Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

iLO Card - Schema-Free AD authentication

Occasional Visitor

All,

Good day first. I'm currently running into an issue using the schema-free authentication when logging on to my > 200 iLO card managed servers. Some of my colleagues cannot log on to the iLOs while others can.

Basic investigation shows that the one and only difference between the working and the non-working account is the number of AD groups a user is a member of.

I.e., my account is a member of approx. 60 AD groups and is working fine. My colleague is a member of more than 130 groups and his account does not work; the iLO card reboots immediately when he tries to log on. This behaviour is reproducible.

We're running the latest firmware version which is 1.89.

My question is if someone has already seen this and if there is a workaround.

Many thanks in advance.
4 REPLIES
Occasional Advisor

Re: iLO Card - Schema-Free AD authentication

User access to a particular iLO is based upon whether the user has read access to a role object that contains the corresponding iLO object.
Also, check the inheritable permissions. All these are better explained in a customer advisory.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?locale=en_US&objectID=c00756037
Honored Contributor

Re: iLO Card - Schema-Free AD authentication

Please open a support case for this issue. It sounds like iLO might be having a problem with your directory setup.
Occasional Visitor

Re: iLO Card - Schema-Free AD authentication

@TimeOut,

thanks for your answer, but we do not have any iLO objects in the AD.


@acartes,

Yes, but not with the AD setup in general. It seems to be a buffer overflow/-run as soon as the number of groups a user is a member of exceeds 128. My assumption is that the number of AD groups is counted by a byte counter in the iLO itself. The interesting thing is that it affects only direct group memberships. Memberships through nested groups do not have any effect (I have users with more than 240 nested memberships).

Will try to get a case opened through our key account manager in Germany.
Honored Contributor

Re: iLO Card - Schema-Free AD authentication

>> My assumption is that the number of AD groups is counted by a byte counter in the iLO itself.

Not quite, but it is a good way to think about it. Directory search results are not explicitly enumerated that way, but essentially, iLO has to look at the user's group membership.

>> Interesting thing is that it affects only direct group memberships. Memberships through nested groups are not having any effect

Nested group support is not currently supported. This support is imminent, though.

At this time, the lights-out processors only look at the groups the user is a direct member-of.
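Added example, not part of the thread and not HP code: one way to find which accounts would be affected is to count each user's direct `memberOf` values in an LDIF export and flag those above the figure reported in the thread. The limit of 128 is the poster's observation, not a documented value, and all DNs and the helper names below are constructed for illustration.

```python
import base64

def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def direct_group_counts(ldif_text):
    """Return {user DN: number of memberOf values}.
    memberOf holds direct memberships only; nested groups and the
    primary group are not listed in it."""
    counts, dn = {}, None
    for line in unfold(ldif_text):
        if not line:                      # blank line ends the current entry
            dn = None
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>" for non-ASCII values
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attr = attr.lower()
        if attr == "dn":
            dn = value
            counts[dn] = 0
        elif attr == "memberof" and dn is not None:
            counts[dn] += 1
    return counts

def at_risk(ldif_text, limit=128):
    """DNs with more than `limit` direct memberships (limit assumed from the thread)."""
    return sorted(dn for dn, n in direct_group_counts(ldif_text).items() if n > limit)

def make_entry(name, n_groups):
    """Build a constructed LDIF entry with n_groups direct memberships."""
    lines = [f"dn: CN={name},OU=Admins,DC=example,DC=test"]
    lines += [f"memberOf: CN=Group{i:03d},OU=Groups,DC=example,DC=test"
              for i in range(n_groups)]
    return "\n".join(lines) + "\n"

# Constructed sample: 60, 131 and exactly 128 direct memberships.
SAMPLE = "\n".join(make_entry(n, c) for n, c in [("alice", 60), ("bob", 131), ("carol", 128)])

if __name__ == "__main__":
    for dn in at_risk(SAMPLE):
        print(dn, direct_group_counts(SAMPLE)[dn])
```

Run it against an export that contains only user entries and their `memberOf` attribute; lowering `limit` gives an early-warning list of accounts approaching the reported figure.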