IBM Flex System CMM and Active Directory Integration


I have had a lot of questions from people about integrating the IBM Flex System CMM with Active Directory or LDAP authentication because, let's face it, the IBM documentation is not the best in the industry and this part is pretty much missing from it.

For those of you who have worked with the IBM BladeCenter AMM before, this should be easy: the configuration is basically the same and, most importantly, documentation for the AMM actually exists, to some extent.

You can check it out here: Configuring LDAP in BladeCenter AMM / Flex CMM


If you don't want to spend time reading the manual, here is the simplified version:

Note: I configured the IP and DNS information in advance.

  1. Log in to the CMM console.
  2. Go to Mgt Module Management > Network > LDAP Client.
  3. Specify the following settings (the remaining options are optional and are mostly used to tune search performance or tighten security):
    1. LDAP Authentication: Use LDAP Servers for Authentication Only (with local authorization)
    2. LDAP Servers: Use DNS to find LDAP Servers
    3. Domain Name: uniadmin.local
    4. Binding method: w/ Login credentials
    5. Apply

With "w/ Login credentials" the CMM binds to the directory using the username and password the person types at the CMM login prompt, so the CMM does not need a service account of its own; the flip side is that every login sends those domain credentials to a domain controller, so the connection between the CMM and the directory should be encrypted rather than plain LDAP.

[Screenshot: CMM Active Directory Properties]

 
Now we have to pair the roles in the CMM with Active Directory groups.
Go to Mgt Module Management > User Accounts > Group Profiles > Add a Group.

Note: the Group ID (Group Profile Name) is the name of the group in Active Directory. With local authorization the CMM only verifies the password against AD and takes the role from the matching Group Profile, so a user whose AD groups match no Group Profile has no role on the CMM.

[Screenshot: CMM AD group mapping]

The last step is to specify the order of authentication: Mgt Module Management > User Accounts > Accounts > Global Login Settings > General. Select a User authentication method that includes External server. I suggest always keeping Local as a backup, so that you are not locked out of the CMM when the directory is unreachable or the LDAP settings turn out to be wrong.

[Screenshot: CMM authentication order]

You are done!
Keep your current session open and try to log in with your domain credentials from a second browser session; once that works, log out of the CMM.
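Before logging out, it is worth confirming that the user's AD groups really match the Group Profile names typed into the CMM. The following script is an added example, not code from IBM or from this post: it parses the LDIF that `ldapsearch` returns for the user (for example `ldapsearch -x -LLL -H ldaps://dc.uniadmin.local -D jdoe@uniadmin.local -W -b DC=uniadmin,DC=local '(sAMAccountName=jdoe)' memberOf`) and reports which Group Profile names would match, flagging names that differ only in case. It also covers the forest case from the comments below, where a group in another domain lists the user in its `member` attribute: include that group object in the LDIF and it is counted too. All DNs, group names, the hypothetical `root.local` forest root and the sample LDIF are constructed for the example.

```python
"""Pre-flight check for the CMM "authentication only, local authorization"
setup: which CMM Group Profiles would the user match?  Example code; every
DN, name and the sample LDIF below are constructed."""
import base64
import re


def unfold(text):
    """LDIF folds long values; a continuation line starts with one space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict mapping lower-cased
    attribute names to a list of values.  '::' marks a base64 value, which
    ldapsearch emits for anything it cannot print as plain ASCII."""
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():            # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def rdn_value(dn):
    """First RDN value of a DN with LDAP escapes removed, e.g. the CN of an
    AD group, which is what has to equal the CMM Group Profile name."""
    m = re.match(r"^[A-Za-z]+=((?:\\.|[^,])*)", dn)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None


def groups_of(entries, sam_account_name):
    """Return (user entry, set of group DNs).  Groups come from the user's
    memberOf and from any group entry in the LDIF whose member attribute
    lists the user DN; the latter covers a group in another domain of the
    forest, which the user's own domain controller may not show in memberOf."""
    wanted = sam_account_name.lower()
    user = next((e for e in entries
                 if wanted in (v.lower() for v in e.get("samaccountname", []))), None)
    if user is None:
        return None, set()
    user_dn = user["dn"][0].lower()
    groups = set(user.get("memberof", []))
    for e in entries:
        is_group = any(c.lower() == "group" for c in e.get("objectclass", []))
        if is_group and user_dn in (mbr.lower() for mbr in e.get("member", [])):
            groups.add(e["dn"][0])
    return user, groups


def check_cmm_access(ldif_text, sam_account_name, cmm_profiles):
    """Report which CMM Group Profiles the user would match.  Profile names
    that differ from a group only in case are listed separately, so a typo
    in the CMM is caught before anyone is locked out."""
    user, group_dns = groups_of(parse_ldif(ldif_text), sam_account_name)
    if user is None:
        return {"user_found": False, "groups": [], "matched": [], "case_mismatch": []}
    cns = sorted(v for v in map(rdn_value, group_dns) if v)
    lowered = {c.lower() for c in cns}
    return {
        "user_found": True,
        "groups": cns,
        "matched": [p for p in cmm_profiles if p in cns],
        "case_mismatch": [p for p in cmm_profiles if p not in cns and p.lower() in lowered],
    }


# Constructed sample shaped like ldapsearch output: one user entry (with a
# folded memberOf and a base64 memberOf) plus a group object from the
# hypothetical forest root root.local that lists the user as a member.
AUDIT_DN = r"CN=CMM-Audit\, Zürich,OU=Infra,DC=uniadmin,DC=local"
SAMPLE_LDIF = f"""\
dn: CN=Jane Doe,OU=Users,DC=uniadmin,DC=local
objectClass: user
sAMAccountName: jdoe
memberOf: CN=CMM-Operators,OU=Infra,
 DC=uniadmin,DC=local
memberOf:: {base64.b64encode(AUDIT_DN.encode()).decode()}

dn: CN=CMM-Admins,OU=Infra,DC=root,DC=local
objectClass: group
member: CN=Jane Doe,OU=Users,DC=uniadmin,DC=local
"""

if __name__ == "__main__":
    profiles = ["CMM-Admins", "cmm-operators", "CMM-Audit, Zürich"]
    print(check_cmm_access(SAMPLE_LDIF, "jdoe", profiles))
```

Whether the CMM compares Group Profile names case-sensitively is not something this post establishes, which is why the script reports a case-only difference as a separate warning instead of treating it as a match.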

About Dusan Tekeljak

With over 12 years of experience in the Virtualization field, currently working as a Senior Consultant for Evoila, contracted to VMware PSO, helping customers with Telco Cloud Platform bundle. Previous roles include VMware Architect for Public Cloud services at Etisalat and Senior Architect for the VMware platform at the largest retail bank in Slovakia. Background in closely related technologies includes server operating systems, networking, and storage. A former member of the VMware Center of Excellence at IBM and co-author of several Redpapers. The main scope of work involves designing and optimizing the performance of business-critical virtualized solutions on vSphere, including, but not limited to, Oracle WebLogic, MSSQL, and others. Holding several industry-leading IT certifications such as VCAP-DCD, VCAP-DCA, VCAP-NV, and MCITP. Honored with #vExpert2015-2019 awards by VMware for contributions to the community. Opinions are my own!

6 Comments

  1. Thanks so much for this; saved a headache.

  2. Thank you, you’re a star.

  3. Dusan, thanks for your work, but I have one question. What if I have a forest and would like to grant access to users not only from the root but also from sub-domains?

    • Found it out myself: just select "LDAP Servers" – "Use Pre-configured servers". Add the servers by domain name, for example:
      root.local 3268
      sub1.root.local 3268
      sub2.root.local 3268

      Create a group in the root domain (security, domain local group). Add users from the sub-domains to the group.

      PS: of course you need the correct DNS server setup.

  4. Thanks for your example, Dmitriy!
    Unfortunately I don't have an environment to test it right now, but I think this could also work:

    If you want to have access from multiple domains, create a security group in the root domain as you suggested and use:
    Use DNS to find LDAP Servers
    Active Directory Forest Name: domain.local
    Domain Name: domain.local

    Another option:
    Create the group in a sub-domain (just to manage it in the correct place, like infra.domain.local); you should be able to add members from the other domains as well. Then use:
    Use DNS to find LDAP Servers
    Active Directory Forest Name: domain.local
    Domain Name: infra.domain.local
