
ILO LDAP Configuration not working

 
Advisor

ILO LDAP Configuration not working

Hi there,

I'm trying various different ways of connecting our ILOs to Active Directory using LDAP.
So far, every time I configure a new ILO it works for a couple of minutes but then breaks. After that I'm unable to make it work again. I tried with ILO3 - ILO5 in various different firmware levels, but for whatever reason it keeps breaking.

From the ILO5 test I'm getting the line

Connect to Directory Server 	Success 	 
Connect using SSL 	Failed 	Error code 0 (ok). Consult the Integrated Lights-Out User Guide for details. 

Error code 0 (ok) seems good to me?!
So there is no real reason for me why that should stop here, as error code 0 is fine?!

Has anyone gotten this to work?


BR
Johannes

5 REPLIES 5
HPE Pro

Re: ILO LDAP Configuration not working

Hi Johannes, 

Kindly verify the prerequisites mentioned in the user guide and provide us with the outcome.

Prerequisites for configuring authentication and directory server settings:

1. Verify that your iLO user account has the Configure iLO Settings privilege.

2. Install an iLO license that supports this feature.

3. Configure your environment to support Kerberos authentication or directory integration.

4. The Kerberos keytab file is available (Kerberos authentication only).

For more information, please refer to the HPE iLO 5 User Guide (pages 249 - 256).

Link:  https://support.hpe.com/hpesc/public/docDisplay?docId=a00018324en_us

BR, 

Shruthi

I am an HPE employee
Advisor

Re: ILO LDAP Configuration not working

Hi,

I only want to use LDAPs and no Kerberos till now and from what I understand this is not a requirement?

All the other things are correctly implemented.
What I was seeing is that the Directory User Context is not working with our Active Directory LDAP.

Another problem seems to be that the test is failing but login works just fine.

BR
Johannes

HPE Pro

Re: ILO LDAP Configuration not working

Hi, 

Please log a case with the HPE support team for further assistance on this since the pre-requirements are already met. 

Link to log a case: https://support.hpe.com/portal/site/hpsc/scm/home?ac.admitted=1470780193089.125225703.1938120508

Br, 

Shruthi

I am an HPE employee
HPE Pro

Re: ILO LDAP Configuration not working

Hi Johannes

The certificates on the domain controllers must use 1024-bit encryption and not 2048-bit encryption. As per Microsoft KB article Q321051, the private keys must not have strong protection enabled to be able to use third-party LDAP over SSL authentication. For authentication to work correctly between iLO and the domain controller in AD, the domain controller must have LDAP over SSL capabilities. This means the domain controller must have a certificate assigned by a Certificate Authority. See the Microsoft Knowledge Base for more information on installing a Certificate Server on a domain controller so that other domain controllers can automatically obtain certificates. The existing PKI infrastructure can be used to obtain certificates. For information about this, refer to the Microsoft Knowledge Base article at the following URL.

Click on the link below to access the article titled "How to enable LDAP over SSL with a third-party certification authority"

https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority


For an alternate method to check SSL, use the Microsoft ldp.exe tool. If AD authentication fails, check the event log for an LDAP error.

In addition to the above actions, also check by resetting iLO from the iLO web console.

I am an HPE Employee

Advisor

Re: ILO LDAP Configuration not working

Hi,

I'm pretty sure we are meeting all of this, as there are tons of other tools connecting to our LDAPS servers.
I couldn't find any advice to use only 1024; instead the MS KB mentions

KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.

Not sure if this is the right place here, but actually the LDAP test is giving more questions than it solves. Is there a way to better debug what's going on?

BR
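
On the debugging question raised in this thread, the following is an added example, not code from any poster or from HPE: a Python 3 sketch that repeats the two stages of the iLO directory test (TCP connect, then SSL) from a workstation and keeps the underlying error text instead of "Error code 0". The host name `dc01.example.internal` and the optional CA file argument are placeholders.

```python
import socket
import ssl
import sys


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Run the TCP and TLS stages separately and report each outcome."""
    result = {"tcp": None, "tls": None, "detail": {}}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # DNS failure, refused, filtered, timeout
        result["tcp"] = f"failed: {exc}"
        return result
    result["tcp"] = "success"

    # Validate chain and host name as a strict LDAPS client would.
    # cafile=None uses the system trust store; pass the AD CA as PEM otherwise.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            result["tls"] = "success"
            result["detail"] = {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": cert.get("subject"),
                "san": cert.get("subjectAltName", ()),
                "not_after": cert.get("notAfter"),
            }
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate, or name not in the SAN list.
        result["tls"] = f"failed (certificate): {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Protocol or cipher mismatch, non-TLS listener, reset, timeout.
        result["tls"] = f"failed (handshake): {exc}"
    finally:
        raw.close()
    return result


if __name__ == "__main__":
    # Placeholder host; pass your domain controller's FQDN as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for key, value in probe_ldaps(target, cafile=ca).items():
        print(f"{key}: {value}")
```

A workstation's TLS stack is not the iLO firmware's, so a pass here rules out the listener and the certificate chain rather than proving the iLO handshake will succeed. Comparing the reported protocol and cipher with what the iLO firmware supports is the next step if both stages pass.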