Unsolved
4 Posts
0
2777
Device onboarding not working with LDAP account
I have an R620, running the most recent iDrac firmware. This is configured to allow a domain user, (username dellomesvc) to authenticate via LDAP with administrator permissions. I can log in using this account via webgui, ssh and WS-MAN. Once logged in, full administrative permissions are confirmed.
I can use this account to discover the system and add it to OpenManage Enterprise, however onboarding fails with the following message:
Messages:
Running
There was an error in finding supplied user's details.
Task Failed. Execution has completed
I have attempted to manually perform onboarding with the username formatted differently (local\dellomesvc, dellomesvc.local) with no success. I can perform onboarding successfully with a local iDRAC administrator account. Sadly, the use of local accounts is not possible in the long term as we need to regularly rotate our passwords.
The slightly cryptic error message suggests onboarding is perhaps only checking the local administrator list and not finding a match - any suggestions?
Cheers, Mike
MikeyDeeBee
4 Posts
1
June 20th, 2018 06:00
Um, yep, that was it, it checks the local user list only. I've added a local user with the same username (dellomesvc), supplied it with admin privileges and set a random password (not the same password as the domain account) and disabled it.
This seems to be doing the trick - I can now onboard devices.
So flow is:
discovery against idrac using dellomesvc > local user list shows dellomesvc as disabled user > idrac attempts ldap auth (bit surprised by this, you'd think it would stop here) > ldap auth successful > discovery complete.
Onboarding against idrac using dellomesvc > local user list shows dellomesvc as disabled user > idrac attempts ldap auth > ldap auth successful > OME does "something" to query the local admin user list, if no match is found, onboarding fails, if administrator is found with matching username (even a disabled account), onboarding completes.
Hope that helps someone. And hope this is fixed in a later release.
dwatadventsol
37 Posts
0
September 19th, 2018 12:00
Hey MikeyDeeBee
Nice work around, I'm going to use this in our environment, thankfully I can use puppet to add a local user via IPMI. Alternatively I guess a bash script with ipmitool in a loop would be an ok alternative to do this at scale.
something like:
I've not got access test the above at the moment, so check the ipmitool man page, but should be a good starter.
DELL-Pupul M
1K Posts
0
September 20th, 2018 05:00
Hi,
Thanks for your question. When using AD credentials for performing discovery, there is no direct way to figure out the privileges of a user from idrac as the privileges are stored in AD. Which is why, OME is designed to assume that user has admin privilege on the server which is discovered.
You will be able to run all the operations from OME on the server. If the user does not have enough privilege for any operation, then the task would fail with the error message that user does not have enough privilege to perform the operation. I hope this answers your question.
MikeyDeeBee
4 Posts
0
September 20th, 2018 06:00
Yep, I called the racadm tool from powershell (this was a while ago now):
$Logtextfile = ".\updatedraclog_$((Get-Date).ToString('yyyy-MM-dd')).txt"
$dracs = import-csv c:\scripts\idracs\insertcsvhere.csv
$env:Path = $env:Path + ";C:\Program Files\Dell\SysMgt\rac5\"
$binddn = "SecretDN"
$bindpw = "Secretpassword"
$admingrpdn = "SecretDN"
foreach ($drac in $dracs){
$drac.hostname,$drac.username,$drac.password,$drac.dns1,$drac.dns2,$drac.binddn,$drac.bindpw,$drac.admingrpdn | out-null
write-host "starting job for $($drac.hostname)"
"starting job for $($drac.hostname)`n" | Out-File $Logtextfile -Append
$hostname = $drac.hostname
$username = $drac.username
$password = $drac.password
$dns1 = $drac.dns1
$dns2 = $drac.dns2
try {
racadm.exe -r $hostname -u $username -p $password sslcertupload -t 2 -f c:\scripts\idracs\CA.cer | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldap -o cfgLdapCertValidationenable 1 | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldap -o cfgLdapEnable 1 | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldap -o cfgLdapServer ldap.secret.com | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldap -o cfgLdapPort 636 | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldap -o cfgLdapBaseDN """SecretDN""" | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldap -o cfgLdapBindDN $binddn | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldap -o cfgLdapBindpassword $bindpw | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldap -o cfgLdapCertValidationenable 0 | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldap -o cfgLdapGroupAttribute """member""" | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldap -o cfgLdapUserAttribute """samaccountname""" | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldaprolegroup -i 1 -ocfgLdapRoleGroupDN $admingrpdn | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgldaprolegroup -i 1 -ocfgLdapRoleGroupPrivilege 0x1ff | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgLanNetworking -o cfgDNSServer1 $dns1 | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgLanNetworking -o cfgDNSServer2 $dns2 | Out-File $Logtextfile -Append
#racadm.exe -r $hostname -u $username -p $password config -g cfgUserAdmin -i 2 -o cfgUserAdminUserName dellomesvc | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgUserAdmin -i 3 -o cfgUserAdminUserName dellomesvc | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgUserAdmin -i 3 -o cfgUserAdminPassword "SecretPW" | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgUserAdmin -i 3 -o cfgUserAdminPrivilege 0x1ff | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password config -g cfgUserAdmin -i 3 -o cfgUserAdminEnable 0 | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password ping 8.8.8.8 | Out-File $Logtextfile -Append
#DRAC will reset after these:
racadm.exe -r $hostname -u $username -p $password sslkeyupload -t 1 -f c:\scripts\idracs\star.key | Out-File $Logtextfile -Append
racadm.exe -r $hostname -u $username -p $password sslcertupload -t 1 -f c:\scripts\idracs\star.pem | Out-File $Logtextfile -Append
}
catch{
"unable to connect to $($drac.hostname)" | Out-File $Logtextfile -Append
$_.Exception.Message | Out-File $Logtextfile -Append
}
}
MikeyDeeBee
4 Posts
0
September 20th, 2018 07:00
Pupul, I think you have perhaps misunderstood the issue. I believe user privileges are stored on the idrac (you assign a domain group admin privileges "locally", the ACL is stored on the idrac, an AD bind is done with all group memberships enumerated, these groups are then checked against the local idrac ACLs, if an admin privilege is found, access is permitted with appropriate privilege).
Authentication and admin privilege was found to be working on the webgui, ssh and WS-MAN. However for the onboarding task, the local ACLs for an authenticated LDAP account are not checked - as posted, I did find a workaround.
dwatadventsol
37 Posts
0
September 20th, 2018 12:00
My guess is that part of the onboarding process checks that the user has admin by checking in the local users table only, which is accessible via wsman, where as it should probably check the local users and I’d AD/LDAP is enabled check the resulting set of privileges for the user.