Server Management - Remote Server Management
1748078 Members
5461 Online
108758 Solutions
New Discussion

Re: ilo and OpenLDAP

 
SysNewbie
New Member

ilo and OpenLDAP

Hello together,

Since a couple of weeks, I tried to connect an OpenLDAP server with an iLO board, for an central authentication system. The LDAP server Runs with Open SuSe 10.3 on OpenLDAP 2.3.37 and is configured with PAM, so that a user registration works.
My problem is the configuration of the directory settings of iLO.
I try to describe my config of the LDAP Server and the problem which I have with the config.

In /etc/openldap/slap.conf, I included a schema called ilo.schema.
The ilo.schema looks like:

attributetype (1.3.6.1.4.1.15959.9.1.1 NAME 'memberOf'
DESC 'Group which user belongs to'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)

objectclass (1.3.6.1.4.1.15959.9.2.1 NAME 'memberOf'
SUP top AUXILIARY
DESC 'Required by Integrated Lights-Out for OpenLDAP'
MUST (memberOf))

objectclass (1.3.6.1.4.1.15959.9.2.2 NAME 'user'
SUP top AUXILIARY
DESC 'Required by Integrated Lights-Out for OpenLDAP')

A test user for the iLO, added on the LDAP like the following schema:

# Max, my-domain.de
dn: uid = max, ou = Mitarbeiter, ou = users, dc = my-domain, dc = de
cn: Max Doe
givenName: Max
SN: Foo
gidNumber: 100
UID: Max
uidNumber: 1003
userPassword: SSHA) (passwortmax
homeDirectory: / home / max
loginShell: / bin / bash
Street:
postalCode:
l:
ST:
mail: max.mustermann@my-domain.de
telephoneNumber: +49
shadowExpire: 14152
shadowInactive: 10
shadowLastChange: 14042
shadowMax: 14
shadowMin: 1
shadowWarning: 10
memberOf: cn = iloadmin, ou = groups, dc = my-domain, dc = de
description: iLO users Max Mustermann
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: memberOf
objectClass: user
objectClass: top

the cn = iloadmin, ou = groups, dc = my-domain, dc = de look like:

dn: cn = iloadmin, ou = groups, dc = my-domain, dc = de
cn: iloadmin
objectClass: top
objectClass: groupOfNames
member: cn = Max Mustermann, ou = Mitarbeiter, ou = users, dc = my-domain, dc = de

The settings I config on iLO web interface as follows:
Under Administration -> Directory Settings ->
Use Directory DefaultSchema: running
Directory Server Address: my-domain.de [or IP]
Directory Server LDAP Port: 636
Directory User Context 1: ou = Mitarbeiter, ou = users, dc = my-domain, dc = de
And under Administration Groups -> Select a group: Administrator -> View / Modify
Security Group Distinguished Name: cn = iloadmin, ou = groups, dc = my-domain, dc = de
Administer Group and Accounts, Console Remote Access, Virtual Power and Reset, Virtual Media undConfigure iLO settings are enabled.

If I had a test run, I get the following message:
Overall status: Problem Detected
Description Test status
Ping Directory Server Passed
Directory Server IP Address Not run
Directory Server DNS name Passed
Connect to Directory Server Passed
Connect using SSL Passed
Certificate of Directory Server Passed
Bind to Directory Server Not run
Directory administrator login Not Run
User Authentication Failed
User Authorization Not Run
Directory User Context 1 Not run
Directory User Not run Context 2
Directory User Context 3 Not run
LOM exists Object Not Run
LOM Word Object Not Run

Sign Test
Initiating diagnostic Directory settings for server my-domain.de
Directory Server address my-domain.de resolved to IP address
Accepting certificate for Directory Server / C = DE / ST = [state]/ O = [company] / OU = ldapserver / CN = meine-domain.de/EMAIL ca@meine-domain.de signed by / C = DE / ST = [state] / L = [place] / O = [company] / OU = [Department] / CN = [person] / EMAIL = ca@meine-domain.de
Warning: certificate does not match my Address Directory Server-domain.de.
Unable to authenticate user test max [Invalid credentials]
Ceasing tests.
Some diagnostics for server FAILED my-domain.de

Complete tests.

I read a lot of threads, but nothing could help me to find a mistake.

I hope someone could help me to find the mistake.

kind regards

SysNewbie
6 REPLIES 6
SysCrusher
New Member

Re: ilo and OpenLDAP

Having the exact same problem. when running the test, I get hung at:

Warning: certificate does not match Directory Server Address xxx.xxx.xxx.xx.
Unable to authenticate test user

Ceasing tests.
Some diagnostics FAILED for server

Anyone know why this is happening?
acartes
Honored Contributor

Re: ilo and OpenLDAP

Warning: certificate does not match Directory Server Address xxx.xxx.xxx.xx.

This error means that iLO exchanged an SSL handshake with the directory server, but the server's certificate does not match the configured iLO server name. You might want to reconfigure iLO Directory Server network address to use the same certificate subject that the directory server is using.
SysNewbie
New Member

Re: ilo and OpenLDAP

Hello together,

I believe that I have expressed little unfortunate, because the information I need in terms iLO are as follows:

1. Regarding the Seetings Directory. How do I put them in iLO that a declaration of OpenLDAP users work?
Where appropriate, what should OpenLDAP in addition Configures?

2. How can I use the HP scheme in OpenLDAP implement?
Because I take advantage of the scheme also want to use.

kind regards

SysNewbie
acartes
Honored Contributor

Re: ilo and OpenLDAP

SysNewbie
New Member

Re: ilo and OpenLDAP

Hello together,

now I finally found time to tell you, that I´m now solving the problem by myself.

After that, the iLO server switched into an endless loop at the search for the attribute "objectSID" (What´s an attribute of MS ADS, and therefore it is not integrated in OpenLDAP) , I now proceed as follows.

Here again the statement from the log file:

Jul 25 13:05:13 meine-domain slapd[5519]: conn=134 fd=30 ACCEPT from IP=10.128.188.79:1281 (IP=0.0.0.0:636)
Jul 25 13:05:13 meine-domain slapd[5519]: conn=134 fd=30 TLS established tls_ssf=256 ssf=256
Jul 25 13:05:13 meine-domain slapd[5519]: bind: invalid dn (ilo)
Jul 25 13:05:13 meine-domain slapd[5519]: conn=134 op=0 RESULT tag=97 err=34 text=invalid DN
Jul 25 13:05:13 meine-domain slapd[5519]: conn=134 op=1 BIND dn="cn=ilo,ou=ilo,dc=meine-domain,dc=de" method=128
Jul 25 13:05:13 meine-domain slapd[5519]: conn=134 op=1 BIND dn="cn=ilo,ou=ilo,dc=meine-domain,dc=de" mech=SIMPLE ssf=0
Jul 25 13:05:13 meine-domain slapd[5519]: conn=134 op=1 RESULT tag=97 err=0 text=
Jul 25 13:05:13 meine-domain slapd[5519]: conn=134 op=2 SRCH base="ou=ilo,dc=meine-domain,dc=de" scope=0 deref=0 filter="(?=undefined)"
Jul 25 13:05:13 meine-domain slapd[5519]: conn=134 op=2 SRCH attr=objectSid
Jul 25 13:05:13 meine-domain slapd[5519]: conn=134 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=

I have now created an OpenLDAP-schema which contains the complete object classes and attributes from ADS (some attributes are easily changed) with the extension to the HP iLO schema. Now I restarted Openldap and checked the Samba configuration again.

/etc/samba/smb.conf

[global]
workgroup = MEINE-DOMAIN
# netbios name = Samba LDAP Server
passdb backend = ldapsam:ldap://localhost
idmap backend = ldap:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=meine-domain,dc=de
ldap suffix = dc=meine-domain,dc=de
ldap group suffix = ou=groups
ldap user suffix = ou=users
ldap machine suffix = ou=hosts
ldap idmap suffix = ou=users
ldap ssl = no
security = user
domain logons = yes
domain master = no
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
dns proxy = No
wins support = No
preferred master = Yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"

[netlogon]
path = /home/samba/netlogon
read only = yes
write list = root

[profiles]
path = /home/samba/profiles
read only = no
create mask = 0600
directory mask = 0700

[homes]
comment = Homeverzeichnisse
browsable = no
valid users = %S
writeable = yes
After that I entered in the following into the DIT:

dn: ou=ilo,dc=meine-domain,dc=de
objectClass: top
objectClass: organizationalUnit
ou: ilo

dn: cn=ilo2,ou=ilo,dc=meine-domain,dc=de
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: user
objectClass: memberOf
objectClass: securityPrincipal
sn: ilo2
cn: ilo2
givenName: ilo2
uid: ilo2
homeDirectory: /home/ilo2
loginShell: /bin/bash
street: Teststr.1
postalCode: 12345
l: Teststadt
st: Test
mail: ilo2@meine-domain.de
telephoneNumber: 069 12345
shadowExpire: 14152
shadowInactive: 5
shadowLastChange: 14085
shadowMin: 0
shadowMax: 28
shadowWarning: 10
description: Benutzer ilo2
uidNumber: 1018
gidNumber: 101
userPassword: {SSHA}jslzpg2h5T0OSHV4Wwy7TL508/lfAA4o
objectSid: S-1-5-21-3224800242-2841723616-1786565096
sAMAccountName: MEINE-DOMAIN
memberOf: ou=ilo,dc=meine-domain,dc=de
memberOf: cn=iLO Full Administrators,ou=ilo,dc=meine-domain,dc=de

dn: cn=iLO Full Administrators,ou=ilo,dc=meine-domain,dc=de
objectClass: hpqRole
objectClass: container
objectClass: hpqLOMv100
cn: iLO Full Administrators
groupType: 2147483652
hpqLOMRightConfigureSettings: TRUE
hpqLOMRightLocalUserAdmin: TRUE
hpqLOMRightLogin: TRUE
hpqLOMRightRemoteConsole: TRUE
hpqLOMRightServerReset: TRUE
hpqLOMRightVirtualMedia: TRUE
member: cn=ilo2,ou=ilo,dc=meine-domain,dc=de

On iLO I configured the following:

Use Directory Default Schema:
Enable Local User Accounts: Yes

Directory Server Settings
Directory Server Address: meine-domain.de

Directory Server LDAP Port: 636

Directory User Context 1: ou=ilo,dc=meine-domain,dc=de

Under Administer Group:

Group -> Administrator

Security Group Distinguished Name : cn=iLO Full Administrators,ou=ilo,dc=meine-domain,dc=de

Administer Group Accounts Yes
Remote Console Access Yes
Virtual Power and Reset Yes
Virtual Media Yes
Configure iLO Settings Yes

And now the user, in which case the user "ilo2," could be login by used his name (CN) and password.

how far the HP Schema could be implementable, should I still testing. But at least, the authentication and authorization is now running.

I thank you for take the trouble with my problem.

kind regards

SysNewbie
SysNewbie
New Member

Re: ilo and OpenLDAP

Hello togehter,

because I solved the problem by myself, I closed thies thread.

I wannabe say retry thank to you, for take the trouble with my problem.

kind regards

SysNewbie