Contents
Managing User Accounts
This chapter includes the following sections:
Configuring Local Users
Before You BeginProcedureYou must log in as a user with admin privileges to configure or modify local user accounts.
Active Directory
Active Directory is a technology that provides a variety of network services including LDAP-like directory services, Kerberos-based authentication, and DNS-based naming. The CIMC utilizes the Kerberos-based authentication service of Active Directory.
When Active Directory is enabled in the CIMC, user authentication and role authorization is performed by Active Directory for user accounts not found in the local user database.
By checking the Enable Encryption check box in the Active Directory Properties area, you can require the server to encrypt data sent to Active Directory.
Configuring the Active Directory Server
ProcedureThe CIMC can be configured to use Active Directory for user authentication and authorization. To use Active Directory, configure users with an attribute that holds the user role and locale information for the CIMC. You can use an existing LDAP attribute that is mapped to the CIMC user roles and locales or you can modify the Active Directory schema to add a new custom attribute, such as the CiscoAVPair attribute, which has an attribute ID of 1.3.6.1.4.1.9.287247.1. For more information about altering the Active Directory schema, see http://technet.microsoft.com/en-us/library/bb727064.aspx.
Use this procedure to create a custom attribute on the Active Directory server.
Note
This example creates a custom attribute named CiscoAVPair, but you can also use an existing LDAP attribute that is mapped to the CIMC user roles and locales.
Step 1 Ensure that the Active Directory schema snap-in is installed. Step 2 Using the Active Directory schema snap-in, add a new attribute with the following properties: Step 3 Add the CiscoAVPair attribute to the user class using the Active Directory snap-in: Step 4 Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to CIMC:
Role
CiscoAVPair Attribute Value
admin
shell:roles="admin"
user
shell:roles="user"
read-only
shell:roles="read-only"
Note For more information about adding values to attributes, see http://technet.microsoft.com/en-us/library/bb727064.aspx.
What to Do Next
Use the CIMC to configure Active Directory.
Configuring Active Directory in CIMC
Procedure
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, click User Management. Step 3 In the User Management pane, click the Active Directory tab. Step 4 In the Active Directory Properties area, update the following properties:
Name Description Enabled check box
If checked, user authentication and role authorization is performed by Active Directory for user accounts not found in the local user database.
If you check this box, CIMC enables the rest of the fields in this section.
Server IP Address field
The Active Directory server IP address.
Timeout field
The number of seconds the CIMC waits until the LDAP search operation times out.
If the search operation times out, CIMC tries to connect to the next domain controller or global catalog listed on this tab, if one is available.
Enable Encryption check box
If checked, the server encrypts all information it sends to Active Directory.
Domain field
The IPv4 domain that all users must be in.
This field is required unless you specify at least one Global Catalog server address.
Attributes field
An LDAP attribute that contains the role and locale information for the user. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.
The LDAP attribute must have the following attribute ID:
1.3.6.1.4.1.9.287247.1
Note If you do not specify this property, user access is restricted to read-only.
Step 5 Click Save Changes. Step 6 To log into the Active Directory server, enter the domain name, back slash (\), and the Active Directory username. For example, if the domain name is mydomain.com and the Active Directory username is admin, then the login name would be mydomain.com\admin.
Viewing User Sessions
Procedure
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, click User Management. Step 3 In the User Management pane, click the Sessions tab. Step 4 View the following information about current user sessions:
Tip Click a column header to sort the table rows, according to the entries in that column.
Name Description Session ID column
The unique identifier for the session.
Username column
The username for the user.
IP Address column
The IP address from which the user accessed the server.
Type column
The method by which the user accessed the server. For example, CLI, vKVM, and so on.
Action column
If your user account is assigned the admin user role, this column displays Terminate if you can force the associated user session to end. Otherwise it displays N/A.
Note You cannot terminate your current session from this tab.