HPE Community
Server Management - Remote Server Management
1820710 Members
2788 Online
109627 Solutions
New Discussion юеВ

ILO with AD integration

 
David Partow
New Member

тАО07-22-2006 01:33 PM

тАО07-22-2006 01:33 PM

ILO with AD integration

I can not seem to integrate my ILO adncaed pack with AD directory services.

I do not want to install extended schema.
I only want to use LDAP.

Why is it so hard to make it work?

Can anyone give me some simple instructions to implement ILO with AD in a Use Directory Default Schema?

Thanks,
David
0 Kudos
Reply
18 REPLIES 18
M.S.Srivatsa
Valued Contributor

тАО07-23-2006 08:16 PM

тАО07-23-2006 08:16 PM

Re: ILO with AD integration

What is the format of the login name you
are trying to use.
Is it
1.short name
Ex : sriv s
2.Distinguished name
Ex : CN=sriv s,CN=Users,DC=mycompu,DC=com
3.loginname@domain.com format
Ex : sriv@mycompu.com
4.Netbios name


Please configure iLO with the appropriate directory settings and Group
distinguished name.
Follow the steps below.

1.Logon to iLO with the appropriate login and password.
2.Click Administration->Directory settings.
3.Configure "directory settings" with appropriate parameters as under
1.Directory Server address
Ex : dlilo1.india.hp.com
2.LDAP port as "636".
3.Fill in appropriate "Directory User Context 1
Ex:CN=Users,DC=mycompu,DC=com
4.Click "Apply Settings" to save the directory settings.

5.Repeat "Step 2" to go back to directory
settings page.
4.Now click on "Administer Groups".
5.Select the appropriate group.
Ex : custom1
6.Fill in the Group distinguished name.
Ex : CN=newgroup,CN=Users,DC=mycompu,DC=com
NOTE : Please don't give any extra space.
7.Enable the appropriate access rights for this group.

8.Click on "Save Group Information" save the group settings.

Please ensure the following.
1.In windows Active directory setup
the same group(Ex:newgroup) exists.
2.User who tries to login to iLO is
present in this group.

0 Kudos
Reply
Jack Roberts
New Member

тАО08-11-2006 03:30 AM

тАО08-11-2006 03:30 AM

Re: ILO with AD integration

M.S.Srivatsa,

I am having trouble following your instructions.

I entered the information you suggested, of course substituting the correct information, for Directory User Context 1. However, when I click Apply Settings, I get an alert box with the message: "LOM Object distinguished name is not specified. Applying these settings will prevent directory authentication."

I also tried entering the information in the LOM ODM field, but authentication still does not work.

Under Modify Group, I listed the CN for the lowest level of the group, and moved up to dc=com. Ex: cn=IT,cn=LoginScripts,cn=groups,dc=[domain],dc=com. (no real CN's listed here.)

I have tried loging in with the following:
doman\username
username@domain.com

The directory server address is resolved.
It accepts the certificate.
Unable to authenticate domain\user [object not found].
-OR-
Unable to authenticate test user, user@domain.com.

Thank you for your help.
Jack Roberts

0 Kudos
Reply
M.S.Srivatsa
Valued Contributor

тАО08-13-2006 07:15 PM - last edited on тАО11-13-2020 04:12 AM by

тАО08-13-2006 07:15 PM - last edited on тАО11-13-2020 04:12 AM by

Re: ILO with AD integration

Please use the HP Lights Out directory migration utility(HPQLOMIG.exe) which helps you to configure iLO for either
Default Schema or Extended Schema.This is a
GUI based tool.

HPQLOMIG.exe is part of "HP Directories Support for Management Processors" softpaq
(SP31581.exe) which is downloadable from the
following web site.
https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_13aa310d9f23432a8d02d5ad56

iLO directory configuration pictures
I have attached the ZIP file which has the pictures of the iLO directory configuration for your reference.
1.iLOdirsettings.bmp
This picture shows the directory settings
for default schema.
NOTE: Please ensure you fill in the
hostname field in "Directory server
address" field.
This is required for logging using
"loginname@domain.com" and Netbios
name format(Domain name\loginname)

Assuming "sriv" is the login name
Ex : loginname@domain.com
sriv@mycompu.com
Ex : Netbios name (domain\loginmame)
MYCOMPU\sriv

0 Kudos
Reply
TienDNguyen
Occasional Contributor

тАО04-17-2007 07:06 AM

тАО04-17-2007 07:06 AM

Re: ILO with AD integration

M.S.Srivatsa...I see that you have password for the "LOM object password". That would only be needed for the HP Schema extension right? Since I am doing the schema-free, no objects for the iLO are create in AD?
0 Kudos
Reply
M.S.Srivatsa
Valued Contributor

тАО04-17-2007 07:59 PM

тАО04-17-2007 07:59 PM

Re: ILO with AD integration

QUESTION ASKED
I see that you have password for the "LOM object password".
That would only be needed for the HP Schema extension right?

ANSWER
YES.
LOM Object Distinguished Name,LOM Object Password and LOM Object Password
Confirm fields in "iLO directory settings page" are needed only for HP
Extended schema.
For "Schema-free directory integration" these fields can be ignored.


0 Kudos
Reply
TienDNguyen
Occasional Contributor

тАО04-18-2007 02:49 AM

тАО04-18-2007 02:49 AM

Re: ILO with AD integration

Thank you M.S.Srivatsa.

2nd Question.

For "Directory User Context 1:", is this field required to be filled out for schema-free, the white papers on iLO AD skipped this section using the GUI utility.

And if required, so far I've placed the container which the user/group resided in AD as such:

CN=Users,DC=ibx,DC=com

Is this correct?
0 Kudos
Reply
TienDNguyen
Occasional Contributor

тАО04-18-2007 07:21 AM

тАО04-18-2007 07:21 AM

Re: ILO with AD integration

For schema-free should we use port 636 or 389. Here is a comment from Microsoft. The LDAP "Well-known" ports have been established as 389 for LDAP and 636 for LDAP SSL.

I think since I am not using SSL at all, I should use port 389?
0 Kudos
Reply
M.S.Srivatsa
Valued Contributor

тАО04-18-2007 07:32 PM - last edited on тАО11-13-2020 04:13 AM by

тАО04-18-2007 07:32 PM - last edited on тАО11-13-2020 04:13 AM by

Re: ILO with AD integration

QUERY 1
For schema-free "Directory User Context 1" field is required.
CN=Users,DC=ibx,DC=com is correct as long as it matches with Active
directory server configuration.

QUERY 2
iLO supports LDAP over SSL.So default LDAP port should be 636

Refer the whitepaper
"Integrating HP ProLiant Lights-Out processors with Microsoft├В┬о Active
Directory"
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c00190541


0 Kudos
Reply
Dan Fitzgerald
Advisor

тАО03-13-2008 09:05 AM

тАО03-13-2008 09:05 AM

Re: ILO with AD integration

I know that this has been along time but I am having a ton of problems setting up schema free integration. I have ILO 2 and want to make sure the ldap over ssl is working but unfortunatelly for some reason ilo 2 does not have the option through the web interface. Is there another way to test the connectivity?
0 Kudos
Reply
M.S.Srivatsa
Valued Contributor

тАО03-13-2008 09:33 PM

тАО03-13-2008 09:33 PM

Re: ILO with AD integration

1.Logon to iLO2 Web interface with appropriate login and password.
2.Click on "Security" tab" (Present on the left hand side).
3.Click on "Directory".This will display the directory settings.
4.There is a "Test Settings" tab at the bottom.
Hope this information helps.
0 Kudos
Reply
Dan Fitzgerald
Advisor

тАО03-14-2008 06:44 AM

тАО03-14-2008 06:44 AM

Re: ILO with AD integration

Thanks for writing back. I was able to figure it out with your help , what happened is they changed the location of the directory tab in ilo2.

Ok so I know I am very close. I am failing on the test at the following

Test Log
Initiating Directory Settings diagnostic for server Testserver
Directory Server address Testserver resolved to 10.10.10.2
Accepting Directory Server certificate for /CN=Testserver.ad.test.com signed by /DC=com/DC=test/DC=ad/CN=Lab Root CA
Unable to authenticate test user dan [Invalid credentials]
Ceasing tests.

now dan is a domain admin and the administrator group in directory is setup as CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com. on the previous screen there is the Directory User Context 1: line that the directions say to put in an entry but I don't have one in there.
0 Kudos
Reply
M.S.Srivatsa
Valued Contributor

тАО03-17-2008 03:56 AM

тАО03-17-2008 03:56 AM

Re: ILO with AD integration

To understand this problem better:

Assuming
1.Full name of the user : sriv s
2.Login name : sriv

Question
What is the format of the login name you
are trying to use for "Test Settings".
Is it
1.short name
Ex : sriv s
2.Distinguished name
Ex : CN=sriv s,CN=Users,DC=mycompu,DC=com
3.loginname@domain.com format
Ex : sriv@mycompu.com
4.Netbios name
Ex : mycompu/sriv
0 Kudos
Reply
Dan Fitzgerald
Advisor

тАО03-17-2008 04:39 AM

тАО03-17-2008 04:39 AM

Re: ILO with AD integration

I was trying to use 4.Netbios name
Ex : mycompu/sriv or test.com/testuser. In reality I was hoping to be able to just user testuser but not sure if that is possible or not.
0 Kudos
Reply
M.S.Srivatsa
Valued Contributor

тАО03-18-2008 08:44 AM

тАО03-18-2008 08:44 AM

Re: ILO with AD integration

Please try with the following login name format for test settings:
CN=testuser,DC=test,DC=com
(Distinguished name)
0 Kudos
Reply
Dan Fitzgerald
Advisor

тАО03-19-2008 10:56 AM

тАО03-19-2008 10:56 AM

Re: ILO with AD integration

OK I have tried every combination I can think of and it is still not working. I figured I would start from the beginning.

the name of the display name of the account I am testing is Test, Dan the account name is dtest
The user is a mamber if the domain admins group. so in AD the user full name is Test, Dan

In the directory settings screen, I have the correct server fully quallified, the port 636 and Directory User Context 1 set to CN=Users,DC=ad,DC=test,DC=com

Now I go into the administer groups page and select custom1. in there I add CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com and allowed for all items

So I tried testing the following combonations with no luck

CN=Test Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com

CN=Dan Test,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com

CN=dtest,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com

CN=Test Dan,DC=ad,DC=test,DC=com

CN=dtest,DC=ad,DC=test,DC=com

After trying all of these I still fail on User Authentication


Results
Overall Status: Problem Detected

--------------------------------------------------------------------------------
Test Description Status
Ping Directory Server Passed
Directory Server IP Address Not run
Directory Server DNS Name Passed
Connect to Directory Server Passed
Connect using SSL Passed
Certificate of Directory Server Passed
Bind to Directory Server Not run
Directory Administrator login Not run
User Authentication Failed
User Authorization Not run
Directory User Context 1 Not run
Directory User Context 2 Not run
Directory User Context 3 Not run
LOM Object exists Not run
LOM Object password Not run
0 Kudos
Reply
wildman
New Member

тАО07-17-2009 07:56 AM - last edited on тАО11-13-2020 04:17 AM by

тАО07-17-2009 07:56 AM - last edited on тАО11-13-2020 04:17 AM by

Re: ILO with AD integration

try this info
http://www.davidstclair.co.uk/Configure-Windows-ADS-Authentication-for-HP-iLO-2-card 

0 Kudos
Reply
yrp5474
Occasional Contributor

тАО07-21-2009 11:54 AM

тАО07-21-2009 11:54 AM

Re: ILO with AD integration

I'm having the exact same issues. Everythingn looks correct but it fails with User Authenication.
0 Kudos
Reply
Chris Davenport
Advisor

тАО10-14-2015 09:56 AM

тАО10-14-2015 09:56 AM

Re: ILO with AD integration

This is an ancient thread, but the forum indicates a recurring theme, so I believe it's worth clarifying what happened here, and giving some details about how the process worked and how it has changed in later versions of iLO.

 

 

Unfortunately the correct form of username was never used.

 

iLO sends exactly what you type to the LDAP server, so it has to be a form that would be supported by Active Directory itself.  The LDP.exe tool using "SIMPLE" bind and LDAP SSL port 636 can be used to test or check ldap connection and authentication in the same way iLO does.

 

If the user full name is "Test, Dan", the distinguished name will typically be "CN=Test, Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com"   AD servers may require escaping that first comma too.

 

 

In the "Active Directory Users and Computers" tool, on the view menu, there's a setting for "Advanced Features", if this setting is enabled, the properties page of user objects will include an "Object" tab, which shows the "canonical name" of the user object. The "CN" of the user object is the last part of that name. It's also displayed next to the user icon on the "General tab" 

 

For normal user logins, iLO can attempt to build a better username using the configured search contexts, by simply appending the context to the entered username.

In this example the "CN=Users,DC=ad,DC=test,DC=com" context would allow you to enter usernames that appear directly in that "Users" container. The "Test, Dan" user does not.

 

Unfortunately, for iLO 2, the test settings screen cannot use search contexts or alternate forms of the username, so a fully qualified DN like "CN=Test, Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com" is required.

 

On the login page, the pre-windows 2000 user logon name from the "Account" tab of Users & Computers can be used, "adtest\dtest" should work -  The direction of the slash does matter.

iLO 2 used a microsoft activeX control in the webpage to do the translation, and was limited by that to web sessions using IE on domain-authenticated workstations.

 

iLO 3 and iLO 4 do the name translation internally, and no longer require the ActiveX control, and can support "adtest\dtest" or "Test, Dan" forms of user names in the Directory "Test Settings" page and for user login.

Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.