Dell KVM 4322DS LDAP Authentication Help

Question

Hello All, I have been working with a brand new Dell KVM 4322DS for a while now and have it up and running in pretty much every way, except for the LDAP Authentication feature. We will have quite a few people logging into and using this KVM so having LDAP work would make managing the users MUCH easier. I have everything setup correctly as far as I can tell but it still does not work right. Sometimes when I try to login with my domain user I get 'Access cannot be granted due to authentication server errors' and other times I get 'User does not have sufficient access rights'. The KVM is setup to use the Standard AD Schema and the objects are arranged in their own dedicated OU named ‘ITKVM’. In this OU I have the computer object representing the KVM called ‘ITRCS’ (I didn’t use ITKVM so that it is totally unique in the domain) and the KVM is also named ITRCS. I don’t have any computer objects for the SIPs as I don’t plan to use the ‘KVM User’ privilege level. For the groups, I have all three setup and they are named as follows: 'ITKVM RCS Administrator', 'ITKVM User Administrator', and 'ITKVM User'. Each group has the correct string set in their ‘Notes’ property as follows: 'KVM RCS Admin', 'KVM User Admin', and 'KVM User' respectively. The computer object representing the KVM is a member of all three groups and my user is a member of the ‘ITKVM RCS Administrator’ group. As far as I know, this is the exact setup called for in the instructions. Also following the instructions the best I can I have exported the Active Director Root CA certificate and it was accepted by the KVM. I also have DNS and NTP pointing directly at domain controllers and NTP has reported that it is working (which also tells me DNS is too). I still have the self-signed default web SSL certificate in place but I am not sure if that needs to be changed or not. It is setup in a simple Class C subnet that my workstation is also in and both the KVM and my workstation plug into the same switch and I am accessing the web interface by the IP address assigned to the KVM. Here is what happens. As I said above, my user is a member of the ‘ITKVM RCS Administrator’ AD group object and that group has been setup with the ‘KVM RCS Admin’ privilege but when I go to login I will get the 'User does not have sufficient access rights' error. I also sometimes get the 'Access cannot be granted due to authentication server errors' message but if I just keep trying then I will usually end up getting the first error message. What is very annoying is that when I put my AD user in the ‘ITKVM User Administrator’ group or even the ‘ITKVM User’ group it usually works but I obviously don’t get all the configuration options and sometimes I still get the ‘server errors’ message. When I login, I use the full domain name, a ‘\’, then my username with first letter capitalized (if I don’t, it never works). Has anyone ever got this to work? This is the second Dell KVM that I have tried to get to use LDAP. The first one I just gave up on but I would really like to get this one to work as many people will be using it. Does anyone have any ideas on what could be wrong? Thank you all for the help! -Ryan Lenkersdorfer

rdlenk · Accepted Answer

Well, I have found a partial solution to this and was finally able to get the KVM to use LDAP! I went over to Avocent's website (the company that actually makes the Dell-branded KVMs) and read their manual for their KVM. The section on LDAP in that manual is far more detailed than Dell's but more than that the actual Avocent KVMs give you far greater control over the configuration of LDAP. What I was able to find is that they Dell manual is, in fact, incorrect. The highest privilege level specified in the Dell manual is the 'KVM RCS Admin' but the Avocent manual has it as 'KVM Appliance Admin'. Changing the AD group to the correct string did the trick and I was finally able to login to the KVM with my AD user as a full admin. Maybe Dell had intended it to be 'RCS' instead of 'Appliance' but obviously their modified Avocent code is written differently. I still get the 'server errors' message several times before it is finally able to login but this is defiantly a step forward. It should also be noted that using the Dell Schema Extensions would also have fixed this issue but for some environments, they just aren't a good option.

I am pretty disappointed with Dell on this. They started with a great product (from Avocent) that has great features then crippled it with their own, apparently butchered, code. We will probably avoid their KVMs from now on and go directly to Avocent for our needs.

Hope this message helps other users with their Dell KVMs.

Thank you,

Ryan

rdlenk · Answer

Further details, apparently there is a 'LDAP Debug' option that you can select using the SETUP port (Serial Port) that will show you the details of the LDAP auth process including any of the errors you are having. Would have been nice to know that a while back...

KBragan · Answer

Has anyone gotten any further with this?

I am at the same exact point as you. I have set iDRACs up for AD authenication and that was simple. This on the other hand.... I have redont everything, tried different names, used a different cert. and still cannot log in using my AD credentials.

rdlenk · Answer

All I can offer is what I posted before; we don't even use Dell KVMs anymore. Give the LDAP Debug mode a try using a serial cable and Putty (we had a serial to USB converter) and use the Avocent manual (which is now part of Emerson Network Power http://www.emersonnetworkpower.com) for information. It was a pain but I was able to get it to work, then we decided Java was lame and got a KVM that had a remote app that used .NET (Raritan).

Hope it goes well for you.

-Ryan

PowerEdge Hardware General

Was this post helpful?