iLO LDAP integration letting everyone in!?

wreigle1
Occasional Visitor

I have configured iLO with LDAP directory integration. I am able to successfully log in to iLO using my AD credentials. However, other AD users are also able to log in to iLO. Users who are NOT in the "iloadmins" security group shown below are able to successfully log in to iLO.

Settings I am using:
Administration > Security > Directory
"User Directory Default Schema"
Directory Server Address: <FQDN of AD server>
Port: 636
Directory User Context 1: OU=groups,OU=employees,DC=contoso,DC=dc,DC=com

Administration > User Administration
Directory Groups: CN=iloadmins,OU=groups,OU=employees,DC=contoso,DC=dc,DC=com

5 REPLIES
Oscar A. Perez
Honored Contributor

Re: iLO LDAP integration letting everyone in!?

Go to "Administration->User Administration"  and remove the "Authenticated Users" from the Directory Groups.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
wreigle
Occasional Advisor

Re: iLO LDAP integration letting everyone in!?

Thanks for the suggestion, Oscar, but that did not resolve my issue. I deleted the Authenticated Users group altogether. Another user was still able to log in to iLO.

wreigle
Occasional Advisor

Re: iLO LDAP integration letting everyone in!?

Any other ideas here? A bug in iLO 4 (version 2.40)?

wreigle
Occasional Advisor

Re: iLO LDAP integration letting everyone in!?

I tried again with the latest iLO 2.44. Still no luck, it's letting everyone in with their domain creds. Oh well.

Oscar A. Perez
Honored Contributor

Re: iLO LDAP integration letting everyone in!?

Every time we get a case like this, it ends up being caused by a misconfiguration. For example, the iLO group you've created is inheriting permissions from other groups, or there are nested groups associated with this iLO group. If user "Bob", for example, is a member of such groups, he will be able to log in to iLO.

Please have a hard look at how your AD groups are set up and check for all "effective" permissions user "Bob" has.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
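
One way to run the "effective permissions" check suggested in the last reply, as an added example that is not part of the original thread or HPE's own tooling. It assumes a single AD domain and the ActiveDirectory (RSAT) PowerShell module; the group DN is the one from the first post, and the account name `bob` is a hypothetical placeholder.

```powershell
# Added example: read-only AD queries; requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Group DN as entered under iLO "Directory Groups" in the original post.
$IloGroupDn = 'CN=iloadmins,OU=groups,OU=employees,DC=contoso,DC=dc,DC=com'
# Hypothetical sAMAccountName of a user who can log in but should not.
$SuspectSam = 'bob'

# LDAP_MATCHING_RULE_IN_CHAIN: AD walks nested membership server-side.
$InChain = '1.2.840.113556.1.4.1941'

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape RFC 4515 special characters so a DN is safe inside a filter.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

$iloGroup = Get-ADGroup -Identity $IloGroupDn
$user     = Get-ADUser  -Identity $SuspectSam -Properties PrimaryGroup
$groupDn  = ConvertTo-LdapFilterValue $iloGroup.DistinguishedName
$userDn   = ConvertTo-LdapFilterValue $user.DistinguishedName

# Groups placed inside the iLO group, at any nesting depth.
$nested = @(Get-ADGroup -LDAPFilter "(memberOf:${InChain}:=$groupDn)")

# Every group the user belongs to, directly or through nesting.
$userGroups = @(Get-ADGroup -LDAPFilter "(member:${InChain}:=$userDn)")

# The primary group lives in primaryGroupID, not in 'member', so add it by hand.
$candidateDns = @($userGroups.DistinguishedName) + $user.PrimaryGroup
$grantingDns  = @($iloGroup.DistinguishedName) + @($nested.DistinguishedName)

# Groups that both contain the user and lead to the iLO group.
$paths = $candidateDns |
    Where-Object { $_ -and ($grantingDns -contains $_) } |
    Sort-Object -Unique

if ($paths) {
    "{0} reaches {1} through:" -f $user.SamAccountName, $iloGroup.Name
    $paths | ForEach-Object { "  $_" }
} else {
    "{0} has no direct, nested or primary-group path to {1}" -f $user.SamAccountName, $iloGroup.Name
}

# Review everything nested in the iLO group, not only this user's path.
$nested | Select-Object Name, GroupScope, DistinguishedName
```

An empty result means membership of this group, nested or otherwise, does not explain the login.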