<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 01/14/2014 04:01 PM, Les Stott wrote: <blockquote cite="mid:4ED173A868981548967B4FCA27072226054E59@AACMBXP04.exchserver.com" type="cite"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <style id="owaParaStyle" type="text/css"></style> <div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt;">I had seen that thread... <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html" target="_blank"> https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html</a> all it says is... On 11/05/2013 02:51 PM, KodaK wrote: <blockquote cite="" type="cite"> <div dir="ltr">If I use the whole connection string: <div> </div> <div>uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com </div> <div> </div> <div>I can authenticate.</div> </div> </blockquote> Which i can do successfully, but its not great to have to tell everyone your username for ilo is uid=blah,cn=users,cn=accounts..etc There is also mentioned in that thread... "The HP iLO documentation doesn't list using the uid value as a supported form of specifying the login. You can use the CN value or the full DN. They say that "DOMAIN\user" and "user domain" forms are also accepted, but that likely only works against Active Directory." CN doesn't work. full DN does. I don't see any reference to a workaround via compat plugin in that thread. Have you got any more info on the compat workaround? </div> </blockquote> You can create a compat tree using compat plugin of IPA. It is used for NIS, support of Solaris clients and for AD trusts in latest IPA. As a simple test you can enable the plugin: <pre class="screen">ipa-compat-manage enable That will expose the tree on the cn=compat hive but using 2307 schema. You can then change the configuration of the plugin to use uid value instead of CN in this view, i.e expose CN as uid. Then you can point your HP ILO to that tree. AFAIU in the past it was not possible because we did not allow bind against compat tree but now we allow it so it should work with the latest IPA 3.3.x bits. Details on how to change compat configuration can be found in the plugin configuration here: <a class="moz-txt-link-freetext" href="https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc">https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc</a> I am not sure that would 100% work but IMO worth a shot. </pre> <blockquote cite="mid:4ED173A868981548967B4FCA27072226054E59@AACMBXP04.exchserver.com" type="cite"> <div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;"> Thanks, Les <div style="font-family: Times New Roman; color: #000000; font-size: 16px"> <hr tabindex="-1"> <div style="direction: ltr;" id="divRpF768698">From: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Dmitri Pal [<a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a>] Sent: Wednesday, January 15, 2014 3:30 AM To: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos) </div> <div>On 01/13/2014 10:44 PM, Les Stott wrote: <blockquote type="cite"> <style>  BODY {direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;}P {margin-top:0;margin-bottom:0;}BODY {scrollbar-base-color:undefined;scrollbar-highlight-color:undefined;scrollbar-darkshadow-color:undefined;scrollbar-track-color:undefined;scrollbar-arrow-color:undefined}</style> <div class="WordSection1"> Been banging my head against the wall on this one for a few days, trying to get a workable configuration for HP ILO to authenticate via FreeIPA. I have a standard rhel6 environment (64 bit 6.4) with freeipa server (ipa-3.0.0-37.el6). The following works for me…… HP ILO4 Firmware 1.22 Default Directory Schema Directory Server Address: fqdn_of_myfreeipaserver Directory Server LDAP Port: 636 Directory User Context 1: cn=users,cn=accounts,dc=mydomain,dc=com Directory Groups: cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com ….but only if I login with my full dn…. Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com The test settings button in the ILO works only with the full dn. It doesn’t work if I use the uid (less), or the cn (Les Stott). I can then login to ILO with …. Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com If I try to login with the cn, Les Stott I see an error in the logs… [13/Jan/2014:22:36:29 -0500] ipalockout_postop - [file ipa_lockout.c, line 473]: Failed to retrieve entry "CN=Les Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32 I’ve read a lot of things about getting this to work. Apparently there are issues with HP ILO requiring the username in cn format but its in uid format in freeipa. You should also be able to login with your cn, but that doesn’t work. I had a crack at trying Kerberos authentication as well, but it doesn’t work and errors with “Additional Pre-authentication required”. Has anyone successfully been able to get HP ILO to work with FreeIPA such that you can login with just the username (i.e. “less”) or the CN (i.e. “Les Stott”)? Are schema changes required? Alternatively has anyone been able to get HP ILO to work with Kerberos auth to FreeIPA? Any help would be greatly appreciated. Regards, Les </div> <fieldset class="mimeAttachmentHeader" target="_blank"></fieldset> <pre>_______________________________________________ Freeipa-users mailing list <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> Have you searched freeipa-users archives? The issue sounds familiar and I vaguely recalled there was a workaround. This is the thread <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html" target="_blank"> https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html</a> I think you can use compat plugin on the IPA to expose the tree in the way HP ILO expects. <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> </div> </div> </div> </blockquote> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>