[Freeipa-users] Revisiting ILO

Nathan Kinder nkinder at redhat.com
Wed Nov 6 23:23:51 UTC 2013


On 11/05/2013 11:51 AM, KodaK wrote:
> If I use the whole connection string:
>
> uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
>
> I can authenticate.
The HP iLO documentation doesn't list using the uid value as a supported
form of specifying the login.  You can use the CN value or the full DN.
They say that "DOMAIN\user" and "user@domain" forms are also accepted,
but that likely only works against Active Directory.

-NGK
>
>
> On Tue, Nov 5, 2013 at 1:40 PM, KodaK <sakodak at gmail.com> wrote:
>
>     I'm attempting to get HP ILO authenticating against IPA again.
>
>     I've configured the user context in ILO as:
>
>     cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
>
>     When ILO tries to connect, it sends the string:
>
>     CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
>
>     Which, of course, doesn't exist.  IPA uses uid=<username>, but as
>     far as I can tell I can't tell ILO to use a different username
>     attribute.  It doesn't even look like it's trying to use a
>     username attribute.
>
>     I've tried to force it to look for uid=jebalicki by using
>     "uid=jebalicki" in the login field, but that fails too.  The
>     errors in the errors log look like this:
>
>
>     [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry "jebalicki": 32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry "jebalicki": 32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry
>     "CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry
>     "CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry "jebalicki": 32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry "jebalicki": 32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry
>     "CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry
>     "CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry "jebalicki": 32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry "jebalicki": 32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry
>     "CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry
>     "CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry "uid=jebalicki": 32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry "uid=jebalicki": 32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry
>     "CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry
>     "CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry "uid=jebalicki": 32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry "uid=jebalicki": 32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry
>     "CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry
>     "CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry "uid=jebalicki": 32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry "uid=jebalicki": 32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file
>     ipa_lockout.c, line 645]: Failed to retrieve entry
>     "CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>     [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file
>     ipa_lockout.c, line 421]: Failed to retrieve entry
>     "CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com":
>     32
>
>     And the access log looks like this:
>
>     [05/Nov/2013:13:32:06 -0600] conn=214941 fd=438 slot=438 SSL
>     connection from 10.200.10.192 to 10.200.16.170
>     [05/Nov/2013:13:32:06 -0600] conn=214941 SSL 256-bit AES
>     [05/Nov/2013:13:32:06 -0600] conn=214941 op=0 BIND
>     dn="uid=jebalicki" method=128 version=2
>     [05/Nov/2013:13:32:06 -0600] conn=214941 op=0 RESULT err=32 tag=97
>     nentries=0 etime=0
>     [05/Nov/2013:13:32:06 -0600] conn=214941 op=1 BIND
>     dn="CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com"
>     method=128 version=2
>     [05/Nov/2013:13:32:07 -0600] conn=214941 op=1 RESULT err=32 tag=97
>     nentries=0 etime=1
>     [05/Nov/2013:13:32:07 -0600] conn=214941 op=2 UNBIND
>     [05/Nov/2013:13:32:07 -0600] conn=214941 op=2 fd=438 closed - U1
>     [05/Nov/2013:13:32:07 -0600] conn=214942 fd=439 slot=439 SSL
>     connection from 10.200.10.192 to 10.200.16.170
>     [05/Nov/2013:13:32:07 -0600] conn=214942 SSL 256-bit AES
>     [05/Nov/2013:13:32:07 -0600] conn=214942 op=0 BIND
>     dn="uid=jebalicki" method=128 version=2
>     [05/Nov/2013:13:32:07 -0600] conn=214942 op=0 RESULT err=32 tag=97
>     nentries=0 etime=0
>     [05/Nov/2013:13:32:07 -0600] conn=214942 op=1 UNBIND
>     [05/Nov/2013:13:32:07 -0600] conn=214942 op=1 fd=439 closed - U1
>     [05/Nov/2013:13:32:07 -0600] conn=214943 fd=438 slot=438 SSL
>     connection from 10.200.10.192 to 10.200.16.170
>     [05/Nov/2013:13:32:07 -0600] conn=214943 SSL 256-bit AES
>     [05/Nov/2013:13:32:07 -0600] conn=214943 op=0 BIND
>     dn="CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com"
>     method=128 version=2
>     [05/Nov/2013:13:32:07 -0600] conn=214943 op=0 RESULT err=32 tag=97
>     nentries=0 etime=0
>     [05/Nov/2013:13:32:07 -0600] conn=214943 op=1 UNBIND
>     [05/Nov/2013:13:32:07 -0600] conn=214943 op=1 fd=438 closed - U1
>
>     Is there any way to force things on the IPA side?  Can I
>     automatically attach on the necessary components to the provided
>     username?
>
>
>
>
> -- 
> The government is going to read our mail anyway, might as well make it 
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
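
Added example, not part of the original thread: a small parser that pairs each BIND in a 389-ds access log with its RESULT and explains why the err=32 (noSuchObject) binds cannot match an IPA user entry. The log lines, the user "jdoe", the suffix dc=example,dc=com and the USER_BASE value are constructed for illustration.

```python
import re

# Constructed sample in the 389-ds access-log format quoted above
# (hypothetical host, user and suffix; lines are unwrapped).
SAMPLE_LOG = """\
[05/Nov/2013:13:32:06 -0600] conn=101 op=0 BIND dn="uid=jdoe" method=128 version=2
[05/Nov/2013:13:32:06 -0600] conn=101 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[05/Nov/2013:13:32:06 -0600] conn=101 op=1 BIND dn="CN=uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" method=128 version=2
[05/Nov/2013:13:32:07 -0600] conn=101 op=1 RESULT err=32 tag=97 nentries=0 etime=1
[05/Nov/2013:13:32:07 -0600] conn=102 op=0 BIND dn="CN=jdoe,cn=users,cn=accounts,dc=example,dc=com" method=128 version=2
[05/Nov/2013:13:32:07 -0600] conn=102 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[05/Nov/2013:13:32:09 -0600] conn=103 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" method=128 version=2
[05/Nov/2013:13:32:09 -0600] conn=103 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
"""

USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"  # assumed user container
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def classify(dn, base=USER_BASE):
    """Explain why a bind DN would not resolve to an IPA user entry."""
    low = dn.lower()
    if not low.endswith("," + base.lower()):
        return "not under user container"
    attr = low[: -len(base) - 1].split("=", 1)[0]  # attribute of the leading RDN
    if attr != "uid":
        return "RDN uses %s= instead of uid=" % attr
    return "well-formed uid DN"

def failed_binds(log_text):
    """Pair each BIND with its RESULT by (conn, op); return the err=32 ones."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            if m.group(3) == "32":  # LDAP noSuchObject
                failures.append((dn, classify(dn)))
    return failures

if __name__ == "__main__":
    for dn, reason in failed_binds(SAMPLE_LOG):
        print(f"{reason:32} {dn}")
```

A real access log wrapped by a mail client, as in the quoted message, needs its continuation lines rejoined before parsing.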
