
April 8th, 2020 02:00

iDRAC 9 and OpenLDAP

Hi,

Trying to configure LDAP authentication on iDRAC 9:

Certificate Validation: disabled
Generic LDAP: enabled
Use Distinguished Name to Search Group Membership: Yes
LDAP Server Address: 10.10.24.4
Bind DN: cn=ldap_client,ou=Users,dc=domain,dc=com
Bind Password: enabled
Update Bind Password: password for ldap_client
Base DN to Search: dc=domain,dc=com
Attribute of User Login: uid
Base DN to Search: dc=domain,dc=com
Group DN: cn=test-servers,ou=Groups,dc=domain,dc=com

But an error appears during testing:

The user is not a member of any role group that allows access to iDRAC.

Server: OpenLDAP

test-servers - the group that the test_ipmi user belongs to

Any ideas ?


April 9th, 2020 06:00

Thanks

dn: cn=test-servers,ou=Groups,dc=domain,dc=com
objectClass: posixGroup
gidNumber: 10016
cn: test-servers

If Attribute of Group Membership is memberUid and Use Distinguished Name to Search Group Membership is Disabled, everything works.

Why use a different name to search for group membership?

April 10th, 2020 02:00

The iDRAC implementation of LDAP login is very generic. It is designed to work with any directory service solution, not only OpenLDAP. That is the reason iDRAC has so many configurable options.

iDRAC LDAP login can work when the members in a group are Distinguished Names or just names. The "Distinguished Name to Search Group Membership" attribute controls that. So based on this we can have either DNs for group members (e.g. groupOfUniqueNames) or names (e.g. posixGroup).

In your case, you need to disable "Distinguished Name to Search Group Membership", as members in the group are specified only with uid, not DN.

Similarly, different LDAP solutions support different attributes to list members in a group; by default iDRAC supports member or uniqueMember. If the user has any other attribute to capture details of members in a group, it needs to be mentioned in "Attribute of Group Membership".

You need to specify "Attribute of Group Membership" as "memberUid", as you have the "memberUid" attribute in the group used to specify users in the group.
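As an added example (not Dell's or iDRAC's code, and not from anyone in this thread), the following Python derives the two iDRAC settings discussed above from a group's LDIF entry and replays the base-scope role-group search from the test log in both filter forms, so the difference between a posixGroup (memberUid, bare uid) and a groupOfUniqueNames (uniqueMember, DN) is visible. The group entries, the user DN uid=test_ipmi,ou=Users,dc=domain,dc=com and the DN-form filter are constructed for the example; the DN form models what a DN-based search would send, it is not iDRAC's own logic.

```python
# Added example (not iDRAC/Dell code): derive the two iDRAC role-group settings from a
# group's LDIF entry and replay the role-group membership search in both filter forms.
MEMBER_ATTRS = {  # attribute (lower-case) -> (canonical name, values are DNs?)
    "member": ("member", True),
    "uniquemember": ("uniqueMember", True),
    "memberuid": ("memberUid", False),
}

# Constructed LDIF entries modelled on the thread; not real directory data.
POSIX_GROUP = """dn: cn=test-servers,ou=Groups,dc=domain,dc=com
objectClass: posixGroup
gidNumber: 10016
cn: test-servers
memberUid: test_ipmi
"""
UNIQUE_GROUP = """dn: cn=ldapgroup,ou=test,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: ldapgroup
uniqueMember: cn=ldapuser,ou=test,dc=domain,dc=com
"""

def parse_ldif_entry(text):
    """Parse one unfolded LDIF entry into {attribute (lower-case): [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def idrac_group_settings(entry):
    """Return ("Attribute of Group Membership", "Use Distinguished Name ..." flag) for a group."""
    for attr, (name, values_are_dns) in MEMBER_ATTRS.items():
        if attr in entry:
            return name, values_are_dns
    raise ValueError("group has no member, uniqueMember or memberUid attribute")

def membership_check(entry, login, user_dn, member_attr, use_dn):
    """Model of the base-scope search on the Group DN seen in the iDRAC test log:
    the filter carries the user's DN when use_dn is set, else the bare login.
    Returns (filter string, matched)."""
    wanted = user_dn if use_dn else login
    ldap_filter = f"({member_attr}={wanted})"
    norm = lambda s: s.lower().replace(", ", ",")  # DN/uid matching is case-insensitive
    matched = any(norm(v) == norm(wanted) for v in entry.get(member_attr.lower(), []))
    return ldap_filter, matched
```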

 


April 8th, 2020 10:00

Can you confirm whether iDRAC Privilege is set for the group "Group DN cn=test-servers,ou=Groups,dc=domain,dc=com"?


April 9th, 2020 00:00

(screenshot attached)

April 9th, 2020 05:00

Can you perform an ldapsearch on the domain and check which attribute is used to add users to the group? E.g. in the example below the uniqueMember attribute is used to capture user information on the group. The same attribute needs to be configured in the "Attribute of Group Membership" field in iDRAC.

ldapsearch -x -b 'dc=domain,dc=com' '(cn=ldapgroup)'

dn: cn=ldapgroup,ou=test,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: ldapgroup
uniqueMember: cn=ldapuser,ou=test,dc=domain,dc=com


April 9th, 2020 06:00

Instead of posixGroup, can you create a group with objectClass groupOfUniqueNames, add member DNs with uniqueMember (as shown below) and try to configure this group in iDRAC?

dn: cn=ldapgroup,ou=test,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: ldapgroup
uniqueMember: cn=ldapuser,ou=test,dc=domain,dc=com

September 3rd, 2020 15:00

I can successfully configure an iDRAC 9 with OpenLDAP. The "Test" function works fine when I enter an authorized user and password:

17:03:31  Initiating Directory Services Settings Diagnostics:
17:03:31  trying LDAP server ldap.x.x.x:636
17:03:31  Server Address ldap.x.x.x resolved to y.y.y.y
17:03:31  connect to y.y.y.y:636 passed
17:03:31  Connecting to ldaps://ldap.x.x.x.x]:636...
17:03:31  Test user authenticated user= host=ldap.x.x.x.x
17:03:31  Search command:
   Bind DN: [Anonymous]
   Scope: subtree
   Base DN: dc=example,dc=com
   Search filter: (&(uid=user)(objectClass=posixAccount))
   Attribute list:
   objectClass
   memberOf
   dn
   uid
   objectCategory
   defaultNamingContext
   namingContexts
   ldapServiceName
   supportedControl
   supportedExtension
17:03:31  Connecting to ldaps://[ldap.x.x.x.x]:636...
17:03:31  Test user authenticated user=uid=user,ou=admins,ou=People,dc=example,dc=com host=ldap.x.x.x.x
17:03:31  Connecting to ldaps://[ldap.x.x.x.x]:636...
17:03:31  Test user authenticated user=uid=user,ou=admins,ou=People,dc=example,dc=com host=ldap.x.x.x.x
17:03:31  Search command:
   Bind DN: uid=user,ou=admins,ou=People,dc=example,dc=com
   Scope: base
   Base DN: cn=group,ou=Group,dc=example,dc=com
   Search filter: (memberUid=user)
   Attribute list:
   objectClass
   memberOf
   dn
   uid
   objectCategory
   defaultNamingContext
   namingContexts
   ldapServiceName
   supportedControl
   supportedExtension
17:03:31  Privileges gained from role group 'cn=group,ou=Group,dc=example,dc=com':
   Login
   Config iDRAC
   Clear Logs
   Server Control
   Virtual Console
   Virtual Media
   Test Alerts
   Diagnostic Command
17:03:31  Test user user authorized

17:03:31  Cumulative privileges gained:
   Login
   Config iDRAC
   Clear Logs
   Server Control
   Virtual Console
   Virtual Media
   Test Alerts
   Diagnostic Command

However, when I actually try and log in as that user, I get the following error:

2020-09-03 16:54:19 USR0031 Unable to log in for user from y.y.y.y using GUI.

Log Sequence Number:
69
Detailed Description:
Unsuccessful login for the username, IP address, and interface identified in the message.
Recommended Action:
Make sure the login credentials are valid and retry the operation.

 

I cannot figure out why this is happening. Any help?


September 4th, 2020 10:00

Hello,

What firmware are you running on the iDRAC? In theory, it should "just work," but I've run into a couple of cases where it didn't and running a racadm resetcfg resolved the issue. One thing to note: that would clear your configuration on the iDRAC, too. If trying that command is something you want to consider, make sure you can reconfigure the iDRAC.

September 4th, 2020 13:00

Hi thanks for the suggestion. Doing a full reset on the iDRAC and reconfiguring it solved the problem. Weird. In case you need to know, the RAC details are:

Hardware Version 0.01
Firmware Version 4.10.10.10

 

Thanks!