Systems Management General

Last reply by 11-23-2022 Unsolved

iDRAC 7 and LDAP with password+totp pin login not working due to duplicate binding as user

Hi, we're trying to implement 2FA authentication on our LDAP for our critical infrastructure, including out-of-band management, but we hit a roadblock with iDRAC where it doesn't work, as it's trying to reuse the same credentials multiple times (first for login, then for the LDAP BIND, even when dedicated Bind DN credentials are specified).

Is there a way to make it work without credential reuse, or to make the second bind not use the credentials of the authenticating user (for example, by specifying a search filter)?

LDAP Server we use is FreeIPA with Yubikey OTP.

Things tried:

  • iDRAC firmware is up to date
  • Tried soft and hard restart of the iDRAC
  • LDAP with just password login and no totp PIN works

Here's how the Generic LDAP Configuration and Management is set up, with sensitive information replaced with placeholders:

Enable Generic LDAP: Yes
Use Distinguished Name to Search Group Membership: No
LDAP Server Address: domain.example.com
LDAP Server Port: 636 (LDAPS)
Bind DN: uid=binduser,cn=sysaccounts,cn=etc,dc=domain,dc=example,dc=com
Update Bind Password: yes
Bind Password: 
Base DN to Search: cn=compat,dc=domain,dc=example,dc=com
Attribute of User Login: uid
Attribute of Group Membership: memberUid
Search Filter: 


Log from testing the LDAP connection with sensitive information replaced with placeholders:

16:34:47  Initiating Directory Services Settings Diagnostics:
16:34:47  trying LDAP server domain.example.com:636
16:34:47  Server Address domain.example.com resolved to 192.168.0.1
16:34:47  connect to 192.168.0.1:636 passed
16:34:47  Connecting to ldaps://[domain.example.com]:636...
16:34:47  Test user authenticated user=uid=ldap_bind,cn=sysaccounts,cn=etc,dc=domain,dc=example,dc=com host=domain.example.com
16:34:47  Search command:
   Bind DN: uid=ldap_bind,cn=sysaccounts,cn=etc,dc=domain,dc=example,dc=com
   Scope: subtree
   Base DN: cn=compat,dc=domain,dc=example,dc=com
   Search filter: (uid=full.name)
   Attribute list:
   objectClass
   memberOf
   dn
   uid
   objectCategory
   defaultNamingContext
   namingContexts
   ldapServiceName
   supportedControl
   supportedExtension
16:34:47  Connecting to ldaps://[domain.example.com]:636...
16:34:47  Test user authenticated user=uid=full.name,cn=users,cn=compat,dc=domain,dc=example,dc=com host=domain.example.com
### Here's where the credentials are reused, with a token that is now invalid because it was already consumed by the previous login
16:34:47  Connecting to ldaps://[domain.example.com]:636...
16:34:48  ERROR: bind failed: Invalid credentials, (null): user=uid=full.name,cn=users,cn=compat,dc=domain,dc=example,dc=com host=domain.example.com

Is there a way to make this work?

Thank you 
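The diagnostic log above shows three simple binds: one with the Bind DN, one as the user (which consumes the one-time code), and a second one as the user with the same password+OTP string, which the directory rejects. The following script is an added example, not Dell's iDRAC code or FreeIPA's, that models that behaviour offline: a toy directory with service accounts and password+TOTP users that accepts a given TOTP value at most once per time step (the replay protection an OTP-enabled directory enforces), plus the iDRAC-style bind sequence beside a client flow that binds as the user only once. The DNs, the bind password, the user password, the TOTP seed and the fixed clock value are all constructed placeholders; the RFC 6238 TOTP routine uses only the Python standard library.

```python
import hashlib
import hmac
import struct

# Constructed placeholders mirroring the DNs in the post; not real accounts.
BIND_DN = "uid=ldap_bind,cn=sysaccounts,cn=etc,dc=domain,dc=example,dc=com"
BIND_PW = "bind-secret"
USER_DN = "uid=full.name,cn=users,cn=compat,dc=domain,dc=example,dc=com"
USER_PW = "user-password"
USER_SEED = b"constructed-totp-seed-not-a-real-key"
NOW = 1_700_000_000  # fixed clock so the run is deterministic
STEP = 30
DIGITS = 6


def totp(seed: bytes, now: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits)."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class OtpDirectory:
    """Toy LDAP directory: plain service accounts plus password+TOTP users.

    A TOTP value is accepted at most once per user per time step, which is
    the replay protection a real OTP-enabled directory enforces.
    """

    def __init__(self) -> None:
        self.service_accounts = {}  # dn -> static password
        self.otp_users = {}         # dn -> (static password, TOTP seed)
        self.consumed = set()       # (dn, time step) pairs already accepted

    def add_service_account(self, dn: str, password: str) -> None:
        self.service_accounts[dn] = password

    def add_otp_user(self, dn: str, password: str, seed: bytes) -> None:
        self.otp_users[dn] = (password, seed)

    def bind(self, dn: str, credential: str, now: int) -> bool:
        """Simple bind: True on success, False on 'Invalid credentials'."""
        if dn in self.service_accounts:
            return hmac.compare_digest(self.service_accounts[dn], credential)
        if dn not in self.otp_users:
            return False
        password, seed = self.otp_users[dn]
        # The password field carries the static password followed by the OTP digits.
        static, code = credential[:-DIGITS], credential[-DIGITS:]
        if not hmac.compare_digest(static, password) or code != totp(seed, now):
            return False
        key = (dn, now // STEP)
        if key in self.consumed:
            return False  # same token presented a second time: rejected as a replay
        self.consumed.add(key)
        return True


def build_directory() -> OtpDirectory:
    d = OtpDirectory()
    d.add_service_account(BIND_DN, BIND_PW)
    d.add_otp_user(USER_DN, USER_PW, USER_SEED)
    return d


def idrac_sequence(d: OtpDirectory, user_credential: str, now: int) -> list:
    """The three binds visible in the diagnostic log, in order."""
    return [
        d.bind(BIND_DN, BIND_PW, now),           # search bind with the Bind DN
        d.bind(USER_DN, user_credential, now),   # user authentication: consumes the OTP
        d.bind(USER_DN, user_credential, now),   # second bind with the same password+OTP
    ]


def single_user_bind_sequence(d: OtpDirectory, user_credential: str, now: int) -> list:
    """Client flow that presents the user's password+OTP exactly once and
    performs every lookup under the Bind DN."""
    return [
        d.bind(BIND_DN, BIND_PW, now),           # lookup bind
        d.bind(USER_DN, user_credential, now),   # the only user bind
    ]


if __name__ == "__main__":
    cred = USER_PW + totp(USER_SEED, NOW)
    print("iDRAC-style sequence:", idrac_sequence(build_directory(), cred, NOW))
    print("single user bind:    ", single_user_bind_sequence(build_directory(), cred, NOW))
```

Running it gives `[True, True, False]` for the logged sequence and `[True, True]` for the single-bind flow. The point for anyone evaluating OTP on out-of-band management: the failure is not a misconfiguration of the directory, because rejecting a second presentation of the same one-time code is exactly what the OTP layer is for; any client that needs to bind more than once with the user's own credential cannot work with single-use tokens, and the fix has to be on the client side (one user bind, with group lookups done under the Bind DN).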

Reply (1)

Thundersteak,

With this question I would suggest calling in to support and working with software support high complexity group, as it is likely going to take access to the systems.

Chris Hawk
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#Iwork4Dell
