

Step 4   Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to CIMC:

         Role         CiscoAVPair Attribute Value
         admin        shell:roles="admin"
         user         shell:roles="user"
         read-only    shell:roles="read-only"

Note

For more information about adding values to attributes, see the article at http://technet.microsoft.com/en-us/library/bb727064.aspx.


What to Do Next

Use the CIMC to configure the LDAP server.

Configuring LDAP in CIMC

Configure LDAP in CIMC when you want to use an LDAP server for local user authentication and authorization.

Before You Begin

You must log in as a user with admin privileges to perform this task.

Procedure

Step 1   Server# scope ldap
         Enters the LDAP command mode.

Step 2   Server /ldap # set enabled {yes | no}
         Enables or disables LDAP security. When enabled, user authentication and role authorization are performed by LDAP for user accounts not found in the local user database.

Step 3   Server /ldap # set domain LDAP-domain-name
         Specifies an LDAP domain name.

Step 4   Server /ldap # set timeout seconds
         Specifies the number of seconds the CIMC waits until the LDAP search operation times out. The value must be between 0 and 1800 seconds.

Step 5   Server /ldap # set encrypted {yes | no}
         If encryption is enabled, the server encrypts all information sent to AD.

Step 6   Server /ldap # set base-dn domain-name
         Specifies the Base DN that is searched on the LDAP server.

Step 7   Server /ldap # set attribute name
         Specifies an LDAP attribute that contains the role and locale information for the user. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.
         You can use an existing LDAP attribute that is mapped to the CIMC user roles and locales, or you can create a custom attribute, such as the CiscoAVPair attribute, which has the following attribute ID: 1.3.6.1.4.1.9.287247.1
         Note: If you do not specify this property, user access is denied.

Step 8   Server /ldap # set filter-attribute attribute-name
         Specifies the account name attribute. If Active Directory is used, specify sAMAccountName for this field.

Step 9   Server /ldap # commit
         Commits the transaction to the system configuration.

Step 10  Server /ldap # show [detail]
         (Optional) Displays the LDAP configuration.


This example configures LDAP using the CiscoAVPair attribute:

Server# scope ldap
Server /ldap # set enabled yes
Server /ldap *# set domain sample-domain
Server /ldap *# set timeout 60
Server /ldap *# set encrypted yes
Server /ldap *# set base-dn example.com
Server /ldap *# set attribute CiscoAVPair
Server /ldap *# set filter-attribute sAMAccountName
Server /ldap *# commit
Server /ldap # show detail
LDAP Settings:
    Enabled: yes
    Encrypted: yes
    Domain: sample-domain
    BaseDN: example.com
    Timeout: 60
    Filter-Attribute: sAMAccountName
    Attribute: CiscoAvPair
Server /ldap #
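The show detail output above is the natural place to verify an LDAP configuration before relying on it. As an added example (not Cisco's code), the following Python script parses that output and flags the settings a defender would want to catch: encryption disabled, a timeout outside the documented 0 to 1800 second range, an unset role attribute (which the guide states denies all user access), and a filter attribute other than sAMAccountName when the directory is Active Directory. Both sample outputs are constructed; the script assumes the exact indented "Key: value" layout of the transcript.

```python
"""Audit a CIMC 'show detail' LDAP settings block for weak or incomplete
configuration. Added example, not Cisco's code; it assumes the indented
'Key: value' layout printed by the CLI in the guide's transcript."""
import re
from typing import Dict, List

# Constructed sample: the configuration from the guide's transcript.
GOOD_OUTPUT = """\
LDAP Settings:
    Enabled: yes
    Encrypted: yes
    Domain: sample-domain
    BaseDN: example.com
    Timeout: 60
    Filter-Attribute: sAMAccountName
    Attribute: CiscoAvPair
"""

# Constructed sample of a weak configuration (not from the guide).
WEAK_OUTPUT = """\
LDAP Settings:
    Enabled: yes
    Encrypted: no
    Domain: sample-domain
    BaseDN: example.com
    Timeout: 3600
    Filter-Attribute: cn
    Attribute:
"""


def parse_ldap_settings(text: str) -> Dict[str, str]:
    """Turn the indented 'Key: value' lines into a dict; an empty value stays ''."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        match = re.match(r"^\s+([\w-]+):\s*(.*)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def audit_ldap_settings(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    settings = parse_ldap_settings(text)
    findings: List[str] = []

    if settings.get("Enabled", "no").lower() != "yes":
        findings.append("Enabled is not 'yes': only local accounts can authenticate")

    # Step 5 of the procedure: without encryption, queries to AD travel in cleartext.
    if settings.get("Encrypted", "no").lower() != "yes":
        findings.append("Encrypted is not 'yes': data sent to the LDAP server is unencrypted")

    # Step 4: the guide documents a 0-1800 second range for the search timeout.
    timeout = settings.get("Timeout", "")
    if not timeout.isdigit() or not 0 <= int(timeout) <= 1800:
        findings.append(f"Timeout '{timeout}' is outside the documented 0-1800 second range")

    # Step 7: the guide states user access is denied if the attribute is not set.
    if not settings.get("Attribute"):
        findings.append("Attribute is unset: LDAP users will be denied access")

    # Step 8: with Active Directory the guide says to use sAMAccountName.
    if settings.get("Filter-Attribute", "").lower() != "samaccountname":
        findings.append("Filter-Attribute is not sAMAccountName (required when the directory is AD)")

    return findings


if __name__ == "__main__":
    for label, output in (("good", GOOD_OUTPUT), ("weak", WEAK_OUTPUT)):
        print(f"{label}: {audit_ldap_settings(output) or ['no findings']}")
```

Paste the real show detail output into the script in place of the constructed samples; any finding points at the step in the procedure above that needs to be re-run before commit.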
        
What to Do Next

If you want to use LDAP groups for group authorization, see Configuring LDAP Groups in CIMC.

Configuring LDAP Groups in CIMC

Note

When Active Directory (AD) group authorization is enabled and configured, user authentication is also done on the group level for users that are not found in the local user database or who are not individually authorized to use CIMC in the Active Directory.

Before You Begin

• You must log in as a user with admin privileges to perform this task.
• Active Directory (or LDAP) must be enabled and configured.
Procedure

Step 1   Server# scope ldap
         Enters the LDAP command mode for AD configuration.

Step 2   Server /ldap # scope ldap-group-rule
         Enters the LDAP group rules command mode for AD configuration.

Step 3   Server /ldap/ldap-group-rule # set group-auth {yes | no}
         Enables or disables LDAP group authorization.

Step 4   Server /ldap # scope role-group index
         Selects one of the available group profiles for configuration, where index is a number between 1 and 28.

Step 5   Server /ldap/role-group # set name group-name
         Specifies the name of the group in the AD database that is authorized to access the server.

Step 6   Server /ldap/role-group # set domain domain-name
         Specifies the AD domain the group must reside in.

Step 7   Server /ldap/role-group # set role {admin | user | readonly}
         Specifies the permission level (role) assigned to all users in this AD group. This can be one of the following:
         • admin—The user can perform all actions available.
         • user—The user can perform the following tasks:
           • View all information
           • Manage the power control options such as power on, power cycle, and power off
           • Launch the KVM console and virtual media
           • Clear all logs
           • Toggle the locator LED
         • readonly—The user can view information but cannot make any changes.

Step 8   Server /ldap/role-group # commit
         Commits the transaction to the system configuration.

This example shows how to configure LDAP group authorization:

Server# scope ldap
Server /ldap # scope ldap-group-rule
Server /ldap/ldap-group-rule # set group-auth yes
Server /ldap *# scope role-group 5
Server /ldap/role-group # set name Training
Server /ldap/role-group* # set domain example.com
Server /ldap/role-group* # set role readonly
Server /ldap/role-group* # commit
ucs-c250-M2 /ldap # show role-group
Group  Group Name       Domain Name      Assigned Role
------ -----------     --------------   --------------
1      (n/a)            (n/a)            admin
2      (n/a)            (n/a)            user
3      (n/a)            (n/a)            readonly
4      (n/a)            (n/a)            (n/a)
5      Training         example.com      readonly

Server /ldap/role-group #


Viewing User Sessions

Procedure

Step 1   Server# show user-session
         Displays information about current user sessions.

The command output displays the following information about current user sessions:

Session ID column    The unique identifier for the session.
Username column      The username for the user.
IP Address column    The IP address from which the user accessed the server.
Type column          The method by which the user accessed the server. For example, CLI, vKVM, and so on.
Action column        If your user account is assigned the admin user role, this column displays Terminate if you can force the associated user session to end. Otherwise it displays N/A.

Note

You cannot terminate your current session from this tab.

This example displays information about current user sessions:

Server# show user-session
ID     Name             IP Address        Type         Killable
------ ---------------- ----------------- ------------ --------
15     admin            10.20.30.138      CLI          yes

Server /user #


Terminating a User Session

Before You Begin

You must log in as a user with admin privileges to terminate a user session.

Procedure

Step 1   Server# show user-session
         Displays information about current user sessions. The user session to be terminated must be eligible to be terminated (killable) and must not be your own session.

Step 2   Server# scope user-session session-number
         Enters user session command mode for the numbered user session that you want to terminate.

Step 3   Server /user-session # terminate
         Terminates the user session.

This example shows how the admin at user session 10 terminates user session 15:

Server# show user-session
ID     Name             IP Address        Type         Killable
------ ---------------- ----------------- ------------ --------
10     admin            10.20.41.234      CLI          yes
15     admin            10.20.30.138      CLI          yes
Server# scope user-session 15
Server /user-session # terminate
User session 15 terminated.

Server /user-session #
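Both the Viewing User Sessions and Terminating a User Session procedures come down to reading the show user-session table and choosing a session that is killable and is not your own, for instance when reviewing sessions left open from an unexpected address. As an added example (not Cisco's code), the following Python script parses that output, returns the sessions an administrator could terminate given their own session ID, and builds the two CLI commands from the procedure above. The sample output is constructed from the guide's transcript plus one extra vKVM row; the script assumes the whitespace-separated column layout shown.

```python
"""Parse 'show user-session' output and list the sessions an admin could
terminate, excluding the admin's own session. Added example, not Cisco's
code; it assumes the column layout printed in the guide's transcript."""
import re
from typing import Dict, List

# Constructed sample: the two rows from the guide's transcript plus a
# constructed non-killable vKVM session from another address.
SAMPLE_OUTPUT = """\
ID     Name             IP Address        Type         Killable
------ ---------------- ----------------- ------------ --------
10     admin            10.20.41.234      CLI          yes
15     admin            10.20.30.138      CLI          yes
16     john             10.20.30.77       vKVM         no
"""


def parse_user_sessions(text: str) -> List[Dict[str, str]]:
    """Return one dict per session row, keyed by the header column names."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    if len(lines) < 2 or not set(lines[1]) <= {"-", " "}:
        raise ValueError("unexpected show user-session layout: no dashed rule under the header")
    # Columns are separated by runs of two or more spaces. 'IP Address'
    # contains a single space, so a plain split() would break the header.
    header = re.split(r"\s{2,}", lines[0].strip())
    sessions: List[Dict[str, str]] = []
    for row in lines[2:]:
        fields = re.split(r"\s{2,}", row.strip())
        if len(fields) != len(header):
            raise ValueError(f"row has {len(fields)} fields, expected {len(header)}: {row!r}")
        sessions.append(dict(zip(header, fields)))
    return sessions


def terminable_sessions(text: str, own_session_id: str) -> List[str]:
    """IDs of sessions that are killable and are not the caller's own session."""
    own = str(own_session_id)
    return [
        session["ID"]
        for session in parse_user_sessions(text)
        if session["Killable"].lower() == "yes" and session["ID"] != own
    ]


def terminate_commands(session_id: str) -> List[str]:
    """The two CLI commands from steps 2 and 3 of the procedure, in order."""
    return [f"scope user-session {session_id}", "terminate"]


if __name__ == "__main__":
    # Pretend we are the admin at session 10, as in the guide's example.
    for sid in terminable_sessions(SAMPLE_OUTPUT, "10"):
        print(f"session {sid}:")
        for command in terminate_commands(sid):
            print(f"  {command}")
```

Run against pasted output, the script lists only the sessions the procedure allows you to terminate: a row marked Killable no, such as the constructed vKVM session, is skipped, and so is your own session ID.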