
Re: Active Directory and ILO2, I am almost there!!!!

 
Dan Fitzgerald
Advisor

Active Directory and ILO2, I am almost there!!!!

OK, I have been at setting up LDAP authentication through AD and iLO for about a week and have gotten really close and have tried every tip out there, but still have one outstanding issue.

I am able to login with my DN string
CN=Test\, Dan,CN=Users,DC=ad,DC=domain,DC=com
(I got the string from the ldp utility and if it was not for a poster I would never have figured out the \ after Test)

I then was able to add
CN=Users,DC=ad,DC=domain,DC=com
to the Directory User Context 1: and now I can login with just Test\, Dan.

Obviously I can't leave it like this because users aren't going to know their DN, especially with the \ after their last name.

I am looking to do what everyone else is trying to do and that is to be able to use the login name that is "dtest" for this user. I have tried adding the @ad.domain.com to the Directory User Context and that did not work.

I did see that there was mention of ActiveX having to be enabled, and I have set up my ActiveX settings for "Internet" as follows:
Allow previously unused ActiveX controls to run without prompt: Disable
Allow Scriptlets: Disable
Automatic prompting for ActiveX controls: Disable
Binary and script behaviors: Enable
Display video and animation on a webpage that does not use external media player: Disable
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disable
Initialize and script ActiveX controls not marked as safe for scripting: Prompt
Run ActiveX controls and plug-ins: Enable
Script ActiveX controls marked as safe for scripting*: Enable

With no luck

Now I am not sure if there is a group policy pushing down to deny the ActiveX ability to run, and if anyone knows the key to check, that would be great.

Well, that is where I stand, and if anyone knows of any more things to check, that would be great.
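
Added example, not part of the original post: the backslash in `CN=Test\, Dan` is RFC 4514 escaping of a comma inside the CN value. The Python sketch below escapes a value, splits a DN only on unescaped commas, and models the context behaviour described in the post as `CN=<login>,<context>`; that model and the function names are assumptions, not iLO's documented algorithm, and the sample values are the ones quoted in the post.

```python
# Added illustration: RFC 4514 DN escaping and context-based DN construction.
# Characters that RFC 4514 requires to be escaped inside an attribute value.
SPECIAL = ',+"\\<>;'

# Values taken from the post above.
CONTEXT = "CN=Users,DC=ad,DC=domain,DC=com"
USER_DN = "CN=Test\\, Dan,CN=Users,DC=ad,DC=domain,DC=com"


def escape_rdn_value(value):
    """Escape an attribute value so it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # leading '#' is special
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])           # keep the escape pair intact
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    rdns.append("".join(cur))
    return rdns


def candidate_dns(login, contexts):
    """Assumed model: one candidate bind DN per configured user context."""
    return ["CN=" + login + "," + ctx for ctx in contexts]
```

Under this model the login `Test\, Dan` plus the context reproduces the user's DN, while `dtest` yields `CN=dtest,CN=Users,DC=ad,DC=domain,DC=com`, which is a different string from the DN shown by ldp.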
14 REPLIES
barnett chan
Trusted Contributor

Re: Active Directory and ILO2, I am almost there!!!!

Are your users in a group called test? i.e. CN=Test,CN=Users,DC=ad,DC=domain,DC=com. If so, add CN=TEST to your context.

Your client needs to be in the same domain as your directory server for the short name to work. Try dtest@ad.domain.com.
Need to enable "Initialize and script ActiveX controls not marked as safe for scripting".
Dan Fitzgerald
Advisor

Re: Active Directory and ILO2, I am almost there!!!!

Hey BWC,

I do have a group similar to test called iLO (has the user dtest in it) so I added that to the string
CN=iLO,CN=Users,DC=ad,DC=domain,DC=com
I also made the change to the ActiveX and tried logging in with dtest@ad.domain.com, ad.domain.com\dtest, all without success.
M.S.Srivatsa
Valued Contributor

Re: Active Directory and ILO2, I am almost there!!!!

Please try modifying the following settings from the Network settings page (Administration->Network), which would help the directory user to log in with "Email" (loginname@domain) and "NetBios name" (domain/loginname) formats.

Primary/Secondary/Tertiary DNS Server
The Primary/Secondary/Tertiary DNS server IP address should be same as the Active directory server IP address.

Domain Name
This domain should be same as the domain for which the Active directory server is configured.


One other suggestion
Please ensure "Directory Server Address" under "Administration->Security->Directory" has "FQDN" (Fully qualified domain name) instead of IP address.
Example : test.rind.com
Dan Fitzgerald
Advisor

Re: Active Directory and ILO2, I am almost there!!!!

Hi M.S

I did what you said and:

-Primary/Secondary/Tertiary DNS Server
The Primary/Secondary/Tertiary DNS server IP address should be same as the Active directory server IP address.

It is, I only have one AD server in this test environment and it is also the only dns server.

-Domain Name
This domain should be same as the domain for which the Active directory server is configured.

It is, ad.domain.com

-One other suggestion
Please ensure "Directory Server Address" under "Administration->Security->Directory" has "FQDN" (Fully qualified domain name) instead of IP address.
Example : test.rind.com

This also was setup correctly.


I tried logging in as ad.domain.com/dtest and it did not work. It came up as unauthorized. Man this is a good one..
barnett chan
Trusted Contributor

Re: Active Directory and ILO2, I am almost there!!!!

Since you are able to login with Test\,Dan; I believe your setup is correct. The problem is with the context. iLO is not able to find your users in the context specified in iLO.

Do you have a Container (folder) called Test? I used the wrong term of group earlier.

If you look at the User property for Account Dan, does it show "User logon name" as Dan followed by @ad.domain.com or is it Dtest?

If the above is true, then you should be able to login as ad.domain.com\dan or dan@ad.domain.com

Is it possible to get a screenshot of your mmc for the "AD Users and Computers" where the users are located?
barnett chan
Trusted Contributor

Re: Active Directory and ILO2, I am almost there!!!!

ad.domain.com\dtest may not work. Try using ad\dtest or dtest@ad.domain.com. Assuming dtest is your login name.
Dan Fitzgerald
Advisor

Re: Active Directory and ILO2, I am almost there!!!!

Hey BWC,

I don't have a container called test. I have one called ilo, so in AD under the USERS group I created the user dtest and also in the USERS folder I created the group ilo and added the user dtest to the ilo group. Is that the issue? Should the group ILO not be in the USERS group that is created with AD? Rather it should be under a new OU? I can get screenshots tomorrow because it is in our test environment.

As far as this question
If you look at the User property for Account Dan, does it show "User logon name" as Dan follow by @ad.domain.com or is it Dtest?

it is dtest then @ad.analog.com
barnett chan
Trusted Contributor

Re: Active Directory and ILO2, I am almost there!!!!

Dan,

If the users and groups are in the Users container, iLO should be able to locate the users. To make it simple to troubleshoot, go ahead and remove the group for now.
Are you using the "extended schema" method?
Dan Fitzgerald
Advisor

Re: Active Directory and ILO2, I am almost there!!!!

No, I am using the default schema or Schema-less approach. So you are saying to remove the user from the ilo group and leave it in the users group? So the search context and the administrator group string would just be
CN=Users,DC=ad,DC=domain,DC=com