Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum
ILO2-Login-Problem with LDAPS, Cisco Loadbalancer and Active Directory

swiss_ewoki
Acclaimed Contributor


We want to use a Cisco ACE4710 as a load balancer for all secure LDAP connections to our Active Directory (Client -> Cisco -> AD server). But we have the problem that the login into ILO2 with an AD username like Domain\username fails. If we try the same with the AD server as the LDAP server directly (not through the Cisco load balancer), the login is successful. The login through the Cisco load balancer as LDAP server is only successful if we use the distinguished name of the AD user object.

The "Directory tests" from the ILO2 config pages were successful with both configured LDAP servers. Both LDAP servers are pingable from the client.

I think the ActiveX controls for the domain/name format translation have a problem, but I don't know which one :-(.

Does anyone know what the problem is?

Our system configuration is the following:

Client:
Windows Vista SP2
IE8.0.6001.18975

Server with ILO2:
Type: ProLiant BL460c G6
ILO2-Firmware: 2.01

Loadbalancer:
Cisco ACE4710
Version A3(2.5)

AD-Server:
OS: Windows Server 2008 R2
Role: Active Directory Domain Service
Domain Functional Level: Windows Server 2003
Forest Functional Level: Windows Server 2008 R2

Thanks for your help.
4 REPLIES
swiss_ewoki
Acclaimed Contributor

Re: ILO2-Login-Problem with LDAPS, Cisco Loadbalancer and Active Directory

Good and bad news: I have found the problem. The Cisco load balancer is configured to route the requests to the LDAPS port (TCP/636). The ActiveX control from the ILO2 needs port 135 and the random ports (1024-65535) to resolve the domain\username format into the LDAP format (distinguished name).

The problem is that the load balancer should only route the LDAPS port (port 636). Especially port 135 and the random ports are not very helpful.

What solutions are possible, if the LDAP server which is configured in ILO2 is not a Windows server, without opening a big port range on the Cisco load balancer?
Ali
HPE Pro

Re: ILO2-Login-Problem with LDAPS, Cisco Loadbalancer and Active Directory

Hi Swiss,

You may refer to the iLO 2 security guide to learn about the ports used by iLO.
Refer to page 23:

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00212796/c00212796.pdf

This will help you understand which ports need to be opened for iLO LDAP integration to work.

thanks,
Aftab
I work for HP
swiss_ewoki
Acclaimed Contributor

Re: ILO2-Login-Problem with LDAPS, Cisco Loadbalancer and Active Directory

Thank you for your reply. The connections from iLO to the directory service (Active Directory; LDAPS TCP/636) are not the problem. This works fine over this one port.

The problem is caused by the ActiveX control on the iLO login page. This ActiveX control runs on the client where you want to log in via browser onto the iLO website. If you use an LDAP-conformant login context like CN=Username,OU=Organization,DC=domain,DC=com, this control isn't needed. You can log in without problems.

But if you use a login name like DOMAIN\Username or Username@Domain.com, the ActiveX control on your client tries to translate this syntax into an LDAP-conformant context.

This ActiveX control opens a connection from your client to the directory service on port 135. Then it uses a random port between 1024 and 65535. But it uses the same server from the iLO config.

In our case, this is the load balancer, which offers only port 636 to the directory service. All other connections to the directory service must use the direct connection to the directory service servers (domain controllers).

It would be helpful if the ActiveX control used one port to transform the username (for example the global catalog on port TCP/3269), or if you could set the server settings specifically for the username transformation.

Is it possible to integrate this option into the iLO config? This would be great!
Oscar A. Perez
Esteemed Contributor

Re: ILO2-Login-Problem with LDAPS, Cisco Loadbalancer and Active Directory

For the login page, iLO2 uses Microsoft NameTranslate object that comes with the client OS (ADSI).
You need to look at Microsoft documentation to see if it would be possible to configure/bind those port numbers.



I work for Hewlett Packard

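The two posts above describe the same translation step from two sides: the client-side NameTranslate (ADSI) object turns DOMAIN\user or user@domain into a distinguished name over RPC (TCP/135 plus a dynamic port), and that is the traffic a load balancer forwarding only TCP/636 cannot carry. The script below is an added example, not iLO firmware code and not HP's or Microsoft's NameTranslate; it shows the same name-to-DN resolution done as an ordinary LDAP search on sAMAccountName / userPrincipalName, which needs nothing but the LDAPS port. The directory it queries is a constructed in-memory stand-in; the base DN, user names and the "one domain per configured directory server" assumption are mine. The search callback is the only part to swap for a real LDAPS connection (an `ldap3`-based outline is given in a comment, not exercised here).

```python
"""Resolve an iLO-style login name to an LDAP DN using only an LDAP search.

Added example: not iLO or HP code. Shows what the client-side NameTranslate
(ADSI) object does over RPC/135, done instead as a search on
sAMAccountName / userPrincipalName that a port-636-only load balancer can carry.
"""
import re
from typing import Callable, List, Optional

# RFC 4515: these characters must be escaped inside a filter value so that a
# login name like 'jdoe)(objectClass=*' cannot change the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def domain_to_base_dn(dns_domain: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com"""
    labels = [l for l in dns_domain.lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"DC={l}" for l in labels)

_DN_RE = re.compile(r"^\s*(CN|OU|DC|UID|O)=", re.IGNORECASE)

def build_lookup(login: str, default_base_dn: str):
    """Classify the login name; return (base_dn, ldap_filter, is_already_dn).

    CN=...,DC=...      already a DN, no lookup needed
    NETBIOS\\user      sAMAccountName search under default_base_dn (assumption:
                       one domain behind the configured directory server, since the
                       NetBIOS name alone does not give a base DN)
    user@dns.domain    userPrincipalName search under the domain's base DN
    user               sAMAccountName search under default_base_dn
    """
    if _DN_RE.match(login):
        return login.strip(), None, True
    if "\\" in login:
        _netbios, _, user = login.partition("\\")
        flt = f"(&(objectClass=user)(sAMAccountName={escape_filter_value(user)}))"
        return default_base_dn, flt, False
    if "@" in login:
        _user, _, dns_domain = login.rpartition("@")
        flt = f"(&(objectClass=user)(userPrincipalName={escape_filter_value(login)}))"
        return domain_to_base_dn(dns_domain), flt, False
    flt = f"(&(objectClass=user)(sAMAccountName={escape_filter_value(login)}))"
    return default_base_dn, flt, False

def resolve_dn(login: str, default_base_dn: str,
               search: Callable[[str, str], List[str]]) -> Optional[str]:
    """Return the DN for login, or None if absent or ambiguous.
    search(base_dn, ldap_filter) returns matching DNs. With the ldap3 package
    (not used here) this would be roughly:
        conn.search(base_dn, ldap_filter, attributes=[])
        return [e.entry_dn for e in conn.entries]
    """
    base_dn, ldap_filter, is_dn = build_lookup(login, default_base_dn)
    if is_dn:
        return base_dn
    matches = search(base_dn, ldap_filter)
    return matches[0] if len(matches) == 1 else None

# ---- constructed stand-in directory so the example runs offline -------------
DEFAULT_BASE_DN = "DC=corp,DC=example,DC=com"
SAMPLE_DIRECTORY = [
    {"dn": "CN=John Doe,OU=IT,DC=corp,DC=example,DC=com",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example.com"},
    {"dn": "CN=Svc iLO,OU=Service,DC=corp,DC=example,DC=com",
     "sAMAccountName": "svc-ilo", "userPrincipalName": "svc-ilo@corp.example.com"},
]
_EQ_RE = re.compile(r"\((sAMAccountName|userPrincipalName)=([^)]*)\)")

def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def memory_search(base_dn: str, ldap_filter: str) -> List[str]:
    """Minimal LDAP search stand-in: exact (case-insensitive) equality on the
    two attributes build_lookup emits, scoped to entries under base_dn."""
    m = _EQ_RE.search(ldap_filter)
    if not m:
        return []
    attr, value = m.group(1), _unescape(m.group(2))
    return [e["dn"] for e in SAMPLE_DIRECTORY
            if e["dn"].lower().endswith(base_dn.lower())
            and e[attr].lower() == value.lower()]

if __name__ == "__main__":
    for name in ("CORP\\jdoe", "jdoe@corp.example.com",
                 "CN=John Doe,OU=IT,DC=corp,DC=example,DC=com", "jdoe)(objectClass=*"):
        print(f"{name!r:50} -> {resolve_dn(name, DEFAULT_BASE_DN, memory_search)}")
```

Against a real domain controller the search callback would bind over LDAPS with a low-privilege service account and the same base DN the iLO is configured with; because the lookup is an ordinary LDAP operation, it passes through the load balancer's port 636 listener without any RPC endpoint mapper or dynamic-port allowance.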