
How to use the HP Integrated Lights-Out (iLO) with eDirectory


The big advantage of iLO is that you can fully control your server remotely, including BIOS settings, inserting CDs, and so on. With the licensed iLO functions, a remote server can be completely installed without a person being in front of the server. ... Great!

But first you need to authenticate to the iLO - and here you may want to use your eDirectory credentials. This Cool Solution describes how to do that, without extending the Schema of your Tree (Use Directory Default Schema).

This is easy to do, because the eDir - LDAP Configuration (Attribute Mapping) can be easily changed.

You need to know the context of the users who should be able to remotely control your server. In addition, these users must be members of a group. You can create more than one group: one for the admins, who are allowed to do everything with your server, and one for the users who are only allowed to use the “Remote Control Function” and nothing else.

The Rights are defined later in the iLO Directory Configuration.

First, your iLO must be licensed and accessible on the network. Then you need to authenticate to your iLO with administration rights.

Log in as Administrator and open the "Directory Settings" in the "Administration" banner.


Choose "Use Directory Default Schema" and enter the IP Address or DNS Name of your eDir Server in the "Directory Server Address" field. The “Directory Server LDAP Port” should be "636" to enable secure LDAP Connections.


Leave "LOM Object Distinguished Name" and "LOM Object Password" empty, because you don't need to extend your Schema to authenticate against eDir.

Fill in at least the "Directory User Context 1" with a valid LDAP Context. For example o=Organization or ou=Users,o=YourOrg

iLO searches for users only in the configured Directory User Contexts 1 to 3, not in their sub-contexts.

Now press "Apply Settings" and the first part is done.

Open Administration -> Directory Settings again - you should see your saved Settings.

Now choose "Administer Groups" and select the Administrator Group.

Enter a valid "Security Group Distinguished Name". This must be the name of an existing group, in our example "cn=iLOAdminGroup,o=Organization". Notice that this is an LDAP name, so you must use a comma (not a dot). Then click "Save Group Information".


If you need to, you can also define a User Group that is only allowed to remote control the server, but not to power the server off or on.

Choose Users -> View/Modify and enter a User Group. Choose the desired rights: only "Remote Console Access".

After saving this, the iLO Admin Part is ready. Nevertheless - the test with Administration > Directory Settings -> Test Settings will fail. One additional step is required to make the Authentication work:

To explain this, here is the LDAP Trace of the Test Settings with our valid User iLOAdmin.

[Screenshot: LDAP trace of the Test Settings run]

As you can see, the iLOAdmin could successfully log in, but the iLO searches for an attribute: "memberOf" - and that doesn't exist at this moment.

eDirectory's group membership attribute in the user class is called "groupMembership".

You need to add an LDAP attribute mapping to your LDAP Group object.

In iManager, open the LDAP role and choose LDAP Options. A few moments later you will see an overview of all your LDAP objects. By default there is one Group per server.

Choose the LDAP Group object of the server you have used in the iLO Configuration.


Click on Attribute Map and if there is no eDirectory Attribute "Group Membership", use the plus sign to add a mapping.


In "View/Modify Mapping", choose "Group Membership" from the "eDirectory Attribute" list. In "Maps to Primary LDAP Attribute", enter "groupMembership". This is the default, and entering the default value here doesn't change the default behavior of your LDAP Group object.

Now, under "Secondary LDAP Attributes (optional):", click the + sign and enter "memberOf".

This is the attribute that iLO wants to see. I recommend you fill in the Description too.

Press OK to change the settings.

There is a new entry in the List of Attribute Mappings:

Group Membership <-> groupMembership.

Use Apply to save the new LDAP Group Settings.


That's all!

Now let's test the new function.

Open your iLO Administrator interface again, open Administration -> Directory Settings and press "Test Settings".

Enter your eDirectory credentials and "Test Directory Settings" -> Success

Now you can log on to the HP Integrated Lights-Out (iLO) with your eDirectory credentials.
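
The login flow described above, as an added Python sketch (not HP or Novell code): a simplified model in which the LDAP Group attribute map translates the name iLO asks for, `memberOf`, to eDirectory's Group Membership attribute, and a user is accepted only when located directly in a Directory User Context. The class and function names and the sample objects are assumptions made for illustration.

```python
# Simplified model of the directory login described above (constructed data).
def norm_dn(dn):
    """Lower-case a DN and strip spaces around RDNs (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parent_dn(dn):
    """Container that directly holds the object: the DN minus its first RDN."""
    return norm_dn(dn).partition(",")[2]

class LdapGroupMap:
    """Attribute map of an LDAP Group object: eDirectory name -> LDAP names."""
    def __init__(self):
        # Default mapping named in the article.
        self.names = {"Group Membership": ["groupMembership"]}

    def add_secondary(self, edir_attr, ldap_name):
        self.names.setdefault(edir_attr, []).append(ldap_name)

    def resolve(self, ldap_name):
        """Return the eDirectory attribute an LDAP name maps to, or None."""
        for edir_attr, ldap_names in self.names.items():
            if ldap_name.lower() in (n.lower() for n in ldap_names):
                return edir_attr
        return None

def directory_login(user_dn, user_attrs, contexts, group_dn, attr_map):
    """Return (allowed, reason) for a user whose bind already succeeded."""
    if parent_dn(user_dn) not in {norm_dn(c) for c in contexts}:
        return False, "user not directly in a Directory User Context"
    edir_attr = attr_map.resolve("memberOf")   # the attribute iLO asks for
    if edir_attr is None:
        return False, "memberOf is not mapped on the LDAP Group object"
    groups = {norm_dn(g) for g in user_attrs.get(edir_attr, [])}
    if norm_dn(group_dn) not in groups:
        return False, "user is not in the security group"
    return True, "ok"

# Constructed sample objects, using the names from the article.
USER = {"Group Membership": ["cn=iLOAdminGroup,o=Organization"]}
CONTEXTS = ["o=Organization"]
GROUP = "cn=iLOAdminGroup, o=Organization"

if __name__ == "__main__":
    amap = LdapGroupMap()
    print(directory_login("cn=iLOAdmin,o=Organization", USER, CONTEXTS, GROUP, amap))
    amap.add_secondary("Group Membership", "memberOf")
    print(directory_login("cn=iLOAdmin,o=Organization", USER, CONTEXTS, GROUP, amap))
    print(directory_login("cn=iLOAdmin,ou=Users,o=Organization", USER, CONTEXTS, GROUP, amap))
```

The first call fails because `memberOf` is unmapped, the second succeeds once the secondary mapping exists, and the third fails because the user sits in a sub-context.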

What happens if the LDAP server is down?
If the LDAP server is down you can still log in with the built-in Administrator account.
Does one need to import the certificate into iLO first?

When trying against an OES2 on Linux server I do get the following warning:

Warning: certificate does not match Directory Server Address

Nope, just a warning, doesn't need to be imported.

You can put multiple LDAP servers separated by a space and a comma if you wish, if you're concerned about one going down; otherwise there's always the local account if unavailable.

In iLo 3 you don't even need to map the attributes, it just works...although not as quickly as iLo 2.
Revision 2 of 2, last update: 2020-03-10 17:24