BladeSystem - General
cancel
Showing results for 
Search instead for 
Did you mean: 

AD/LDAP Integration w/ Onboard Administrator -- Issues

 

AD/LDAP Integration w/ Onboard Administrator -- Issues

Hi folks -

We're in the process of bringing up a c7000 blade enclosure and our last task before putting it into production is to configure Active Directory authentication with our Onboard Administrator modules.

At this point, we're just trying to authenticate with a single domain controller, per the OA configuration guide.

Everything appears to be set up correctly (certificate uploaded, search context pointed at the OU where our group resides, domain group created in the OA matching our AD group, etc.)

Both of our OA modules are on v2.02, which I believe is the latest.

All of the troubleshooting steps in the OA guide come back as positive, so I think we're pretty close, just missing something small here.

Any help would be greatly appreciated. Thanks!

-Craig
16 REPLIES
Raghuarch
Honored Contributor

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

Hi Craig,

Please refer to page 181 it has detailed description of the steps.

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00702815/c00702815.pdf


Regards,
Raghuarch

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

This is exactly what we have been doing..have followed the guide to the letter, just no luck.

There's really no good error reporting for this, either.. it just says "invalid username/password."

-Craig
James ~ Happy Dude
Honored Contributor

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

Hello Craig,
Just to make sure, You are using your ACCOUNT NAME(admin profile) to login & not the USERNAME.

Regards,
James.
Raghuarch
Honored Contributor

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

Hi Craig,

I am listing some of the possible typo or other error which may occur.

In OA:
verify The IP address is Correct in Directory Server Address.
Verify the Search Context is correct.
Verify the group for which user is member is present under the Directory Groups of OA Page.

In Active Directory.
Verify the user is a member of Valid group.
Verify the user is member of Domain users and the new group you created.

Try installing a certificate this is Optional, LDAP should work even without a certificate.

Regards,
Raghuarch

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

The IP and port are def. correct.

For search context, we're just having it look the default 'Groups' folder, so we're using the following in the Search Context field:

OU=Groups,DC=xxxxxxxxx,DC=com

The group is in 'Directory Groups' and in the above directory path. The accounts we're trying to use are in the AD group (this is the same group we use for other devices, like our IPKVMs, for example.)

Have tried checking the 'Use NT Account Name Mapping' check box as well to no avail.

-Craig
Raghuarch
Honored Contributor

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

Hi Craig,

Can you try these.

CN=Groups,DC=xxxxxxxxx,DC=com
or
CN=Users,DC=xxxxxxxxx,DC=com

Regards,
Raghuarch

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

No dice on those, I had already tried them :(

-Craig
jmiller_2
Occasional Visitor

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

Craig i have this working on 13 chassis, but i am using edirectory. configed as follows...

Directory settings
server address...DNS alias for redundancy
port 636
Search1 ou=group name,ou=city,o=organization
search2 o=organization

Group
cn=my group,ou=groups,ou=city,o=organization
privilege level admin or whatever and then select the components in the bottom

good luck...

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

Where are you putting the DN for your group? In the 'Search Context 3' field?

-Craig

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

I tried putting the DN of my group I want to have rights as the name of the Directory Group in the OA, but still no dice.

I wish this had better error trapping, all I get is 'Invalid username/password'.. no idea if I'm even barking up the right tree here!

-Craig
Raghuarch
Honored Contributor

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

Hi Craig,

This is not a solution but you can check the for the right tree.

For this you should have iLO Advanced License.

when you configure the directory setting in the
iLO there is a button called test settings. this one will let you know where you are going wrong.

Please refer to the attachment.

Regards,
Raghuarch

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

Dang, that looks EXACTLY like what we need. Unfortunately, we don't have any other iLO2 than what is on these bl456s :(

I tried logging into the iLO of one of the blades just to see if I coiuld get to those settings and I can get all the way up until the Directory tab, at which time it tells me I'm not licensed for it.

Bummer!

-Craig
Raghuarch
Honored Contributor

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

Hi Craig,

if you have below configuration:
OU=Groups,DC=xxxxxxxxx,DC=com

Try
Search Context 1: OU=Groups, DC=xxxxx,DC=Com
Search Context 2: @xxxxxxx

when you log on try giving the display name of the user.
Example: user1 is the display name for the user1 if it doesn't work.
try giving the logon name: user1@xxxxxx.com

you can get the logon name and display name by right click and select properties on the user in the Directory.

Regards,
Raghuarch
jmiller_2
Occasional Visitor

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

The info I gave you earlier was for the OA in the chassis. If you do not have the Lic code for the blade iLo you can't use LDAP to go directly to the blade iLo's. The OA's give you full passthrough authentication to the blades.
Raghuarch
Honored Contributor

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

Hi Craig,

Did it work what did you try.
It will be helpful if you can share the steps to make it work.

Regards,
Raghuarch

Re: AD/LDAP Integration w/ Onboard Administrator -- Issues

No dice on getting this to work. We've given up and will try again once newer OA firmware comes out.

Every other device we have on our network that we've set up AD or RADIUS support for works like a champ.. except this.

Thanks for trying, though, it is appreciated.

-Craig