BladeSystem - General
1748109 Members
4412 Online
108758 Solutions
New Discussion юеВ

Re: Help configuring LDAP integration for BladeSystem OA login

 
SOLVED
Go to solution
Mikael R├╢nnb├дck
Super Advisor

Help configuring LDAP integration for BladeSystem OA login

I am trying to configure LDAP integration for logging into our Blades using our AD-keys instead of a local user.

I have read a few threads here, for example this, http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1277300
but cannot seem to get everything in order.

What happens is that when I run the LDAP tests I get a status of authentication = success but authorization = failed.

In addition I can use HP SIM as single sign-on and get logged in with my AD-key, but that's not completely what I want.

So obviously I have the servers in place and these settings correctly configured, but I am missing something in regards to actual access.

So, what should I actually put into each field, I am not sure after reading the manual ( http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00705292/c00705292.pdf ) what should actually be in each field.

Here's what I have
Directory Server address: myserver.mydomain.net
Directory Server SSL Port: 636
Search Context 1: OU=My OU,CN=Admin,CN=MainOU,DC=mydomain,DC=net

This is my first question, should the search context point to the path where the USER is or the path where the GROUP in which the user is a member is ?

And in which case should CN= be used or OU= be used ? is CN= only for users or groups and OU= for OU's ? (As you can guess I am more comfortable with the ILO authentication settings and config syntax... :-))

Additionally I have enabled the "Use NT Account Name Mapping (DOMAIN\username)" setting, is this only for easy login or for account lookup as well ?

On top of this I have added two domain groups, using their AD names, and granted the groups Administrator access, and I am member of the groups.

Still I get authorization failed ?
13 REPLIES 13
Adrian Clint
Honored Contributor

Re: Help configuring LDAP integration for BladeSystem OA login

Have you seen the threads on the iLO forum?
http://forums11.itrc.hp.com/service/forums/categoryhome.do?categoryId=298

There are a lot more on the ILO/OA AD integration.
Mikael R├╢nnb├дck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

Do you have any specific thread in mind, since from when I look the threads in the ILO forum mainly seems to concern AD integration of ILO, not AD integration of OA ?
Cederberg
Honored Contributor

Re: Help configuring LDAP integration for BladeSystem OA login

Did you upload the Certificates from Active directory on your OA-card? you need thoose to get access to your AD.

And for the questions about wich ou to point out. You need to point to the OU where the users are as 2.31 and down doesn't support nested groups. Thats a new feature in 2.32

ou=Users,dc=MyCompany,dc=com
Mikael R├╢nnb├дck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

Yes, the test result status says certificates are successfully read, and all tests pass (including authentication), except actual authorization.

I thought that would be related to membership in groups specified to allow access ?
Mikael R├╢nnb├дck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

Btw, I have the 2.32 OA firmware in place.
Raghuarch
Honored Contributor

Re: Help configuring LDAP integration for BladeSystem OA login

This is my first question, should the search context point to the path where the USER is or the path where the GROUP in which the user is a member is ?

It should Point to the group in which user is member.

Try the below search Context:
Search Context 1: OU=My OU,OU=Admin,OU=MainOU,DC=mydomain,DC=net

If the Groups are directly under Users in Domain, Use CN otherwise use OU.
Mikael R├╢nnb├дck
Super Advisor

Re: Help configuring LDAP integration for BladeSystem OA login

Thank you, so, the Search contect should be in the form of OU= (not CN=) and point to the OU where the GROUPS are located. Check :)

And I've added the actual groups in that OU that I want to grant access.

But I still can't get things to work, I only get authentication success and authorization failure. So I must still be doing something wrong somewhere ?
Raghuarch
Honored Contributor

Re: Help configuring LDAP integration for BladeSystem OA login

Try logging to OA with the directory User.
Don't use the test LDAP Test Page. Does it work?
Raghuarch
Honored Contributor

Re: Help configuring LDAP integration for BladeSystem OA login

R├Г┬╢nnb├Г┬дck,

Try the attachment, is it same as your directory structure?
try the search context if it matches.