IBM Flex System CMM and Active Directory Integration

I’ve had a lot of questions from people about integrating the IBM Flex System CMM with Active Directory or LDAP authentication because, let’s face it, IBM documentation is not the best in the industry and this part is kind of missing there :/

For those of you who have worked with the IBM BladeCenter AMM before it might be easy, as the configuration is basically the same and, most importantly, documentation for it actually exists, at least to some extent.

You can check it out here: Configuring LDAP in BladeCenter AMM / Flex CMM


If you don’t want to spend time reading the manual, here is a simplified version:

Note: I configured the IP and DNS information in advance.

  1. Log in to the CMM console.
  2. Go to Mgt Module Management>Network>LDAP Client
  3. Specify the following settings (the rest are optional and mostly used to narrow searches, tune search performance and secure the connection):
    1. LDAP Authentication: Use LDAP Servers for Authentication Only (with local authorization). Active Directory only verifies the password; which CMM role the user gets is decided by the Group Profiles defined on the CMM.
    2. LDAP Servers: Use DNS to find LDAP Servers
    3. Domain Name: uniadmin.local
    4. Binding method: w/ Login credentials. The CMM binds to the LDAP server with the credentials the user types at login, so the password travels from the CMM to the domain controller and the connection should be protected accordingly.
    5. Apply
CMM Active Directory Properties

Now we have to map CMM roles to Active Directory groups.
Go to Mgt Module Management>User Accounts>Group Profiles>Add a Group.

Note: the Group ID (Group Profile Name) is the name of the group in Active Directory, so it must be spelled exactly as the AD group is named.

CMM AD group mapping

The last step is to specify the order of authentication: Mgt Module Management>User Accounts>Accounts>Global Login Settings>General. Select a User authentication method that includes External server. I suggest always keeping Local as a backup, so that you are not locked out of the chassis when the domain controllers or DNS are unreachable. That local account then becomes an emergency credential: give it a strong password and keep it out of daily use.

CMM authentication order

You are done!
Log out from the CMM and try to log in with your domain credentials.
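Before that first login it is worth checking the Active Directory side of the setup, because a failed CMM login gives you very little to go on. The following PowerShell is an added example, not part of the original post or IBM’s documentation: it verifies the SRV records that “Use DNS to find LDAP Servers” depends on, checks that the advertised domain controllers are reachable on the LDAP ports, creates the security group the Group Profile is mapped to and confirms the login account is a member. uniadmin.local is the domain from the post; the group name, user name and DNS server address are placeholders, and the 636 and 3268 checks only matter if you use LDAPS or a multi-domain forest. It needs the ActiveDirectory and DnsClient modules (RSAT) on a domain-joined admin host.

```powershell
# Added example: AD-side checks for the CMM LDAP client setup described in this post.
# Requires the ActiveDirectory and DnsClient modules (RSAT) on a domain-joined admin host.
# uniadmin.local comes from the post; group, user and DNS server values are placeholders.

$Domain       = 'uniadmin.local'     # entered as "Domain Name" on the CMM LDAP Client page
$GroupName    = 'CMM-Supervisors'    # must match the CMM Group Profile name exactly (assumed name)
$LoginUser    = 'jdoe'               # account that will log in to the CMM (assumed name)
$CmmDnsServer = '10.0.0.10'          # DNS server configured on the CMM (assumed address)

# 1. "Use DNS to find LDAP Servers" depends on the domain's _ldap._tcp SRV records.
#    Ask the DNS server the CMM uses, not the workstation's resolver, to catch split-DNS issues.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                       -Server $CmmDnsServer -ErrorAction SilentlyContinue
if (-not $srv) { throw "No _ldap._tcp SRV records for $Domain on $CmmDnsServer" }
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 2. Every advertised DC must be reachable from the management network:
#    389 = LDAP, 636 = LDAPS (only relevant if TLS is enabled on the CMM LDAP client),
#    3268 = Global Catalog (only relevant when members come from other domains of the forest).
$dcs = $srv | Select-Object -ExpandProperty NameTarget -Unique
foreach ($dc in $dcs) {
    foreach ($port in 389, 636, 3268) {
        $open = (Test-NetConnection -ComputerName $dc -Port $port `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-40} {1,5} {2}' -f $dc, $port, $(if ($open) { 'open' } else { 'CLOSED' })
    }
}

# 3. Create the security group the CMM Group Profile is mapped to, if it does not exist yet.
#    Use -GroupScope DomainLocal instead if members will come from other domains of the forest.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Description 'Members receive the Supervisor role on the Flex System CMM'
}
Add-ADGroupMember -Identity $GroupName -Members $LoginUser

# 4. Confirm the login account is a direct member of the group.
$isMember = [bool](Get-ADGroupMember -Identity $GroupName |
                   Where-Object { $_.SamAccountName -eq $LoginUser })
if (-not $isMember) { throw "$LoginUser is not a member of $GroupName" }
"$LoginUser is a member of $GroupName; log in to the CMM as $Domain\$LoginUser to verify the role."
```

Run it from the same network segment as the CMM where possible; a DC that answers the SRV query but is filtered on 389 from the management VLAN is the most common reason the CMM reports a failed external login even though the password is correct.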

About Dusan Tekeljak

Dusan has over 6 years’ experience in the Virtualization field. Currently working as Senior VMware platform Architect at one of the biggest retail banks in Slovakia. He has a background in closely related technologies including server operating systems, networking and storage. Used to be a member of the VMware Center of Excellence at IBM, co-author of several Redpapers. His main scope of work consists of designing and performance optimization of business critical virtualized solutions on vSphere, including, but not limited to, Oracle WebLogic, MSSQL and others. He holds several IT industry leading certifications like VCAP-DCD, VCAP-DCA, MCITP and others. Honored with #vExpert2015 and 2016 awards by VMware for his contribution to the community. Opinions are my own!

6 Comments

  1. Thanks so much for this; saved a headache.

  2. Thank you, you’re a star.

  3. Dusan, thanks for your work, but I have one question. What if I have a forest and would like to grant access to users not only from the root but also from sub-domains?

    • Found it out myself – just select “LDAP Servers” – “Use Pre-configured servers”. Add servers by domain name, for example:
      root.local 3268
      sub1.root.local 3268
      sub2.root.local 3268

      Create a group in the root domain (security – domain local group). Add users from the subdomains to the group.

      PS: of course you need a correct DNS server setup.

  4. Thanks for your example, Dmitriy!
    Unfortunately I don’t have an environment to test it right now, but here is what I think could also work:

    If you want to have access from multiple domains, create a security group in the root domain as you suggested and
    Use DNS to find LDAP Servers
    Active Directory Forest Name: domain.local
    Domain Name: domain.local

    Another option:
    Create the group in a sub-domain (just to manage it in the correct place, like infra.domain.local); you should be able to add members from the other domains as well
    Use DNS to find LDAP Servers
    Active Directory Forest Name: domain.local
    Domain Name: infra.domain.local
