Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

Privileges of group accounts (iLO)

SOLVED
Tim Dekker
Frequent Contributor.

Privileges of group accounts (iLO)

Hello,

I am trying to configure ILO's.

The XML Script is like this:

<RIBCL VERSION="2.27">
The "User" (DIR_GRPACCT2) gets the privilege to log in to iLO and to monitor the server.
That means:
Administer Group Accounts: Prohibited
Remote Console Access: Prohibited
Virtual Power and Reset: Prohibited
Virtual Media: Prohibited
Configure iLO 2 Settings: Prohibited

What is the value of
Value = 1 allows administering Group Accounts, Value = 2 allows access to remote console, and so on.
What is the value, if all is prohibited? I tried "0", "". I know you can prohibit all of the settings via browser, but there has to be a setting for configuring via script.
14 REPLIES
SamMan
Trusted Contributor.

Re: Privileges of group accounts (iLO)

Leaving the as is should do what you need.

How I obtained this information is I configured a group in the browser to disable all features. Then using the Get_Directory.XML file in the iLO Script examples I launched CPQLOCFG.EXE and I was able to see the Group privileges and this is what I received for my Test Group:


Tim Dekker
Frequent Contributor.

Re: Privileges of group accounts (iLO)

@SamMan: You're right. I did it the same way with the same results, but when I try to configure iLO with the XML script, I receive a mistake that "" is wrong. It doesn't know this command.
SamMan
Trusted Contributor.
Solution

Re: Privileges of group accounts (iLO)

@Tim,
I tested this and this is what I have come up with. I definitely see what you mean by not recognizing the command. So I just removed that line and sure enough I checked the "Users" group on the web browser as well as ran the Get_Directory.XML using CPQLOCFG.exe and MyTestGroup was there. I can't confirm this, but it seems like by default the Users, Custom1, Custom2, etc. have ALL options Prohibited until you enable them. Try this and see what you get.
Tim Dekker
Frequent Contributor.

Re: Privileges of group accounts (iLO)

@SamMan: Excellent idea. I did it the way you suggested and it works. Sure, it would be better to know the command to set all privileges to "prohibited".
However, thank you!
Tim Dekker
Frequent Contributor.

Re: Privileges of group accounts (iLO)

One problem remains. When there is, for example, 1 group account with all rights allowed and I want to overwrite it like you described (leaving out the line "DIR_GRPACCT..." for setting all privileges to prohibited), it doesn't change anything. The pre-configured privileges will be taken. So the group account is allowed to do everything, even though the script doesn't give any privileges.
SamMan
Trusted Contributor.

Re: Privileges of group accounts (iLO)

Man I have been banging my head on this one.
My assumptions towards HP's thinking and design of the iLO Group Account privileges are that if you were to prohibit a group of all privileges then just remove the Group's Security Group Distinguished Name. Now I haven't been able to find out a way to script the name removal but you can script a rename of the Security Group Distinguished Name. Renaming it to "Disabled" or random characters ("c-Mh!&hgTe"). I tested this and it works for me.
From what I can tell in your original post you are wanting to give users in the Administrators group on your domain full privileges and keep those in the Users group out. So by setting your Security Group Distinguished Name as "CN=Administrators,OU=Accounts,OU=domain,DC=domain,DC=com" and not having any other groups set up you will succeed in this as the iLO will only authenticate users from that group. This is how we do it at our company. We have a specific group that server admins are assigned to and only those select users are able to log in to the iLO, no one else.

I do agree that if something can be done in the browser then it should be able to be done via XML script. Unfortunately I don't think HP has done this.
[Glaubig]
Contributor.

Re: Privileges of group accounts (iLO)

I have successfully set DIR_GRPACCT_X when X is 3, 4, 5, or 6 to an empty string "". For some reason it doesn't work on the first two, but only on older iLO boards (version 1). Later versions of iLO actually reject the empty string entirely. I'm on current firmware as of 6/8/2011 and my iLO environment spans RILOE II through iLO 3.

iLO 3 appears to add an additional permission 6 for a login only privilege that appears to address this problem exactly, to be able to grant a login only session without granting additional privileges. In addition, granting other permissions 1-5 automatically assigns 6. The web GUI is the only option.

However, this isn't available in iLO 2 or earlier and isn't even documented in a PDF I pulled down from May 2011! Examples in the doc have options that aren't even mentioned in the descriptions immediately following the example!

Hey, HP if you're monitoring this, can we get a little consistency here?! If we can set options via a command line, we should be able to unset them and they should be documented. iLO 1 and earlier versions aside, there doesn't appear to be any reason directory settings can't at least be consistent in iLO2 and iLO3.
Oscar A. Perez
Outstanding Contributor.

Re: Privileges of group accounts (iLO)

What firmware versions do you have?

We fixed the empty string issue when removing Directory Group Names and Privileges via XML script in iLO2 2.05 and iLO3 1.20

Latest versions are iLO2 2.06 and iLO3 1.25



__________________________________________________
I work for Hewlett Packard

If you feel this was helpful please click the KUDOS! thumb below!
[Glaubig]
Contributor.

Re: Privileges of group accounts (iLO)

Oscar, your response is timely, and after I just got done upgrading everything to 2.05 and 1.20 in iLO2 and iLO3 respectively.

I've downloaded the firmware and will let you know results of testing.

Can you confirm please if simply assigning the empty string will work now for removing permissions? Also, there was another portion of my previous post where I had indicated iLO 1 devices would always accept the empty string, but it would silently fail the entire RIBCL command if attempts were made to set privileges on groups 1 or 2 to an empty string. Setting empty strings on groups 3 to 6 would work as expected.
drewjess_sky
New Member.

Re: Privileges of group accounts (iLO)

hitting an issue with unsetting values with DIR_GRPACCT, too.  

i want to configure two groups and unconfigure all others

if you pass in XML like so:

<DIR_GRPACCT1_NAME value="Authenticated Users"/>
<DIR_GRPACCT1_PRIV value="6"/>
<DIR_GRPACCT1_SID value="S-1-5-11"/>

<DIR_GRPACCT2_NAME value="unixgroup"/>
<DIR_GRPACCT2_PRIV value="1,2,3,4,5,6"/>
<DIR_GRPACCT2_SID value=""/>

<DIR_GRPACCT3_NAME value=""/>
<DIR_GRPACCT3_PRIV value=""/>
<DIR_GRPACCT3_SID value=""/>

<DIR_GRPACCT4_NAME value=""/>
<DIR_GRPACCT4_PRIV value=""/>
<DIR_GRPACCT4_SID value=""/>

<DIR_GRPACCT5_NAME value=""/>
<DIR_GRPACCT5_PRIV value=""/>
<DIR_GRPACCT5_SID value=""/>

<DIR_GRPACCT6_NAME value=""/>
<DIR_GRPACCT6_PRIV value=""/>
<DIR_GRPACCT6_SID value=""/>

iLO 2.30 accepts this XML and returns no errors, however any groups that are configured as 3, 4, 5 and 6 are left intact.

the documentation does not show how to remove configuration despite the fact that it must be possible, as there's a "remove group" button on the web frontend.

any advice, HP? :)
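
A post-apply check for the silent failure described above, as an added example that is not part of the original post or of HP's tooling: it parses a directory configuration read-back (for instance the output saved from running Get_Directory.XML through CPQLOCFG.EXE) and flags group slots that still hold a name or privileges the script meant to clear. The sample read-back, the `oldadmins` group and the `INTENDED` policy are constructed; the `GET_DIR_CONFIG` wrapper and uppercase `VALUE` attribute are assumptions about the response layout, and only the `DIR_GRPACCTn_*` element names come from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed read-back: slot 3 still holds a group the script tried to clear.
SAMPLE_READBACK = """<GET_DIR_CONFIG>
  <DIR_GRPACCT1_NAME VALUE="Authenticated Users"/>
  <DIR_GRPACCT1_PRIV VALUE="6"/>
  <DIR_GRPACCT2_NAME VALUE="unixgroup"/>
  <DIR_GRPACCT2_PRIV VALUE="1,2,3,4,5,6"/>
  <DIR_GRPACCT3_NAME VALUE="oldadmins"/>
  <DIR_GRPACCT3_PRIV VALUE="1,2,3,4,5,6"/>
  <DIR_GRPACCT4_NAME VALUE=""/>
</GET_DIR_CONFIG>"""

# Intended state (hypothetical policy): slot -> (group name, allowed privileges).
INTENDED = {1: ("Authenticated Users", {6}), 2: ("unixgroup", {1, 2, 3, 4, 5, 6})}

FIELD = re.compile(r"^DIR_GRPACCT(\d+)_(NAME|PRIV)$", re.IGNORECASE)

def parse_groups(xml_text):
    """Return {slot: {"NAME": str, "PRIV": set of ints}} from a read-back."""
    groups = {}
    for el in ET.fromstring(xml_text).iter():
        m = FIELD.match(el.tag)
        if not m:
            continue
        # Attribute case varies (value / VALUE), so look it up case-insensitively.
        value = {k.lower(): v for k, v in el.attrib.items()}.get("value", "").strip()
        slot = groups.setdefault(int(m.group(1)), {"NAME": "", "PRIV": set()})
        if m.group(2).upper() == "NAME":
            slot["NAME"] = value
        else:
            slot["PRIV"] = {int(p) for p in value.split(",") if p.strip()}
    return groups

def audit(xml_text, intended):
    """List (slot, problem, name, privileges) where the iLO differs from intent."""
    findings = []
    for slot, got in sorted(parse_groups(xml_text).items()):
        name, privs = got["NAME"], got["PRIV"]
        if slot not in intended:
            if name or privs:  # should be empty, but the clear did not take
                findings.append((slot, "stale-group", name, sorted(privs)))
            continue
        want_name, want_privs = intended[slot]
        if name != want_name:
            findings.append((slot, "name-mismatch", name, sorted(privs)))
        elif privs - want_privs:
            findings.append((slot, "extra-privileges", name, sorted(privs - want_privs)))
    return findings
```

Running `audit()` on the read-back after every scripted change catches the case reported here, where the script returns no error but the old group keeps its privileges.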

 

Seppy
New Member.

Re: Privileges of group accounts (iLO)

I've encountered the very same thing with firmware 2.30. If by any chance you set the group you are trying to clear to an arbitrary group name, does it auto-populate login privileges, regardless of the PRIV values you assign? That was surprising to me. I've attempted clearing those groups via WebUI (successful), but even after cleaning up, the problem comes back if you add a group, and then attempt to clear it with a null string. Return code 0, no errors logged; very frustrating. Not all version 2.30 firmware seems to be impacted. Attempted a reboot of the iLO interface, and that made no impact. I cannot reset the interface to defaults. It appears that the issue is impacting close to 50% of them, though: with 700+ interfaces, 360 are impacted by this.

Jean Paul Beere
Frequent Contributor.

Re: Privileges of group accounts (iLO)

HP: "We fixed the empty string issue when removing Directory Group Names and Privileges via XML script in iLO2 2.05 and iLO3 1.20" ...

Questions

And why is it not working on the latest iLO4 firmware 2.40/2.42?

So far no luck with either powershell or xml

 

Jean Paul Beere
Frequent Contributor.

Re: Privileges of group accounts (iLO)

Hi HP

You guys are so funny ... Guess what, you fixed it again in the new new ilo4 firmware 2.44

Oscar A. Perez
Outstanding Contributor.

Re: Privileges of group accounts (iLO)

So, to summarize: It is fixed in iLO2 v2.05, iLO3 v1.20 and now iLO4 v2.44

 

 



