05-18-2014 11:17 PM
ILO2 Active Directory integration
Hello everyone! I have a problem with ILO2 integration with Active Directory.
Server ProLiant DL580 G5
I can't log in to ILO2 via my Active Directory account.
I try the login name (testuser or firstname.lastname@example.org) and the Distinguished Name (Test User).
When I try it I get this message from ILO2:
"iLO 2 has detected a failed login attempt. Cause: Unauthorized. Please wait for login prompt. NOTE: Username and password are case sensitive."
iLO 2 Firmware Version: 2.25 04/14/2014
License Type: iLO 2 Advanced
I set it up in Administration -> Settings -> Directory
I use "Use Directory Default Schema"
Directory Server Address: myserver.domain.local
Directory Server LDAP Port: 636
Directory User Context 1: DC=domain,DC=local
When I test settings I get this:
Overall Status: Passed
Test Description Status
Ping Directory Server Passed
Directory Server IP Address Not run
Directory Server DNS Name Passed
Connect to Directory Server Passed
Connect using SSL Passed
Certificate of Directory Server Passed
Bind to Directory Server Passed
Directory Administrator login Not run
User Authentication Passed
User Authorization Passed
Directory User Context 1 Not run
Directory User Context 2 Not run
Directory User Context 3 Not run
Directory User Context 4 Not run
Directory User Context 5 Not run
Directory User Context 6 Not run
Directory User Context 7 Not run
Directory User Context 8 Not run
Directory User Context 9 Not run
Directory User Context 10 Not run
Directory User Context 11 Not run
Directory User Context 12 Not run
Directory User Context 13 Not run
Directory User Context 14 Not run
Directory User Context 15 Not run
LOM Object exists Not run
LOM Object password Not run
Initiating Directory Settings diagnostic for server myserver.domain.local
Directory Server address myserver.domain.local resolved to 10.10.10.8
Accepting Directory Server certificate for /CN=MYSERVER.domain.local signed by /DC=local/DC=domain/CN=DOMAIN CA
Test user CN=Test User,OU= ,OU= ,OU= GPO,DC=domain,DC=local authenticated.
In Administer Groups I set:
Administrator Group Settings
Security Group Distinguished Name: CN=ILO-Admins,OU=Group for ILO Access,OU=Domaingroups,DC=domain,DC=local
Administer Group Accounts:
Remote Console Access: Allowed
Virtual Power and Reset: Allowed
Virtual Media: Allowed
Configure iLO 2 Settings: Allowed
My Test User is member of this group.
05-19-2014 08:31 AM Solution
For us, we have all user accounts in an OU like Accounts/Users (there's also one Accounts/Services and Accounts/Groups, just to give you an idea).
Therefore, in the "Directory User Context 1:" field we use this for the context:
For the "Administrator Group Settings" we're just using the domain "Administrators" group membership, although you could create your own "ILO Administrators" group or something... but here's what the context looks like for us using that default DC Administrators:
As long as you've double-checked all of your contexts for proper paths and it can reach a DC okay, it should work. I use my user's DN to log in, like "Joe User" instead of joeuser or email@example.com.
When you do the test, you *should* see it say "Test user <context path> authenticated" followed by the "Cumulative rights gained:" listing all of the rights that user has, whether it's an ILO admin or user, or whatever permissions you granted to that domain group.
It seems like you might want to:
1) point to the domain instead of DC specifically... it works, but it won't be redundant
2) specify a more exact context for the directory context path to the users - it authenticated your test user okay so that's not really an issue, but having specific context paths can prevent ambiguity.
3) In the security group context I guess make sure the path is right... org units/containers/etc all specified correctly.
It seems like it's all correct except where it matches up that test user with the group, so it's that part I'd really focus on. Maybe even start with a simpler path and see if that works (like the built in administrators group) and then work back from there.
I always feel better when I get some "proof of concept" tests done so I know that it works to some degree, then I can get more specific with it. At that point I know that whenever it stops working, it's something I did and not some bug. :)
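Added example, not part of the original thread: a small Python check for the group-path advice in the answer above. It compares the Security Group Distinguished Name entered in iLO 2 with a user's memberOf values from the directory; the function names are hypothetical and the memberOf list is constructed sample data.

```python
# Added example: compare the group DN configured in iLO 2 with a user's memberOf
# values. Function names are hypothetical; the memberOf data below is constructed.

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escapes)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns

def normalize(dn):
    """Lower-case attribute types and values and collapse whitespace."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(out)

def check_group_dn(configured, member_of):
    """Return (status, dn): 'match', 'path-mismatch' (same CN, other path) or 'not-member'."""
    want = normalize(configured)
    groups = {normalize(g): g for g in member_of}
    if want in groups:
        return ("match", groups[want])
    for norm, original in groups.items():
        if norm[0] == want[0]:
            return ("path-mismatch", original)
    return ("not-member", None)

# Group DN as entered on the iLO 2 "Administer Groups" page (from the question).
CONFIGURED = "CN=ILO-Admins,OU=Group for ILO Access,OU=Domaingroups,DC=domain,DC=local"
# Constructed memberOf values for a test user; the OU name differs by one letter.
MEMBER_OF = [
    "CN=Remote Desktop Users,CN=Builtin,DC=domain,DC=local",
    "CN=ILO-Admins,OU=Groups for ILO Access,OU=Domaingroups,DC=domain,DC=local",
]

if __name__ == "__main__":
    print(check_group_dn(CONFIGURED, MEMBER_OF))
```

A "path-mismatch" result means the user is in a group with the same CN but a different container path than the one entered in iLO 2, which is the case point 3 of the answer is about.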
05-20-2014 06:16 AM
Re: ILO2 Active Directory integration
I did see the other thing in your post that we found is critical for ILO2's to work with AD config. It's called the v2.25 firmware.
I never got the ILO2's working in AD before v2.25.