
Re: OneView 4 - Cannot Edit or Delete Group with local login disabled

 
jp24
Occasional Contributor

OneView 4 - Cannot Edit or Delete Group with local login disabled

The OneView 4.1 appliance is configured to disable local logins for security purposes and is integrated with AD/LDAP.

I have a test user assigned to an AD group, this group assigned a Role in OneView 4.1.

Using a different AD Admin account assigned an Infrastructure Admin role, I cannot edit or change the Test group roles without enabling local login on the appliance.

 

My TestAccount AD Group Memberships (extracting only those groups assigned to the OneView Appliance)

PS C:\Windows\system32> (Get-ADUser rtest1 -Properties memberof | Select-Object memberof).memberof
CN=*xxx*-READ_TEST,OU=xxxx,OU=xxxxx,OU=xxxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx

 

My Admin AD Group Memberships (extracting only those groups assigned to the OneView Appliance)

PS C:\Windows\system32> (Get-ADUser padmin1 -Properties memberof | Select-Object memberof).memberof
CN=*xxx*-ADMN,OU=xxxx,OU=xxxxx,OU=xxxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx


PS C:\Windows\system32> Get-HPOVLdapGroup

Appliance        Name             Directory        Permissions
---------        ----             ---------        -----------
xxx.xxx.xxx.xxx  *xxx*-ADMN       xxx.xxx.xxx.xxx  Infrastructure administrator  (My AD Admin account member of)
xxx.xxx.xxx.xxx  *xxx*-SRVM       xxx.xxx.xxx.xxx  Server administrator
xxx.xxx.xxx.xxx  *xxx*-BURM       xxx.xxx.xxx.xxx  Backup administrator
xxx.xxx.xxx.xxx  *xxx*-READ       xxx.xxx.xxx.xxx  Read only
xxx.xxx.xxx.xxx  *xxx*-NETW       xxx.xxx.xxx.xxx  Network administrator
xxx.xxx.xxx.xxx  *xxx*-STOR       xxx.xxx.xxx.xxx  Storage administrator
xxx.xxx.xxx.xxx  *xxx*-READ_TEST  xxx.xxx.xxx.xxx  Read only  (My test account member of)

 

If I log in and try to edit the -READ_TEST group using my Admin Infrastructure account ID, the error received is:

"Cannot edit or delete the group - Enable local login or create another group with Infrastructure Administrator role before editing or deleting the group "

The outcome is not to enable local login for a solution.

I accept that once groups are defined there shouldn't be any need to change them, but since this is a new implementation it's requiring a few tweaks.

 

Any ideas for resolution?



 

Kashyap02
HPE Pro

Re: OneView 4 - Cannot Edit or Delete Group with local login disabled

Hi JP24

HPE OneView supports both local and directory-based authentication. Please refer to the below document. 

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00054510en_us&docLocale=en_US 

As you have created a user as Infrastructure administrator in AD and given full permissions, please refer to the permissions and privileges details in the above document. As this user is created in AD, please get the AD team engaged to diagnose the issue and verify the permissions, and test by creating a new user with this role.

If you have already tried the above, please raise a support ticket with HPE.

 

I am an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


BhaskarV
Trusted Contributor

Re: OneView 4 - Cannot Edit or Delete Group with local login disabled

Hi @jp24

Local login should not have to be enabled to achieve this.
Using one AD Infra Admin you should have been able to edit / modify another AD Infra Admin or other user.
It is an inconvenience. 
We acknowledge this problem you are running into.
We will take this up to be addressed in a future product release.

Regards
Bhaskar


I am an HPE employee
