Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

ILO with AD integration

David Partow
New Member.

ILO with AD integration

I cannot seem to integrate my iLO Advanced Pack with AD directory services.

I do not want to install extended schema.
I only want to use LDAP.

Why is it so hard to make it work?

Can anyone give me some simple instructions to implement ILO with AD in a Use Directory Default Schema?

Thanks,
David
18 REPLIES
M.S.Srivatsa
Honored Contributor.

Re: ILO with AD integration

What is the format of the login name you are trying to use? Is it:
1. Short name. Ex: sriv s
2. Distinguished name. Ex: CN=sriv s,CN=Users,DC=mycompu,DC=com
3. loginname@domain.com format. Ex: sriv@mycompu.com
4. NetBIOS name


Please configure iLO with the appropriate directory settings and Group distinguished name. Follow the steps below.

1. Logon to iLO with the appropriate login and password.
2. Click Administration -> Directory settings.
3. Configure "directory settings" with the appropriate parameters as under:
   1. Directory Server address. Ex: dlilo1.india.hp.com
   2. LDAP port as "636".
   3. Fill in the appropriate "Directory User Context 1". Ex: CN=Users,DC=mycompu,DC=com
   4. Click "Apply Settings" to save the directory settings.
   5. Repeat "Step 2" to go back to the directory settings page.
4. Now click on "Administer Groups".
5. Select the appropriate group. Ex: custom1
6. Fill in the Group distinguished name. Ex: CN=newgroup,CN=Users,DC=mycompu,DC=com
   NOTE: Please don't give any extra space.
7. Enable the appropriate access rights for this group.
8. Click on "Save Group Information" to save the group settings.

Please ensure the following.
1. In the Windows Active Directory setup, the same group (Ex: newgroup) exists.
2. The user who tries to login to iLO is present in this group.

Jack Roberts
New Member.

Re: ILO with AD integration

M.S.Srivatsa,

I am having trouble following your instructions.

I entered the information you suggested, of course substituting the correct information, for Directory User Context 1. However, when I click Apply Settings, I get an alert box with the message: "LOM Object distinguished name is not specified. Applying these settings will prevent directory authentication."

I also tried entering the information in the LOM ODM field, but authentication still does not work.

Under Modify Group, I listed the CN for the lowest level of the group, and moved up to dc=com. Ex: cn=IT,cn=LoginScripts,cn=groups,dc=[domain],dc=com. (no real CN's listed here.)

I have tried logging in with the following:
domain\username
username@domain.com

The directory server address is resolved.
It accepts the certificate.
Unable to authenticate domain\user [object not found].
-OR-
Unable to authenticate test user, user@domain.com.

Thank you for your help.
Jack Roberts

M.S.Srivatsa
Honored Contributor.

Re: ILO with AD integration

Please use the HP Lights-Out directory migration utility (HPQLOMIG.exe), which helps you to configure iLO for either Default Schema or Extended Schema. This is a GUI-based tool.

HPQLOMIG.exe is part of the "HP Directories Support for Management Processors" softpaq (SP31581.exe), which is downloadable from the following web site:
http://h18004.www1.hp.com/support/files/lights-out/us/download/23896.html

iLO directory configuration pictures
I have attached the ZIP file which has the pictures of the iLO directory configuration for your reference.
1. iLOdirsettings.bmp
This picture shows the directory settings for default schema.
NOTE: Please ensure you fill in the hostname field in the "Directory server address" field. This is required for logging in using the "loginname@domain.com" and NetBIOS name (Domain name\loginname) formats.

Assuming "sriv" is the login name:
Ex: loginname@domain.com
sriv@mycompu.com
Ex: NetBIOS name (domain\loginname)
MYCOMPU\sriv
TienDNguyen
Frequent Contributor.

Re: ILO with AD integration

M.S.Srivatsa... I see that you have a password for the "LOM object password". That would only be needed for the HP Schema extension, right? Since I am doing the schema-free, no objects for the iLO are created in AD?
M.S.Srivatsa
Honored Contributor.

Re: ILO with AD integration

QUESTION ASKED
I see that you have password for the "LOM object password".
That would only be needed for the HP Schema extension right?

ANSWER
YES.
The LOM Object Distinguished Name, LOM Object Password and LOM Object Password Confirm fields in the "iLO directory settings" page are needed only for the HP Extended schema.
For "Schema-free directory integration" these fields can be ignored.


TienDNguyen
Frequent Contributor.

Re: ILO with AD integration

Thank you M.S.Srivatsa.

2nd Question.

For "Directory User Context 1:", is this field required to be filled out for schema-free? The white papers on iLO AD skipped this section using the GUI utility.

And if required, so far I've placed the container which the user/group resided in AD as such:

CN=Users,DC=ibx,DC=com

Is this correct?
TienDNguyen
Frequent Contributor.

Re: ILO with AD integration

For schema-free, should we use port 636 or 389? Here is a comment from Microsoft: The LDAP "well-known" ports have been established as 389 for LDAP and 636 for LDAP SSL.

I think since I am not using SSL at all, I should use port 389?
M.S.Srivatsa
Honored Contributor.

Re: ILO with AD integration

QUERY 1
For schema-free, the "Directory User Context 1" field is required.
CN=Users,DC=ibx,DC=com is correct as long as it matches the Active Directory server configuration.

QUERY 2
iLO supports LDAP over SSL, so the default LDAP port should be 636.

Refer to the whitepaper "Integrating HP ProLiant Lights-Out processors with Microsoft® Active Directory":
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00190541/c00190541.pdf


Dan Fitzgerald
Valued Contributor.

Re: ILO with AD integration

I know that this has been a long time, but I am having a ton of problems setting up schema-free integration. I have iLO 2 and want to make sure the LDAP over SSL is working, but unfortunately for some reason iLO 2 does not have the option through the web interface. Is there another way to test the connectivity?
M.S.Srivatsa
Honored Contributor.

Re: ILO with AD integration

1. Logon to the iLO 2 Web interface with the appropriate login and password.
2. Click on the "Security" tab (present on the left hand side).
3. Click on "Directory". This will display the directory settings.
4. There is a "Test Settings" tab at the bottom.
Hope this information helps.
Dan Fitzgerald
Valued Contributor.

Re: ILO with AD integration

Thanks for writing back. I was able to figure it out with your help; what happened is they changed the location of the directory tab in iLO 2.

Ok so I know I am very close. I am failing on the test at the following

Test Log
Initiating Directory Settings diagnostic for server Testserver
Directory Server address Testserver resolved to 10.10.10.2
Accepting Directory Server certificate for /CN=Testserver.ad.test.com signed by /DC=com/DC=test/DC=ad/CN=Lab Root CA
Unable to authenticate test user dan [Invalid credentials]
Ceasing tests.

Now dan is a domain admin and the administrator group in directory is set up as CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com. On the previous screen there is the "Directory User Context 1:" line that the directions say to put an entry in, but I don't have one in there.
M.S.Srivatsa
Honored Contributor.

Re: ILO with AD integration

To understand this problem better:

Assuming
1. Full name of the user: sriv s
2. Login name: sriv

Question
What is the format of the login name you are trying to use for "Test Settings"? Is it:
1. Short name. Ex: sriv s
2. Distinguished name. Ex: CN=sriv s,CN=Users,DC=mycompu,DC=com
3. loginname@domain.com format. Ex: sriv@mycompu.com
4. NetBIOS name. Ex: mycompu/sriv
Dan Fitzgerald
Valued Contributor.

Re: ILO with AD integration

I was trying to use 4. NetBIOS name, Ex: mycompu/sriv or test.com/testuser. In reality I was hoping to be able to just use testuser, but not sure if that is possible or not.
M.S.Srivatsa
Honored Contributor.

Re: ILO with AD integration

Please try with the following login name format for test settings:
CN=testuser,DC=test,DC=com
(Distinguished name)
Dan Fitzgerald
Valued Contributor.

Re: ILO with AD integration

OK, I have tried every combination I can think of and it is still not working. I figured I would start from the beginning.

The display name of the account I am testing is Test, Dan; the account name is dtest.
The user is a member of the Domain Admins group. So in AD the user full name is Test, Dan.

In the directory settings screen, I have the correct server fully qualified, the port 636 and Directory User Context 1 set to CN=Users,DC=ad,DC=test,DC=com

Now I go into the administer groups page and select custom1. In there I add CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com and allowed for all items.

So I tried testing the following combinations with no luck:

CN=Test Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com

CN=Dan Test,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com

CN=dtest,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com

CN=Test Dan,DC=ad,DC=test,DC=com

CN=dtest,DC=ad,DC=test,DC=com

After trying all of these I still fail on User Authentication.


Results
Overall Status: Problem Detected

Test Description                    Status
Ping Directory Server               Passed
Directory Server IP Address         Not run
Directory Server DNS Name           Passed
Connect to Directory Server         Passed
Connect using SSL                   Passed
Certificate of Directory Server     Passed
Bind to Directory Server            Not run
Directory Administrator login       Not run
User Authentication                 Failed
User Authorization                  Not run
Directory User Context 1            Not run
Directory User Context 2            Not run
Directory User Context 3            Not run
LOM Object exists                   Not run
LOM Object password                 Not run
wildman
New Member.

Re: ILO with AD integration

yrp5474
New Member.

Re: ILO with AD integration

I'm having the exact same issues. Everything looks correct but it fails with User Authentication.
Chris Davenport
Trusted Contributor.

Re: ILO with AD integration

This is an ancient thread, but the forum indicates a recurring theme, so I believe it's worth clarifying what happened here, and giving some details about how the process worked and how it has changed in later versions of iLO.

Unfortunately the correct form of username was never used.

iLO sends exactly what you type to the LDAP server, so it has to be a form that would be supported by Active Directory itself. The LDP.exe tool using "SIMPLE" bind and LDAP SSL port 636 can be used to test or check LDAP connection and authentication in the same way iLO does.

If the user full name is "Test, Dan", the distinguished name will typically be "CN=Test, Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com". AD servers may require escaping that first comma too.

In the "Active Directory Users and Computers" tool, on the View menu, there's a setting for "Advanced Features". If this setting is enabled, the properties page of user objects will include an "Object" tab, which shows the "canonical name" of the user object. The "CN" of the user object is the last part of that name. It's also displayed next to the user icon on the "General" tab.

For normal user logins, iLO can attempt to build a better username using the configured search contexts, by simply appending the context to the entered username.

In this example the "CN=Users,DC=ad,DC=test,DC=com" context would allow you to enter usernames that appear directly in that "Users" container. The "Test, Dan" user does not.

Unfortunately, for iLO 2, the test settings screen cannot use search contexts or alternate forms of the username, so a fully qualified DN like "CN=Test, Dan,CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com" is required.

On the login page, the pre-Windows 2000 user logon name from the "Account" tab of Users & Computers can be used; "adtest\dtest" should work. The direction of the slash does matter.

iLO 2 used a Microsoft ActiveX control in the webpage to do the translation, and was limited by that to web sessions using IE on domain-authenticated workstations.

iLO 3 and iLO 4 do the name translation internally, and no longer require the ActiveX control, and can support "adtest\dtest" or "Test, Dan" forms of user names in the Directory "Test Settings" page and for user login.
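As an added example that is not part of this thread or of HP's software: the DN handling the last reply describes, in Python. The RDN escaping follows RFC 4514 (so "Test, Dan" becomes "CN=Test\, Dan,..."); the context-appending mirrors the "append the context to the entered username" behaviour described above, and the login-format classifier is an illustrative assumption, not iLO's own logic.

```python
# Added example, not code from the thread or from HP. Builds the DN forms the
# thread discusses and shows why a short name is not found when the user's CN
# differs from the login name. Escaping follows RFC 4514; the context-appending
# and the login-format classifier are illustrative assumptions, not iLO's code.
from typing import List

_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(common_name: str, container_dn: str) -> str:
    """Fully qualified DN for a user whose CN is common_name inside container_dn."""
    return f"CN={escape_rdn_value(common_name)},{container_dn}"


def candidate_dns(login: str, contexts: List[str]) -> List[str]:
    """Schema-free lookup: the entered name appended to each non-empty Directory User Context."""
    return [user_dn(login, ctx) for ctx in contexts if ctx]


def classify_login(login: str) -> str:
    """Which of the thread's four login formats a typed name looks like (assumed rules)."""
    if "=" in login:
        return "distinguished-name"
    if "\\" in login:
        return "netbios"
    if "@" in login:
        return "upn"
    return "short-name"


if __name__ == "__main__":
    # Constructed values from the thread: user "Test, Dan" logs in as "dtest".
    group = "CN=Domain Admins,CN=Users,DC=ad,DC=test,DC=com"
    print(user_dn("Test, Dan", group))   # the DN the Test Settings page needs
    for dn in candidate_dns("dtest", ["CN=Users,DC=ad,DC=test,DC=com", "", ""]):
        print("would try:", dn)         # CN=dtest,... exists nowhere: [object not found]
```

The second loop shows the failure mode from the thread: with only the "Users" context configured, the short name "dtest" is turned into a DN whose CN does not match the real object "Test, Dan", so a simple bind with it cannot succeed.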