Authentication-Only mode should not be used on the Chassis Management Module (CMM) - IBM Flex Systems
RETAIN tip: H21336
The Chassis Management Module (CMM) supports Authentication-Only Mode (AOM), whereby an external Lightweight Directory Access Protocol (LDAP) server can be used for user authentication, but not for user authorization.
User credentials are verified at the external LDAP server, and group membership information is retrieved. Assuming that the credentials are correct, the user authorization portion occurs on the CMM.
The group membership information retrieved from the LDAP server is used to find matching locally configured groups on the CMM. The permissions associated with those matched groups (which also are configured locally on the CMM) are then assigned to the user.
This useful feature does not require users to configure authorization information on the external LDAP server. This is an important requirement because many LDAP administrators do not want to modify the contents of their server for any reason.
The pertinent issue with this feature is that the Integrated Management Module (IMM) and Flexible System Processor (FSP) do not support it.
This means that if the CMM is pointing to an external LDAP server, the IMM code is able to authenticate to that LDAP server, but it can fail to find permissions associated with the user.
If the LDAP administrator has not configured permissions for a user (which most likely is the case), then the IMM or FSP is unable to associate permissions with that user. This results in a failed authentication request. Essentially, this breaks the IMM or FSP.
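The mismatch described above can be modelled in a few lines. This is an added example, not IBM firmware logic or code from this tip; the directory entries, group names, permission names and function names are all constructed for illustration, and the "permissions" field stands in for whatever authorization data the LDAP server would have to hold for the IMM or FSP.

```python
import hmac

# Constructed LDAP entries. Group membership is always present; "permissions"
# stands for authorization data stored on the LDAP server itself, which an
# Authentication-Only Mode deployment normally leaves unset.
DIRECTORY = {
    "alice": {"password": "pw-a", "groups": ["cn=chassis-admins"], "permissions": None},
    "bob": {"password": "pw-b", "groups": ["cn=operators"], "permissions": ["read-only"]},
}

# Constructed local group table, as it would be configured on the CMM.
CMM_LOCAL_GROUPS = {
    "cn=chassis-admins": {"supervisor"},
    "cn=operators": {"read-only"},
}

def ldap_bind(user, password):
    """Credential check at the external LDAP server; returns the entry or None."""
    entry = DIRECTORY.get(user)
    if entry and hmac.compare_digest(entry["password"], password):
        return entry
    return None

def cmm_aom_login(user, password):
    """AOM: authenticate at LDAP, then authorize from locally configured groups."""
    entry = ldap_bind(user, password)
    if entry is None:
        return None
    perms = set()
    for group in entry["groups"]:
        # Exact-name matching is an assumption of this model.
        perms |= CMM_LOCAL_GROUPS.get(group, set())
    return perms

def imm_fsp_login(user, password):
    """No AOM support: permissions must come from the LDAP server, else the login fails."""
    entry = ldap_bind(user, password)
    if entry is None or not entry["permissions"]:
        return None
    return set(entry["permissions"])

def users_broken_on_imm_fsp():
    """Accounts that get permissions on the CMM under AOM but are rejected by IMM/FSP."""
    return sorted(
        user for user, entry in DIRECTORY.items()
        if cmm_aom_login(user, entry["password"])
        and imm_fsp_login(user, entry["password"]) is None
    )
```

Running `users_broken_on_imm_fsp()` against an export of the real directory and the CMM group table gives the list of accounts that would be locked out of the IMM or FSP if AOM were enabled.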
The system can be any of the following IBM servers:
The system is configured with one or more of the following IBM options:
This tip is not software specific.
CMM firmware with Build ID 2PET10K and earlier is affected.
This behavior will be corrected in a future release of CMM, IMM, and FSP firmware.
The target date for this release is third quarter 2013.
The file is or will be available by selecting the appropriate Product Group, type of System, Product name, Product machine type, and Operating system on IBM Support's Fix Central web page, at the following URL:
Do not use the AOM feature on the CMM.
This feature should not be enabled on CMM until IMM and FSP support is available.
Document id: MIGR-5093128