On 01/13/2014 10:44 PM, Les Stott wrote:
> Been banging my head against the wall on this one for a few days,
> trying to get a workable configuration for HP ILO to authenticate via
> FreeIPA.
>
> I have a standard rhel6 environment (64 bit 6.4) with freeipa server
> (ipa-3.0.0-37.el6).
>
> The following works for me......
>
> HP ILO4 Firmware 1.22
> Default Directory Schema
> Directory Server Address: fqdn_of_myfreeipaserver
> Directory Server LDAP Port: 636
> Directory User Context 1: cn=users,cn=accounts,dc=mydomain,dc=com
> Directory Groups: cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com
>
> ....but only if I login with my full dn....
>
> Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com
>
> The test settings button in the ILO works only with the full dn.
>
> It doesn't work if I use the uid (less), or the cn (Les Stott).
>
> I can then login to ILO with ....
>
> Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com
>
> If I try to login with the cn, Les Stott, I see an error in the logs...
>
> [13/Jan/2014:22:36:29 -0500] ipalockout_postop - [file ipa_lockout.c, line 473]: Failed to retrieve entry "CN=Les Stott,cn=users,cn=accounts,dc=mydomain,dc=com": 32
>
> I've read a lot of things about getting this to work. Apparently there
> are issues with HP ILO requiring the username in cn format but it's in
> uid format in freeipa. You should also be able to login with your cn,
> but that doesn't work.
>
> I had a crack at trying Kerberos authentication as well, but it
> doesn't work and errors with "Additional Pre-authentication required".
>
> Has anyone successfully been able to get HP ILO to work with FreeIPA
> such that you can login with just the username (i.e. "less") or the CN
> (i.e. "Les Stott")?
>
> Are schema changes required?
>
> Alternatively has anyone been able to get HP ILO to work with Kerberos
> auth to FreeIPA?
>
> Any help would be greatly appreciated.
>
> Regards,
>
> Les
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

Have you searched freeipa-users archives? The issue sounds familiar and I vaguely recalled there was a workaround.

This is the thread:
https://www.redhat.com/archives/freeipa-users/2013-November/msg00019.html

I think you can use compat plugin on the IPA to expose the tree in the way HP ILO expects.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
