07-17-2014 01:35 PM
Unable to get iLO2 working with Active Directory for authentication
I'm at my wits' end. I'm trying to get an iLO-2 equipped server to use Active Directory for authentication and failing miserably. I've read dozens of posts and articles and used an HP utility to try to get this set up right, and nothing I try is working.
This server is a ProLiant DL380 G6, iLO 2 firmware is version 2.25. I've gone to Administration -> Security -> Directory and set the following:
Use Directory Default Schema
Local User Accounts: Enabled
Directory Server Address: dmadc01.mydomain.com
Directory Server LDAP Port: 636
The security group I am wanting to use is the built-in Domain Admins group in AD. My account is a member of this group. The DistinguishedName of this group is CN=Domain Admins,CN=Users,DC=mydomain,DC=com.
In "Directory User Context 1:" I have entered CN=Users,DC=mydomain,DC=com.
I then click on "Administer Groups", confirm that "Administrator" is highlighted and click View/Modify. I set the Security Group Distinguished Name as CN=Domain Admins,CN=Users,DC=mydomain,DC=com and set all permissions to Allowed. I go back to Administration -> Security -> Directory and select Test Settings. I put my AD username in for the Test User Name in the format DOMAIN\username, enter my AD password, then click Start Test.
All tests pass except for User Authentication which always fails. The test log indicates the reason as "Invalid Credentials".
I have tried using my username as email@example.com and even tried my username as "LastName, FirstName". I've tried adjusting the search contexts and put in the directory address as an IP and not a hostname. Nothing is working.
The odd part is that we just got a new DL380 Gen8 with iLO 4 and the exact same settings worked fine in it, first try.
07-17-2014 06:02 PM
Re: Unable to get iLO2 working with Active Directory for authentication
directory server address: domain.local (don't put in a specific domain controller address here, just use the domain name and let DNS point it to any controller)
ldap port: 636
security group distinguished name (for Administrators): CN=Administrators,CN=Builtin,DC=domain,DC=local
Directory User Context 1: OU=Users,OU=Accounts,DC=domain,DC=local
We have our user accounts in that Org Unit Accounts\Users, and we're using Administrators instead of "Domain Admins"; otherwise it's probably similar enough.
If your user accounts are all in CN=Users,DC=mydomain,DC=com then that's fine, same with the location of the Domain Admins group unless that was moved for some reason.
When logging in, you have to use the full account name like "Joe User", not a short name like "juser" or "joeuser" or whatever you might have set.
Don't use DOMAIN\username to login, unless you've defined that type of login as another directory context. Just "Joe User" (the user's full name) and their password.
It works for me, so be encouraged that it can and does work when properly configured. :)
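A constructed preflight check of the login path the reply describes, added here and not part of the thread or of HP's iLO code: it assumes the default-schema mode forms a bind DN as CN=<login as typed>,<Directory User Context>, then checks that DN against a small in-memory sample directory (constructed data) for membership in the configured security group. It shows why "Joe User" resolves while DOMAIN\username and an unescaped "LastName, FirstName" do not.

```python
import re

# Characters that must be escaped inside a DN attribute value (RFC 4514).
SPECIAL = {',', '+', '"', '\\', '<', '>', ';'}


def escape_rdn_value(value):
    """Escape a value for use in an RDN, e.g. 'Doe, Jane' -> 'Doe\\, Jane'."""
    out = []
    for i, ch in enumerate(value):
        lead = i == 0 and ch in '# '
        trail = i == len(value) - 1 and ch == ' '
        out.append('\\' + ch if ch in SPECIAL or lead or trail else ch)
    return ''.join(out)


def candidate_dns(login, contexts):
    """Bind DNs tried for a login: the typed name as CN under each user context.
    Assumption: this is how the iLO default schema builds the DN (not from HP docs)."""
    return ["CN=%s,%s" % (escape_rdn_value(login), ctx) for ctx in contexts if ctx.strip()]


def normalize_dn(dn):
    """Comparison key: lowercase, no whitespace around unescaped commas."""
    return re.sub(r'(?<!\\)\s*,\s*', ',', dn.strip()).lower()


def check_access(login, contexts, directory, group_dn):
    """Return (bound_dn, allowed): first candidate DN that exists in the
    directory, and whether its memberOf contains the security group DN."""
    want = normalize_dn(group_dn)
    for dn in candidate_dns(login, contexts):
        entry = directory.get(normalize_dn(dn))
        if entry is not None:
            return dn, any(normalize_dn(g) == want for g in entry["memberOf"])
    return None, False


# Constructed sample directory keyed by normalized DN (not a real AD).
SAMPLE_DIRECTORY = {
    normalize_dn("CN=Joe User,CN=Users,DC=mydomain,DC=com"):
        {"sAMAccountName": "juser",
         "memberOf": ["CN=Domain Admins,CN=Users,DC=mydomain,DC=com"]},
    normalize_dn("CN=Doe\\, Jane,CN=Users,DC=mydomain,DC=com"):
        {"sAMAccountName": "jdoe", "memberOf": []},
}
GROUP_DN = "CN=Domain Admins,CN=Users,DC=mydomain,DC=com"
CONTEXTS = ["CN=Users,DC=mydomain,DC=com"]

if __name__ == "__main__":
    for name in ("Joe User", "MYDOMAIN\\juser", "Doe, Jane"):
        print(name, "->", check_access(name, CONTEXTS, SAMPLE_DIRECTORY, GROUP_DN))
```

Against a real domain the same candidate DNs would be tried as LDAPS binds on port 636; a DOMAIN\username login only works if a separate context is defined for that form, as the reply notes.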