Help configuring LDAP integration for BladeSystem OA login

SOLVED
Mikael Rönnbäck
Super Advisor

I am trying to configure LDAP integration for logging into our Blades using our AD-keys instead of a local user.

I have read a few threads here, for example this, http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1277300
but cannot seem to get everything in order.

What happens is that when I run the LDAP tests I get a status of authentication = success but authorization = failed.

In addition I can use HP SIM as single sign-on and get logged in with my AD-key, but that's not completely what I want.

So obviously I have the servers in place and these settings correctly configured, but I am missing something in regards to actual access.

So, what should I actually put into each field, I am not sure after reading the manual ( http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00705292/c00705292.pdf ) what should actually be in each field.

Here's what I have
Directory Server address: myserver.mydomain.net
Directory Server SSL Port: 636
Search Context 1: OU=My OU,CN=Admin,CN=MainOU,DC=mydomain,DC=net

This is my first question: should the search context point to the path where the USER is, or the path where the GROUP in which the user is a member is?

And in which case should CN= be used or OU= be used? Is CN= only for users or groups and OU= for OUs? (As you can guess I am more comfortable with the iLO authentication settings and config syntax... :-))

Additionally I have enabled the "Use NT Account Name Mapping (DOMAIN\username)" setting; is this only for easy login or for account lookup as well?

On top of this I have added two domain groups, using their AD names, and granted the groups Administrator access, and I am member of the groups.

Still I get authorization failed?
13 REPLIES
Adrian Clint
Honored Contributor

Re: Help configuring LDAP integration for BladeSystem OA login

Have you seen the threads on the iLO forum?
http://forums11.itrc.hp.com/service/forums/categoryhome.do?categoryId=298

There are a lot more on the iLO/OA AD integration.
Mikael Rönnbäck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

Do you have any specific thread in mind? When I look, the threads in the iLO forum mainly seem to concern AD integration of iLO, not AD integration of OA.
Cederberg
Honored Contributor

Re: Help configuring LDAP integration for BladeSystem OA login

Did you upload the certificates from Active Directory to your OA card? You need those to get access to your AD.

And for the question about which OU to point to: you need to point to the OU where the users are, as 2.31 and below doesn't support nested groups. That's a new feature in 2.32.

ou=Users,dc=MyCompany,dc=com
Mikael Rönnbäck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

Yes, the test result status says certificates are successfully read, and all tests pass (including authentication), except actual authorization.

I thought that would be related to membership in the groups specified to allow access?
Mikael Rönnbäck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

Btw, I have the 2.32 OA firmware in place.
Raghuarch
Honored Contributor

Re: Help configuring LDAP integration for BladeSystem OA login

This is my first question: should the search context point to the path where the USER is, or the path where the GROUP in which the user is a member is?

It should point to the group in which the user is a member.

Try the search context below:
Search Context 1: OU=My OU,OU=Admin,OU=MainOU,DC=mydomain,DC=net

If the groups are directly under Users in the domain, use CN; otherwise use OU.
Mikael Rönnbäck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

Thank you, so the search context should be in the form of OU= (not CN=) and point to the OU where the GROUPS are located. Check :)

And I've added the actual groups in that OU that I want to grant access.

But I still can't get things to work; I only get authentication success and authorization failure. So I must still be doing something wrong somewhere?
Raghuarch
Honored Contributor

Re: Help configuring LDAP integration for BladeSystem OA login

Try logging in to the OA with the directory user.
Don't use the LDAP test page. Does it work?
Raghuarch
Honored Contributor

Re: Help configuring LDAP integration for BladeSystem OA login

Rönnbäck,

Try the attachment; is it the same as your directory structure?
Try the search context if it matches.
Mikael Rönnbäck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

Thanks for the ideas, but no, logging in with the user does not work; if it had, I wouldn't have tried the tests in the first place ;)

Yes, I would say my OU structure resembles example 1, and so does my search context string, but I still can't get login to work.
Damien GIll
Occasional Visitor
Solution

Re: Help configuring LDAP integration for BladeSystem OA login

Hi,

I've just been doing a similar setup, and after I figured out I should be using OU instead of CN, I started to get places.

One important thing I've found is that if your group is in a different OU tree to the one where the user is located, you must also specify the OU where the accounts exist (top level will do if the actual OU is nested below),
so, i.e., I have two context searches:

1. OU=Groups,DC=domain,DC=com
2. OU=SiteName,DC=domain,DC=com

The user in question is in an OU 3 levels below SiteName, and my group is in context search 1.

Hope this helps
Damien.
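To make the "authentication = success, authorization = failed" symptom concrete, here is an added illustration (not code from this thread, from HPE, or from the OA firmware): a small offline model in which the bind succeeds wherever the account lives, but authorization only succeeds when the user object can be found under one of the configured search contexts and belongs to an allowed group. The directory contents, user, password and group names are constructed for the example.

```python
# Simplified model of LDAP login on a management controller: authenticate = bind,
# authorize = locate the user under a search context, then check group membership.
# Everything below is constructed sample data, not a real directory.
DIRECTORY = {
    "CN=jdoe,OU=Staff,OU=SiteName,DC=domain,DC=com": {
        "objectClass": "user",
        "password": "correct horse",  # constructed; a real bind checks this server-side
        "memberOf": ["CN=OA Admins,OU=Groups,DC=domain,DC=com"],
    },
    "CN=OA Admins,OU=Groups,DC=domain,DC=com": {"objectClass": "group", "memberOf": []},
}

def rdn_value(dn):
    """Value of the leftmost RDN, e.g. 'OA Admins' from 'CN=OA Admins,OU=Groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def in_subtree(dn, base):
    """Subtree-scope test: dn equals base or sits below it (DNs compare case-insensitively)."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)

def authenticate(username, password):
    """Model of the bind step: a DOMAIN\\username bind succeeds wherever the account lives."""
    return any(a["objectClass"] == "user" and rdn_value(dn).lower() == username.lower()
               and a["password"] == password for dn, a in DIRECTORY.items())

def authorize(username, search_contexts, allowed_groups):
    """Model of the authorization step: the user object must be found under one of the
    configured search contexts, and one of its memberOf groups must be an allowed group."""
    for base in search_contexts:
        for dn, attrs in DIRECTORY.items():
            if attrs["objectClass"] != "user" or rdn_value(dn).lower() != username.lower():
                continue
            if in_subtree(dn, base):
                groups = {rdn_value(g).lower() for g in attrs["memberOf"]}
                return any(g.lower() in groups for g in allowed_groups)
    return False  # user not under any search context: no object to read memberOf from

def login(username, password, search_contexts, allowed_groups):
    """Return (authenticated, authorized), the two results the OA's LDAP test reports."""
    if not authenticate(username, password):
        return (False, False)
    return (True, authorize(username, search_contexts, allowed_groups))

if __name__ == "__main__":
    groups_only = ["OU=Groups,DC=domain,DC=com"]
    both = groups_only + ["OU=SiteName,DC=domain,DC=com"]
    print(login("jdoe", "correct horse", groups_only, ["OA Admins"]))  # (True, False)
    print(login("jdoe", "correct horse", both, ["OA Admins"]))         # (True, True)
```

With only the groups OU configured the model reproduces the thread's symptom; adding the OU tree that holds the account makes authorization succeed.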
Mikael Rönnbäck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

Finally, thank you ever so much!

Quite funny though that it takes two OU searches; at least to me it's kind of natural that you don't keep all users and groups in the same OU, at least not with 50K+ users :-)

Still, with one search context pointing to where the groups are and one to where the users are placed, things started to just work right away.
Mikael Rönnbäck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

You must have a search context to both the OU where the groups are and one to where the users are located, in case they are not located in the same OU.