The main technical problem is that, for authentication in the RMCP/RMCP+ protocol, the password has to be known on both ends of the communication in order to verify the user. For LDAP, this information is not available to the BMC, since it is available only at the LDAP server. Other access methods to the BMC, such as http/telnet/ssh etc., can query this information from the user (interactively) and pass it to the LDAP server for verification/authentication before granting access. This is typically performed with a bind operation to the LDAP server.

For instance, in the quite easy case of RMCP and MD5 authentication, the MD5 hash for every command after the activate session is built as a hash over the user's password, the session ID, the raw IPMI command data, the sequence number and again the user's password. The BMC performs the same steps to verify/authenticate the command. While ipmitool has been given the password as a parameter, the BMC has no way of retrieving the plain password for a given user from the LDAP server. Only local user information is available to the BMC. Also note that in most cases the password itself is not stored in plain on the LDAP server, but only in hashed or encrypted form.

The only potential technical solution would be using plain/password authentication in the RMCP protocol, which would transmit the (Domain) password in plain over the wire, which nobody would be interested in.

Another limitation is the fact that the RMCP protocol specifies only 16 bytes as maximum username length, which puts a hard limit on the domain and/or username. Avocent\detweiler would already be too long…

Holger
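Holger's description of the IPMI 1.5 MD5 AuthCode, worked through as an added example (not code from this thread or from ipmitool): it builds the hash exactly as he lists the inputs, shows a BMC verifying a packet from a locally stored plaintext password, and shows that a BMC holding only a one-way hash (what a directory typically stores) cannot verify the same packet. It assumes the IPMI v1.5 layout of a 16-byte zero-padded password field and 4-byte little-endian session ID and sequence number; the password, session ID and message bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

IPMI_PASSWORD_LEN = 16  # fixed-size password field in the IPMI v1.5 AuthCode input
IPMI_USERNAME_MAX = 16  # maximum username length in RMCP/IPMI v1.5 session setup


def pad_password(password: bytes) -> bytes:
    """Zero-pad (or truncate) the password to the 16-byte field the AuthCode hashes."""
    return password[:IPMI_PASSWORD_LEN].ljust(IPMI_PASSWORD_LEN, b"\x00")


def md5_authcode(password: bytes, session_id: int, msg_data: bytes, seq: int) -> bytes:
    """AuthCode = MD5(password || session ID || IPMI msg data || sequence number || password).
    Session ID and sequence number are packed as 4-byte little-endian (assumed layout)."""
    pw = pad_password(password)
    h = hashlib.md5()
    for part in (pw, struct.pack("<I", session_id), msg_data, struct.pack("<I", seq), pw):
        h.update(part)
    return h.digest()


def bmc_verify(stored_secret: bytes, session_id: int, msg_data: bytes, seq: int, received: bytes) -> bool:
    """The BMC side: recompute the AuthCode from the secret it holds and compare in constant time.
    This only succeeds when stored_secret is the user's plaintext password (local user table)."""
    return hmac.compare_digest(md5_authcode(stored_secret, session_id, msg_data, seq), received)


def directory_style_hash(password: bytes) -> bytes:
    """Stand-in for what an LDAP directory stores instead of the password: a one-way hash."""
    return hashlib.sha256(password).digest()


def username_fits(username: str) -> bool:
    """RMCP usernames are capped at 16 bytes, so DOMAIN\\user strings easily exceed it."""
    return len(username.encode()) <= IPMI_USERNAME_MAX


def demo() -> dict:
    password = b"YadaYada"                     # constructed, from the thread's example
    session_id, seq = 0x0A0B0C0D, 0x00000007   # constructed session values
    msg_data = b"\x20\x18\xc8\x81\x04\x06\x75"  # constructed raw IPMI command bytes
    authcode = md5_authcode(password, session_id, msg_data, seq)  # what ipmitool sends
    return {
        # BMC with a local user entry holding the plaintext password: verifies.
        "local_bmc_verifies": bmc_verify(password, session_id, msg_data, seq, authcode),
        # BMC that could only obtain a hash of the password: cannot rebuild the AuthCode.
        "hash_only_bmc_verifies": bmc_verify(directory_style_hash(password), session_id, msg_data, seq, authcode),
        "short_name_fits": username_fits("Blah\\BlahBlah"),
        "long_name_fits": username_fits("Avocent\\detweiler"),
    }
```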
From: Detweiler, Dick [mailto:dick.detwei...@avocent.com]
Sent: Monday, March 01, 2010 3:37 PM
To: Ipmitool-devel@lists.sourceforge.net
Subject: [Ipmitool-devel] ipmitool and domain usernames
Hello all,
There is a user BlahBlah defined in Windows Domain Blah with password
YadaYada. The BMC has been configured to accept authentications through the
Blah domain such that user BlahBlah can log in to the BMC’s native interface.
Is there a way to configure ipmitool so that the BMC would correctly interpret:
ipmitool -I lanplus -L ADMINISTRATOR+ -U Blah\BlahBlah -P YadaYada ….
Or is this BMC specific? Not allowed?
Thanks for any enlightenment,
Dick
_______________________________________________
Ipmitool-devel mailing list
Ipmitool-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipmitool-devel