How to use the HP Integrated Lights-Out (iLO) with eDirectory
The big Advantage of iLO is, that you can fully control your server including BIOS Settings, remotely insert CDs, and so on. With the licensed iLO functions, a remote server can be completely installed without a person being in front of the server. ... Great!
But first you need to authenticate to the iLO - and here you may want to use your eDirectory credentials. This Cool Solution describes how to do that, without extending the Schema of your Tree (Use Directory Default Schema).
This is easy to do, because the eDir - LDAP Configuration (Attribute Mapping) can be easily changed.
You need to know the context of the users that should be able to remote control your server. In addition to this users must be member of a group. You can create more groups: One for the admins - they are allowed to do everything with your server, and one for the users that are only allowed to use the “Remote Control Function” - nothing else.
The Rights are defined later in the iLO Directory Configuration.
First your iLO must be licensed and accessible in the Network. Now you need to Authenticate to your iLO with Administration rights.
Login as Administrator and open the "Directory Settings" in the "Administration" banner.
Choose "Use Directory Default Schema" and enter the IP Address or DNS Name of your eDir Server in the "Directory Server Address" field. The “Directory Server LDAP Port” should be "636" to enable secure LDAP Connections.
Leave "LOM Object Distinguished Name" and "LOM Object Password" empty, because you don't need to extend your Schema to authenticate against eDir.
Fill in at least the "Directory User Context 1" with a valid LDAP Context. For example o=Organization or ou=Users,o=YourOrg
iLO will search for users only in the given user Context 1 to 3 - not in sub contexts.
Now press "Apply Settings" and the first part is done.
Open Administration -> Directory Settings again - you should see your saved Settings.
Now choose "Administer Groups" and select the Administrator Group.
Enter a Valid "Security Group Distinguished Name". This must be the Name of a existing Group. In our Example "cn=iLOAdminGroup,o=Organization". Notice that this is an LDAP Name, so you must use a comma (not a dot). "Save Group Information"
If you need to, you can also define a User Group, that is only allowed to remote control the server, but not to power off or on the server.
Choose Users -> View/Modify and enter a User Group. Choose the desired Rights, only "Remote Console Access".
After saving this, the iLO Admin Part is ready. Nevertheless - the test with Administration > Directory Settings -> Test Settings will fail. One additional step is required to make the Authentication work:
To explain this, here is the LDAP Trace of the Test Settings with our valid User iLOAdmin.
As you can see, the iLOAdmin could successfully log in, but the iLO searches for an attribute: "memberOf" - and that doesn't exist at this moment.
The eDirectorys Group Membership attribute in the user class is called "groupMembership".
You need to add a LDAP Attribute mapping to your LDAP – Group Object.
In iManager open the Role LDAP and choose LDAP Options. A few moments later you will see an overview of all your LDAP objects. Per default there is one Group per Server.
Choose the LDAP Group object of the server you have used in the iLO Configuration.
Click on Attribute Map and if there is no eDirectory Attribute "Group Membership", use the plus sign to add a mapping.
In the "View/Modify Mapping" choose "Group Membership" from the "eDirectory Attribute" list. In the "Maps to Primary LDAP Attribute" enter "groupMembership". This is the default, but entering the default value here, doesn't change the default behavior of your LDAP Group Object.
Now in the "Secondary LDAP Attributes (optional):" choose the + sign , and enter "memberOf".
This is the attribute what iLO wants to see. I recommend you fill in the Description too.
Press OK to change the settings.
There is a new entry in the List of Attribute Mappings:
Group Membership <-> groupMembership.
Use Apply to save the new LDAP Group Settings.
Now lets test the new function.
Open your iLO Administrator interface again, open Administration -> Directory Settings and press "Test Settings".
Enter your eDirectory credentials and "Test Directory Settings" -> Success
Now you can log on to the HP Integrated Lights-Out (iLO) with your eDirectory credentials.