Unsolved
1 Message
0
433
November 23rd, 2022 04:00
iDRAC 7 and LDAP with password+totp pin login not working due to duplicate binding as user
Hi, we're trying to implement 2FA authentication onto our LDAP for our critical infrastructure including out-of-band management, but we hit a roadblock with iDRAC where it doesn't work as it's trying to reuse the same credentials multiple times (first for login, then for LDAP BIND, even when a dedicated Bind DN credentials are specified).
Is there a way how to make it work without credential reuse or make the second bind not use the credentials of the authenticating user (for example, specifying a search filter)?
LDAP Server we use is FreeIPA with Yubikey OTP.
Things tried:
- iDRAC firmware is up to date
- Tried soft and hard restart of the iDRAC
- LDAP with just password login and no totp PIN works
Here's how the Generic LDAP Configuration and Management is setup with sensitive information replaced with placeholders:
| Enable Generic LDAP | Yes |
| Use Distinguished Name to Search Group Membership | No |
| LDAP Server Address | domain.example.com |
| LDAP Server Port | 636 (LDAPS) |
| Bind DN | uid=binduser,cn=sysaccounts,cn=etc,dc=domain,dc=example,dc=com |
| Update Bind Password | yes |
| Bind Password | |
| Base DN to Search | cn=compat,dc=domain,dc=example,dc=com |
| Attribute of User Login | uid |
| Attribute of Group Membership | memberUid |
| Search Filter |
Log from testing the LDAP connection with sensitive information replaced with placeholders:
16:34:47 Initiating Directory Services Settings Diagnostics:
16:34:47 trying LDAP server domain.example.com:636
16:34:47 Server Address domain.example.com resolved to 192.168.0.1
16:34:47 connect to 192.168.0.1:636 passed
16:34:47 Connecting to ldaps://[domain.example.com]:636...
16:34:47 Test user authenticated user=uid=ldap_bind,cn=sysaccounts,cn=etc,dc=domain,dc=example,dc=com
host=domain.example.com
16:34:47 Search command:
Bind DN: uid=ldap_bind,cn=sysaccounts,cn=etc,dc=domain,dc=example,dc=com
Scope: subtree
Base DN: cn=compat,dc=domain,dc=example,dc=com
Search filter: (uid=full.name)
Attribute list:
objectClass
memberOf
dn
uid
objectCategory
defaultNamingContext
namingContexts
ldapServiceName
supportedControl
supportedExtension
16:34:47 Connecting to ldaps://[domain.example.com]:636...
16:34:47 Test user authenticated user=uid=full.name,cn=users,cn=compat,dc=domain,dc=example,dc=com host=domain.example.com
###Here's where credentials are reused with the token that's invalid as it was already used for previous login
16:34:47 Connecting to ldaps://[domain.example.com]:636...
16:34:48 ERROR: bind failed: Invalid credentials, (null):
user=uid=full.name,cn=users,cn=compat,dc=domain,dc=example,dc=com host=domain.example.comIs there a way how to make this work?
Thank you
DELL-Chris H
Moderator
Moderator
•
9.4K Posts
0
November 23rd, 2022 09:00
Thundersteak,
With this question I would suggest calling in to support and working with software support high complexity group, as it is likely going to take access to the systems.
BytesAndBourbon
1 Rookie
1 Rookie
•
9 Posts
0
September 28th, 2023 17:37
Hello, were you able to find a solution here? Was trying to recreate this for a user and think I'm running into the same thing. Password+TOPT not working.
BytesAndBourbon
1 Rookie
1 Rookie
•
9 Posts
0
December 20th, 2023 15:47
Looks like iDRAC 7.00.60.00 fixed this