Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-16 Thread Alexander Bokovoy

On Thu, 16 Jan 2014, Petr Spacek wrote:

On 15.1.2014 23:13, KodaK wrote:

For the record, I spent quite a long time on this and finally gave up.  I
never found a work-around other than providing the entire DN, which I
wasn't about to do.


Did you try the slapi-nis from FreeIPA 3.3.3? Just for the record, so 
we will know if it works or not.

Note that it might not build or work well on RHEL 6.x.

--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-15 Thread Petr Spacek

On 15.1.2014 23:13, KodaK wrote:

For the record, I spent quite a long time on this and finally gave up.  I
never found a work-around other than providing the entire DN, which I
wasn't about to do.


Did you try the slapi-nis from FreeIPA 3.3.3? Just for the record, so we will 
know if it works or not.


Petr^2 Spacek


On Tue, Jan 14, 2014 at 11:53 PM, Alexander Bokovoy wrote:


On Wed, 15 Jan 2014, Les Stott wrote:


I can confirm that the password was typed in correctly. Maybe it's not
matching the account because it's the compat tree?


No, it is not matching because BIND over compat tree is only supported
with slapi-nis 0.48+, which is not a RHEL 6.x feature. As Dmitri said, it
is a feature available with FreeIPA 3.3.x, not 3.0.

--
/ Alexander Bokovoy




Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-15 Thread KodaK
For the record, I spent quite a long time on this and finally gave up.  I
never found a work-around other than providing the entire DN, which I
wasn't about to do.


On Tue, Jan 14, 2014 at 11:53 PM, Alexander Bokovoy wrote:

> On Wed, 15 Jan 2014, Les Stott wrote:
>
>> I can confirm that the password was typed in correctly. Maybe it's not
>> matching the account because it's the compat tree?
>>
> No, it is not matching because BIND over compat tree is only supported
> with slapi-nis 0.48+, which is not a RHEL 6.x feature. As Dmitri said, it
> is a feature available with FreeIPA 3.3.x, not 3.0.
>
> --
> / Alexander Bokovoy
>
>
>



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-14 Thread Alexander Bokovoy

On Wed, 15 Jan 2014, Les Stott wrote:

I can confirm that the password was typed in correctly. Maybe it's not
matching the account because it's the compat tree?

No, it is not matching because BIND over compat tree is only supported
with slapi-nis 0.48+, which is not a RHEL 6.x feature. As Dmitri said, it
is a feature available with FreeIPA 3.3.x, not 3.0.

--
/ Alexander Bokovoy



Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-14 Thread Les Stott
I can confirm that the password was typed in correctly. Maybe it's not matching 
the account because it's the compat tree?

Also, each authentication tries multiple bind combinations, 3 or 4 different 
combinations show up in the logs for 1 authentication attempt.

From the ILO help: "iLO attempts to contact the directory service by 
distinguished name, and then applies the search contexts in order until 
successful."

I'm beginning to think this is too hard... would hate to have to fall back to 
AD instead for central auth for ILO.

Regards,

Les

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Wednesday, 15 January 2014 2:13 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

On 01/14/2014 07:57 PM, Les Stott wrote:
Still no joy. Although I don't profess to be a schema changing expert.

Compat plugin was already enabled. Ipa version is 3.0.0-37.el6

So I modified /etc/dirsrv/slapd-MYDOMAIN-COM/dse.ldif...

Under
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
I set the following...
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-rdn: cn=%{cn}

Left the rest as default.
When I ldapsearch against the compat tree, I see it working the way I want 
(i.e. dn starts with cn instead of uid).
ldapsearch -x -b "cn=compat,dc=mydomain,dc=com" "cn=Les Stott"
# Les Stott, users, compat, mydomain.com
dn: cn=Les Stott,cn=users,cn=compat,dc=mydomain,dc=com

ILO Search context was set as: cn=users,cn=compat,dc=mydomain,dc=com


So it looks good, but when I test from ILO it fails still.
Try..
Les Stott
...It can't bind

[14/Jan/2014:21:52:31 -0500] conn=47 op=0 BIND dn="CN=Les 
Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=47 op=0 RESULT err=49 tag=97 nentries=0 
etime=0
[14/Jan/2014:21:52:31 -0500] conn=47 op=1 UNBIND
[14/Jan/2014:21:52:31 -0500] conn=48 op=0 BIND dn="Les Stott" authzid="(null)", 
invalid bind dn
[14/Jan/2014:21:52:31 -0500] conn=48 op=0 RESULT err=34 tag=97 nentries=0 
etime=0
[14/Jan/2014:21:52:31 -0500] conn=48 op=1 BIND dn="CN=Les 
Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=48 op=1 RESULT err=49 tag=97 nentries=0 
etime=0
[14/Jan/2014:21:52:31 -0500] conn=48 op=2 UNBIND
[14/Jan/2014:21:52:31 -0500] conn=50 op=0 BIND dn="CN=Les 
Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=50 op=0 RESULT err=49 tag=97 nentries=0 
etime=0
[14/Jan/2014:21:52:31 -0500] conn=50 op=1 UNBIND


Is it just not supported to bind against the compat tree in 3.0.0-37? Or am I 
doing something wrong?

Not sure, but err=49 means wrong password, and err=34 means invalid DN ("Les 
Stott" is not a DN).



Regards,

Les


From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Wednesday, 15 January 2014 8:36 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

On 01/14/2014 04:01 PM, Les Stott wrote:
I had seen that thread... 
https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html

all it says is...

On 11/05/2013 02:51 PM, KodaK wrote:
If I use the whole connection string:

uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

I can authenticate.
Which I can do successfully, but it's not great to have to tell everyone your 
username for ilo is uid=blah,cn=users,cn=accounts..etc

There is also mentioned in that thread...

"The HP iLO documentation doesn't list using the uid value as a supported form 
of specifying the login.  You can use the CN value or the full DN.  They say 
that "DOMAIN\user" and "user domain" forms are also accepted, but that likely 
only works against Active Directory."

CN doesn't work. full DN does.

I don't see any reference to a workaround via compat plugin in that thread.

Have you got any more info on the compat workaround?

You can create a compat tree using the compat plugin of IPA. It is used for NIS, 
support of Solaris clients and for AD trusts in the latest IPA.
As a simple test you can enable the plugin:

ipa-compat-manage enable



That will expose the tree on the cn=compat hive but using 2307 schema.

You can then change the configuration of the plugin to use uid value instead of 
CN in this view, i.e. expose CN as uid.

Then you can point your HP ILO to that tree.



AFAIU in the past it was not possible because we did not allow bind against 
the compat tree, but now we allow it, so it should work with the latest IPA 
3.3.x bits.



Details on how to change compat configuration can be found in the plugin 
configuration here:

https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc



I am not sure that would 100% work but IMO worth a shot.






Thanks,

L
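The access log quoted in the message above shows one iLO login turning into several bind attempts on separate connections, each answered with err=49 or err=34. Here is an added example (not code from the list, FreeIPA or 389-ds) that pairs each BIND with its RESULT line and names the LDAP result codes; the sample lines are constructed to match the ones quoted above, including the mail wrapping:

```python
"""Pair 389-ds access-log BIND and RESULT lines and explain the result codes.
Added example for this thread, not code from the list, FreeIPA or 389-ds;
SAMPLE_LOG is constructed to match the lines quoted above, mail wrapping
included.
"""
import re
from collections import defaultdict

# Constructed sample: the access-log excerpt as it was quoted in the thread.
SAMPLE_LOG = """
[14/Jan/2014:21:52:31 -0500] conn=47 op=0 BIND dn="CN=Les
Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=47 op=0 RESULT err=49 tag=97 nentries=0
etime=0
[14/Jan/2014:21:52:31 -0500] conn=47 op=1 UNBIND
[14/Jan/2014:21:52:31 -0500] conn=48 op=0 BIND dn="Les Stott" authzid="(null)",
invalid bind dn
[14/Jan/2014:21:52:31 -0500] conn=48 op=0 RESULT err=34 tag=97 nentries=0
etime=0
[14/Jan/2014:21:52:31 -0500] conn=48 op=1 BIND dn="CN=Les
Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=48 op=1 RESULT err=49 tag=97 nentries=0
etime=0
[14/Jan/2014:21:52:31 -0500] conn=48 op=2 UNBIND
[14/Jan/2014:21:52:31 -0500] conn=50 op=0 BIND dn="CN=Les
Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=50 op=0 RESULT err=49 tag=97 nentries=0
etime=0
[14/Jan/2014:21:52:31 -0500] conn=50 op=1 UNBIND
"""

# LDAP resultCode -> (RFC 4511 name, what it meant for the iLO -> IPA binds here).
CODES = {
    0: ("success", "bind succeeded"),
    32: ("noSuchObject", "no entry with that DN (iLO built a CN=... DN that does not exist)"),
    34: ("invalidDNSyntax", "bare name sent as the bind DN (iLO sent the login as typed)"),
    49: ("invalidCredentials", "password rejected for that DN, or the backend "
         "does not support BIND at all (compat tree before slapi-nis 0.48)"),
}

BIND_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
    r'(?: method=(?P<method>\d+) version=\d+)?(?P<note>.*)$')
RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')


def unwrap(text):
    """Re-join entries the mailer wrapped: a line not starting with '['
    is the tail of the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_binds(text):
    """Return one record per BIND op, joined with its RESULT by (conn, op)."""
    pending, binds = {}, []
    for entry in unwrap(text):
        m = BIND_RE.match(entry)
        if m:
            rec = {"conn": int(m["conn"]), "op": int(m["op"]), "dn": m["dn"],
                   "simple_bind": m["method"] == "128",   # method=128 is simple
                   "note": m["note"].strip(" ,"), "err": None}
            pending[(rec["conn"], rec["op"])] = rec
            binds.append(rec)
            continue
        m = RESULT_RE.match(entry)
        if m:
            rec = pending.pop((int(m["conn"]), int(m["op"])), None)
            if rec is not None:
                rec["err"] = int(m["err"])
    return binds


def explain(rec):
    """One-line verdict for a bind record, as a triage script would print it."""
    name, why = CODES.get(rec["err"], ("unknown", "see RFC 4511"))
    return "conn=%d op=%d dn=%r -> err=%s (%s): %s" % (
        rec["conn"], rec["op"], rec["dn"], rec["err"], name, why)


def attempts_per_connection(binds):
    """conn -> DNs tried on it; one iLO login shows up as several of these."""
    by_conn = defaultdict(list)
    for rec in binds:
        by_conn[rec["conn"]].append(rec["dn"])
    return dict(by_conn)
```

Running `parse_binds(SAMPLE_LOG)` and printing `explain()` for each record gives three err=49 binds on the compat DN and one err=34 bind for the bare name, which is exactly the split Rich points out further down.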

Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-14 Thread Rich Megginson

On 01/14/2014 07:57 PM, Les Stott wrote:


Still no joy. Although I don't profess to be a schema changing expert.

Compat plugin was already enabled. Ipa version is 3.0.0-37.el6

So I modified /etc/dirsrv/slapd-MYDOMAIN-COM/dse.ldif...

Under

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

I set the following...

schema-compat-entry-attribute: cn=%{cn}

schema-compat-entry-rdn: cn=%{cn}

Left the rest as default.

When I ldapsearch against the compat tree, I see it working the way I 
want (i.e. dn starts with cn instead of uid).


ldapsearch -x -b "cn=compat,dc=mydomain,dc=com" "cn=Les Stott"

# Les Stott, users, compat, mydomain.com

dn: cn=Les Stott,cn=users,cn=compat,dc=mydomain,dc=com

ILO Search context was set as: cn=users,cn=compat,dc=mydomain,dc=com

So it looks good, but when I test from ILO it fails still.

Try..

Les Stott

...It can't bind

[14/Jan/2014:21:52:31 -0500] conn=47 op=0 BIND dn="CN=Les Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=47 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[14/Jan/2014:21:52:31 -0500] conn=47 op=1 UNBIND
[14/Jan/2014:21:52:31 -0500] conn=48 op=0 BIND dn="Les Stott" authzid="(null)", invalid bind dn
[14/Jan/2014:21:52:31 -0500] conn=48 op=0 RESULT err=34 tag=97 nentries=0 etime=0
[14/Jan/2014:21:52:31 -0500] conn=48 op=1 BIND dn="CN=Les Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=48 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[14/Jan/2014:21:52:31 -0500] conn=48 op=2 UNBIND
[14/Jan/2014:21:52:31 -0500] conn=50 op=0 BIND dn="CN=Les Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=50 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[14/Jan/2014:21:52:31 -0500] conn=50 op=1 UNBIND

Is it just not supported to bind against the compat tree in 3.0.0-37? 
Or am I doing something wrong?




Not sure, but err=49 means wrong password, and err=34 means invalid DN 
("Les Stott" is not a DN).



Regards,

Les

*From:* Dmitri Pal [mailto:d...@redhat.com]
*Sent:* Wednesday, 15 January 2014 8:36 AM
*To:* Les Stott
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] HP ILO Authentication via LDAP (or even 
kerberos)


On 01/14/2014 04:01 PM, Les Stott wrote:

I had seen that thread... 
https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html


all it says is...

On 11/05/2013 02:51 PM, KodaK wrote:

If I use the whole connection string:

uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

I can authenticate.

Which I can do successfully, but it's not great to have to tell 
everyone your username for ilo is uid=blah,cn=users,cn=accounts..etc


There is also mentioned in that thread...

"The HP iLO documentation doesn't list using the uid value as a 
supported form of specifying the login.  You can use the CN value or 
the full DN.  They say that "DOMAIN\user" and "user domain" forms are 
also accepted, but that likely only works against Active Directory."


CN doesn't work. full DN does.

I don't see any reference to a workaround via compat plugin in that 
thread.


Have you got any more info on the compat workaround?


You can create a compat tree using the compat plugin of IPA. It is used 
for NIS, support of Solaris clients and for AD trusts in the latest IPA.

As a simple test you can enable the plugin:

ipa-compat-manage enable
  
That will expose the tree on the cn=compat hive but using 2307 schema.

You can then change the configuration of the plugin to use uid value instead of 
CN in this view, i.e. expose CN as uid.
Then you can point your HP ILO to that tree.
  
AFAIU in the past it was not possible because we did not allow bind against the compat tree, but now we allow it, so it should work with the latest IPA 3.3.x bits.
  
Details on how to change compat configuration can be found in the plugin configuration here:

https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc
  
I am not sure that would 100% work but IMO worth a shot.
  





Thanks,

Les



*From:* freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal 
[d...@redhat.com]

*Sent:* Wednesday, January 15, 2014 3:30 AM
*To:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] HP ILO Authentication via LDAP (or even 
kerberos)


On 01/13/2014 10:44 PM, Les Stott wrote:

Been banging my head against the wall on this one for a few days, 
trying to get a workable configuration for HP ILO to authenticate via 
FreeIPA.


I have a standard rhel6 environment (64 bit 6

Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-14 Thread Les Stott
Still no joy. Although I don't profess to be a schema changing expert.

Compat plugin was already enabled. Ipa version is 3.0.0-37.el6

So I modified /etc/dirsrv/slapd-MYDOMAIN-COM/dse.ldif...

Under
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
I set the following...
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-rdn: cn=%{cn}

Left the rest as default.
When I ldapsearch against the compat tree, I see it working the way I want 
(i.e. dn starts with cn instead of uid).
ldapsearch -x -b "cn=compat,dc=mydomain,dc=com" "cn=Les Stott"
# Les Stott, users, compat, mydomain.com
dn: cn=Les Stott,cn=users,cn=compat,dc=mydomain,dc=com

ILO Search context was set as: cn=users,cn=compat,dc=mydomain,dc=com


So it looks good, but when I test from ILO it fails still.
Try..
Les Stott
...It can't bind

[14/Jan/2014:21:52:31 -0500] conn=47 op=0 BIND dn="CN=Les 
Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=47 op=0 RESULT err=49 tag=97 nentries=0 
etime=0
[14/Jan/2014:21:52:31 -0500] conn=47 op=1 UNBIND
[14/Jan/2014:21:52:31 -0500] conn=48 op=0 BIND dn="Les Stott" authzid="(null)", 
invalid bind dn
[14/Jan/2014:21:52:31 -0500] conn=48 op=0 RESULT err=34 tag=97 nentries=0 
etime=0
[14/Jan/2014:21:52:31 -0500] conn=48 op=1 BIND dn="CN=Les 
Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=48 op=1 RESULT err=49 tag=97 nentries=0 
etime=0
[14/Jan/2014:21:52:31 -0500] conn=48 op=2 UNBIND
[14/Jan/2014:21:52:31 -0500] conn=50 op=0 BIND dn="CN=Les 
Stott,cn=users,cn=compat,dc=mydomain,dc=com" method=128 version=2
[14/Jan/2014:21:52:31 -0500] conn=50 op=0 RESULT err=49 tag=97 nentries=0 
etime=0
[14/Jan/2014:21:52:31 -0500] conn=50 op=1 UNBIND


Is it just not supported to bind against the compat tree in 3.0.0-37? Or am I 
doing something wrong?

Regards,

Les


From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Wednesday, 15 January 2014 8:36 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

On 01/14/2014 04:01 PM, Les Stott wrote:
I had seen that thread... 
https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html

all it says is...

On 11/05/2013 02:51 PM, KodaK wrote:
If I use the whole connection string:

uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

I can authenticate.
Which I can do successfully, but it's not great to have to tell everyone your 
username for ilo is uid=blah,cn=users,cn=accounts..etc

There is also mentioned in that thread...

"The HP iLO documentation doesn't list using the uid value as a supported form 
of specifying the login.  You can use the CN value or the full DN.  They say 
that "DOMAIN\user" and "user domain" forms are also accepted, but that likely 
only works against Active Directory."

CN doesn't work. full DN does.

I don't see any reference to a workaround via compat plugin in that thread.

Have you got any more info on the compat workaround?

You can create a compat tree using the compat plugin of IPA. It is used for NIS, 
support of Solaris clients and for AD trusts in the latest IPA.
As a simple test you can enable the plugin:

ipa-compat-manage enable



That will expose the tree on the cn=compat hive but using 2307 schema.

You can then change the configuration of the plugin to use uid value instead of 
CN in this view, i.e. expose CN as uid.

Then you can point your HP ILO to that tree.



AFAIU in the past it was not possible because we did not allow bind against 
the compat tree, but now we allow it, so it should work with the latest IPA 
3.3.x bits.



Details on how to change compat configuration can be found in the plugin 
configuration here:

https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc



I am not sure that would 100% work but IMO worth a shot.





Thanks,

Les

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, January 15, 2014 3:30 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)
On 01/13/2014 10:44 PM, Les Stott wrote:
Been banging my head against the wall on this one for a few days, trying to get 
a workable configuration for HP ILO to authenticate via FreeIPA.

I have a standard rhel6 environment (64 bit 6.4) with freeipa server 
(ipa-3.0.0-37.el6).

The following works for me..

HP ILO4 Firmware 1.22
Default Directory Schema
Directory Server Address: fqdn_of_myfreeipaserver
Directory Server LDAP Port: 636
Directory User Context 1: cn=users,cn=accounts,dc=mydomain,dc=com
Directory Groups:

Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-14 Thread Dmitri Pal
On 01/14/2014 04:01 PM, Les Stott wrote:
> I had seen that thread...
> https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html
>
> all it says is...
>
> On 11/05/2013 02:51 PM, KodaK wrote:
>> If I use the whole connection string:
>>
>> uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
>>
>> I can authenticate.
> Which I can do successfully, but it's not great to have to tell
> everyone your username for ilo is uid=blah,cn=users,cn=accounts..etc
>
> There is also mentioned in that thread...
>
> "The HP iLO documentation doesn't list using the uid value as a
> supported form of specifying the login.  You can use the CN value or
> the full DN.  They say that "DOMAIN\user" and "user domain" forms are
> also accepted, but that likely only works against Active Directory."
>
> CN doesn't work. full DN does.
>
> I don't see any reference to a workaround via compat plugin in that
> thread.
>
> Have you got any more info on the compat workaround?
>

You can create a compat tree using the compat plugin of IPA. It is used for
NIS, support of Solaris clients and for AD trusts in the latest IPA.
As a simple test you can enable the plugin:

ipa-compat-manage enable

That will expose the tree on the cn=compat hive but using 2307 schema.
You can then change the configuration of the plugin to use uid value instead of 
CN in this view, i.e. expose CN as uid.
Then you can point your HP ILO to that tree.

AFAIU in the past it was not possible because we did not allow bind against 
the compat tree, but now we allow it, so it should work with the latest IPA 
3.3.x bits.

Details on how to change compat configuration can be found in the plugin 
configuration here:
https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc

I am not sure that would 100% work but IMO worth a shot.




> Thanks,
>
> Les
>
> 
> *From:* freeipa-users-boun...@redhat.com
> [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> [d...@redhat.com]
> *Sent:* Wednesday, January 15, 2014 3:30 AM
> *To:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] HP ILO Authentication via LDAP (or even
> kerberos)
>
> On 01/13/2014 10:44 PM, Les Stott wrote:
>>
>> Been banging my head against the wall on this one for a few days,
>> trying to get a workable configuration for HP ILO to authenticate via
>> FreeIPA.
>>
>>  
>>
>> I have a standard rhel6 environment (64 bit 6.4) with freeipa server
>> (ipa-3.0.0-37.el6).
>>
>>  
>>
>> The following works for me……
>>
>>  
>>
>> HP ILO4 Firmware 1.22
>>
>> Default Directory Schema
>>
>> Directory Server Address: fqdn_of_myfreeipaserver
>>
>> Directory Server LDAP Port: 636
>>
>> Directory User Context 1: cn=users,cn=accounts,dc=mydomain,dc=com
>>
>> Directory Groups: cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com
>>
>>  
>>
>> ….but only if I login with my full dn….
>>
>>  
>>
>> Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com
>>
>>  
>>
>> The test settings button in the ILO works only with the full dn.
>>
>>  
>>
>> It doesn’t work if I use the uid (less), or the cn (Les Stott).
>>
>>  
>>
>> I can then login to ILO with ….
>>
>> Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com
>>
>>  
>>
>> If I try to login with the cn, Les Stott I see an error in the logs…
>>
>>  
>>
>> [13/Jan/2014:22:36:29 -0500] ipalockout_postop - [file ipa_lockout.c,
>> line 473]: Failed to retrieve entry "CN=Les
>> Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32
>>
>>  
>>
>> I’ve read a lot of things about getting this to work. Apparently
>> there are issues with HP ILO requiring the username in cn format but
>> its in uid format in freeipa. You should also be able to login with
>> your cn, but that doesn’t work.
>>
>>  
>>
>> I had a crack at trying Kerberos authentication as well, but it
>> doesn’t work and errors with “Additional Pre-authentication required”.
>>
>>  
>>
>> Has anyone successfully been able to get HP ILO to work with FreeIPA
>> such that you can login with just the username (i.e. “less”) or the
>> CN (i.e. “Les Stott”)?
>>
>>  
>>
>> Are schema changes required?
>>
>>  
>>
>> Alternatively has anyone been able to get HP ILO to work with
>> Kerberos auth to FreeIPA?
>>
>>  
>>

Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-14 Thread Les Stott
I had seen that thread... 
https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html

all it says is...

On 11/05/2013 02:51 PM, KodaK wrote:
If I use the whole connection string:

uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

I can authenticate.
Which I can do successfully, but it's not great to have to tell everyone your 
username for ilo is uid=blah,cn=users,cn=accounts..etc

There is also mentioned in that thread...

"The HP iLO documentation doesn't list using the uid value as a supported form 
of specifying the login.  You can use the CN value or the full DN.  They say 
that "DOMAIN\user" and "user domain" forms are also accepted, but that likely 
only works against Active Directory."

CN doesn't work. full DN does.

I don't see any reference to a workaround via compat plugin in that thread.

Have you got any more info on the compat workaround?

Thanks,

Les


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, January 15, 2014 3:30 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

On 01/13/2014 10:44 PM, Les Stott wrote:
Been banging my head against the wall on this one for a few days, trying to get 
a workable configuration for HP ILO to authenticate via FreeIPA.

I have a standard rhel6 environment (64 bit 6.4) with freeipa server 
(ipa-3.0.0-37.el6).

The following works for me……

HP ILO4 Firmware 1.22
Default Directory Schema
Directory Server Address: fqdn_of_myfreeipaserver
Directory Server LDAP Port: 636
Directory User Context 1: cn=users,cn=accounts,dc=mydomain,dc=com
Directory Groups: cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com

….but only if I login with my full dn….

Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com

The test settings button in the ILO works only with the full dn.

It doesn’t work if I use the uid (less), or the cn (Les Stott).

I can then login to ILO with ….
Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com

If I try to login with the cn, Les Stott I see an error in the logs…

[13/Jan/2014:22:36:29 -0500] ipalockout_postop - [file ipa_lockout.c, line 
473]: Failed to retrieve entry "CN=Les 
Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32

I’ve read a lot of things about getting this to work. Apparently there are 
issues with HP ILO requiring the username in cn format but it's in uid format in 
freeipa. You should also be able to login with your cn, but that doesn’t work.

I had a crack at trying Kerberos authentication as well, but it doesn’t work 
and errors with “Additional Pre-authentication required”.

Has anyone successfully been able to get HP ILO to work with FreeIPA such that 
you can login with just the username (i.e. “less”) or the CN (i.e. “Les Stott”)?

Are schema changes required?

Alternatively has anyone been able to get HP ILO to work with Kerberos auth to 
FreeIPA?

Any help would be greatly appreciated.

Regards,

Les






Have you searched freeipa-users archives? The issue sounds familiar and I 
vaguely recalled there was a workaround.
This is the thread 
https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html

I think you can use compat plugin on the IPA to expose the tree in the way HP 
ILO expects.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-14 Thread Dmitri Pal
On 01/13/2014 10:44 PM, Les Stott wrote:
>
> Been banging my head against the wall on this one for a few days,
> trying to get a workable configuration for HP ILO to authenticate via
> FreeIPA.
>
>  
>
> I have a standard rhel6 environment (64 bit 6.4) with freeipa server
> (ipa-3.0.0-37.el6).
>
>  
>
> The following works for me..
>
>  
>
> HP ILO4 Firmware 1.22
>
> Default Directory Schema
>
> Directory Server Address: fqdn_of_myfreeipaserver
>
> Directory Server LDAP Port: 636
>
> Directory User Context 1: cn=users,cn=accounts,dc=mydomain,dc=com
>
> Directory Groups: cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com
>
>  
>
> but only if I login with my full dn
>
>  
>
> Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com
>
>  
>
> The test settings button in the ILO works only with the full dn.
>
>  
>
> It doesn't work if I use the uid (less), or the cn (Les Stott).
>
>  
>
> I can then login to ILO with 
>
> Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com
>
>  
>
> If I try to login with the cn, Les Stott I see an error in the logs...
>
>  
>
> [13/Jan/2014:22:36:29 -0500] ipalockout_postop - [file ipa_lockout.c,
> line 473]: Failed to retrieve entry "CN=Les
> Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32
>
>  
>
> I've read a lot of things about getting this to work. Apparently there
> are issues with HP ILO requiring the username in cn format but it's in
> uid format in freeipa. You should also be able to login with your cn,
> but that doesn't work.
>
>  
>
> I had a crack at trying Kerberos authentication as well, but it
> doesn't work and errors with "Additional Pre-authentication required".
>
>  
>
> Has anyone successfully been able to get HP ILO to work with FreeIPA
> such that you can login with just the username (i.e. "less") or the CN
> (i.e. "Les Stott")?
>
>  
>
> Are schema changes required?
>
>  
>
> Alternatively has anyone been able to get HP ILO to work with Kerberos
> auth to FreeIPA?
>
>  
>
> Any help would be greatly appreciated.
>
>  
>
> Regards,
>
>  
>
> Les
>
>  
>
>  
>
>
>
Have you searched freeipa-users archives? The issue sounds familiar and
I vaguely recalled there was a workaround.
This is the thread
https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html

I think you can use compat plugin on the IPA to expose the tree in the
way HP ILO expects.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




[Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-13 Thread Les Stott
Been banging my head against the wall on this one for a few days, trying to get 
a workable configuration for HP ILO to authenticate via FreeIPA.

I have a standard rhel6 environment (64 bit 6.4) with freeipa server 
(ipa-3.0.0-37.el6).

The following works for me..

HP ILO4 Firmware 1.22
Default Directory Schema
Directory Server Address: fqdn_of_myfreeipaserver
Directory Server LDAP Port: 636
Directory User Context 1: cn=users,cn=accounts,dc=mydomain,dc=com
Directory Groups: cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com

but only if I login with my full dn

Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com

The test settings button in the ILO works only with the full dn.

It doesn't work if I use the uid (less), or the cn (Les Stott).

I can then login to ILO with 
Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com

If I try to login with the cn, Les Stott I see an error in the logs...

[13/Jan/2014:22:36:29 -0500] ipalockout_postop - [file ipa_lockout.c, line 
473]: Failed to retrieve entry "CN=Les 
Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32

I've read a lot of things about getting this to work. Apparently there are 
issues with HP ILO requiring the username in cn format but it's in uid format in 
freeipa. You should also be able to login with your cn, but that doesn't work.

I had a crack at trying Kerberos authentication as well, but it doesn't work 
and errors with "Additional Pre-authentication required".

Has anyone successfully been able to get HP ILO to work with FreeIPA such that 
you can login with just the username (i.e. "less") or the CN (i.e. "Les Stott")?

Are schema changes required?

Alternatively has anyone been able to get HP ILO to work with Kerberos auth to 
FreeIPA?

Any help would be greatly appreciated.

Regards,

Les

