topic Re: Help configuring LDAP integration for BladeSystem OA login in BladeSystem - General

Help configuring LDAP integration for BladeSystem OA login

Mikael Rönnbäck — Thu, 18 Dec 2008 14:08:58 GMT

I am trying to configure LDAP integration for logging into our Blades using our AD-keys instead of a local user.

I have read a few threads here, for example this, http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1277300
but cannot seem to get everything in order.

What happens is that when I run the LDAP tests I get a status of authentication = success but authorization = failed.

In addition I can use HP SIM as single sign-on and get logged in with my AD-key, but that's not completely what I want.

So obviously I have the servers in place and these settings correctly configured, but I am missing something in regards to actual access.

So, what should I actually put into each field, I am not sure after reading the manual ( http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00705292/c00705292.pdf ) what should actually be in each field.

Here's what I have
Directory Server address: myserver.mydomain.net
Directory Server SSL Port: 636
Search Context 1: OU=My OU,CN=Admin,CN=MainOU,DC=mydomain,DC=net

This is my first question, should the search context point to the path where the USER is or the path where the GROUP in which the user is a member is ?

And in which case should CN= be used or OU= be used ? is CN= only for users or groups and OU= for OU's ? (As you can guess I am more comfortable with the ILO authentication settings and config syntax... :-))

Additionally I have enabled the "Use NT Account Name Mapping (DOMAIN\username)" setting, is this only for easy login or for account lookup as well ?

On top of this I have added two domain groups, using their AD names, and granted the groups Administrator access, and I am member of the groups.

Still I get authorization failed ?

Re: Help configuring LDAP integration for BladeSystem OA login

Adrian Clint — Thu, 18 Dec 2008 15:16:02 GMT

Have you seen the threads on the iLO forum?
http://forums11.itrc.hp.com/service/forums/categoryhome.do?categoryId=298

There are a lot more on the ILO/OA AD integration.

Re: Help configuring LDAP integration for BladeSystem OA login

Mikael Rönnbäck — Fri, 19 Dec 2008 06:59:33 GMT

Do you have any specific thread in mind, since from when I look the threads in the ILO forum mainly seems to concern AD integration of ILO, not AD integration of OA ?

Re: Help configuring LDAP integration for BladeSystem OA login

Cederberg — Fri, 19 Dec 2008 07:29:46 GMT

Did you upload the Certificates from Active directory on your OA-card? you need thoose to get access to your AD.

And for the questions about wich ou to point out. You need to point to the OU where the users are as 2.31 and down doesn't support nested groups. Thats a new feature in 2.32

ou=Users,dc=MyCompany,dc=com

Re: Help configuring LDAP integration for BladeSystem OA login

Mikael Rönnbäck — Fri, 19 Dec 2008 09:23:48 GMT

Yes, the test result status says certificates are successfully read, and all tests pass (including authentication), except actual authorization.

I thought that would be related to membership in groups specified to allow access ?

Re: Help configuring LDAP integration for BladeSystem OA login

Mikael Rönnbäck — Fri, 19 Dec 2008 09:24:21 GMT

Btw, I have the 2.32 OA firmware in place.

Re: Help configuring LDAP integration for BladeSystem OA login

Raghuarch — Fri, 19 Dec 2008 15:23:15 GMT

This is my first question, should the search context point to the path where the USER is or the path where the GROUP in which the user is a member is ?

It should Point to the group in which user is member.

Try the below search Context:
Search Context 1: OU=My OU,OU=Admin,OU=MainOU,DC=mydomain,DC=net

If the Groups are directly under Users in Domain, Use CN otherwise use OU.

Re: Help configuring LDAP integration for BladeSystem OA login

Mikael Rönnbäck — Fri, 19 Dec 2008 15:26:29 GMT

Thank you, so, the Search contect should be in the form of OU= (not CN=) and point to the OU where the GROUPS are located. Check :)

And I've added the actual groups in that OU that I want to grant access.

But I still can't get things to work, I only get authentication success and authorization failure. So I must still be doing something wrong somewhere ?

Re: Help configuring LDAP integration for BladeSystem OA login

Raghuarch — Fri, 19 Dec 2008 15:32:38 GMT

Try logging to OA with the directory User.
Don't use the test LDAP Test Page. Does it work?

Re: Help configuring LDAP integration for BladeSystem OA login

Raghuarch — Fri, 19 Dec 2008 15:50:11 GMT

RÃ¶nnbÃ¤ck,

Try the attachment, is it same as your directory structure?
try the search context if it matches.

Re: Help configuring LDAP integration for BladeSystem OA login

Mikael Rönnbäck — Mon, 05 Jan 2009 12:17:41 GMT

Thanks for the ideas but no, logging in with the user does not work, if it had I wouldn't have tried the tests in the first place ;)

Yes, I would say my OU structure resembles example 1, and so does my search context string, but I still can't get login to work.

Re: Help configuring LDAP integration for BladeSystem OA login

Damien GIll — Fri, 09 Jan 2009 20:05:37 GMT

Hi,

ive just been doing a similar setup and after if figured out i should be using OU instead of CN started to get places.

One important thing ive found is that your group is in a different OU tree to the one where the user is located you must also specifcy the OU where the accounts exist (top level will do if the actual OU is nested below)
so i.e i have two context searches

1. OU=Groups,DC=domain,DC=com
2. OU=SiteName,DC=domain,DC=com

the user in question is in an ou 3 levels below site name and my group is in context search 1.

Hope this helps
Damien.

Re: Help configuring LDAP integration for BladeSystem OA login

Mikael Rönnbäck — Mon, 12 Jan 2009 07:36:25 GMT

Finally, thank you ever so much!

Quite funny though that it takes two OU searches, at least to me it's kind of natural that you don't keep all users and groups in the same OU, at least not with 50K+ users :-)

Still, with one search context to the where groups are and one to where the users are placed things started to just work right away.

Re: Help configuring LDAP integration for BladeSystem OA login

Mikael Rönnbäck — Mon, 12 Jan 2009 07:37:25 GMT

You must have a search context to both the OU where the groups are and one to where the users are located in case they are not located in the same OU.