topic Re: iLO authentication using default Directory Schema in Server Management - Remote Server Management

iLO authentication using default Directory Schema

Shu-Chuan Lin — Tue, 20 Sep 2005 12:49:27 GMT

the iLO firmware version is 1.80. i have configured the iLO directory services according to the instructuction. However, the test failed at 'User Authentication' with message 'Unable to authenticate test user xxxx[User Object not found] Ceasing tests.

i am sure that the test user that i had entered is a valid domain user. what is this 'User Object not foun' really means?

please help.

thanks.
Shu-Chuan Lin

Re: iLO authentication using default Directory Schema

pratap m keshava — Wed, 21 Sep 2005 05:59:17 GMT

Hi,
Check if you have given the correct user context in of the user context fields in the directory settings page for the user you are trying to test the directory settings. If you don't give the correct user context, you will get the same error. the format will look like CN=Users,DC=yourdomain,DC=com

Re: iLO authentication using default Directory Schema

Shu-Chuan Lin — Wed, 21 Sep 2005 08:57:18 GMT

are you saying the test user has to be define in the 'Directory User Context'? anyway, so i added the test user to the user context. the test failed at the same 'User Authentication' with message 'Unable to authenticate test user '.

Re: iLO authentication using default Directory Schema

pratap m keshava — Wed, 21 Sep 2005 23:55:36 GMT

What i mean is, You need to add the "Context" of the user in the directory settings page. You don't need to include user name in the context. Only the context for the parent folder of the user would be enough.
For eg: Say the user "abc" is in the Path "Users" in the Active directory in domain say "yourdomian.com". You need to give the context as CN=Users,DC=yourdomain,DC=com and NOT CN=abc,CN=Users,DC=yourdomain,DC=com

Re: iLO authentication using default Directory Schema

Shu-Chuan Lin — Thu, 22 Sep 2005 08:29:19 GMT

that was exactly what i entered in the 'context'. the test still failed at 'User Authentication' with message 'Unable to authenticate test user xxxx. Without (User Object not found) after the User Context was added.

this is the first time we are trying th iLO authentication using default schema. Thank you very much for being patience with me.

Re: iLO authentication using default Directory Schema

pratap m keshava — Thu, 22 Sep 2005 23:40:18 GMT

Hi,
The error may be because you haven't added the user to any of the groups (either default or customizable) in iLO. Try the following steps

In the Active directory create a group say "testgrp" in "Users". Make the user "abc" a Member of "testgrp".

This can be done by select "testgrp" -> right-click -> select properties. In "members" add the user "abc".

In directory settings page -> "Administer groups". Select one group say "Administrator". In the field "Security Group Distinguished Name" enter CN=testgrp,CN=Users,DC=mydomain,DC=com.

(Make sure there is no extra space in the string) Set appropriate rights (login right is default) for the group "testgrp". These rights will be available for all the members of the group "testgrp". Save the information.

Re: iLO authentication using default Directory Schema

Sandra Inderbitzin — Wed, 28 Sep 2005 09:02:24 GMT

Hi

I have nearly the same error. I cannot bind to directory server. "Unable to authenticate test user" is the message, credentials invaled. But they are valid :-)

In the Active directory create a group say "testgrp" in "Users". Make the user "abc" a Member of "testgrp".
==> done

In directory settings page -> "Administer groups". Select one group say "Administrator". In the field "Security Group Distinguished Name" enter CN=testgrp,CN=Users,DC=mydomain,DC=com.
==> done

(Make sure there is no extra space in the string) Set appropriate rights (login right is default) for the group "testgrp". These rights will be available for all the members of the group "testgrp". Save the information.
==> done

But I don't know if I have the right config on the Directory settings screen. Perhaps you can help me? I have my actual settings enclosed.

Thank you very much in advance!

Re: iLO authentication using default Directory Schema

pratap m keshava — Thu, 29 Sep 2005 00:23:01 GMT

Hi, In the image you have sent, the Directory user context field is missing. The fields "LOM object Distinguished name" and "LOM object Password" and "LOM object password confirm" are not relevent to Default schema settings.

You need to enter the Directory user context in one of the 3 User context fields. Say if you have user "abc" in directory "Users" in Active directory, you need to enter in the Directory user context field, CN=abc,CN=Users,DC=yourdomain,DC=com. This should solve the problem as you have done other settings.

Re: iLO authentication using default Directory Schema

Sandra Inderbitzin — Fri, 30 Sep 2005 08:41:38 GMT

Hi!

I've deleted the LOM lines and inserted the context, but still I get the error credentials are invalid.

I took a user who isn't in a iLO-Group and got the error No login rights, so I know, that this works.

But why it tells me the credentials are invalid??

Re: iLO authentication using default Directory Schema

Shu-Chuan Lin — Fri, 30 Sep 2005 12:42:13 GMT

Exactly. I think I will call the HP response center for help. Thank you all for your help.

Re: iLO authentication using default Directory Schema

Sandra Inderbitzin — Mon, 03 Oct 2005 08:52:20 GMT

Well, login via CN now is working :-) but not the login via user@domain.com

In the iLO-Help there is written:

==============
Example 3
(Active Directory only)
Microsoft Active Directory allows an alternate user credential format. Search contexts in this format cannot be tested except by successful login using them. A user may login as:
user@domain.hp.com
in which case a search context of
@domain.hp.com
allows the user to login as
user
==============

Is "Active Directory only" only works with HP schema extension or with the schema-less integration also?

Re: iLO authentication using default Directory Schema

Sharon Almog_1 — Mon, 31 Oct 2005 07:26:43 GMT

Andre,

When you select "Default Schema" then you dont need the HP Schema objects nor expanding the Active Directory Schema !

The HP Schema expansion, provides you additional benefit of migrating the ILO cards into an OU and link HP Security Roles (which of course being added by the Schema Expansion via HP Tools), and by that gain full ILO management via Active Directory from all aspects.

Sharon

Re: iLO authentication using default Directory Schema

Rob Ingenthron — Thu, 26 Oct 2006 17:56:50 GMT

This thread was interesting and informative, but it doesn't address my specific issue, though it touches on related settings.

Schema-free works for me when using a CN/Display Name.

Our schema has the HP schema extensions, so I switched an iLo to use them.

After many days of trial and error and fruitless searches, I am stumped.

Logging in with "name@domain.com" or "domain\name" both fail with the same error. Here's the error from the test:
-----
Initiating Directory Settings diagnostic for server dc2.domain.com
Directory Server address dc2.domain.com resolved to 172.24.36.10
Accepting Directory Server certificate for /CN=dc2.domain.com signed by /EMAIL=ca-admin@domain.net/C=US/ST=California/L=Sunnyvale/O=Our Company, Inc./OU=Our Company Certificate Authority/CN=Our Company Root CA
Unable to access directory with LOM Object Password.
Test user user@domain.com authenticated.
Role CN=GOMS-iLo-Access-All,OU=Roles,OU=HP,OU=Common,DC=domain,DC=com
Cumulative rights gained:

None
Unable to authorize test user.

Tests complete.
----------

The only tests that fail are the "LOM Object password" and "User authorization".

I've tried to just login, too, and those logins fail. Only the local "administrator" account defined for the iLo works.

The LOM object obviously exists, and I've tried creating it with no password, the word "password"... Doesn't matter. The user ID is fine, and it works with the schema-free setup.

There is NO documention on this error, there's almost NO documentation on the LOM Object Password usage. There's no help file with guidelines for the LOM objects.

The user ID has FULL rights to the LOM object, based on the role applied.

The LOM object is nested (ie, under a couple of OU's) as are the roles.

I'm at a loss.

Any suggestions welcome!!!

-- Rob --