Server Management - Remote Server Management

Re: ILO with AD integration

 
M.S.Srivatsa
Valued Contributor

Re: ILO with AD integration

1. Log on to the iLO2 Web interface with the appropriate login and password.
2. Click on the "Security" tab (present on the left-hand side).
3. Click on "Directory". This will display the directory settings.
4. There is a "Test Settings" tab at the bottom.
Hope this information helps.
Dan Fitzgerald
Advisor

Re: ILO with AD integration

Thanks for writing back. I was able to figure it out with your help; what happened is they changed the location of the directory tab in iLO2.

OK, so I know I am very close. I am failing on the test at the following:

Test Log
Initiating Directory Settings diagnostic for server Testserver
Directory Server address Testserver resolved to 10.10.10.2
Accepting Directory Server certificate for /CN=Testserver.ad.test.com signed by /DC=com/DC=test/DC=ad/CN=Lab Root CA
Unable to authenticate test user dan [Invalid credentials]
Ceasing tests.

Now dan is a domain admin, and the administrator group in the directory is set up as CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com. On the previous screen there is the Directory User Context 1: line that the directions say to put an entry in, but I don't have one in there.
M.S.Srivatsa
Valued Contributor

Re: ILO with AD integration

To understand this problem better:

Assuming
1. Full name of the user: sriv s
2. Login name: sriv

Question
What is the format of the login name you are trying to use for "Test Settings"?
Is it
1. Short name
   Ex: sriv s
2. Distinguished name
   Ex: CN=sriv s,CN=Users,DC=mycompu,DC=com
3. loginname@domain.com format
   Ex: sriv@mycompu.com
4. NetBIOS name
   Ex: mycompu/sriv
Dan Fitzgerald
Advisor

Re: ILO with AD integration

I was trying to use 4. NetBIOS name
Ex: mycompu/sriv or test.com/testuser. In reality I was hoping to be able to just use testuser, but not sure if that is possible or not.
M.S.Srivatsa
Valued Contributor

Re: ILO with AD integration

Please try the following login name format (distinguished name) for test settings:
CN=testuser,DC=test,DC=com
Dan Fitzgerald
Advisor

Re: ILO with AD integration

OK I have tried every combination I can think of and it is still not working. I figured I would start from the beginning.

The display name of the account I am testing is Test, Dan; the account name is dtest.
The user is a member of the domain admins group, so in AD the user's full name is Test, Dan.

In the directory settings screen, I have the correct server, fully qualified, the port 636, and Directory User Context 1 set to CN=Users,DC=ad,DC=test,DC=com

Now I go into the administer groups page and select custom1. In there I add CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com and allow all items.

So I tried testing the following combinations with no luck:

CN=Test Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com

CN=Dan Test,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com

CN=dtest,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com

CN=Test Dan,DC=ad,DC=test,DC=com

CN=dtest,DC=ad,DC=test,DC=com

After trying all of these I still fail on User Authentication


Results
Overall Status: Problem Detected

--------------------------------------------------------------------------------
Test Description                    Status
Ping Directory Server               Passed
Directory Server IP Address         Not run
Directory Server DNS Name           Passed
Connect to Directory Server         Passed
Connect using SSL                   Passed
Certificate of Directory Server     Passed
Bind to Directory Server            Not run
Directory Administrator login       Not run
User Authentication                 Failed
User Authorization                  Not run
Directory User Context 1            Not run
Directory User Context 2            Not run
Directory User Context 3            Not run
LOM Object exists                   Not run
LOM Object password                 Not run
wildman
New Member

Re: ILO with AD integration

try this info
http://www.davidstclair.co.uk/Configure-Windows-ADS-Authentication-for-HP-iLO-2-card 

yrp5474
Occasional Contributor

Re: ILO with AD integration

I'm having the exact same issues. Everything looks correct but it fails with User Authentication.
Chris Davenport
Advisor

Re: ILO with AD integration

This is an ancient thread, but the forum indicates a recurring theme, so I believe it's worth clarifying what happened here, and giving some details about how the process worked and how it has changed in later versions of iLO.

 

 

Unfortunately the correct form of username was never used.

 

iLO sends exactly what you type to the LDAP server, so it has to be a form that would be supported by Active Directory itself. The LDP.exe tool, using "SIMPLE" bind and LDAP SSL port 636, can be used to test or check the LDAP connection and authentication in the same way iLO does.

 

If the user's full name is "Test, Dan", the distinguished name will typically be "CN=Test, Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com". AD servers may require escaping that first comma too.

 

 

In the "Active Directory Users and Computers" tool, on the View menu, there's a setting for "Advanced Features". If this setting is enabled, the properties page of user objects will include an "Object" tab, which shows the "canonical name" of the user object. The "CN" of the user object is the last part of that name. It's also displayed next to the user icon on the "General" tab.

 

For normal user logins, iLO can attempt to build a better username using the configured search contexts, by simply appending the context to the entered username.

In this example the "CN=Users,DC=ad,DC=test,DC=com" context would allow you to enter usernames that appear directly in that "Users" container. The "Test, Dan" user does not.

 

Unfortunately, for iLO 2, the test settings screen cannot use search contexts or alternate forms of the username, so a fully qualified DN like "CN=Test, Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com" is required.

 

On the login page, the pre-Windows 2000 user logon name from the "Account" tab of Users & Computers can be used; "adtest\dtest" should work. The direction of the slash does matter.

iLO 2 used a Microsoft ActiveX control in the webpage to do the translation, and was limited by that to web sessions using IE on domain-authenticated workstations.

 

iLO 3 and iLO 4 do the name translation internally, and no longer require the ActiveX control, and can support "adtest\dtest" or "Test, Dan" forms of user names in the Directory "Test Settings" page and for user login.
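
The name handling described in the post above, as an added example that is not part of the original thread and not HP's code: it classifies a typed login name, escapes a CN such as "Test, Dan" per RFC 4514, and lists the bind names a search context would produce. The function names are hypothetical, and the CN=<name>,<context> construction and the try-as-typed-first order are assumptions.

```python
# Added example, not from the thread. Standard library only.
SPECIALS = '"+,;<>\\'          # characters RFC 4514 requires escaping in a DN value


def escape_rdn_value(value):
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def classify(name):
    """Return which login-name form was typed: dn, netbios, upn or short."""
    attr = name.split("=", 1)[0].strip().upper()
    if "=" in name and attr in ("CN", "OU", "DC", "UID"):
        return "dn"
    if "\\" in name:
        return "netbios"       # DOMAIN\user; a forward slash does not count
    if "@" in name:
        return "upn"
    return "short"


def candidate_binds(name, contexts):
    """List the bind names to try, in order, for a typed login name."""
    if classify(name) != "short":
        return [name]          # qualified forms are sent exactly as typed
    # Assumption: short names are tried as typed, then as CN=<name>,<context>.
    return [name] + ["CN=%s,%s" % (escape_rdn_value(name), c) for c in contexts]


if __name__ == "__main__":
    contexts = ["CN=Users,DC=ad,DC=test,DC=com"]   # context from the thread
    for typed in ("dtest", "Test, Dan", "adtest\\dtest", "adtest/dtest"):
        print(typed, "->", classify(typed), candidate_binds(typed, contexts))
```

Run against the thread's values, a name typed with a forward slash is treated as a plain short name, which is why the NetBIOS attempts never reached the directory in a usable form.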