Configuring remote authentication service using CLI

You can use the command-line interface (CLI) to configure the SAN Volume Controller to use remote authentication.

To use the SAN Volume Controller with a remote authentication service, follow these steps:

  1. Configure the cluster with the location of the remote authentication server.

    To change settings, issue the svctask chauthservice command. To view settings, issue the svcinfo lscluster command.

    You can use either an http or an https connection to the server. If you use the http option, the user name and password are transmitted in clear text over the IP network.

  2. Configure user groups on the cluster by matching those that are used by the authentication service.

    For each group of interest known to the authentication service, a SAN Volume Controller user group must be created with the same name and with the remote setting enabled. If, for example, members of a group called sysadmins require the SAN Volume Controller Administrator (admin) role, issue the following command:

    svctask mkusergrp -name sysadmins -remote -role Administrator

    If none of the groups for a user match any of the SAN Volume Controller user groups, the user is not permitted to access the cluster.

  3. Configure users who do not require Secure Shell (SSH) access.

    SAN Volume Controller users who are to use the remote authentication service and do not require SSH access should be deleted from the system. The superuser cannot be deleted and cannot use the remote authentication service.

  4. Configure users who require SSH access.

    All SAN Volume Controller users who are to use the remote authentication service and require SSH access must have their remote settings enabled and the same password set both on the cluster and on the authentication service.

    The remote setting instructs SAN Volume Controller to check the authentication service for group information for determining the role of the user.

  5. Configure the system time.

    The current time of both the SAN Volume Controller cluster and the system that is running the remote authentication service must match. The easiest way to do this is to use the same Network Time Protocol (NTP) server for both.

    Attention: Failure to follow this step could result in either poor interactive performance of the SAN Volume Controller user interface or in incorrect user-role assignments.
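
The following script is an added example, not part of the IBM documentation. It audits saved CLI output on an administrator workstation for the two conditions described in steps 1 and 2: an authentication service URL that uses http, and directory groups that have no user group of the same name with the remote setting enabled. The sample output is constructed, and the auth_service_url field name, the lsusergrp column layout, the colon-delimited format and exact-match group comparison are assumptions to verify against your cluster.

```shell
#!/bin/sh
# Added audit sketch: sample data is constructed; field and column names are assumptions.

# Constructed excerpt of colon-delimited "svcinfo lscluster" output.
SAMPLE_CLUSTER='name:cluster1
auth_service_configured:yes
auth_service_enabled:yes
auth_service_url:http://auth.example.com:16310/TokenService/services/Trust'

# Constructed colon-delimited "svcinfo lsusergrp" output.
SAMPLE_GROUPS='id:name:role:remote
0:SecurityAdmin:SecurityAdmin:no
1:Administrator:Administrator:no
5:sysadmins:Administrator:yes
6:auditors:Monitor:no'

# Print the value of one lscluster field. Only the first ':' is treated as
# the separator, because the URL value itself contains colons.
# usage: cluster_field FIELD "$lscluster_output"
cluster_field() {
    printf '%s\n' "$2" | sed -n "s/^$1://p"
}

# Classify the transport of the configured authentication service URL.
auth_transport() {
    case "$(cluster_field auth_service_url "$1")" in
        https://*) echo tls ;;
        http://*)  echo cleartext ;;  # user name and password sent unencrypted
        *)         echo unset ;;
    esac
}

# Print the role of each remote-enabled user group whose name equals one of
# the directory groups given. No output means no match: access is refused.
# usage: remote_roles "$lsusergrp_output" GROUP...
remote_roles() {
    table=$1; shift
    for g in "$@"; do
        printf '%s\n' "$table" |
            awk -F: -v g="$g" 'NR > 1 && $2 == g && $4 == "yes" { print $3 }'
    done
}

if [ "$(auth_transport "$SAMPLE_CLUSTER")" = cleartext ]; then
    echo "WARNING: authentication service URL uses http"
fi
echo "roles for staff,sysadmins: $(remote_roles "$SAMPLE_GROUPS" staff sysadmins)"
echo "roles for auditors: $(remote_roles "$SAMPLE_GROUPS" auditors)"
```

In the sample data, the auditors group exists on the cluster but does not have the remote setting enabled, so it yields no role for a remotely authenticated user.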
© Copyright IBM Corporation 2003, 2009. All Rights Reserved.