Roehmer
Visitor

ILOm - Enable LDAP V3 Support

Hi,

We're using an OpenLDAP server for central authentication. LDAPv2 isn't enabled by default. OpenLDAP says about version 2.0: "LDAPv2 should be avoided. LDAPv2 is disabled by default."

Based on the user guide, only LDAPv2 is supported when using directory integration.

The result, if we're using OpenLDAP with default settings, is: "Server Error Message: historical protocol version requested, use LDAPv3 instead"

My questions are: Why isn't LDAP v3 supported? Could this be done?

Kind Regards

SanjeevGoyal
HPE Pro

Re: ILOm - Enable LDAP V3 Support

Hello,

 

Please explain your query.

1. What is the server model or ILO version (iLO3, ILO 4 or ILO5)?

2. What is the ILO firmware version?

3. What exactly is your query?

Regards,

 

 


I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


Roehmer
Visitor

Re: ILOm - Enable LDAP V3 Support

Hi,

Thanks for your reply.

1. ILO4 and 5

2. 2.70 (ILO4) and 1.43 (ILO5), but it doesn't matter. This concerns all versions.

3. The ILO LDAP client presupposes LDAPv2 as the minimum protocol version. Connect ILO to a freshly installed OpenLDAP server (ILO Login->Security->Directory->generic LDAP (use directory default schema)). The OpenLDAP server will show you the following error during a bind operation:

LDAP Server Error (2)
Server Error Message: historical protocol version requested, use LDAPv3 instead

According to the ILO documentation, OpenLDAP is supported as an LDAP directory. But OpenLDAP prohibits the usage of LDAPv2.

I would like to ask if it would be possible to use LDAPv3 in the ILO firmware when connecting to an LDAP directory? Especially since the LDAPv3 specification has existed since 1997.

SanjeevGoyal
HPE Pro

Re: ILOm - Enable LDAP V3 Support

Hello,

I hope the below documents will help you for more clarification.

HPE Integrated Lights Out (iLO 4) - Troubleshooting Directory Issues

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-a00045760en_us

HPE Integrated Lights-Out (iLO)

https://h20195.www2.hpe.com/v2/GetPDF.aspx/c04154343.pdf

Regards,

 


I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


Roehmer
Visitor

Re: ILOm - Enable LDAP V3 Support

Hi,

No, it doesn't help.

The ILO firmware (LDAP client) has to talk LDAPv3 instead of LDAPv2.

Kind regards

AmRa
HPE Pro

Re: ILOm - Enable LDAP V3 Support

Hi

Standards—iLO directory support is based on the LDAP 2.0 standard for secure directory access. iLO Kerberos support is based on LDAP v3.

Please refer to the HPE iLO 5 User Guide (page number 249) for steps to configure Kerberos authentication settings in iLO.

https://support.hpe.com/hpesc/public/docDisplay?docId=a00018324en_us

I am an HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Roehmer
Visitor

Re: ILOm - Enable LDAP V3 Support

Hi,

I read the ILO documentation. I'm talking about LDAP authentication and not Kerberos SSO. This documentation is a bit confusing because LDAP has nothing to do with Kerberos. I really don't understand 'iLO Kerberos support is based on LDAP v3.'

The point is that HP iLO officially supports OpenLDAP as directory backend. OpenLDAP has disabled LDAPv2 by default because of security considerations. So, you have to enable this old LDAPv2 if you want to connect your iLO boards. Wouldn't it be better to fully support LDAPv3? We're living in 2020...
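
A defender-side check for the situation discussed in this thread, as an added example that is not part of any post and is not HPE or OpenLDAP code: it reads the version field of a BER-encoded LDAP BindRequest (RFC 4511) so that clients still binding with LDAPv2 can be listed. The client names, bind DN, password and PDUs are constructed samples, and the function names are hypothetical.

```python
# Added example; the sample PDUs and client names are constructed, not captured.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def bind_version(pdu):
    """Return (version, bind_dn) for a BindRequest, or None for other operations."""
    outer, msg, _ = read_tlv(pdu, 0)
    id_tag, _msg_id, pos = read_tlv(msg, 0)
    if outer != 0x30 or id_tag != 0x02:    # LDAPMessage: SEQUENCE, messageID INTEGER
        raise ValueError("not an LDAPMessage")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:                        # [APPLICATION 0] marks a BindRequest
        return None
    vtag, ver, pos = read_tlv(op, 0)
    ntag, name, _ = read_tlv(op, pos)
    if vtag != 0x02 or ntag != 0x04 or not ver:
        raise ValueError("malformed BindRequest")
    return int.from_bytes(ver, "big"), name.decode("utf-8", "replace")

def legacy_clients(records):
    """From (client, pdu) pairs, list (client, version, dn) for binds below v3."""
    parsed = [(client, bind_version(pdu)) for client, pdu in records]
    return [(client, *res) for client, res in parsed if res and res[0] < 3]

def tlv(tag, value):                       # sample builder, short-form lengths only
    return bytes([tag, len(value)]) + value

def sample_bind(version, dn=b"cn=ilo-svc,dc=example,dc=org"):
    op = tlv(0x02, bytes([version])) + tlv(0x04, dn) + tlv(0x80, b"secret")
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, op))

SAMPLES = [("bmc-01", sample_bind(2)), ("app-01", sample_bind(3)),
           ("app-02", bytes.fromhex("30050201024200"))]   # an UnbindRequest
```

`legacy_clients(SAMPLES)` reports only the constructed `bmc-01` entry, the one whose bind carries version 2.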