uploading directory server certificate with hponcfg

I figured it out after consulting the ilo5 scripting guide.  Here is my procedure in case it helps anyone else.  :)

# Get a list of domain controllers.
/usr/bin/dig SRV _ldap._tcp.domain +noall +answer | awk '{ print $8 }' \
| sed -e '/^$/d' | grep -v 'noall' | sort -t \- -k 2,2 -k 1,1
DIRSRV='<name from dig command>'
#
# Use the one most appropriate for this server.
#
# Log on to the server with the iLO you want to change and switch to root.
# Define this function:
retrieve-cert() {
   REMHOST=${1}
   REMPORT=${2:-443}
   echo | \
   openssl s_client connect ${REMHOST}:${REMPORT} 2>&1 | \
   /bin/sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}
# Extract the current iLO settings:
cd /var/tmp
# On systems where the iLO encryption settings are anything other
# than production, you will have to provide a user name and password:
PASSWORD='password'
USER=administrator
hponcfg --all -writeconfig ilo.xml --user ${USER} --password ${PASSWORD}
# Can edit the xml file to embed the username and password:
sed -i "s|^\(.*LOGIN USER_LOGIN=\"\).*\(\" PASSWORD=\"\).*\(\">\)$|\1${USER}\2${PASSWORD}\3|" ilo.xml
# Get rid of the comments line:
sed -i '/^<!--/d' ilo.mxl
#
# First, need to make sure dns resolvers are set correctly.  Pair down
# the xml file to just the network information:
sed -e '/<RIB_INFO mode="write"><MOD_GLOBAL_SETTINGS>/,/<\/<MOD_GLOBAL_SETTINGS><\/<RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><MOD_SNMP_IM_SETTINGS>/,/<\/<\/MOD_SNMP_IM_SETTINGS><\/<RIB_INFO>/d' \
    -e '/<DIR_INFO mode="write"><MOD_DIR_CONFIG>/,/<\/<\/MOD_DIR_CONFIG><\/<DIR_INFO>/d' \
    -e '/<RIB_INFO mode="write"><SET_FEDERATION_MULTICAST>.*/d' \
    -e '/<SSO_INFO mode="write"><MOD_SSO_SETTINGS>.*/d' \
    -e '/<SERVER_INFO mode="write"><SET_HOST_POWER.*/d' \
    -e '/<USER_INFO mode="write">/,/<\/USER_INFO>/d' \
    -e '/<SERVER_INFO mode="write"><SERVER_AUTO_PWR.*/d' \
    -e '/<RIB_INFO mode="write"><\/<RIB_INFO>/d' ilo.xml > ilo-net.xml
#
# Now, update the DNS servers (if not already correct).
DNS1='<ip of first dns server>'
DNS2='<ip of second dns server>'
sed -i "s|^\(    <PRIM_DNS_SERVER VALUE=\"\).*\(\"/\)|\1${DNS1}\2|" ilo-net.xml
sed -i "s|^\(    <SEC_DNS_SERVER VALUE=\"\).*\(\"/\)|\1${DNS2}\2|" ilo-net.xml
#
# Now, write the file to iLO (Note: this will reset iLO.  It might take a couple of minutes):
hponcfg -f ilo-net.xml
#
# Get the directory server certificate file into an xml file.
sed -e '/<RIB_INFO mode="write"><MOD_NETWORK_SETTINGS>/,/<\/<\/MOD_NETWORK_SETTINGS><\/<RIB_INFO>/d' ilo-net.xml > ilo-cert.xml
sed-i '/<LOGIN USER_LOGIN= a\
    <DIR_INFO MODE="write"> \
        <IMPORT_LDAP_CA_CERTIFICATE> \
        </IMPORT_LDAP_CA_CERTIFICATE> \
    </DIR_INFO>' ilo-cert.xml
#
while read line; do
   echo ${line}
   echo ${line} | grep -q "<IMPORT_LDAP_CA_CERTIFICATE>"
   [ ${?} -eq 0 ] && "$(retrieve-cert ${DIRSRV} 636)"
done < ilo-cert.xml > ilo-cert-new.xml
# Upload to iLO:
hponcfg -f ilo-cert-new.xml
#
# Now, need to set up information to enable authentication with active directory.
# Again, pair down the original xml file:
sed -e '/<RIB_INFO mode="write"><MOD_GLOBAL_SETTINGS>/,/<\/<MOD_GLOBAL_SETTINGS><\/<RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><MOD_SNMP_IM_SETTINGS>/,/<\/<\/MOD_SNMP_IM_SETTINGS><\/<RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><SET_FEDERATION_MULTICAST>.*/d' \
    -e '/<SSO_INFO mode="write"><MOD_SSO_SETTINGS>.*/d' \
    -e '/<SERVER_INFO mode="write"><SET_HOST_POWER.*/d' \
    -e '/<USER_INFO mode="write">/,/<\/USER_INFO>/d' \
    -e '/<SERVER_INFO mode="write"><SERVER_AUTO_PWR.*/d' \
    -e '/<RIB_INFO mode="write"><MOD_NETWORK_SETTINGS>/,/<\/<\/MOD_NETWORK_SETTINGS><\/<RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><\/<RIB_INFO>/d' ilo.xml > ilo-dir.xml
#
# Now, edit to put in correct information:
sed -i -e 's|\(<DIR_AUTHENTICATION_ENABLED VALUE="\).*\("/>\)|\1Y\2|' \
    -e    "s|\(<DIR_SERVER_ADDRESS VALUE=\"\).*\(\"/>\)|\1${DIRSRV}\2|" \
    -e    's|\(<DIR_USER_CONTEXT_1 VALUE="\).*\("/>\)|\1DC=my,DC=com\2|' \
    -e    's|\(<DIR_USER_CONTEXT_2 VALUE="\).*\("/>\)|\1@my.com\2|' \
    -e    's|\(<DIR_ENABLE_GRP_ACCT VALUE="\).*\("/>\)|\1Y\2|' ilo-dir.xml
#
# Add in group accounts.  Repeat for however many groups you are adding:
GRP=iLOAdmins
PRIVVAL='1,2,3,4,5,6'
# and
GRP=iLOUser
PRIVVAL='2,3,4,6'
#
RETURN=$(adquery group --all ${GRP} | grep -E '^dn:|^sid:')
DN=$(echo ${RETURN} | tr ' ' '\n' | grep '^dn:' | cut -d: -f2)
SID=$(echo ${RETURN} | tr ' ' '\n' | grep '^sid:' | cut -d: -f2)
# Need to find the current number of group accounts:
NUM=$(grep DIR_GRPACCT ilo.xml | cut -c6-17 | sort -u | tail -1)
NEWNUM=$((${NUM:$((${#NUM}-1)):1}+1))
# For the second group, just increment the NEWNUM variable:
((NEWNUM++))
sed -i "/<DIR_KERBEROS_ENABLED VALUE/i\    <DIR_GRPACCT${NEWNUM}_NAME VALUE=\"${DN}\">\n    <DIR_GRPACCT${NEWNUM}_PRIVVALUE=\"${PRIVVAL}\">\n    <DIR_GRPACCT${NEWNUM}_SID VALUE=\"${SID}\">" ilo-dir.xml
#
# End of repeat section.
# Now write to iLO:
hponcfg -f ilo-dir.xml
#
# Should be all set!  Remove your files:
/bin/rm ilo*