On 01/13/2014 10:44 PM, Les Stott wrote:
>
> Been banging my head against the wall on this one for a few days,
> trying to get a workable configuration for HP ILO to authenticate via
> FreeIPA.
>
> I have a standard rhel6 environment (64 bit 6.4) with freeipa server
> (ipa-3.0.0-37.el6).
>
> The following works for me......
>
> HP ILO4 Firmware 1.22
> Default Directory Schema
> Directory Server Address: fqdn_of_myfreeipaserver
> Directory Server LDAP Port: 636
> Directory User Context 1: cn=users,cn=accounts,dc=mydomain,dc=com
> Directory Groups: cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com
>
> ....but only if I login with my full dn....
>
> Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com
>
> The test settings button in the ILO works only with the full dn.
>
> It doesn't work if I use the uid (less), or the cn (Les Stott).
>
> I can then login to ILO with ....
>
> Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com
>
> If I try to login with the cn, Les Stott, I see an error in the logs...
>
> [13/Jan/2014:22:36:29 -0500] ipalockout_postop - [file ipa_lockout.c,
> line 473]: Failed to retrieve entry "CN=Les
> Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32
>
> I've read a lot of things about getting this to work. Apparently there
> are issues with HP ILO requiring the username in cn format but it's in
> uid format in freeipa. You should also be able to login with your cn,
> but that doesn't work.
>
> I had a crack at trying Kerberos authentication as well, but it
> doesn't work and errors with "Additional Pre-authentication required".
>
> Has anyone successfully been able to get HP ILO to work with FreeIPA
> such that you can login with just the username (i.e. "less") or the CN
> (i.e. "Les Stott")?
>
> Are schema changes required?
>
> Alternatively has anyone been able to get HP ILO to work with Kerberos
> auth to FreeIPA?
>
> Any help would be greatly appreciated.
>
> Regards,
>
> Les
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Have you searched the freeipa-users archives? The issue sounds familiar and
I vaguely recalled there was a workaround.
This is the thread:
https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html

I think you can use the compat plugin on the IPA to expose the tree in the
way HP ILO expects.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

