ProLiant Servers (ML,DL,SL)
ILO2 Active Directory integration

 
SOLVED
acherevatyy
Occasional Contributor

ILO2 Active Directory integration

Hello everyone! I have a problem with ILO2 integration with Active Directory.

Server: ProLiant DL580 G5

I can't login to ILO2 via my Active Directory account.

I tried the login name (testuser or testuser@domain.local) and the Distinguished Name (Test User).

When I try it I get this message from ILO2:

"iLO 2 has detected a failed login attempt. Cause: Unauthorized.  Please wait for login prompt. NOTE: Username and password are case sensitive."

iLO 2 Firmware Version:     2.25   04/14/2014
License Type:     iLO 2 Advanced

I set it up in Administration -> Settings -> Directory

I use "Use Directory Default Schema"


My settings:

Directory Server Address: myserver.domain.local

Directory Server LDAP Port: 636

Directory User Context 1: DC=domain,DC=local

When I test the settings I get this:

Results
Overall Status:     Passed

Test Description     Status
Ping Directory Server    Passed
Directory Server IP Address    Not run
Directory Server DNS Name    Passed
Connect to Directory Server    Passed
Connect using SSL    Passed
Certificate of Directory Server    Passed
Bind to Directory Server    Passed
Directory Administrator login    Not run
User Authentication    Passed
User Authorization    Passed
Directory User Context 1    Not run
Directory User Context 2    Not run
Directory User Context 3    Not run
Directory User Context 4    Not run
Directory User Context 5    Not run
Directory User Context 6    Not run
Directory User Context 7    Not run
Directory User Context 8    Not run
Directory User Context 9    Not run
Directory User Context 10    Not run
Directory User Context 11    Not run
Directory User Context 12    Not run
Directory User Context 13    Not run
Directory User Context 14    Not run
Directory User Context 15    Not run
LOM Object exists    Not run
LOM Object password    Not run
    
Test Log
Initiating Directory Settings diagnostic for server myserver.domain.local
Directory Server address myserver.domain.local resolved to 10.10.10.8
Accepting Directory Server certificate for /CN=MYSERVER.domain.local signed by /DC=local/DC=domain/CN=DOMAIN CA
Test user CN=Test User,OU= ,OU= ,OU= GPO,DC=domain,DC=local authenticated.

In Administer Groups I set:

Administrator Group Settings

Security Group Distinguished Name: CN=ILO-Admins,OU=Group for ILO Access,OU=Domaingroups,DC=domain,DC=local

Administer Group Accounts:
Remote Console Access: Allowed
Virtual Power and Reset: Allowed
Virtual Media: Allowed
Configure iLO 2 Settings: Allowed

My test user is a member of this group.

3 REPLIES
waaronb
Respected Contributor
Solution

Re: ILO2 Active Directory integration

For the "directory server address" you can/should use the domain name of your AD domain, not a specific server. If you only have one domain controller then it's the same thing, but if you have multiple DCs, using the domain name ensures it will use DNS to resolve the address of any of the controllers.

For us, we have all user accounts in an OU like Accounts/Users (there's also one Accounts/Services and Accounts/Groups, just to give you an idea).

Therefore, in the "Directory User Context 1:" field we use this for the context:
OU=Users,OU=Accounts,DC=domain,DC=com

For the "Administrator Group Settings" we're just using the domain "Administrators" group membership, although you could create your own "ILO Administrators" group or something... but here's what the context looks like for us using that default DC Administrators:
CN=Administrators,CN=Builtin,DC=domain,DC=com

As long as you've double-checked all of your contexts for proper paths and it can reach a DC okay, it should work. I use my user's DN to login, like "Joe User" instead of joeuser or joeuser@domain.com.

When you do the test, you *should* see it say "Test user <context path> authenticated" followed by the "Cumulative rights gained:" listing all of the rights that user has, whether it's an ILO admin or user, or whatever permissions you granted to that domain group.

It seems like you might want to:
1) point to the domain instead of DC specifically... it works, but it won't be redundant

2) specify a more exact context for the directory context path to the users - it authenticated your test user okay so that's not really an issue, but having specific context paths can prevent ambiguity.

3) In the security group context I guess make sure the path is right... org units/containers/etc all specified correctly.

It seems like it's all correct except where it matches up that test user with the group, so it's that part I'd really focus on. Maybe even start with a simpler path and see if that works (like the built in administrators group) and then work back from there.

I always feel better when I get some "proof of concept" tests done so I know that it works to some degree, then I can get more specific with it. At that point I know that whenever it stops working, it's something I did and not some bug. :)
acherevatyy
Occasional Contributor

Re: ILO2 Active Directory integration

Thank you for your help!

 

Now it works. I just set the full LDAP path to the OU with my users.
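The fix above (pointing the Directory User Context at the OU that actually contains the user objects) becomes clearer if you model what iLO 2 does with a short login name. The following is an added example, not HP code or anything from this thread. It assumes, as a simplification of the documented default-schema behaviour, that iLO 2 treats a login name that is not already a full DN as a CN, tries CN=<login>,<context> against each configured Directory User Context in order, and then derives rights from the bound user's memberOf attribute matched against the configured Security Group DN. The directory snapshot, user path (OU=GPO, without the OUs elided in the test log above), password and group rights are all constructed for the example.

```python
"""Offline model of an iLO 2 default-schema directory login.

Shows why Directory User Context 1 = DC=domain,DC=local fails for a user
whose object lives in an OU below the domain root, while the users' own
OU as the context succeeds. Behaviour is an assumed simplification of the
iLO 2 default-schema login; the directory below is a constructed snapshot.
"""


def norm(dn):
    """Normalise a DN for comparison: LDAP DNs are case-insensitive and
    whitespace around the commas between RDNs is not significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed snapshot of the relevant directory objects (DN -> attributes).
ILO_ADMINS = "CN=ILO-Admins,OU=Group for ILO Access,OU=Domaingroups,DC=domain,DC=local"
DIRECTORY = {
    "CN=Test User,OU=GPO,DC=domain,DC=local": {
        "userPassword": "Passw0rd!",          # constructed, not a real credential
        "memberOf": [ILO_ADMINS],
    },
    "CN=Other User,OU=GPO,DC=domain,DC=local": {
        "userPassword": "Passw0rd!",
        "memberOf": [],                       # valid account, no iLO group
    },
    ILO_ADMINS: {
        "member": ["CN=Test User,OU=GPO,DC=domain,DC=local"],
    },
}

# The "Administer Groups" page from the thread: group DN -> granted rights.
GROUP_SETTINGS = {
    ILO_ADMINS: {
        "Remote Console Access",
        "Virtual Power and Reset",
        "Virtual Media",
        "Configure iLO 2 Settings",
    },
}


def lookup(dn):
    """Return (canonical DN, attributes) for a DN, or (None, None)."""
    key = norm(dn)
    for stored, attrs in DIRECTORY.items():
        if norm(stored) == key:
            return stored, attrs
    return None, None


def bind(dn, password):
    """Simple bind: succeeds only if the object exists and the password matches."""
    stored, attrs = lookup(dn)
    return stored is not None and attrs.get("userPassword") == password


def candidate_dns(login, user_contexts):
    """DNs tried for a login name, in the order the contexts are configured.
    A login that already looks like a DN is used as-is."""
    if "=" in login:
        return [login]
    return [f"CN={login},{ctx}" for ctx in user_contexts]


def directory_login(login, password, user_contexts, group_settings):
    """Return (bound DN, set of rights). (None, set()) means no bind
    succeeded; (dn, set()) means the user authenticated but is in none of
    the configured security groups, so iLO would still refuse the login."""
    for dn in candidate_dns(login, user_contexts):
        if not bind(dn, password):
            continue
        stored, attrs = lookup(dn)
        member_of = {norm(g) for g in attrs.get("memberOf", [])}
        rights = set()
        for group_dn, group_rights in group_settings.items():
            if norm(group_dn) in member_of:
                rights |= group_rights
        return stored, rights
    return None, set()


if __name__ == "__main__":
    # Before: context at the domain root, user object two levels down.
    print(directory_login("Test User", "Passw0rd!", ["DC=domain,DC=local"], GROUP_SETTINGS))
    # After: context is the OU that holds the user objects.
    print(directory_login("Test User", "Passw0rd!", ["OU=GPO,DC=domain,DC=local"], GROUP_SETTINGS))
```

Against a live domain the same two facts can be checked with OpenLDAP tools: bind over LDAPS as the user's full DN (ldapsearch -H ldaps://myserver.domain.local -D "CN=Test User,...,DC=domain,DC=local" -W) and read the member attribute of the group DN you configured in iLO, so that a typo in either path shows up before you touch the iLO settings.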

Ken Krubsack
Trusted Contributor

Re: ILO2 Active Directory integration

I did see the other thing in your post that we found is critical for ILO2s to work with AD config. It's called the v2.25 firmware.

 

I never got the ILO2s working in AD before v2.25.

 

Ken