Centralized Authentication

While local user accounts are fine for a small number of servers, they quickly become difficult to manage at scale. Centralized authentication allows you to integrate the BMC with your organization's existing directory service, such as LDAP, Active Directory, or RADIUS. This provides a single source of truth for user accounts and allows you to enforce access policies consistently across your entire infrastructure.

This chapter guides you through connecting the BMC to your centralized authentication system.

Integrating with LDAP / Active Directory

Lightweight Directory Access Protocol (LDAP) and Microsoft's Active Directory are the most common directory services used in enterprise environments. Configuring the BMC to use them allows your team members to log in with their standard company credentials.

1. In the sidebar menu, navigate to Security and access > LDAP.

2. Check the Enable LDAP authentication box.

3. Fill in the connection details for your directory server:

   • Service type: Select OpenLDAP or Active Directory.

   • Server URI: The address of your domain controller (e.g., ldap://dc1.example.com). Use ldaps:// and enable SSL for a secure connection.

   • Bind DN: The full Distinguished Name of the service account the BMC will use to query the directory (e.g., cn=service-account,ou=users,dc=example,dc=com).

   • Bind Password: The password for the Bind DN service account.

   • Base DN: The starting point for directory searches, which is typically the root of your domain (e.g., dc=example,dc=com).

   • User ID attribute / Group ID attribute: (Optional) Specify the attributes used for user and group mapping (e.g., uid, cn).

4. Click Save settings.

[Image, EXISTING, Source: 9.2: 顯示 LDAP 設定頁面，其中包含伺服器 URI、繫結 DN 和基礎 DN 欄位的螢幕截圖。]

Once the connection is saved, you must map your directory groups to BMC roles.

1. In the Role groups section, click Add role group.

2. Enter the exact Group name from your Active Directory or LDAP.

3. Assign the corresponding Group privilege (Administrator, Operator, or ReadOnly).

4. Click Add. Repeat for all necessary groups.

[Image, EXISTING, Source: 9.2: 顯示「新增角色群組」對話方塊，其中包含群組名稱和群組權限下拉式選單的螢幕截圖。]

Integrating with RADIUS

RADIUS (Remote Authentication Dial-In User Service) is another common authentication protocol, often used in network infrastructure.

1. Navigate to Security and access > RADIUS.

2. Check the Enable RADIUS Authentication box.

3. Enter the server details:

   • Server Address: The IP address or hostname of your RADIUS server.

   • Port: The authentication port used by the RADIUS server (the default is usually 1812).

   • Secret: The shared secret key that the BMC and RADIUS server use to communicate securely. This must match the configuration on the RADIUS server.

4. (Optional) You can map up to three RADIUS groups (Group Name1, Group Name2, Group Name3) to specific privilege levels (Privilege 1, Privilege 2, Privilege 3).

5. Click Save settings.

[Image, EXISTING, Source: 9.6: 顯示 RADIUS 設定頁面，其中包含伺服器位址、連接埠、密碼和群組對應欄位的螢幕截圖。]

Defining the PAM authentication order

When you have multiple authentication methods enabled (e.g., local users and LDAP), you need to tell the BMC which one to try first. This is controlled by the PAM (Pluggable Authentication Modules) Order.

1. Navigate to Settings > PAM Order.

2. You will see a list of the enabled authentication modules (e.g., 1 - Internal Users, 2 - LDAP/AD).

3. Drag and drop the modules to change their position in the sequence.

4. Click Save.

[Image, EXISTING, Source: 7.15: 顯示 PAM 順序頁面，其中包含可拖放的「內部使用者」和「LDAP/AD」模組的螢幕截圖。]