
iLO authentication using default Directory Schema

 
Shu-Chuan Lin
New Member

iLO authentication using default Directory Schema

The iLO firmware version is 1.80. I have configured the iLO directory services according to the instructions. However, the test failed at 'User Authentication' with the message 'Unable to authenticate test user xxxx [User Object not found] Ceasing tests.'

I am sure that the test user that I entered is a valid domain user. What does this 'User Object not found' really mean?

Please help.

Thanks.
Shu-Chuan Lin
12 REPLIES
pratap m keshava
Trusted Contributor

Re: iLO authentication using default Directory Schema

Hi,
Check if you have given the correct user context in one of the user context fields in the directory settings page for the user you are trying to test the directory settings with. If you don't give the correct user context, you will get the same error. The format will look like CN=Users,DC=yourdomain,DC=com
Shu-Chuan Lin
New Member

Re: iLO authentication using default Directory Schema

Are you saying the test user has to be defined in the 'Directory User Context'? Anyway, I added the test user to the user context. The test failed at the same 'User Authentication' with the message 'Unable to authenticate test user'.
pratap m keshava
Trusted Contributor

Re: iLO authentication using default Directory Schema

What I mean is, you need to add the "Context" of the user in the directory settings page. You don't need to include the user name in the context. Only the context for the parent folder of the user would be enough.
For example: say the user "abc" is in the path "Users" in the Active Directory in the domain "yourdomain.com". You need to give the context as CN=Users,DC=yourdomain,DC=com and NOT CN=abc,CN=Users,DC=yourdomain,DC=com
Shu-Chuan Lin
New Member

Re: iLO authentication using default Directory Schema

That was exactly what I entered in the 'context'. The test still failed at 'User Authentication' with the message 'Unable to authenticate test user xxxx', without '(User Object not found)', after the User Context was added.

This is the first time we are trying the iLO authentication using the default schema. Thank you very much for being patient with me.
pratap m keshava
Trusted Contributor

Re: iLO authentication using default Directory Schema

Hi,
The error may be because you haven't added the user to any of the groups (either default or customizable) in iLO. Try the following steps.

In the Active Directory, create a group, say "testgrp", in "Users". Make the user "abc" a member of "testgrp".

This can be done by selecting "testgrp" -> right-click -> select Properties. In "Members" add the user "abc".

In directory settings page -> "Administer groups". Select one group say "Administrator". In the field "Security Group Distinguished Name" enter CN=testgrp,CN=Users,DC=mydomain,DC=com.

(Make sure there is no extra space in the string) Set appropriate rights (login right is default) for the group "testgrp". These rights will be available for all the members of the group "testgrp". Save the information.

Re: iLO authentication using default Directory Schema

Hi

I have nearly the same error. I cannot bind to the directory server. "Unable to authenticate test user" is the message, credentials invalid. But they are valid :-)

In the Active directory create a group say "testgrp" in "Users". Make the user "abc" a Member of "testgrp".
==> done

In directory settings page -> "Administer groups". Select one group say "Administrator". In the field "Security Group Distinguished Name" enter CN=testgrp,CN=Users,DC=mydomain,DC=com.
==> done

(Make sure there is no extra space in the string) Set appropriate rights (login right is default) for the group "testgrp". These rights will be available for all the members of the group "testgrp". Save the information.
==> done

But I don't know if I have the right config on the Directory settings screen. Perhaps you can help me? I have my actual settings enclosed.

Thank you very much in advance!
pratap m keshava
Trusted Contributor

Re: iLO authentication using default Directory Schema

Hi, in the image you have sent, the Directory user context field is missing. The fields "LOM object Distinguished name", "LOM object Password" and "LOM object password confirm" are not relevant to Default schema settings.

You need to enter the Directory user context in one of the 3 User context fields. Say if you have user "abc" in directory "Users" in Active directory, you need to enter in the Directory user context field, CN=abc,CN=Users,DC=yourdomain,DC=com. This should solve the problem as you have done other settings.

Re: iLO authentication using default Directory Schema

Hi!

I've deleted the LOM lines and inserted the context, but I still get the error that the credentials are invalid.

I took a user who isn't in an iLO group and got the error "No login rights", so I know that this works.

But why does it tell me the credentials are invalid??
Shu-Chuan Lin
New Member

Re: iLO authentication using default Directory Schema

Exactly. I think I will call the HP response center for help. Thank you all for your help.

Re: iLO authentication using default Directory Schema

Well, login via CN now is working :-) but not the login via user@domain.com

In the iLO-Help there is written:

==============
Example 3
(Active Directory only)
Microsoft Active Directory allows an alternate user credential format. Search contexts in this format cannot be tested except by successful login using them. A user may login as:
user@domain.hp.com
in which case a search context of
@domain.hp.com
allows the user to login as
user
==============

Does "Active Directory only" work only with the HP schema extension, or with the schema-less integration also?
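
The name construction discussed in the replies above (a user context is the parent container, not the user's own DN) and in the quoted iLO help (an @domain context is appended to the short login name), as an added example that is not part of any post and not HP's code. The order of attempts and the function names are assumptions; the sample contexts are constructed from the thread's placeholder names.

```python
import re

# Assumed model (from the replies and the quoted iLO help, not from firmware):
# the login name is tried as typed, then combined with each user context.
def candidate_bind_names(login, contexts):
    """Names a directory bind would be attempted with, in order."""
    names = [login]
    for ctx in (c.strip() for c in contexts):
        if ctx.startswith("@"):
            names.append(login + ctx)                # user + @domain.hp.com
        elif ctx:
            names.append("CN=" + login + "," + ctx)  # CN=user,<parent container>
    return names

# attr=value pairs separated by commas (no escaped commas; enough for this check)
DN_FORM = re.compile(r"^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$")

def lint_context(login, ctx):
    """Return the problems found in one Directory User Context field."""
    problems = []
    if ctx != ctx.strip() or re.search(r"\s+[,=]|[,=]\s+", ctx):
        problems.append("extra space in the string")
    compact = re.sub(r"\s*([,=])\s*", r"\1", ctx.strip())
    if compact.startswith("@"):
        return problems
    if not DN_FORM.match(compact):
        problems.append("neither a distinguished name nor an @domain suffix")
    elif compact.lower().startswith("cn=" + login.lower() + ","):
        problems.append("context names the user object, not its parent container")
    return problems

if __name__ == "__main__":
    # Constructed sample settings using the placeholder names from the thread.
    contexts = ["CN=Users,DC=yourdomain,DC=com", "@domain.hp.com",
                "CN=abc,CN=Users, DC=yourdomain,DC=com"]
    for name in candidate_bind_names("abc", contexts):
        print("would try:", name)
    for ctx in contexts:
        print(repr(ctx), "->", lint_context("abc", ctx) or "ok")
```
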
Sharon Almog_1
Advisor

Re: iLO authentication using default Directory Schema

Andre,

When you select "Default Schema" then you don't need the HP Schema objects nor expanding the Active Directory Schema!

The HP Schema expansion provides you the additional benefit of migrating the iLO cards into an OU and linking HP Security Roles (which of course are added by the Schema Expansion via HP Tools), and by that you gain full iLO management via Active Directory from all aspects.

Sharon
Leader in HP/Compaq Technologies
Rob Ingenthron
New Member

Re: iLO authentication using default Directory Schema

This thread was interesting and informative, but it doesn't address my specific issue, though it touches on related settings.

Schema-free works for me when using a CN/Display Name.

Our schema has the HP schema extensions, so I switched an iLO to use them.

After many days of trial and error and fruitless searches, I am stumped.

Logging in with "name@domain.com" or "domain\name" both fail with the same error. Here's the error from the test:
-----
Initiating Directory Settings diagnostic for server dc2.domain.com
Directory Server address dc2.domain.com resolved to 172.24.36.10
Accepting Directory Server certificate for /CN=dc2.domain.com signed by /EMAIL=ca-admin@domain.net/C=US/ST=California/L=Sunnyvale/O=Our Company, Inc./OU=Our Company Certificate Authority/CN=Our Company Root CA
Unable to access directory with LOM Object Password.
Test user user@domain.com authenticated.
Role CN=GOMS-iLo-Access-All,OU=Roles,OU=HP,OU=Common,DC=domain,DC=com
Cumulative rights gained:

None
Unable to authorize test user.


Tests complete.
----------

The only tests that fail are the "LOM Object password" and "User authorization".

I've tried to just log in, too, and those logins fail. Only the local "administrator" account defined for the iLO works.

The LOM object obviously exists, and I've tried creating it with no password, the word "password"... Doesn't matter. The user ID is fine, and it works with the schema-free setup.

There is NO documentation on this error, and there's almost NO documentation on the LOM Object Password usage. There's no help file with guidelines for the LOM objects.

The user ID has FULL rights to the LOM object, based on the role applied.

The LOM object is nested (i.e., under a couple of OUs), as are the roles.

I'm at a loss.

Any suggestions welcome!!!


-- Rob --