Monday, September 12, 2011

HP ILO2 Authentication through OpenLDAP on HP DL385G2


Many companies are using HP servers because of the easier management of ILO(Integrated Lights-Out). After you deployed a large number of HP servers, you'll find one problem which is to manage all the ILO administrator password. Since the ILO provides the directory setting which you can use the centralized LDAP database for authentication, but HP doesn't documented how to configure it through OpenLDAP.

This articles guides you to configure a openldap server specially for doing HP ILO2 authentication. I'm using RedHat Enterprise Linux 4 update 5 and OpenLDAP. It's only being tested on HP DL385G2 server although it might be working for other models too.

The following is the some important concept for enabling ilo2 authentication through openldap.

On OpenLDAP:
  • Adding ‘memberOf’ attribute and ‘user’ objectclass into openldap (details later)
  • Allow version 2 binding in /etc/openldap/slapd.conf which is ‘allow bind_v2’
  • Slapd must also listen on port 636(ldaps)
On ILO2:

  • Using schema-free configuration in ILO
  • Specify port 636 and OpenLDAP servername or IP address
  • Configuring user context and group DN
Special schema for ilo auth in /etc/openldap/slapd.conf
[root@repo openldap]# grep -e ilo.schema -e bind_v2 /etc/openldap/slapd.conf
include /etc/openldap/schema/ilo.schema
allow bind_v2

[root@repo openldap]# grep TLS /etc/openldap/slapd.conf
TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
Note: must enable TLS for listening on port 636 for ilo ldaps connection

[root@repo openldap]# more /etc/openldap/schema/ilo.schema
attributetype ( 1.3.6.1.4.1.15959.9.1.1
NAME 'memberOf'
DESC 'Group which user belongs to'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

objectclass ( 1.3.6.1.4.1.15959.9.2.1
NAME 'memberOf'
SUP top AUXILIARY
DESC 'Required by Integrated Lights-Out for OpenLDAP '
MUST ( memberOf )
)

objectclass ( 1.3.6.1.4.1.15959.9.2.2
NAME 'user'
SUP top AUXILIARY
DESC 'Required by Integrated Lights-Out for OpenLDAP '
)
Import ldif
Note: replace ou=linuxtechres and dc=blogspot,dc=com with your organization ones.

[root@repo ldif]# more base.ldif
dn: dc=blogspot,dc=com
dc: blogspot
description: Root LDAP entry
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=linuxtechres,dc=blogspot,dc=com
objectclass: top
objectclass: organizationalunit
ou: linuxtechres

dn: ou=groups,ou=linuxtechres,dc=blogspot,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups
dn: ou=users,ou=linuxtechres,dc=blogspot,dc=com
objectclass: top
objectclass: organizationalunit
ou: users
[root@repo ldif]# more user.ldif
dn: cn=jephe.wu,ou=users,ou=linuxtechres,dc=blogspot,dc=com
cn: jephe.wu
uid: jephe.wu
sn: Wu
uidnumber: 1000
homedirectory: /home/jephe.wu
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectclass: inetorgperson
objectClass: memberOf
objectClass: user
shadowLastChange: 13650
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 100
displayname: Jephe Wu
userPassword: {SSHA}7znBGbK5/GMGWVryUuunxgQ87N8L38/b
memberOf: cn=iloadmin,ou=groups,ou=linuxtechres,dc=blogspot,dc=com
[root@repo ldif]# more groups.ldif
dn: cn=iloadmin,ou=groups,ou=linuxtechres,dc=blogspot,dc=com
cn: iloadmin
objectClass: top
objectClass: groupofnames
member: cn=jephe.wu,ou=linuxtechres,dc=blogspot,dc=com

ILO Configuration

Enable the following options on ILO2 (Administration-Security- Directory Settings)
Use Directory Default Schema
Local User Accounts Enabled
Directory Server Address: FQDN of openldap server or ip address
Directory Server LDAP Port 636
Directory User Context 1 ou=users,ou=linuxtechres,dc=blogspot,dc=com
 
Then go to ‘Administrator Groups’:
Security Group Distinguished Name cn=iloadmin,ou=groups,ou=linuxtechres,dc=blogspot,dc=com
Administer Group Accounts Allowed 
Remote Console Access Allowed
Virtual Power and Reset Allowed
Virtual Media Allowed 
Configure iLO 2 Settings Allowed
That's it. Now you can login ILO2 as jephe.wu with your openldap entry password for every HP servers in your data center which are configured with openldap authentication.