Server Management - Remote Server Management

Re: iLO Card - Schema-Free AD authentication

 
Uwe Kadner
New Member

iLO Card - Schema-Free AD authentication

All,

Good day first. I'm currently running into an issue using the schema-free authentication when logging on to my > 200 iLO card managed servers. Some of my colleagues cannot log on to the iLOs while others can.

Basic investigation shows that the one and only difference between the working and the non-working account is the number of AD groups a user is a member of.

I.e., my account is a member of approx. 60 AD groups and is working fine. My colleague is a member of more than 130 groups and his account does not work; the iLO card reboots immediately when he tries to log on. This behaviour is reproducible.

We're running the latest firmware version which is 1.89.

My question is if someone has already seen this and if there is a workaround.

Many thanks in advance.
4 REPLIES
TimeOut
Occasional Advisor

Re: iLO Card - Schema-Free AD authentication

User access to a particular iLO is based upon whether the user has read access to a role object that contains the corresponding iLO object.
Also, check the inheritable permissions. All these are better explained in a customer advisory.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?locale=en_US&objectID=c00756037
acartes
Honored Contributor

Re: iLO Card - Schema-Free AD authentication

Please open a support case for this issue. It sounds like iLO might be having a problem with your directory setup.
Uwe Kadner
New Member

Re: iLO Card - Schema-Free AD authentication

@TimeOut,

thanks for your answer, but we do not have any iLO objects in the AD.


@acartes,

yes, but not with the AD setup in general. It seems to be a buffer overflow/overrun as soon as the number of groups a user is a member of exceeds 128. My assumption is that the number of AD groups is counted by a byte counter in the iLO itself. Interesting thing is that it affects only direct group memberships. Memberships through nested groups are not having any effect (I have users with more than 240 nested memberships).

Will try to get a case opened through our key account manager in Germany.
acartes
Honored Contributor

Re: iLO Card - Schema-Free AD authentication

>> My assumption is that the number of AD groups is counted by a byte counter in the iLO itself.

Not quite, but it is a good way to think about it. Directory search results are not explicitly enumerated that way, but essentially, iLO has to look at the user's group membership.

>> Interesting thing is that it affects only direct group memberships. Memberships through nested groups are not having any effect

Nested group support is not currently supported. This support is imminent, though.

At this time, the lights-out processors only look at the groups the user is a direct member-of.
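
To see which accounts sit above the direct-membership count discussed in this thread, an administrator can count `memberOf` values per user in an LDIF export of the directory. The following is an added example, not part of any post above and not HP code; the 128 threshold is the original poster's observation rather than a documented limit, and the `example.test` DNs and the `build_sample` helper are constructed for illustration.

```python
import base64

# Threshold from the original poster's observation, not a confirmed iLO limit.
DIRECT_GROUP_THRESHOLD = 128


def parse_ldif(text):
    """Yield one dict (lower-cased attribute -> list of values) per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())


def accounts_over_threshold(ldif_text, threshold=DIRECT_GROUP_THRESHOLD):
    """Return [(sAMAccountName, direct_group_count)] above threshold, largest first."""
    flagged = []
    for entry in parse_ldif(ldif_text):
        # memberOf holds direct memberships only (nested groups are not expanded);
        # the primary group is not listed there either.
        count = len({g.lower() for g in entry.get("memberof", [])})
        if count > threshold:
            name = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
            flagged.append((name, count))
    return sorted(flagged, key=lambda item: -item[1])


def build_sample(name, n_groups):
    """Constructed sample entry (hypothetical DNs) with n_groups direct memberships."""
    out = [f"dn: CN={name},OU=Admins,DC=example,DC=test", f"sAMAccountName: {name}"]
    for i in range(n_groups):
        dn = f"CN=grp{i:03d},OU=Groups,DC=example,DC=test"
        out.append("memberOf: " + dn[:20] + "\n " + dn[20:])  # folded line
    return "\n".join(out) + "\n\n"
```

Feed it an export that includes `sAMAccountName` and `memberOf` for the accounts that log on to the iLOs; accounts it returns are candidates for trimming direct memberships while the support case is open.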