<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/13/2014 10:44 PM, Les Stott wrote:
<blockquote
cite="mid:4ED173A868981548967B4FCA2707222605488D@AACMBXP04.exchserver.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Been banging my head against the wall on
this one for a few days, trying to get a workable
configuration for HP ILO to authenticate via FreeIPA.</p>
<p class="MsoNormal">I have a standard rhel6 environment (64 bit
6.4) with freeipa server (ipa-3.0.0-37.el6).</p>
<p class="MsoNormal">The following works for me……</p>
<p class="MsoNormal">HP ILO4 Firmware 1.22</p>
<p class="MsoNormal">Default Directory Schema</p>
<p class="MsoNormal">Directory Server Address:
fqdn_of_myfreeipaserver</p>
<p class="MsoNormal">Directory Server LDAP Port: 636</p>
<p class="MsoNormal">Directory User Context 1:
cn=users,cn=accounts,dc=mydomain,dc=com</p>
<p class="MsoNormal">Directory Groups:
cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com</p>
<p class="MsoNormal">….but only if I log in with my full dn….</p>
<p class="MsoNormal">Username:
uid=less,cn=users,cn=accounts,dc=mydomain,dc=com</p>
<p class="MsoNormal">The test settings button in the ILO works
only with the full dn.</p>
<p class="MsoNormal">It doesn’t work if I use the uid (less), or
the cn (Les Stott).</p>
<p class="MsoNormal">I can then log in to ILO with ….</p>
<p class="MsoNormal">Username:
uid=less,cn=users,cn=accounts,dc=mydomain,dc=com</p>
<p class="MsoNormal">If I try to log in with the cn, Les Stott, I
see an error in the logs…</p>
<p class="MsoNormal">[13/Jan/2014:22:36:29 -0500]
ipalockout_postop - [file ipa_lockout.c, line 473]: Failed to
retrieve entry "CN=Les Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32</p>
<p class="MsoNormal">I’ve read a lot of things about getting
this to work. Apparently there are issues with HP ILO
requiring the username in cn format but it’s in uid format in
freeipa. You should also be able to log in with your cn, but
that doesn’t work.</p>
<p class="MsoNormal">I had a crack at trying Kerberos
authentication as well, but it doesn’t work and errors with
“Additional Pre-authentication required”.</p>
<p class="MsoNormal">Has anyone successfully been able to get HP
ILO to work with FreeIPA such that you can log in with just the
username (i.e. “less”) or the CN (i.e. “Les Stott”)?</p>
<p class="MsoNormal">Are schema changes required?</p>
<p class="MsoNormal">Alternatively, has anyone been able to get
HP ILO to work with Kerberos auth to FreeIPA?</p>
<p class="MsoNormal">Any help would be greatly appreciated.</p>
<p class="MsoNormal">Regards,</p>
<p class="MsoNormal">Les</p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
Have you searched the freeipa-users archives? The issue sounds familiar
and I vaguely recall there was a workaround.<br>
This is the thread:
<a class="moz-txt-link-freetext" href="https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html">https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html</a><br>
<br>
I think you can use the compat plugin on the IPA to expose the tree in
the way HP ILO expects.<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
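<p>Added example, not part of either message: a small diagnostic that parses the ipalockout_postop line quoted in the thread and flags a lookup whose leading RDN attribute differs from the one the directory uses for user entries. The sample line is constructed from the quoted log, and the default of uid as the expected RDN attribute is an assumption taken from the full DN that worked in the thread.</p>

```python
import re

# Constructed sample, modelled on the errors-log line quoted in the thread.
SAMPLE_LOG = (
    '[13/Jan/2014:22:36:29 -0500] ipalockout_postop - '
    '[file ipa_lockout.c, line 473]: Failed to retrieve entry '
    '"CN=Les Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32'
)

# Standard LDAP result codes relevant to a failed bind.
LDAP_RESULT = {32: "noSuchObject", 49: "invalidCredentials"}
FAILED_ENTRY = re.compile(r'Failed to retrieve entry "([^"]+)": (\d+)')


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def diagnose(line, rdn_attr="uid"):
    """Describe a failed entry lookup, or return None if the line does not match.

    rdn_attr is the attribute assumed to name user entries (uid in the thread).
    """
    match = FAILED_ENTRY.search(line)
    if match is None:
        return None
    rdns = split_dn(match.group(1))
    attr, _, value = rdns[0].partition("=")
    code = int(match.group(2))
    container = ",".join(rdns[1:])
    return {
        "result": LDAP_RESULT.get(code, str(code)),
        "rdn_attr": attr.lower(),
        "login_value": value,
        "container": container,
        "rdn_mismatch": attr.lower() != rdn_attr,
        "expected_form": "%s=LOGIN,%s" % (rdn_attr, container),
    }
```

<p>Run over the directory server's errors log, a result of noSuchObject together with rdn_mismatch set to True points at the client building a DN the tree does not contain, rather than at a wrong password.</p>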
</body>
</html>