[Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

Les Stott Less at imagine-sw.com
Tue Jan 14 03:44:12 UTC 2014


Been banging my head against the wall on this one for a few days, trying to get a workable configuration for HP ILO to authenticate via FreeIPA.

I have a standard rhel6 environment (64 bit 6.4) with freeipa server (ipa-3.0.0-37.el6).

The following works for me...

HP ILO4 Firmware 1.22
Default Directory Schema
Directory Server Address: fqdn_of_myfreeipaserver
Directory Server LDAP Port: 636
Directory User Context 1: cn=users,cn=accounts,dc=mydomain,dc=com
Directory Groups: cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com

...but only if I log in with my full dn...

Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com

The test settings button in the ILO works only with the full dn.

It doesn't work if I use the uid (less), or the cn (Les Stott).

I can then log in to ILO with...
Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com

If I try to log in with the cn, Les Stott, I see an error in the logs...

[13/Jan/2014:22:36:29 -0500] ipalockout_postop - [file ipa_lockout.c, line 473]: Failed to retrieve entry "CN=Les Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32

I've read a lot of things about getting this to work. Apparently there are issues with HP ILO requiring the username in cn format but it's in uid format in freeipa. You should also be able to log in with your cn, but that doesn't work.

I had a crack at trying Kerberos authentication as well, but it doesn't work and errors with "Additional Pre-authentication required".

Has anyone successfully been able to get HP ILO to work with FreeIPA such that you can log in with just the username (i.e. "less") or the CN (i.e. "Les Stott")?

Are schema changes required?

Alternatively has anyone been able to get HP ILO to work with Kerberos auth to FreeIPA?

Any help would be greatly appreciated.

Regards,

Les
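
Added example, not part of the original post: a small parser for the `ipalockout_postop` error-log line quoted above. It decodes the trailing LDAP result code (32 is noSuchObject) and compares the leading RDN of the DN that was looked up with the `uid=` RDN of the full DN that does work in the post. The function names and the `rdn_attr="uid"` default are assumptions of this example.

```python
import re

# LDAP result codes (RFC 4511) that matter when an entry lookup fails.
LDAP_RESULT = {32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials"}

# Line format of the ipalockout_postop message quoted in the post.
LOCKOUT_RE = re.compile(
    r'ipalockout_postop - \[file [^\]]+\]: '
    r'Failed to retrieve entry "(?P<dn>[^"]+)": (?P<code>\d+)'
)

# Values taken from the post: the iLO user context and the logged line.
USER_CONTEXT = "cn=users,cn=accounts,dc=mydomain,dc=com"
SAMPLE = ('[13/Jan/2014:22:36:29 -0500] ipalockout_postop - '
          '[file ipa_lockout.c, line 473]: Failed to retrieve entry '
          '"CN=Les Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32')


def split_dn(dn):
    """Split a DN into (attribute, value) pairs; escaped commas stay in the value.
    Multi-valued RDNs (joined with '+') are not handled."""
    return [tuple(part.strip() for part in rdn.split("=", 1))
            for rdn in re.split(r"(?<!\\),", dn)]


def diagnose(line, user_context=USER_CONTEXT, rdn_attr="uid"):
    """Summarise a failed entry lookup; return None for unrelated log lines."""
    m = LOCKOUT_RE.search(line)
    if not m:
        return None
    rdns = split_dn(m.group("dn"))
    attr, value = rdns[0]
    parent = ",".join(f"{a}={v}" for a, v in rdns[1:])
    code = int(m.group("code"))
    return {
        "attempted_dn": m.group("dn"),
        "result": LDAP_RESULT.get(code, f"code {code}"),
        # True when the lookup happened directly under the configured context.
        "in_user_context": parent.lower() == user_context.lower(),
        # True when the leading RDN attribute differs from the directory's.
        "rdn_mismatch": attr.lower() != rdn_attr.lower(),
        "login_name_sent": value,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

For the logged line this reports noSuchObject with an RDN mismatch: the entry looked up was `CN=Les Stott` under the user context, while the DN that authenticates in the post begins with `uid=less`.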

