What is the format of the login name you are trying to use. Is it 1.short name Ex : sriv s 2.Distinguished name Ex : CN=sriv s,CN=Users,DC=mycompu,DC=com 3.loginname@domain.com format Ex : sriv@mycompu.com 4.Netbios name
Please configure iLO with the appropriate directory settings and Group distinguished name. Follow the steps below.
1.Logon to iLO with the appropriate login and password. 2.Click Administration->Directory settings. 3.Configure "directory settings" with appropriate parameters as under 1.Directory Server address Ex : dlilo1.india.hp.com 2.LDAP port as "636". 3.Fill in appropriate "Directory User Context 1 Ex:CN=Users,DC=mycompu,DC=com 4.Click "Apply Settings" to save the directory settings.
5.Repeat "Step 2" to go back to directory settings page. 4.Now click on "Administer Groups". 5.Select the appropriate group. Ex : custom1 6.Fill in the Group distinguished name. Ex : CN=newgroup,CN=Users,DC=mycompu,DC=com NOTE : Please don't give any extra space. 7.Enable the appropriate access rights for this group.
8.Click on "Save Group Information" save the group settings.
Please ensure the following. 1.In windows Active directory setup the same group(Ex:newgroup) exists. 2.User who tries to login to iLO is present in this group.
I entered the information you suggested, of course substituting the correct information, for Directory User Context 1. However, when I click Apply Settings, I get an alert box with the message: "LOM Object distinguished name is not specified. Applying these settings will prevent directory authentication."
I also tried entering the information in the LOM ODM field, but authentication still does not work.
Under Modify Group, I listed the CN for the lowest level of the group, and moved up to dc=com. Ex: cn=IT,cn=LoginScripts,cn=groups,dc=[domain],dc=com. (no real CN's listed here.)
I have tried loging in with the following: doman\username username@domain.com
The directory server address is resolved. It accepts the certificate. Unable to authenticate domain\user [object not found]. -OR- Unable to authenticate test user, user@domain.com.
Please use the HP Lights Out directory migration utility(HPQLOMIG.exe) which helps you to configure iLO for either Default Schema or Extended Schema.This is a GUI based tool.
iLO directory configuration pictures I have attached the ZIP file which has the pictures of the iLO directory configuration for your reference. 1.iLOdirsettings.bmp This picture shows the directory settings for default schema. NOTE: Please ensure you fill in the hostname field in "Directory server address" field. This is required for logging using "loginname@domain.com" and Netbios name format(Domain name\loginname)
Assuming "sriv" is the login name Ex : loginname@domain.com sriv@mycompu.com Ex : Netbios name (domain\loginmame) MYCOMPU\sriv
M.S.Srivatsa...I see that you have password for the "LOM object password". That would only be needed for the HP Schema extension right? Since I am doing the schema-free, no objects for the iLO are create in AD?
QUESTION ASKED I see that you have password for the "LOM object password". That would only be needed for the HP Schema extension right?
ANSWER YES. LOM Object Distinguished Name,LOM Object Password and LOM Object Password Confirm fields in "iLO directory settings page" are needed only for HP Extended schema. For "Schema-free directory integration" these fields can be ignored.
For "Directory User Context 1:", is this field required to be filled out for schema-free, the white papers on iLO AD skipped this section using the GUI utility.
And if required, so far I've placed the container which the user/group resided in AD as such:
For schema-free should we use port 636 or 389. Here is a comment from Microsoft. The LDAP "Well-known" ports have been established as 389 for LDAP and 636 for LDAP SSL.
I think since I am not using SSL at all, I should use port 389?
QUERY 1 For schema-free "Directory User Context 1" field is required. CN=Users,DC=ibx,DC=com is correct as long as it matches with Active directory server configuration.
QUERY 2 iLO supports LDAP over SSL.So default LDAP port should be 636
I know that this has been along time but I am having a ton of problems setting up schema free integration. I have ILO 2 and want to make sure the ldap over ssl is working but unfortunatelly for some reason ilo 2 does not have the option through the web interface. Is there another way to test the connectivity?
1.Logon to iLO2 Web interface with appropriate login and password. 2.Click on "Security" tab" (Present on the left hand side). 3.Click on "Directory".This will display the directory settings. 4.There is a "Test Settings" tab at the bottom. Hope this information helps.
Thanks for writing back. I was able to figure it out with your help , what happened is they changed the location of the directory tab in ilo2.
Ok so I know I am very close. I am failing on the test at the following
Test Log Initiating Directory Settings diagnostic for server Testserver Directory Server address Testserver resolved to 10.10.10.2 Accepting Directory Server certificate for /CN=Testserver.ad.test.com signed by /DC=com/DC=test/DC=ad/CN=Lab Root CA Unable to authenticate test user dan [Invalid credentials] Ceasing tests.
now dan is a domain admin and the administrator group in directory is setup as CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com. on the previous screen there is the Directory User Context 1: line that the directions say to put in an entry but I don't have one in there.
Assuming 1.Full name of the user : sriv s 2.Login name : sriv
Question What is the format of the login name you are trying to use for "Test Settings". Is it 1.short name Ex : sriv s 2.Distinguished name Ex : CN=sriv s,CN=Users,DC=mycompu,DC=com 3.loginname@domain.com format Ex : sriv@mycompu.com 4.Netbios name Ex : mycompu/sriv
I was trying to use 4.Netbios name Ex : mycompu/sriv or test.com/testuser. In reality I was hoping to be able to just user testuser but not sure if that is possible or not.
OK I have tried every combination I can think of and it is still not working. I figured I would start from the beginning.
the name of the display name of the account I am testing is Test, Dan the account name is dtest The user is a mamber if the domain admins group. so in AD the user full name is Test, Dan
In the directory settings screen, I have the correct server fully quallified, the port 636 and Directory User Context 1 set to CN=Users,DC=ad,DC=test,DC=com
Now I go into the administer groups page and select custom1. in there I add CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com and allowed for all items
So I tried testing the following combonations with no luck
After trying all of these I still fail on User Authentication
Results Overall Status: Problem Detected
-------------------------------------------------------------------------------- Test Description Status Ping Directory Server Passed Directory Server IP Address Not run Directory Server DNS Name Passed Connect to Directory Server Passed Connect using SSL Passed Certificate of Directory Server Passed Bind to Directory Server Not run Directory Administrator login Not run User Authentication Failed User Authorization Not run Directory User Context 1 Not run Directory User Context 2 Not run Directory User Context 3 Not run LOM Object exists Not run LOM Object password Not run
This is an ancient thread, but the forum indicates a recurring theme, so I believe it's worth clarifying what happened here, and giving some details about how the process worked and how it has changed in later versions of iLO.
Unfortunately the correct form of username was never used.
iLO sends exactly what you type to the LDAP server, so it has to be a form that would be supported by Active Directory itself. The LDP.exe tool using "SIMPLE" bind and LDAP SSL port 636 can be used to test or check ldap connection and authentication in the same way iLO does.
If the user full name is "Test, Dan", the distinguished name will typically be "CN=Test, Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com" AD servers may require escaping that first comma too.
In the "Active Directory Users and Computers" tool, on the view menu, there's a setting for "Advanced Features", if this setting is enabled, the properties page of user objects will include an "Object" tab, which shows the "canonical name" of the user object. The "CN" of the user object is the last part of that name. It's also displayed next to the user icon on the "General tab"
For normal user logins, iLO can attempt to build a better username using the configured search contexts, by simply appending the context to the entered username.
In this example the "CN=Users,DC=ad,DC=test,DC=com" context would allow you to enter usernames that appear directly in that "Users" container. The "Test, Dan" user does not.
Unfortunately, for iLO 2, the test settings screen cannot use search contexts or alternate forms of the username, so a fully qualified DN like "CN=Test, Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com" is required.
On the login page, the pre-windows 2000 user logon name from the "Account" tab of Users & Computers can be used, "adtest\dtest" should work - The direction of the slash does matter.
iLO 2 used a microsoft activeX control in the webpage to do the translation, and was limited by that to web sessions using IE on domain-authenticated workstations.
iLO 3 and iLO 4 do the name translation internally, and no longer require the ActiveX control, and can support "adtest\dtest" or "Test, Dan" forms of user names in the Directory "Test Settings" page and for user login.
