Idrac 9 and openldap
Hi,
Trying to configure LDAP authentication on iDRAC 9:
Certificate Validation: Disabled
Generic LDAP: Enabled
Use Distinguished Name to Search Group Membership: Yes
LDAP Server Address: 10.10.24.4
Bind DN: cn=ldap_client,ou=Users,dc=domain,dc=com
Bind Password: Enabled
Update Bind Password: (password for ldap_client)
Base DN to Search: dc=domain,dc=com
Attribute of User Login: uid
Base DN to Search: dc=domain,dc=com
Group DN: cn=test-servers,ou=Groups,dc=domain,dc=com
But an error appears during testing:
"The user is not a member of any role group that allows access to iDRAC."
Server: OpenLDAP
test-servers is the group that the test_ipmi user belongs to.
Any ideas?
beren43, April 9th, 2020 06:00
Thanks
dn: cn=test-servers,ou=Groups,dc=domain,dc=com
objectClass: posixGroup
gidNumber: 10016
cn: test-servers
If Attribute of Group Membership: memberUid and Use Distinguished Name to Search Group Membership: Disabled, everything works.
Why use a different name to search for group membership?
DELL-Shine K (4 Operator), April 10th, 2020 02:00
The iDRAC implementation of LDAP login is very generic. It is designed to work with any directory service solution, not only OpenLDAP. That is the reason iDRAC has so many configurable options.
iDRAC LDAP login can work when the members of a group are Distinguished Names or just names. The "Distinguished Name to Search Group Membership" attribute controls that. So based on this we can have either DNs for group members (e.g. groupOfUniqueNames) or names (e.g. posixGroup).
In your case, you need to disable "Distinguished Name to Search Group Membership", as the members of the group are specified only with a uid, not a DN.
Similarly, different LDAP solutions support different attributes for listing the members of a group; by default iDRAC supports member or uniqueMember. If the user has any other attribute that captures the members of a group, it needs to be specified in "Attribute of Group Membership".
You need to specify "Attribute of Group Membership" as "memberUid", as you have the "memberUid" attribute in the group being used to specify the users of the group.
DELL-Shine K (4 Operator), April 8th, 2020 10:00
Can you confirm whether an iDRAC privilege is set for the group "Group DN cn=test-servers,ou=Groups,dc=domain,dc=com"?
beren43, April 9th, 2020 00:00
DELL-Shine K (4 Operator), April 9th, 2020 05:00
Can you perform an ldapsearch on the domain and check which attribute is used to add users to the group? E.g. in the example below the uniqueMember attribute is used to capture the user information in the group. The same attribute needs to be configured in the "Attribute of Group Membership" field in iDRAC.
ldapsearch -x -b 'dc=domain,dc=com' '(cn=ldapgroup)'
dn: cn=ldapgroup,ou=test,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: ldapgroup
uniqueMember: cn=ldapuser,ou=test,dc=domain,dc=com
DELL-Shine K (4 Operator), April 9th, 2020 06:00
Instead of posixGroup, can you create a group with an objectClass of groupOfUniqueNames, add the member DNs with uniqueMember (as shown below), and try to configure this group in iDRAC?
dn: cn=ldapgroup,ou=test,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: ldapgroup
uniqueMember: cn=ldapuser,ou=test,dc=domain,dc=com
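As an added example, not part of this thread and not Dell's implementation, the Python below models the role-group check that DELL-Shine K describes in the April 10th reply and in the ldapsearch and groupOfUniqueNames posts: the user is located under the Base DN by the login attribute, then each role group's membership attribute is compared either against the user's full DN ("Use Distinguished Name to Search Group Membership" enabled) or against the bare login name (disabled). The directory is a constructed LDIF built from the two group entries posted in the thread; the user entries, the uid=test_ipmi DN and the "member/uniqueMember by default" behaviour are assumptions taken from the replies, and the error string is the one quoted in the opening post. Running it reproduces the failure for the opening post's settings and shows which settings make each group type work.

```python
"""Added example (not Dell's code): model of a generic-LDAP role-group
check under the two "Use Distinguished Name" modes discussed in the thread."""

# Constructed LDIF. The two groups are the ones posted in the thread; the
# user entries (and the uid=test_ipmi DN) are assumptions for this example.
SAMPLE_LDIF = """\
dn: uid=test_ipmi,ou=Users,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: test_ipmi
cn: test_ipmi

dn: cn=test-servers,ou=Groups,dc=domain,dc=com
objectClass: posixGroup
gidNumber: 10016
cn: test-servers
memberUid: test_ipmi

dn: cn=ldapuser,ou=test,dc=domain,dc=com
objectClass: inetOrgPerson
uid: ldapuser
cn: ldapuser

dn: cn=ldapgroup,ou=test,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: ldapgroup
uniqueMember: cn=ldapuser,ou=test,dc=domain,dc=com
"""

NO_ROLE_GROUP = "The user is not a member of any role group that allows access to iDRAC."
DEFAULT_GROUP_ATTRS = ("member", "uniqueMember")  # per the reply: tried when none is set


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form for comparisons."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF parser (no base64/continuation lines): {dn: {attr: [values]}}."""
    directory = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        directory[normalize_dn(attrs.pop("dn")[0])] = attrs
    return directory


def find_user_dn(directory, base_dn, login_attr, login):
    """Subtree search under base_dn for (login_attr=login); returns the DN or None."""
    base = normalize_dn(base_dn)
    for dn, attrs in directory.items():
        if dn != base and not dn.endswith("," + base):
            continue
        if login.lower() in (v.lower() for v in attrs.get(login_attr.lower(), [])):
            return dn
    return None


def is_member(directory, group_dn, user_dn, login, group_attr, use_dn):
    """use_dn=True compares member values as DNs (groupOfUniqueNames/uniqueMember);
    use_dn=False compares them as plain login names (posixGroup/memberUid)."""
    group = directory.get(normalize_dn(group_dn))
    if group is None:
        return False
    for attr in ([group_attr] if group_attr else DEFAULT_GROUP_ATTRS):
        for value in group.get(attr.lower(), []):
            if use_dn and normalize_dn(value) == user_dn:
                return True
            if not use_dn and value.lower() == login.lower():
                return True
    return False


def authorize(directory, settings, login):
    """Return (granted, message) for one login attempt under the given settings."""
    user_dn = find_user_dn(directory, settings["base_dn"], settings["login_attr"], login)
    if user_dn is None:
        return False, "user not found under %s" % settings["base_dn"]
    for role_group_dn in settings["role_groups"]:
        if is_member(directory, role_group_dn, user_dn, login,
                     settings.get("group_attr"), settings["use_dn"]):
            return True, "granted via role group %s" % role_group_dn
    return False, NO_ROLE_GROUP


# Settings from the opening post: DN mode on, membership attribute left at default.
THREAD_SETTINGS = {"base_dn": "dc=domain,dc=com", "login_attr": "uid", "use_dn": True,
                   "group_attr": None,
                   "role_groups": ["cn=test-servers,ou=Groups,dc=domain,dc=com"]}
# The combination that worked for the poster: memberUid with DN mode off.
FIXED_SETTINGS = dict(THREAD_SETTINGS, use_dn=False, group_attr="memberUid")
# The alternative suggested later: a groupOfUniqueNames role group in DN mode.
DN_GROUP_SETTINGS = dict(THREAD_SETTINGS, role_groups=["cn=ldapgroup,ou=test,dc=domain,dc=com"])

if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    for label, s, who in [("original settings", THREAD_SETTINGS, "test_ipmi"),
                          ("memberUid, DN off", FIXED_SETTINGS, "test_ipmi"),
                          ("memberUid, DN on", dict(FIXED_SETTINGS, use_dn=True), "test_ipmi"),
                          ("uniqueMember, DN on", DN_GROUP_SETTINGS, "ldapuser")]:
        print("%-20s %-10s -> %s" % (label, who, authorize(d, s, who)))
```

The third case is the one worth keeping in mind: naming memberUid as the membership attribute is not enough on its own, because in DN mode the bare value "test_ipmi" is compared against the user's full DN and never matches, which is exactly the "not a member of any role group" result. A separate caveat about the opening post's settings: with Certificate Validation disabled, the iDRAC cannot tell the real directory server from anything else answering on 10.10.24.4, and the ldap_client bind password is sent to whatever it connects to; once the group lookup works, re-enabling validation with the server's CA is the sensible follow-up.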
millardfillmore, September 3rd, 2020 15:00
I can successfully configure an iDRAC 9 with OpenLDAP. The "Test" function works fine when I enter an authorized user and password:
However, when I actually try and log in as that user, I get the following error:
I cannot figure out why this is happening. Any help?
Dell-DylanJ, September 4th, 2020 10:00
Hello,
What firmware are you running on the iDRAC? In theory, it should "just work," but I've run into a couple of cases where it didn't, and running a racadm resetcfg resolved the issue. One thing to note: that would clear your configuration on the iDRAC, too. If trying that command is something you want to consider, make sure you can reconfigure the iDRAC.
millardfillmore, September 4th, 2020 13:00
Hi, thanks for the suggestion. Doing a full reset on the iDRAC and reconfiguring it solved the problem. Weird. In case you need to know, the RAC details are:
Thanks!