Configure Windows ADS Authentication for HP iLO 2 card
Introduction
The HP iLO boards that come with HP servers are a useful alternative to KVM. They allow for remote console access and troubleshooting: all you have to do is point a browser at the iLO board's IP address, supply login credentials and you are connected. Each iLO can either have its own local username and password as credentials or it can use an LDAP directory such as Windows Active Directory to authenticate. This article describes how to set up your iLO to use Windows Active Directory.
Intended Audience
System admins who manage many HP servers using iLO and don't wish to maintain / remember iLO passwords for each server.
Step 1. Ensure your Windows 2003 Active Directory supports queries over SSL.
Information on how to do this can be found here.
Step 2. Create an iLO admin group in your Active Directory
1. Open the "Active Directory Users and Computers" MMC for the domain you wish to authenticate against. In my case my Active Directory is called "mytest.domain.com".
2. Under an appropriate OU create a new permissions group. I am creating mine under Users and I am naming it "ilo". This is the group that you use to grant access to the iLO board.
3. Create a new user or add an existing user to this domain. I am adding a user called daves.
We now have an ADS user to use for iLO authentication.
Step 3. Obtain the Directory User Context for the OU which contains the iLO group and the Security Group Distinguished Name for the iLO group
In my case the iLO group is found under the "Users" OU. Therefore my context is
CN=Users,DC=mytest,DC=domain,DC=com
and the Security Group Distinguished Name for the iLO group is
CN=ilo,CN=Users,DC=mytest,DC=domain,DC=com
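A mistyped DN is an easy way to end up with a directory login that silently fails, so it helps to derive the values rather than type them twice. The following is an added example, not part of the original article: it takes the Security Group Distinguished Name, derives the Directory User Context as this article defines it (the container holding the group) and checks that a domain controller FQDN belongs to the domain named by the DC= components. The function names are hypothetical; the DN and host name are the article's own sample values.

```python
# Added example: derive and sanity-check the iLO directory settings from the
# group DN. Function names are hypothetical; sample values are the article's.

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes kept)."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).lstrip())
    for rdn in parts:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
    return parts

def user_context(group_dn):
    """Directory User Context as the article uses it: the group's container."""
    rdns = split_dn(group_dn)
    if len(rdns) < 2:
        raise ValueError("group DN has no parent container")
    return ",".join(rdns[1:])

def domain_of(dn):
    """DNS domain name spelled out by the DC= components of the DN."""
    labels = [r.partition("=")[2] for r in split_dn(dn)
              if r.partition("=")[0].strip().upper() == "DC"]
    if not labels:
        raise ValueError("DN has no DC= components")
    return ".".join(labels).lower()

def host_in_domain(fqdn, dn):
    """True if the domain controller FQDN lies inside the DN's domain."""
    return fqdn.lower().rstrip(".").endswith("." + domain_of(dn))

if __name__ == "__main__":
    group = "CN=ilo,CN=Users,DC=mytest,DC=domain,DC=com"
    print("Security Group DN      :", group)
    print("Directory User Context :", user_context(group))
    print("AD domain              :", domain_of(group))
    print("DC inside domain       :", host_in_domain("mypdc.mytest.domain.com", group))
```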
Configure your iLO card
1. Open the iLO card web management page. Select the Administration tab.
2. Choose User Administration from the left-hand pane.
3. Select the "Group Accounts" tab.
4. Choose a directory group. This group will be the one that you associate with your ADS iLO group. You will assign it the level of permissions you wish to grant. Highlight "Administrator" and click "View/Modify".
5. Under Modify Group, in "Security Group Distinguished Name", enter the LDAP path of the iLO group we created earlier. In my case it is
CN=ilo,CN=Users,DC=mytest,DC=domain,DC=com
6. Now tell the iLO card the details of the domain controller for the domain. From the Administration tab choose Security, then choose the Directory tab.
7. Enter the details of your ADS domain controller. Choose "Use Directory Default Schema". Enter the FQDN of your domain controller (mine is mypdc.mytest.domain.com). Enter the LDAP port 636. In Directory User Context 1, enter the context for the OU which contains your ADS permissions group. In my case it is
CN=Users,DC=mytest,DC=domain,DC=com
Now click Apply. You should now be able to use the Active Directory account (mytest\daves or daves@mytest.domain.com) you created to log in to iLO. Use the test function on this page, as it is useful for troubleshooting problems. See below for an example of a working test!
John
I am not sure
How to add one more Directory User Context in iLO2