03-28-2005 08:53 AM
ILO LDAP auth with OpenLDAP server
"unable to read restrictions. Not a member?"
I suspect the card is checking for some attrib I don't have defined, but I haven't been able to figure it out.
I even tried doing an ldifde on a working windows server to compare the output and it's basically the same (ignoring the above objectclass differences).
Here's the LDIF of the hpqTarget --
dn: host=ilo06,ou=hp devices,dc=foo,dc=com
userid: ilo06
objectClass: top
objectClass: account
host: ilo06
objectClass: hpqTarget
hpqRoleMembership: cn=rib-admin,ou=roles,dc=foo,dc=com
and here's the hpqRole --
dn: cn=rib-admin,ou=roles,dc=foo,dc=com
objectClass: top
cn: rib-admin
objectClass: hpqRole
objectClass: groupOfNames
member: uid=luser,ou=users,dc=foo,dc=com
hpqTargetMembership: host=ilo06,ou=hp devices,dc=foo,dc=com
objectClass: hpqLOMv100
hpqLOMRightConfigureSettings: TRUE
hpqLOMRightLocalUserAdmin: TRUE
hpqLOMRightLogin: TRUE
hpqLOMRightRemoteConsole: TRUE
hpqLOMRightServerReset: TRUE
hpqLOMRightVirtualMedia: TRUE
Has anyone else tried this? Successes/failures?
Any iLO/LDAP gurus out there that might shed some light on this?
regards,
-b
03-28-2005 10:12 AM
Re: ILO LDAP auth with OpenLDAP server
You might want to consult the HP Directory Services Schema Information Booklet here:
http://h200005.www2.hp.com/bc/docs/support/UCR/SupportManual/TPM_325823-001_rev1_us/TPM_325823-001_rev1_us.pdf
The test user credentials are used to read the LOM object hpqTarget. The target object (iLO) is managed by association with 0 or more hpqRoles. The user must have read access to the role to gain the rights in the role. The role object has attributes including hpqRoleIPRestrictions, hpqRoleIPRestrictionDefault, hpqRoleTimeRestriction, and hpqTargetMembership.
It is probable that the test user is not a role member, and therefore cannot read the role. Therefore, he gains no rights specified by that role.
Stated in English:
If the user can do all of these:
- read the iLO in the directory
- read the roles for that iLO
- meet the access restrictions in those roles,
then he gains the iLO rights in the role.
03-29-2005 01:23 AM
Re: ILO LDAP auth with OpenLDAP server
How does the ILO board determine if a given user DN is a member of the role? Does it use the 'member' attribute the role inherits from the 'group' objectclass? You'll note that I do have a 'member' attribute in the role and it's set to the 'luser' account DN.
But that didn't work.
What am I missing?
thanks,
-b
03-29-2005 02:10 AM
Re: ILO LDAP auth with OpenLDAP server
>> is a member of the role?
iLO authenticates to the directory using the user credentials specified at login or as "test user" on the Directory Tests page.
During authorization, iLO reads the role(s) using the user's credentials. If the read succeeds, then the rights for that role can be granted.
Essentially, rights in a role can be granted to the user that can read the role. This includes:
- (member): Users that are a member of a role
- (owner): The user that created the role
- (admin): The directory administrator
Read privilege is enforced by the directory.
03-29-2005 11:08 AM
Re: ILO LDAP auth with OpenLDAP server
However, this environment is created by hand, and the reason the iLO can't read the restrictions is probably because the restrictions are missing from the role.
There are supposed to be restriction attributes on the roles, and they're supposed to have values.
The schema information booklet describes the restriction attributes and the appropriate values for them. Typically, you want the default values in them. They are:
- hpqRoleIPRestrictions - no values.
- hpqRoleIPRestrictionDefault - TRUE
- hpqRoleTimeRestriction - 0xFF {42} (42 bytes of 0xFF)
A user is considered to be a member of the role if the user can read the role. Permissions for the directory object must be set such that only members (and administrators) of the role have the right to read the role.
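To check whether a hand-built hpqRole actually carries the restriction defaults listed in the reply above, here is an added Python example (not code from this thread or from HP): it parses an LDIF entry the way ldapsearch prints it (base64 `::` values and folded continuation lines) and reports which of the restriction attributes are missing or wrong. The sample entries are constructed from the role posted in this thread; the attribute names and expected values are the ones the reply states.

```python
import base64

# Defaults the HP schema booklet expects on an hpqRole, per the reply above.
EXPECTED_IP_DEFAULT = b"TRUE"
EXPECTED_TIME_RESTRICTION = b"\xff" * 42   # 42 bytes of 0xFF = no time-of-day restriction

def parse_ldif_entry(ldif):
    """Parse one LDIF entry into {attr (lowercased): [raw values]}; handles '::' base64 and folded lines."""
    lines = []
    for raw in ldif.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # ldapsearch folds long values onto indented lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: <base64>" carries a binary value
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs

def check_hpq_role(attrs):
    """Return the defects that leave iLO unable to read the role's restrictions; [] means the role looks complete."""
    problems = []
    if attrs.get("hpqroleiprestrictions"):
        problems.append("hpqRoleIPRestrictions should carry no values by default")
    if attrs.get("hpqroleiprestrictiondefault") != [EXPECTED_IP_DEFAULT]:
        problems.append("hpqRoleIPRestrictionDefault must be TRUE")
    if attrs.get("hpqroletimerestriction") != [EXPECTED_TIME_RESTRICTION]:
        problems.append("hpqRoleTimeRestriction must be 42 bytes of 0xFF")
    if not attrs.get("member"):
        problems.append("role has no member, so no ordinary user can read it")
    return problems

# Constructed sample: the role as posted in the thread (restriction attributes absent).
ROLE_AS_POSTED = """dn: cn=rib-admin,ou=roles,dc=foo,dc=com
objectClass: hpqRole
objectClass: hpqLOMv100
cn: rib-admin
member: uid=luser,ou=users,dc=foo,dc=com
"""
# The same role with the booklet defaults added; the binary value is base64 ("::") as LDIF requires.
ROLE_WITH_DEFAULTS = ROLE_AS_POSTED + "hpqRoleIPRestrictionDefault: TRUE\nhpqRoleTimeRestriction:: " \
    + base64.b64encode(EXPECTED_TIME_RESTRICTION).decode() + "\n"
```

The second requirement in the reply, that only role members and directory administrators can read the role, is enforced by the directory's own ACLs (in OpenLDAP a `by dnattr=member read` clause on the roles subtree), not by anything this script or iLO checks.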
07-22-2007 12:22 AM
Re: ILO LDAP auth with OpenLDAP server
09-21-2010 06:21 PM
Re: ILO LDAP auth with OpenLDAP server
Did you get any solution for this? Can you share it if you have one?
--praveen