HPE Community
ProLiant Servers (ML,DL,SL)
1753768 Members
5669 Online
108799 Solutions
New Discussion

How to set the Directory User Context

 
senthilpk0411
New Member

‎03-14-2013 03:50 PM

‎03-14-2013 03:50 PM

How to set the Directory User Context

I would like to hook our HP DL380 G7's (ILO3) to our 389 Directory Server.
I've attempted to add the server under Administration->Directory->Security->Directory,
But I'm not sure how to set the Directory User Context. 
Also, when I try to test the settings, it succeeds at contacting the LDAP server, but fails at the SSL step. 

Do you have any example configs for how to set up ILO3 with 389 Directory/Red Hat Directory, or OpenLDAP?

 

To hook the ILO up to our 389 Directory installation.  I have the following set:

LDAP Directory Authentication: Use Directory Default Schema
Port: 636
Directory Server Address: la1-ldap01.w.warnerbros.com
Directory user Context 1: dc=warnerbros,dc=com

When I attempt to test the connection, I get an SSL error which says: "You may need to install a certificate for your server to allow SSL connections."  I tried to install the directory server root certificate onto the "SSL Certificate" tab, but it would not import since it was generated on a different server.

I also tried HP SIM SSO, and imported the Root CA certificate, and set “Single Sign-On trust Mode” to “Trust All”.  The SSL test is still failing when I run it.  I’ve used the same certificate to configure some of our Dell iDracs, so I’m confident that it works.  I’m just not sure why it isn’t taking on the ILO. 

0 Kudos
Reply
2 REPLIES 2
Suman_1978
HPE Pro

‎03-14-2013 04:18 PM

‎03-14-2013 04:18 PM

Re: How to set the Directory User Context

Hi,

 

Do refer to this document, page# 37.

http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02111169/c02111169.pdf

 

Also mention the operating system and the service pack installed.

 

 

Thank You!

I am a HP employee.


I work for HPE.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Accept or Kudo
0 Kudos
Reply
Hariom
HPE Pro

‎03-15-2013 04:27 AM

‎03-15-2013 04:27 AM

Re: How to set the Directory User Context

I'have got OpenLDAP integration working with ILO2 using below steps. You can perform same for ILo3.

 

On OpenLDAP:


Adding ‘memberOf’ attribute and ‘user’ objectclass into openldap
Allow version 2 binding in /etc/openldap/slapd.conf which is ‘allow bind_v2’
Slapd must also listen on port 636(ldaps)


On ILO2:

 

Using schema-free configuration in ILO

Specify port 636 and OpenLDAP servername or IP address
Configuring user context and group DN

 

-----
Special schema for ilo auth in /etc/openldap/slapd.conf

 

[root@Test openldap]# grep -e ilo.schema -e bind_v2 /etc/openldap/slapd.conf
include /etc/openldap/schema/ilo.schema
allow bind_v2

 

[root@Test openldap]# grep TLS /etc/openldap/slapd.conf
TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
Note: must enable TLS for listening on port 636 for ilo ldaps connection

 

[root@Test openldap]# more /etc/openldap/schema/ilo.schema
attributetype ( 1.3.6.1.4.1.15959.9.1.1
NAME 'memberOf'
DESC 'Group which user belongs to'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

 

objectclass ( 1.3.6.1.4.1.15959.9.2.1
NAME 'memberOf'
SUP top AUXILIARY
DESC 'Required by Integrated Lights-Out for OpenLDAP '
MUST ( memberOf )
)

 

objectclass ( 1.3.6.1.4.1.15959.9.2.2
NAME 'user'
SUP top AUXILIARY
DESC 'Required by Integrated Lights-Out for OpenLDAP '
)


Import ldif

Note: replace ou=iss and dc=gcc,dc=com with your organization ones.

 

[root@Test ldif]# more base.ldif
dn: dc=gcc,dc=com
dc: gcc
description: Root LDAP entry
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=iss,dc=gcc,dc=com
objectclass: top
objectclass: organizationalunit
ou: iss

dn: ou=groups,ou=iss,dc=gcc,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups
dn: ou=users,ou=iss,dc=gcc,dc=com
objectclass: top
objectclass: organizationalunit
ou: users


[root@Test ldif]# more user.ldif
dn: cn=jephe.wu,ou=users,ou=iss,dc=gcc,dc=com
cn: john
uid: john.p
sn: p
uidnumber: 1000
homedirectory: /home/john.p
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectclass: inetorgperson
objectClass: memberOf
objectClass: user
shadowLastChange: 13650
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 100
displayname: John P
userPassword: {SSHA}7znBGbK5/GMGWVryUuunxgQ87N8L38/b
memberOf: cn=iloadmin,ou=groups,ou=iss,dc=gcc,dc=com
[root@Test ldif]# more groups.ldif
dn: cn=iloadmin,ou=groups,ou=iss,dc=gcc,dc=com
cn: iloadmin
objectClass: top
objectClass: groupofnames
member: cn=jephe.wu,ou=iss,dc=gcc,dc=com

 

ILO Configuration

 

Enable the following options on ILO2 (Administration-Security- Directory Settings)
Use Directory Default Schema
Local User Accounts Enabled
Directory Server Address: FQDN of openldap server or ip address
Directory Server LDAP Port 636
Directory User Context 1 ou=users,ou=iss,dc=gcc,dc=com
 
Then go to ‘Administrator Groups’:
Security Group Distinguished Name cn=iloadmin,ou=groups,ou=iss,dc=gcc,dc=com
Administer User Accounts Allowed
Remote Console Access Allowed
Virtual Power and Reset Allowed
Virtual Media Allowed
Configure iLO Settings Allowed
Login Privilege Allowed

 

Follow these steps, it should work for ILo3 as well.

 

 

--------

 

I am an HP employee.
Was this post useful? - You may click the KUDOS! Star.


I work for HPE

Accept or Kudo

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.