Authentication-Only mode should not be used on the Chassis Management Module (CMM) - IBM Flex Systems



Source

RETAIN tip: H21336

Symptom

The Chassis Management Module (CMM) supports Authentication-Only Mode (AOM), whereby an external Lightweight Directory Access Protocol (LDAP) server can be used for user authentication, but not for user authorization.

User credentials are verified at the external LDAP server, and group membership information is retrieved. Assuming that the credentials are correct, the user authorization portion occurs on the CMM.

The group membership information retrieved from the LDAP server is used to find matching locally configured groups on the CMM. The permissions associated with those matched groups (which also are configured locally on the CMM) are then assigned to the user.

This useful feature does not require users to configure authorization information on the external LDAP server. This is an important requirement because many LDAP administrators do not want to modify the contents of their server for any reason.

The pertinent issue with this feature is that the Integrated Management Module (IMM) and Flexible System Processor (FSP) do not support it.

This means that if the CMM is pointing to an external LDAP server, the IMM code is able to authenticate to that LDAP server, but it can fail to find permissions associated with the user.

If the LDAP administrator has not configured permissions for a user (which is most likely the case), then the IMM or FSP is unable to associate permissions with that user. This results in a failed authentication request. Essentially, this breaks the IMM or FSP.
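The split between authentication and authorization described above, modelled as an added example (not IBM firmware code): the CMM under AOM authorizes from its locally configured groups, while the IMM/FSP expects permissions on the LDAP server itself. The directory contents, user names, passwords, group DNs and permission names are all constructed for the illustration.

```python
# Constructed stand-in for the external LDAP server (made-up users and passwords).
# It holds credentials and group membership only; the LDAP administrator has not
# added any authorization data, which the tip says is the common case.
LDAP_DIRECTORY = {
    "alice": {"password": "s3cret",
              "groups": ["cn=chassis-admins,ou=groups,dc=example,dc=com"],
              "permissions": None},   # nothing configured on the LDAP side
}

# Groups and permissions configured locally on the CMM (constructed values).
LOCAL_CMM_GROUPS = {
    "cn=chassis-admins,ou=groups,dc=example,dc=com": {"supervisor"},
    "cn=helpdesk,ou=groups,dc=example,dc=com": {"read-only"},
}

def ldap_bind(user, password):
    """Verify credentials at the 'LDAP server'; return the entry or None."""
    entry = LDAP_DIRECTORY.get(user)
    if entry is None or entry["password"] != password:
        return None
    return entry

def cmm_login(user, password):
    """AOM on the CMM: authenticate at LDAP, then authorize from local groups."""
    entry = ldap_bind(user, password)
    if entry is None:
        return (False, "invalid credentials")
    perms = set()
    for group in entry["groups"]:          # match LDAP groups to CMM-local groups
        perms |= LOCAL_CMM_GROUPS.get(group, set())
    if not perms:
        return (False, "no matching local group")
    return (True, sorted(perms))

def imm_login(user, password):
    """IMM/FSP (no AOM support): expects permissions to be held on the LDAP server."""
    entry = ldap_bind(user, password)
    if entry is None:
        return (False, "invalid credentials")
    if not entry["permissions"]:
        # Credentials were valid, but no permissions can be associated with the
        # user, so the request fails: the behaviour the tip describes.
        return (False, "authenticated, but no permissions found on LDAP server")
    return (True, sorted(entry["permissions"]))

if __name__ == "__main__":
    print(cmm_login("alice", "s3cret"))   # (True, ['supervisor'])
    print(imm_login("alice", "s3cret"))   # (False, 'authenticated, but no permissions found on LDAP server')
```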

Affected configurations

The system can be any of the following IBM servers:

  • Flex System Enterprise Chassis, type 7893, any model
  • Flex System Enterprise Chassis, type 8721, any model
  • Flex System Enterprise Chassis, type 8724, any model

The system is configured with one or more of the following IBM options:

  • Flex System Chassis Management Module, option 68Y7029, any replacement part number

This tip is not software specific.

CMM firmware Build ID 2PET10K and earlier is affected.

Solution

This behavior will be corrected in a future release of CMM, IMM, and FSP firmware.

The target date for this release is third quarter 2013.

The file is or will be available by selecting the appropriate Product Group, type of System, Product name, Product machine type, and Operating system on IBM Support's Fix Central web page, at the following URL:

  http://www.ibm.com/support/fixcentral/

Workaround

Do not use the AOM feature on the CMM.

Additional information

This feature should not be enabled on CMM until IMM and FSP support is available.

Applicable countries and regions



Document id:  MIGR-5093128
Last modified:  2013-06-11
Copyright © 2014 IBM Corporation