ILO with AD integration

What is the format of the login name you
are trying to use.
Is it
1.short name
Ex : sriv s
2.Distinguished name
Ex : CN=sriv s,CN=Users,DC=mycompu,DC=com
3.loginname@domain.com format
Ex : sriv@mycompu.com
4.Netbios name


Please configure iLO with the appropriate directory settings and Group
distinguished name.
Follow the steps below.

1.Logon to iLO with the appropriate login and password.
2.Click Administration->Directory settings.
3.Configure "directory settings" with appropriate parameters as under
1.Directory Server address
Ex : dlilo1.india.hp.com
2.LDAP port as "636".
3.Fill in appropriate "Directory User Context 1
Ex:CN=Users,DC=mycompu,DC=com
4.Click "Apply Settings" to save the directory settings.

5.Repeat "Step 2" to go back to directory
settings page.
4.Now click on "Administer Groups".
5.Select the appropriate group.
Ex : custom1
6.Fill in the Group distinguished name.
Ex : CN=newgroup,CN=Users,DC=mycompu,DC=com
NOTE : Please don't give any extra space.
7.Enable the appropriate access rights for this group.

8.Click on "Save Group Information" save the group settings.

Please ensure the following.
1.In windows Active directory setup
the same group(Ex:newgroup) exists.
2.User who tries to login to iLO is
present in this group.

M.S.Srivatsa,

I am having trouble following your instructions.

I entered the information you suggested, of course substituting the correct information, for Directory User Context 1. However, when I click Apply Settings, I get an alert box with the message: "LOM Object distinguished name is not specified. Applying these settings will prevent directory authentication."

I also tried entering the information in the LOM ODM field, but authentication still does not work.

Under Modify Group, I listed the CN for the lowest level of the group, and moved up to dc=com. Ex: cn=IT,cn=LoginScripts,cn=groups,dc=[domain],dc=com. (no real CN's listed here.)

I have tried loging in with the following:
doman\username
username@domain.com

The directory server address is resolved.
It accepts the certificate.
Unable to authenticate domain\user [object not found].
-OR-
Unable to authenticate test user, user@domain.com.

Thank you for your help.
Jack Roberts

Please use the HP Lights Out directory migration utility(HPQLOMIG.exe) which helps you to configure iLO for either
Default Schema or Extended Schema.This is a
GUI based tool.

HPQLOMIG.exe is part of "HP Directories Support for Management Processors" softpaq
(SP31581.exe) which is downloadable from the
following web site.
https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_13aa310d9f23432a8d02d5ad56

iLO directory configuration pictures
I have attached the ZIP file which has the pictures of the iLO directory configuration for your reference.
1.iLOdirsettings.bmp
This picture shows the directory settings
for default schema.
NOTE: Please ensure you fill in the
hostname field in "Directory server
address" field.
This is required for logging using
"loginname@domain.com" and Netbios
name format(Domain name\loginname)

Assuming "sriv" is the login name
Ex : loginname@domain.com
sriv@mycompu.com
Ex : Netbios name (domain\loginmame)
MYCOMPU\sriv

M.S.Srivatsa...I see that you have password for the "LOM object password". That would only be needed for the HP Schema extension right? Since I am doing the schema-free, no objects for the iLO are create in AD?

QUESTION ASKED
I see that you have password for the "LOM object password".
That would only be needed for the HP Schema extension right?

ANSWER
YES.
LOM Object Distinguished Name,LOM Object Password and LOM Object Password
Confirm fields in "iLO directory settings page" are needed only for HP
Extended schema.
For "Schema-free directory integration" these fields can be ignored.

Thank you M.S.Srivatsa.

2nd Question.

For "Directory User Context 1:", is this field required to be filled out for schema-free, the white papers on iLO AD skipped this section using the GUI utility.

And if required, so far I've placed the container which the user/group resided in AD as such:

CN=Users,DC=ibx,DC=com

Is this correct?

For schema-free should we use port 636 or 389. Here is a comment from Microsoft. The LDAP "Well-known" ports have been established as 389 for LDAP and 636 for LDAP SSL.

I think since I am not using SSL at all, I should use port 389?

QUERY 1
For schema-free "Directory User Context 1" field is required.
CN=Users,DC=ibx,DC=com is correct as long as it matches with Active
directory server configuration.

QUERY 2
iLO supports LDAP over SSL.So default LDAP port should be 636

Refer the whitepaper
"Integrating HP ProLiant Lights-Out processors with Microsoft® Active
Directory"
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c00190541

I know that this has been along time but I am having a ton of problems setting up schema free integration. I have ILO 2 and want to make sure the ldap over ssl is working but unfortunatelly for some reason ilo 2 does not have the option through the web interface. Is there another way to test the connectivity?