Unsolved
May 26th, 2021 07:00
iDrac 9 and LDAP configuration
I am running into a problem trying to configure LDAP and iDrac. My schema is using groupOfUniqueNames for the group objectClass and uniqueMember for the group membership attribute.
My config:
Generic LDAP: Enabled
Use Distinguished Name: Enabled
Base DN to Search: ou=people,dc=domain,dc=com
Attribute of User Login: uid
Attribute of Group Membership: uniqueMember
Search filter: blank
GroupDN: cn=monitoring,ou=groups,dc=domain,dc=com
Group Privilege: Read Only
Group attributes:
objectClass: groupOfUniqeNames
cn: monitoring
uniqueMember: uid=monitor,ou=groups,dc=domain,dc=com
User attributes:
objectClass: inetOrgPerson
memberOf: cn=monitoring,ou=groups,dc=domain,dc=com
uid: monitor
Results from test:
14:05:29 Initiating Directory Services Settings Diagnostics:
14:05:29 trying LDAP server server.domain.com:636
14:05:29 Server Address server.domain.com resolved to 0.0.0.0
14:05:29 connect to 0.0.0.0:636 passed
14:05:29 Connecting to ldaps://[server.domain.com]:636...
14:05:29 Test user authenticated user=cn=admin host=server.domain.com
14:05:29 Search command:
Bind DN: cn=admin
Scope: subtree
Base DN: ou=people,dc=domain,dc=com
Search filter: (uid=monitor)
Attribute list:
objectClass
memberOf
dn
uid
objectCategory
defaultNamingContext
namingContexts
ldapServiceName
supportedControl
supportedExtension
14:05:29 Connecting to ldaps://[server.domain.com]:636...
14:05:29 Test user authenticated user=uid=monitor,ou=people,dc=domain,dc=com host=server.domain.com
14:05:29 Connecting to ldaps://[server.domain.com]:636...
14:05:29 Test user authenticated user=uid=monitor,ou=people,dc=domain,dc=com host=server.domain.com
14:05:29 Search command:
Bind DN: uid=monitor,ou=people,dc=domain,dc=com
Scope: base
Base DN: cn=monitoring,ou=groups,dc=domain,dc=com
Search filter: (uniqueMember=uid=monitor,ou=people,dc=domain,dc=com)
Attribute list:
objectClass
memberOf
dn
uid
objectCategory
defaultNamingContext
namingContexts
ldapServiceName
supportedControl
supportedExtension
14:05:29 ERROR: The user is not a member of any role group that allows access to iDRAC.
No Events found!


DELL-Shine K
May 26th, 2021 09:00
Can you try "Base DN to Search" without ou as "dc=domain,dc=com"?
JScovill
May 26th, 2021 10:00
Yes, I also tried that but same result.
Someone posted a similar situation, and it was related to the fact that the group membership is checked using the authenticating user's creds instead of the bind user's creds, and the authenticating user didn't have permissions to read the attributes of the group to determine the membership.
iDRAC6 LDAP ERROR - Dell Community
Can you confirm whether that is the behaviour with idrac 9?
DELL-Shine K
May 26th, 2021 19:00
Are you using a bind DN in the configuration? If yes, are you giving it as just a name or as a DN? Can you try without a bind DN, if the LDAP server supports that? Can you also confirm whether you have the latest iDRAC FW installed on the server?
JScovill
May 27th, 2021 07:00
My bind DN in this case is cn=admin (it's a Red Hat 389 server).
I have the latest iDRAC FW installed.
This is the result without a bind DN:
DELL-Shine K
May 27th, 2021 07:00
Can you try the bind DN in DN format (e.g. cn=admin,ou=people,dc=domain,dc=com)?
JScovill
May 27th, 2021 08:00
That doesn't work either as the actual DN is cn=admin.
DELL-Shine K
May 27th, 2021 09:00
Can you confirm which OU the user "monitor" is part of?
According to the group, the user "monitor" is in the OU "groups":
objectClass: groupOfUniqeNames
cn: monitoring
uniqueMember: uid=monitor,ou=groups,dc=domain,dc=com
but it looks like the user "monitor" is in the OU "people":
uid=monitor,ou=people,dc=domain,dc=com
JScovill
May 27th, 2021 10:00
The group "monitoring" that the monitor user is in is in the 'groups' OU.
The 'monitor' user is in the 'people' OU.
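The diagnostics output above shows exactly what iDRAC does for the role-group check: it binds as the authenticating user (not as cn=admin), then runs a base-scope search on the group DN with the filter (uniqueMember=&lt;bind DN&gt;). That search can only return the group if one uniqueMember value is DN-equal to the user's bind DN and the bound user is allowed to read uniqueMember. The script below is an added example, not code from the thread or from Dell: it replays that logged search offline against an entry constructed from the posted group attributes, reports which RDN differs when there is no match, and shows what the same check looks like when an ACI hides uniqueMember from the user. The DN normalization is a simplified distinguishedNameMatch (no escaped commas or multi-valued RDNs), which is enough for the DNs in this thread.

```python
"""Replay the iDRAC 9 role-group membership search offline (added example)."""
import re

# Constructed from the group attributes posted in the thread (not read from a live directory).
GROUP_ENTRY = {
    "dn": "cn=monitoring,ou=groups,dc=domain,dc=com",
    "objectClass": ["groupOfUniqueNames"],
    "cn": ["monitoring"],
    "uniqueMember": ["uid=monitor,ou=groups,dc=domain,dc=com"],
}
USER_BIND_DN = "uid=monitor,ou=people,dc=domain,dc=com"

# The second "Search command" block from the posted iDRAC diagnostics, copied as constructed input.
IDRAC_LOG = """\
14:05:29 Search command:
Bind DN: uid=monitor,ou=people,dc=domain,dc=com
Scope: base
Base DN: cn=monitoring,ou=groups,dc=domain,dc=com
Search filter: (uniqueMember=uid=monitor,ou=people,dc=domain,dc=com)
"""


def normalize_dn(dn):
    """Simplified distinguishedNameMatch: split on unescaped commas, lowercase attribute
    types, trim whitespace, and case-fold values (uid/ou/cn/dc all use caseIgnoreMatch)."""
    rdns = re.split(r"(?<!\\),", dn)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def parse_search_command(log):
    """Pull bind DN, scope, base DN and filter out of an iDRAC 'Search command' block."""
    fields = {}
    for key, pat in (("bind_dn", r"Bind DN:\s*(.+)"), ("scope", r"Scope:\s*(\S+)"),
                     ("base_dn", r"Base DN:\s*(.+)"), ("filter", r"Search filter:\s*(.+)")):
        m = re.search(pat, log)
        fields[key] = m.group(1).strip() if m else None
    return fields


def parse_equality_filter(flt):
    """Split '(attr=value)' into (attr, value); DN values contain '=', so split on the first only."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", flt.strip())
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    return m.group(1), m.group(2)


def explain_mismatch(wanted, present):
    """Report which RDNs differ between the DN iDRAC searched for and the stored member DN(s)."""
    want = normalize_dn(wanted).split(",")
    notes = []
    for v in present:
        have = normalize_dn(v).split(",")
        diffs = [f"{a} != {b}" for a, b in zip(want, have) if a != b]
        if len(want) != len(have):
            diffs.append("different number of RDNs")
        notes.append(f"{v}: " + "; ".join(diffs))
    return "no uniqueMember equals the bind DN: " + " | ".join(notes)


def evaluate_membership_search(entry, search):
    """Apply the logged base-scope equality search to the group entry as the server would.
    `entry` holds only the attributes the bound user is allowed to read, so an ACI that hides
    uniqueMember from ordinary users shows up here as a missing attribute. Returns (matched, reason)."""
    if search["scope"] != "base":
        raise ValueError("iDRAC uses scope=base for the group check")
    if normalize_dn(entry["dn"]) != normalize_dn(search["base_dn"]):
        return False, "base DN is not the group entry"
    attr, wanted = parse_equality_filter(search["filter"])
    present = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if not present:
        return False, f"group has no {attr} values visible to {search['bind_dn']}"
    for v in present:
        if normalize_dn(v) == normalize_dn(wanted):
            return True, f"{attr} matches bind DN"
    return False, explain_mismatch(wanted, present)


if __name__ == "__main__":
    search = parse_search_command(IDRAC_LOG)
    print("as posted:      ", evaluate_membership_search(GROUP_ENTRY, search))
    fixed = dict(GROUP_ENTRY, uniqueMember=[USER_BIND_DN])
    print("member = bind DN:", evaluate_membership_search(fixed, search))
    hidden = {k: v for k, v in GROUP_ENTRY.items() if k != "uniqueMember"}
    print("ACI hides member:", evaluate_membership_search(hidden, search))
    # Equivalent live check, bound as the user rather than as cn=admin (assumed server name from the log):
    # ldapsearch -H ldaps://server.domain.com:636 -D "uid=monitor,ou=people,dc=domain,dc=com" -W \
    #   -b "cn=monitoring,ou=groups,dc=domain,dc=com" -s base \
    #   "(uniqueMember=uid=monitor,ou=people,dc=domain,dc=com)" uniqueMember
```

Running it against the posted attributes reports "ou=people != ou=groups": the stored uniqueMember names an entry under ou=groups while the user authenticated as uid=monitor,ou=people, so the base-scope search returns nothing regardless of which bind DN is configured for the initial lookup. The ldapsearch in the trailing comment performs the same query against the real server as the user; an empty result with the corrected member DN points at the 389 ACIs on uniqueMember rather than at the iDRAC settings.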