Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

ILO and Active Directory Integration

Occasional Contributor


I have set up my ILO port via the LDAP Migration utility (we are using LDAP without the schema changes). I have followed the instructions and validated the setup on the ILO port, but for some reason I cannot get the darn thing to validate me. Every time I attempt to test the logon (user@domain.com) it responds with:

Unable to authenticate test user user@domain.com
Ceasing tests.

If I try using the domain\user logon method I get the following response:

Unable to authenticate test user domain\user [Invalid credentials]
Ceasing tests.


I have tried just about everything I can think of. One thing I have noticed is that the test for Directory User Context 1 is not being run before it attempts to validate my account. How can it do that? Shouldn't it validate my context before it attempts to validate my logon credentials?

This is very frustrating. Can anyone who has made this work without extending their schema lend me some assistance?

Thanks,
Tim
8 REPLIES
Honored Contributor

Re: ILO and Active Directory Integration

The authentication failures mean that iLO was denied a connection to the directory server when it used those credentials. It also attempts to use search contexts as applied to those credentials.

However, if the credentials fail and if none of the contexts work either, then none of them can be validated.

It would not get to this stage if there was not a directory server responding, so that is probably okay. Perhaps there is some ambiguity in the username.

Do you know the fully distinguished username to try using that?
Trusted Contributor

Re: ILO and Active Directory Integration

In the administrator groups part of directory settings in the ILO, have you set up the group? Make sure you use a group that you created and not an inbuilt group.

Try running the ILO test with your display name as well.


If you do not have ActiveX running on your PC, try using your display name, e.g. joe bloggs.

If you do not have ActiveX running on your PC, try using your account name: username@domain.com or domain\username.




I did get directory integration to work without schema changes.

steven
Trusted Contributor

Re: ILO and Active Directory Integration

see

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1005787

this is the info I use to get the integration to work.


steven
Occasional Contributor

Re: ILO and Active Directory Integration

I was able to authenticate using the fully qualified name (CN=xxxx\, xxx,OU=ouname,dc=domain,dc=com)

I will follow up on the other ideas and let you know what I find out.

Tim
Trusted Contributor

Re: ILO and Active Directory Integration

Like Steven said, please make sure your client's ActiveX is enabled.
Occasional Contributor

Re: ILO and Active Directory Integration

This is such a frustrating setup. I have verified that Active-X is enabled on my machine. Then I checked to make sure that my user account is a member of the group that I have defined. My directory context is dc=domain,dc=com.

Here are the results of my login attempts:

Full Qualified Name - Successful login
domain\username - Invalid credentials
username@domain - unable to authenticate no reason given

Any other ideas?
Trusted Contributor

Re: ILO and Active Directory Integration

I could only get joe bloggs to work in the testing part of the ILO and not domain\username or username@domain.com.



However, when I try to log in to the ILO from my PC, I could log in as domain\username or username@domain.com with ActiveX enabled.


I hope this helps.


steven
Honored Contributor

Re: ILO and Active Directory Integration

The Login page to iLO uses ActiveX to resolve the username with greater precision.

The iLO Directory settings test page does not use ActiveX. In the iLO directory tests case, the only resolution attempted is by applying the search contexts. This implies that you may have greater credentials flexibility on the login page than on the directory tests page.

As far as the tests, the credentials must be authenticated before any of the successive memberships can be applied. However, the search contexts are applied in an attempt to authenticate; they just cannot be validated unless they are part of a successful authentication.

You might want to install a search context like
ou=ouname,dc=domain,dc=com
or
@domain.com

and then iLO will apply the username to those search contexts. Of course, if the directory service rejects them...

You may want to try using a different tool to access the directory: the LDP tool that ships with Windows.
Try a simple ldap authentication using the same name/password. Use the "SIMPLE" method under the "Advanced" area of the Bind dialog and do not use the "domain" checkbox or text. Type the name as given to ilo "domain\username" or "user@domain" in the username box. LDP will give you more details on why the invalid credentials error is occurring.
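
The search-context resolution described in the reply above, as an added example that is not part of the original thread and is not HP's code. It lists the names a simple bind would be attempted with for a given login name and set of search contexts; the function names and the exact order and form of the generated names are assumptions, and the sample values are the placeholders used in the thread.

```python
"""Added example: bind names produced from a login name and search contexts."""

# Characters RFC 4514 requires to be backslash-escaped in an RDN value.
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value):
    """Escape a display name so it can be used as the value of a CN= RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def candidate_bind_names(login, contexts):
    """Return the names to try, in order, in a simple-bind test.

    Assumption (not stated in the thread): the name is tried as typed first,
    then "CN=<name>,<context>" for each DN-style context and "<name><context>"
    for each context that starts with "@". Names that already contain "=",
    "\\" or "@" are treated as qualified and get no context applied.
    """
    names = [login]
    if any(c in login for c in "=\\@"):
        return names
    for ctx in contexts:
        if ctx.startswith("@"):
            names.append(login + ctx)
        else:
            names.append("CN=" + escape_rdn_value(login) + "," + ctx)
    return names


if __name__ == "__main__":
    # Constructed sample values, using the placeholders from the thread.
    contexts = ["ou=ouname,dc=domain,dc=com", "@domain.com"]
    for login in ("username", "joe bloggs", "domain\\username"):
        print(login, "->", candidate_bind_names(login, contexts))
```

Each generated name can be typed into the LDP simple bind in turn to see which form the directory accepts; a display name containing a comma only matches when the comma is escaped, as in the fully qualified name that worked earlier in the thread.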