BladeSystem - General


 
chuckk281
Trusted Contributor

Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Christian had a customer question:

 

****************

 

Hi All,

 

Just wondering if anyone has some thoughts on this issue.

 

A couple days ago, the customer found they could no longer log into their OA's with LDAP accounts (about 18 enclosures). However, they can still log in to Virtual Connect modules in the same enclosures using the LDAP accounts that don't work on the OA's... Any ideas?? OA's are version 3.21. There have been no changes to anything as far as I'm aware.

 

If I run a test settings for an LDAP account I get 'Unable to authenticate test user Domain\username [LDAP Server Connect Failed]'

 

***************

 

Monty engaged:

 

***************

 

The error message you provided below indicates the OA cannot connect to the configured LDAP server.

 

Check that the LDAP server configured on the OA has not changed.

 

*******************

 

Any other suggestions or comments for Christian?

 

finlandrobert
Visitor

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Strange. This exact same issue just started happening on my site. Is there any answer for this? Nothing has changed on the server LDAP connects to. I would think that if it did, the change would also kill the Virtual Connect authentication as well. The same cert is used for the OA console and the Virtual Connect console. 

Jürgen Büchs
Occasional Advisor

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

The same situation here. I can't logon to OAs (2 enclosures) using an LDAP account. Already updated all firmware and checked the configuration again and again. Exactly the same user, group and LDAP server is working with the iLOs.

finlandrobert
Visitor

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

I think I have the answer! I noticed this little bit of information (that I didn't understand the consequences of before) on the following window of the blade... Enclosure Information, Users/Authentication, Directory Settings:

 

 "Use of single sign-on to ProLiant iLO 2 when logged into Onboard Administrator using a directory- based (LDAP) user account requires an iLO Select license. If you have not purchased an iLO Select license or the Insight Control Environment for BladeSystem, please contact HP or your HP partner sales representative for more information"

 

Soooo.... it looks like we're going to have to use local authentication or give HP more money to use this. The only idea I have now is that there was some sort of "grace period" that allowed the LDAP to AD authentication to work for a couple months, then locked it down(?). I know I don't have the advanced iLO Select license.

 

There is another error in the blade system log, found through: Enclosure Information, Active Onboard Administrator, System Log:

 

"OA: Authentication failure for user (username) from (ip address), requesting web service"

 

It looks like HP is controlling the access through the web services functions that the iLO select advanced license permits.

 

To find out what license you have, in the blade enclosure, navigate to Enclosure Information, Device Bays, any server, iLO. There, select "Web Administration" and it will open a new web page for that server, and under Licensing, it will give you the information. There is also this link:

 

You may learn more about iLO licensing at www.hp.com/go/ilo, including downloading a free trial license key.

 

BR,

Robert

Sebastian.Koehler
Honored Contributor

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Can you please confirm the exact error you're receiving? For example, our enclosures running with current (3.32) and less current firmware (3.12) also fail the test procedure. We see the following kind of error message during test authentication on Onboard Administrator and Virtual Connect modules, while ILO1, ILO2 and ILO3 are working as expected.

Initiating Directory Settings diagnostic for server dc.domain.com
Directory Server address dc.domain.com resolved to 192.168.100.200
Accepting Directory Server certificate for /CN=dc.domain.comsigned by /DC=com/DC=domain/CN=dc-DC-CA
Accepting Directory Server certificate for /CN=dc.domain.comsigned by /DC=com/DC=domain/CN=dc-DC-CA
Successful SSL connection (TLSv1/SSLv3, AES128-SHA, 128 bits)
Unable to authenticate test user DOMAIN\ldapuser [LDAP Server Connect Failed]
Some diagnostics FAILED for server dc.domain.com
Tests complete.

 

You're right, some features need ILO Select or Advanced, but not the basic LDAP authentication to the Onboard Administrator itself! We're currently working with HP to resolve this issue, any detailed feedback is welcome.

 

Regards,

Sebastian

Omega786
Visitor

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Hi !

I have a similar problem, all of a sudden AD logons to OA stopped working. Under Test settings I get [LDAP Server Connect Failed]
The workaround that works for me is that I specified another LDAP server, and instead of IP addresses I provided the FQDN.

However I am still looking to find why it stopped working in the first place and I would like to know why I can't use the same LDAP server. The LDAP server in question is providing other services which seem to be working fine.

Any info would be useful!

Thanks

 

 


29th Feb 2012.

This has stopped working again on alternate DCs so I don't know what's going on!!

Sebastian.Koehler
Honored Contributor

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Can you please verify if the certificate of the root CA or the one used on the DC for LDAPS has expired in the meantime? We've seen indications that the verification of OA/VCM is more strict than that of other components.

 

Regards,

Sebastian

Omega786
Visitor

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Hi!

The certificate had expired in Jan, and a new one was issued. The problem started happening mid-Feb, and as per the logs OA integration was working.

I did however reboot my domain controllers, and this started working, so for now it's fixed but I don't know what the exact reason for this would be!

 

Thanks

Sebastian.Koehler
Honored Contributor

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

If you have a Windows 2003 DC, this can be the issue. We see this on Windows 2008 SP2 and the new certificate is not accepted. It seems that the OA/VCM does a stricter certificate check than ILO, for example.

http://support.microsoft.com/kb/932834

http://support.microsoft.com/kb/839514

Regards,
Sebastian
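One way to reproduce the stricter certificate check Sebastian describes from a workstation, as an added Python example that is not part of this thread or of any HP tool: it validates an LDAPS server certificate's validity period and hostname the way a strict client would, using the dict shape Python's ssl getpeercert() returns. The sample certificate values and dates (CN dc.domain.com, expired January 2012, examined mid-February 2012) are constructed to mirror the thread, and probe_ldaps() is a hypothetical helper that performs a live, fully verified handshake on port 636.

```python
import socket
import ssl
import time

# Constructed sample mirroring the thread (not a real certificate): a DC cert
# that expired in January 2012, examined in mid-February 2012.
EXPIRED_DC_CERT = {
    "subject": ((("commonName", "dc.domain.com"),),),
    "subjectAltName": (("DNS", "dc.domain.com"),),
    "notBefore": "Jan 15 00:00:00 2011 GMT",
    "notAfter": "Jan 15 00:00:00 2012 GMT",
}
NOW_FEB_2012 = ssl.cert_time_to_seconds("Feb 15 00:00:00 2012 GMT")

def _cert_names(cert):
    # DNS SANs first, then the subject CN, as a strict verifier considers them.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v for k, v in rdn if k == "commonName")
    return names

def _name_matches(pattern, hostname):
    # Exact or single-label wildcard match, case-insensitive.
    p, h = pattern.lower(), hostname.lower()
    return p == h or (p.startswith("*.") and p.count(".") == h.count(".") and h.endswith(p[1:]))

def check_ldaps_cert(cert, hostname, now=None):
    """Problems a strict client would reject `cert` for (getpeercert() dict
    shape); [] means validity period and hostname are fine. Chain trust is
    left to the live probe below."""
    now = time.time() if now is None else now
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired on " + cert["notAfter"])
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not valid before " + cert["notBefore"])
    if not any(_name_matches(n, hostname) for n in _cert_names(cert)):
        problems.append("no DNS SAN or CN matches " + hostname)
    return problems

def probe_ldaps(hostname, port=636, cafile=None, timeout=5.0):
    # Hypothetical live check: verified TLS handshake to the LDAPS port
    # (chain and hostname, like a strict client), then the checks above.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return check_ldaps_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return ["TLS verification failed: " + exc.verify_message]
```

Pass the CA that issued the DC certificate as cafile so the probe trusts the same chain the OA has been given; a clock skew on the OA shows up as the "not valid before" case against a freshly issued certificate.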

Seyfeddine
Collector

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

We have a similar issue here, the AD integration with the OA and it's working fine.

 

The test for the AD integration returns the following:

 

  1. When inserting the right credentials: Couldn't find user DN (search context issue, likely)
  2. When inserting the wrong credentials (on purpose): Not able to connect with LDAP server - authentication failure (likely) at an address that is accessible from VC

As you may see, the VC is contacting the LDAP server. Otherwise the VC couldn't know that the credentials are wrong.

 

The error that we get when inserting the right credentials is the same as the HP Customer Advisory c01677143 (http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01677143&jumpid=reg_R1002_USEN), although we are already running a higher firmware version.

 

This error occurs in all enclosures we have, and they are having the same firmware levels. The versions are:

  • OA Firmware: 3.21
  • VC ETH Firmware: 3.17
  • VC FC 8GB Firmware: 1.04
  • VC FC 4GB Firmware: 1.41

 

Please note that we are not using a Microsoft LDAP Server, but a Novell one.