Configuring HP iLO for OpenLDAP

hpiloopenldap

I have been working with some new HP DL360 Gen9 server. I'm attempting to configure these for LDAP authentication against our OpenLDAP directory and not having much luck.

First, all of our Distinguished Names for user accounts start with "uid=" and not "cn=". Our LDAP groups naturally follow the same convention.

So, a user account is uid=,ou=People,dc=domain,dc=com

And a group contains these listed in it as members.

This is almost how all LDAP directories that work with Linux/Unix clients are configured. I've been able to successfully integrate several other supposed "AD only systems", but this one eludes me.

Reading the info I can find, HP is looking for the cn attribute, which while cute, is not going to work in this case. I am beginning to suspect that there is no way to do this with HP – a huge shortcoming on their part for sure.

Has anyone here successfully done this and gotten things to work, or should I just throw in the towel?

Thanks again!

Best Answer

Standard OpenLDAP overlays do include support for "memberOf", even enabled by default in recent distributions.

iLO 4 firmware v2.54 download site (hpe.com) added support for OpenLDAP, including using the "uid" attribute for user logins using short names with a search context, and support for proper LDAP-standard Group member attributes instead of the User's memberOf attribute.

Related Solutions

Ldap – Retrieve operational attributes from OpenLDAP

How come my search doesn't work when I explicitly ask for namingContexts attribute?

What is not working? Do you recieve an error?

When there is a plus sign it returns all the attributes, regardless if namingContexts is added.

Using:

ldapsearch -x -H ldap://ldap.example.com -s base -b "" namingContexts

Returns:

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts 
#

#
dn:
namingContexts: o=example.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

It is also listed using:

ldapsearch -x -H ldap://ldap.example.com -s base -b "" +

Returning:

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: + 
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
namingContexts: o=example.com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Ldap – Configuring OpenLDAP as a Active Directory Proxy

You need to add mappings to your slapd.conf file:

moduleload rwm
...
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map objectClass posixGroup group 
rwm-map objectClass posixAccount person
rwm-map objectClass memberUid member

Then you can search for the uid attribute instead of the sAMAccountName attribute in your .htaccess file:

AuthLDAPURL "ldap://breauthsrv01.xxx.de:389/OU=xxx,DC=int,DC=xxx,DC=de?uid?sub"

Best Answer

Related Solutions

Ldap – Retrieve operational attributes from OpenLDAP

Ldap – Configuring OpenLDAP as a Active Directory Proxy

Related Topic