Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

ILO LDAP auth with OpenLDAP server

Occasional Advisor

I'm trying to get iLO to authenticate against a server running OpenLDAP 2.0.27 on RedHat Enterprise 3. I've got the schema loaded (with a few tweaks because of the reliance on the 'user' and 'group' object classes that aren't defined in OpenLDAP). When I run the directory test, everything checks out OK except the 'User Authorization' phase, and I get the following message back:
"unable to read restrictions. Not a member?"

I suspect the card is checking for some attrib I don't have defined, but I haven't been able to figure it out.

I even tried doing an ldifde on a working windows server to compare the output and it's basically the same (ignoring the above objectclass differences).

Here's the LDIF of the hpqTarget --
dn: host=ilo06,ou=hp devices,dc=foo,dc=com
userid: ilo06
objectClass: top
objectClass: account
host: ilo06
objectClass: hpqTarget
hpqRoleMembership: cn=rib-admin,ou=roles,dc=foo,dc=com

and here's the hpqRole --
dn: cn=rib-admin,ou=roles,dc=foo,dc=com
objectClass: top
cn: rib-admin
objectClass: hpqRole
objectClass: groupOfNames
member: uid=luser,ou=users,dc=foo,dc=com
hpqTargetMembership: host=ilo06,ou=hp devices,dc=foo,dc=com
objectClass: hpqLOMv100
hpqLOMRightConfigureSettings: TRUE
hpqLOMRightLocalUserAdmin: TRUE
hpqLOMRightLogin: TRUE
hpqLOMRightRemoteConsole: TRUE
hpqLOMRightServerReset: TRUE
hpqLOMRightVirtualMedia: TRUE


Has anyone else tried this? Successes/failures?
Any iLO/LDAP gurus out there that might shed some light on this?

regards,
-b
6 REPLIES
Honored Contributor

Re: ILO LDAP auth with OpenLDAP server

That error occurs when the test user account that you enter on the directory tests page is used to access the directory. You got far enough to authenticate to the directory, but the user is not authorized for any iLO access. This probably means that the test user is not a member of any hpqRoles associated with that hpqTarget.

You might want to consult the HP Directory Services Schema Information Booklet here:
http://h200005.www2.hp.com/bc/docs/support/UCR/SupportManual/TPM_325823-001_rev1_us/TPM_325823-001_rev1_us.pdf

The test user credentials are used to read the LOM object hpqTarget. The target object (iLO) is managed by association with 0 or more hpqRoles. The user must have read access to the role to gain the rights in the role. The role object has attributes including hpqRoleIPRestrictions, hpqRoleIPRestrictionDefault, hpqRoleTimeRestriction, and hpqTargetMembership.

It is probable that the test user is not a role member, and therefore cannot read the role. Therefore, he gains no rights specified by that role.

Stated in English:
If the user can do all of these:
- read the iLO in the directory
- read the roles for that iLO
- meet the access restrictions in those roles,
then he gains the iLO rights in the role.
Occasional Advisor

Re: ILO LDAP auth with OpenLDAP server

Thanks, but I suppose I should have stated my question a bit more clearly.

How does the iLO board determine if a given user DN is a member of the role? Does it use the 'member' attribute the role inherits from the 'group' objectclass? You'll note that I do have a 'member' attribute in the role, and it's set to the 'luser' account DN.
But that didn't work.

What am I missing?

thanks,
-b
Honored Contributor

Re: ILO LDAP auth with OpenLDAP server

>> How does the ILO board determine if a given user DN
>> is a member of the role?

iLO authenticates to the directory using the user credentials specified at login or as "test user" on the Directory Tests page.

During authorization, iLO reads the role(s) using the user's credentials. If the read succeeds, then the rights for that role can be granted.

Essentially, rights in a role can be granted to the user that can read the role. This includes:
- (member): Users that are a member of a role
- (owner): The user that created the role
- (admin): The directory administrator

Read privilege is enforced by the directory.
Honored Contributor

Re: ILO LDAP auth with OpenLDAP server

In a normal environment, with an HP-installed schema & snap-ins, the only reason you wouldn't be able to read a restriction is if you're not a member.

However, this environment is created by hand, and the reason the iLO can't read the restrictions is probably because the restrictions are missing from the role.

There are supposed to be restriction attributes on the roles, and they're supposed to have values.

The schema information booklet describes the restriction attributes and the appropriate values for them. Typically, you want the default values in them. They are:
- hpqRoleIPRestrictions - no values.
- hpqRoleIPRestrictionDefault - TRUE
- hpqRoleTimeRestriction - 0xFF {42} (42 bytes of 0xFF)

A user is considered to be a member of the role if the user can read the role. Permissions for the directory object must be set such that only members (and administrators) of the role have the right to read the role.
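The authorization rule from the earlier reply (read the target, read its roles, meet the restrictions) and the restriction defaults listed just above, worked through as an added example that is not from the thread or from HP. It models the directory ACL as "a role is readable only by DNs in its member attribute", uses a constructed snapshot of the two entries posted in the question, and also builds the LDIF line for the 42-byte hpqRoleTimeRestriction default (a binary value, hence base64 after `::`).

```python
import base64

# Constructed snapshot of the two entries from the question, keyed by DN.
# The role deliberately lacks the restriction attributes, as posted.
DIRECTORY = {
    "host=ilo06,ou=hp devices,dc=foo,dc=com": {
        "objectClass": ["top", "account", "hpqTarget"],
        "hpqRoleMembership": ["cn=rib-admin,ou=roles,dc=foo,dc=com"],
    },
    "cn=rib-admin,ou=roles,dc=foo,dc=com": {
        "objectClass": ["top", "hpqRole", "groupOfNames", "hpqLOMv100"],
        "member": ["uid=luser,ou=users,dc=foo,dc=com"],
        "hpqTargetMembership": ["host=ilo06,ou=hp devices,dc=foo,dc=com"],
        "hpqLOMRightLogin": ["TRUE"],
        "hpqLOMRightRemoteConsole": ["TRUE"],
    },
}

# Restriction attributes every role must carry (hpqRoleIPRestrictions may be empty).
REQUIRED_RESTRICTIONS = ("hpqRoleIPRestrictionDefault", "hpqRoleTimeRestriction")


def default_time_restriction_ldif():
    """LDIF line for the default hpqRoleTimeRestriction: 42 bytes of 0xFF, base64-encoded."""
    return "hpqRoleTimeRestriction:: " + base64.b64encode(b"\xff" * 42).decode()


def readable(directory, dn, user_dn):
    """Assumed ACL model: hpqRole entries are readable only by their members; others by anyone."""
    entry = directory.get(dn)
    if entry is None:
        return None
    if "hpqRole" in entry["objectClass"] and user_dn not in entry.get("member", []):
        return None
    return entry


def ilo_authorize(directory, user_dn, target_dn):
    """Return (granted hpqLOMRight* names, list of problems) for user_dn on target_dn."""
    target = readable(directory, target_dn, user_dn)
    if target is None:
        return set(), ["cannot read hpqTarget " + target_dn]
    rights, problems = set(), []
    for role_dn in target.get("hpqRoleMembership", []):
        role = readable(directory, role_dn, user_dn)
        if role is None:
            problems.append("cannot read role %s (not a member?)" % role_dn)
            continue
        missing = [a for a in REQUIRED_RESTRICTIONS if a not in role]
        if missing:  # this is the "unable to read restrictions" case from the question
            problems.append("unable to read restrictions on %s: missing %s" % (role_dn, ", ".join(missing)))
            continue
        rights |= {a for a, v in role.items() if a.startswith("hpqLOMRight") and v == ["TRUE"]}
    return rights, problems
```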
Occasional Visitor

Re: ILO LDAP auth with OpenLDAP server

I've got basic authentication working using the directory default schema in iLO 2 on an HP DL385 G2. Please check my article at http://linuxtechres.blogspot.com/2007/07/hp-ilo2-authentication-through-openldap.html

Occasional Visitor

Re: ILO LDAP auth with OpenLDAP server

Hi,

Did you get any solution for this? Can you share it if you have one?

--praveen