topic Re: Active Directory and ILO2, I am almost there!!!! in Server Management - Remote Server Management

Active Directory and ILO2, I am almost there!!!!

Dan Fitzgerald — Fri, 21 Mar 2008 13:25:20 GMT

OK I have been at setting up LDAP authentication through ad and ILO for about a week and have gotten really close and have tried every tid out there but still have one outstanding issue.

I am able to login with my DN string
CN=Test\, Dan,CN=Users,DC=ad,DC=domain,DC=com
(I got the string from the ldp utility and if it was not for a poster I would never have figured out the \ after Test)

I then was able to add
CN=Users,DC=ad,DC=domain,DC=com
to the Directory User Context 1: and now I can login with just Test\, Dan.

Obviously I can't leave it like this because users aren't gogin to know there DN especially with the \ after there last name.

I am looking to do what everyone else is trying to do and that is to be able to use the login name that is "dtest" for this user. I have tried adding the @ad.domain.com to the Directory User Context and that did not work.

I did see that there was mention of Active X having to be enabled and I have setup my active x setttings for "Internet" for the following
Allow previously unused ActiveX controls to run without prompt
Disable
Allow Scriptlets
Disable
Automatic prompting for ActiveX controls
Disable
Binary and script behaviors
Enable
Display video and animation on a webpage that does not use external media player
Disable
Download signed ActiveX controls
Prompt
Download unsigned ActiveX controls
Disable
Initialize and script ActiveX controls not marked as safe for scripting
Prompt
Run ActiveX controls and plug-ins
Enable
Script ActiveX controls marked as safe for scripting*
Enable

With no luck

Now I am not sure if there is a group policy pushing down to deny the active x ability to run and if anyone know the key to check that would be great.

well that is where I stand and if anyone knows of any more things to check that would be great.

Re: Active Directory and ILO2, I am almost there!!!!

barnett chan — Fri, 21 Mar 2008 15:39:35 GMT

Is your users in a group called test? ie CN=Test,CN=Users,DC=ad,DC=domain,DC=com. If so, add CN=TEST to your contest.

Your client needs to be in the same domain as your directory server for the short name to work. Try dtest@ad.domain.com.
Need to enable
Initialize and script ActiveX controls not marked as safe for scripting

Re: Active Directory and ILO2, I am almost there!!!!

Dan Fitzgerald — Fri, 21 Mar 2008 19:21:38 GMT

Hey BWC,

I do have a group similar to test called iLO (has the user dtest in it) so I added that to the string
CN=iLO,CN=Users,DC=ad,DC=domain,DC=com
I also made the change to the active X and tried logging in with dtest@ad.domain.com, ad.domain.com\dtest all without success.

Re: Active Directory and ILO2, I am almost there!!!!

M.S.Srivatsa — Sun, 23 Mar 2008 15:41:21 GMT

Please try modifying the following settings from the Network settings page
(Administration->Network) which would help the directory user to login with "Email"(loginname@domain) and "NetBios name"(domain/loginname)
formats.

Primary/Secondary/Tertiary DNS Server
The Primary/Secondary/Tertiary DNS server IP address should be same
as the Active directory server IP address.

Domain Name
This domain should be same as the domain for which the
Active directory server is configured.

One other suggestion
Please ensure "Directory Server Address" under "Administration->Security->Directory" has "FQDN"(Fully qualified
domain name) instead of IP address.
Example : test.rind.com

Re: Active Directory and ILO2, I am almost there!!!!

Dan Fitzgerald — Tue, 25 Mar 2008 13:01:50 GMT

Hi M.S

I did what you said and:

-Primary/Secondary/Tertiary DNS Server
The Primary/Secondary/Tertiary DNS server IP address should be same
as the Active directory server IP address.

It is, I only have one AD server in this test environment and it is also the only dns server.

-Domain Name
This domain should be same as the domain for which the
Active directory server is configured.

It is, ad.domain.com

-One other suggestion
Please ensure "Directory Server Address" under "Administration->Security->Directory" has "FQDN"(Fully qualified
domain name) instead of IP address.
Example : test.rind.com

This also was setup correctly.

I tried logging in as ad.domain.com/dtest and it did not work. It came up as unauthorized. Man this is a good one..

Re: Active Directory and ILO2, I am almost there!!!!

barnett chan — Tue, 25 Mar 2008 13:36:56 GMT

Since you are able to login with Test\,Dan; I believe your setup is correct. The problem is with the context. iLO is not able to find your users in the context specified in iLO.

Do you have a Container (folder) called Test? I used the wrong term of group earlier.

If you look at the User property for Account Dan, does it show "User logon name" as Dan follow by @ad.domain.com or is it Dtest?

If above is true. Then you should be able to login as ad.domain.com\dan or dan@ad.domain.com

Is it possible to get a screenshot of your mmc for the "AD Users and Computers" where the users are located?

Re: Active Directory and ILO2, I am almost there!!!!

barnett chan — Tue, 25 Mar 2008 14:56:55 GMT

ad.domain.com\dtest may not work. Try using ad\dtest or dtest@ad.domin.com. Assuming dtest is your login name.

Re: Active Directory and ILO2, I am almost there!!!!

Dan Fitzgerald — Tue, 25 Mar 2008 19:11:30 GMT

Hey BWC,

I dontt have a container called test. I have one called ilo so in ad under the USERS group I created the user dtest and also in the USERS folder I created the group ilo and added the user dtest to the ilo group. Is that the issue? Should the group ILO not be ing the USERS group that is created with AD? rather it should be under a new ou? I can get screen shots tomorow because it is in our test environment.

As far as this question
If you look at the User property for Account Dan, does it show "User logon name" as Dan follow by @ad.domain.com or is it Dtest?

it is dtest then @ad.analog.com

Re: Active Directory and ILO2, I am almost there!!!!

barnett chan — Tue, 25 Mar 2008 22:08:59 GMT

Dan,

If the users and groups are in the Users container, iLO should be able to locate the users. To make it simple to trouble shoot, go ahead and remove the group for now.
Are you using the "extended schema" method?

Re: Active Directory and ILO2, I am almost there!!!!

Dan Fitzgerald — Wed, 26 Mar 2008 11:31:32 GMT

No I am using the default schema or Schema-less approach. so you are saying to remove the user from the ilo group adn leave it in the users group? so the search context and the administrator group string would just be
CN=Users,DC=ad,DC=domain,DC=com

Re: Active Directory and ILO2, I am almost there!!!!

barnett chan — Wed, 26 Mar 2008 15:51:10 GMT

If your "iLO User (dtest)" is in the group iLO, and the iLO group is in the "Users" container, then the "Directory User Context" should be:
CN=Users,DC=ad,DC=domain,DC=com.
The "Directory Server Address" is ad.domain.com. Verify that you can ping ad.domain.com. If not, DNS issue.
-Click on "Administrator Group" button. Point this to your iLO Group. iLO below is the "User Group". ie
CN=iLO,CN=Users,DC=ad,DC=domain,DC=com.
-Make sure popup blocker is disabled on the browser.
-Need to enable
"Initialize and script ActiveX controls not marked as safe for scripting"

Logon as ad\dtest or dtest@ad.domain.com.

Re: Active Directory and ILO2, I am almost there!!!!

Roger Sandström — Thu, 27 Mar 2008 07:56:40 GMT

Hello everyone,

IÂ´m almost having the same problem. IÂ´m able to logon using full distinguished name or username@ad.domain.com. I have put up two "Directory User Context"

1 @ad.domain.com
2 OU=Users,OU=tech,DC=ad,DC=domain,DC=com

Why canÂ´t I logon using only the user id instead of full name?

Re: Active Directory and ILO2, I am almost there!!!!

Dan Fitzgerald — Thu, 27 Mar 2008 13:20:41 GMT

I have contacted HP support and have not gotten nearly as far as I have from the Forums but one thing they did tell me is that it is not supported i.e dtest. So you will need to login either (in my case) dtest@ad.domain.com or ad.domain.com/dtest. At least you have the @domain working. I can't even get that far.. I have to use the the CN of Test\,

If I am wrong on this please let me know...

Re: Active Directory and ILO2, I am almost there!!!!

M.S.Srivatsa — Thu, 27 Mar 2008 17:30:43 GMT

One more note for Default Schema:
Using @domain.com in the user context only
works with HP Extended Schema which is what can prevent you from logging in with your user id.

Re: Active Directory and ILO2, I am almost there!!!!

Dan Fitzgerald — Thu, 27 Mar 2008 17:47:21 GMT

Now I am using the the default schema (schema-less) so is HP wrong that I can't use just my user id?