Oracle® ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2.x

Updated: November 2019

Configuring LDAP

System administrators can configure Oracle ILOM to use the Lightweight Directory Access Protocol (LDAP) service to authenticate users. This service is based on a client-server query model that uses a read-only proxy user account to query the LDAP server for user authentication.

In Oracle ILOM, the LDAP service State property is disabled by default. To enable the LDAP service state and configure the properties for using the LDAP directory service for user authentication, see these tables:

Table 31   Requirements for Enabling Oracle ILOM as an LDAP Client
Prior to configuring Oracle ILOM as an LDAP client, the LDAP server must be properly configured. Refer to the following guidelines, and to the Related Information section, when configuring the LDAP server to recognize Oracle ILOM as an LDAP client.
  • Ensure that the LDAP server is set to use the default {crypt} password format. The passwords of all LDAP users authenticating to Oracle ILOM must be stored in one of the following two {crypt} formats:

    userPassword: {CRYPT}ajCa2He4PJhNo

    userPassword: {CRYPT}$1$pzKng1$du1Bf0NWBjh9t3FbUgf46

  • Refer to the Internet Engineering Task Force schema (RFC 2307) to add the posixAccount and shadowAccount object classes, and then populate the required property values for:

    - uidnumber

    - gidnumber

    - uid (Oracle ILOM user name)

  • Enable the LDAP server to accept anonymous binds, or create a proxy user on the LDAP server to have read-only access for all user accounts authenticating to Oracle ILOM.
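
As an added example (not Oracle's code and not part of this guide), the following Python script checks an LDIF export of the LDAP user entries against the Table 31 requirements: the RFC 2307 object classes and attributes, and the two accepted {CRYPT} password forms. The embedded export is constructed sample data, and the regular expressions for the two {CRYPT} digest shapes are an assumption that deliberately does not enforce exact digest length.

```python
import re
REQUIRED_CLASSES = {"posixaccount", "shadowaccount"}  # RFC 2307 object classes Table 31 requires
REQUIRED_ATTRS = {"uid", "uidnumber", "gidnumber"}    # RFC 2307 attributes Oracle ILOM reads
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")                        # traditional crypt(3) digest
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]+$")  # MD5-crypt $1$salt$digest

def parse_ldif(text):
    """One {attr_lowercase: [values]} dict per entry; plain 'attr: value' lines only ('::' base64 not decoded)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def crypt_format_ok(userpassword):
    """True if the value is {CRYPT} in one of the two digest shapes Table 31 lists (assumed lenient)."""
    scheme, _, digest = userpassword.partition("}")
    return scheme.upper() == "{CRYPT" and bool(DES_CRYPT.match(digest) or MD5_CRYPT.match(digest))

def check_entry(entry):
    """Return the Table 31 problems for one entry; an empty list means Oracle ILOM can authenticate it."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = [f"missing objectClass {c}" for c in sorted(REQUIRED_CLASSES - classes)]
    problems += [f"missing attribute {a}" for a in sorted(REQUIRED_ATTRS - set(entry))]
    pws = entry.get("userpassword", [])
    if not pws or not all(crypt_format_ok(p) for p in pws):
        problems.append("userPassword not in an accepted {CRYPT} format")
    return problems

def check_ldif(text):
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}  # dn -> problems

# Constructed sample export (not real accounts): jsmith meets every requirement, ajones does not.
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=IT,dc=mycompany,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: jsmith
uidNumber: 1001
gidNumber: 100
userPassword: {CRYPT}$1$pzKng1$du1Bf0NWBjh9t3FbUgf46

dn: uid=ajones,ou=IT,dc=mycompany,dc=com
objectClass: posixAccount
uid: ajones
userPassword: {SSHA}Y29uc3RydWN0ZWQtc2FtcGxlLXZhbHVl
"""
```

Run `check_ldif` over a real `ldapsearch -LLL` export of the searchbase before pointing Oracle ILOM at the server; any entry with a non-empty problem list will fail authentication even though the account exists.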

Table 32  Enabling Oracle ILOM to Use LDAP Authentication
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/ldap

  • Web: ILOM Administration > User Management > LDAP Settings

  • User Role: User Management (u) (required for all property modifications)

Property: State (state=)
  Default Value: Disabled
  Accepted Values: Disabled | Enabled
  Description: To enable Oracle ILOM to authenticate users using the LDAP directory service, set the State property to enabled. When the State property is enabled, Oracle ILOM queries the LDAP server to authenticate LDAP users.
  CLI State Syntax:
    set /SP|CMM/clients/ldap/ state=disabled|enabled

Property: Roles (defaultrole=)
  Default Value: Operator
  Accepted Values: Administrator | Operator | Advanced
  Description: To define which features in Oracle ILOM are accessible to LDAP-authenticated users, set the default Roles property to one of three Oracle ILOM user roles: Administrator (a|u|c|r|o), Operator (c|r|o), or Advanced (a|u|c|r|o|s). Authorization levels for using features within Oracle ILOM are dictated by the user privileges granted by the configured Oracle ILOM user role. For a description of the privileges assigned, see the user role and user profile topics listed in the Related Information section below.
  CLI Roles Syntax:
    set /SP|CMM/clients/ldap/ defaultrole=administrator|operator|a|u|c|r|o|s

Property: Address (address=)
  Default Value: 0.0.0.0
  Accepted Values: IP address | DNS host name (LDAP server)
  Description: To configure the LDAP server network address, populate the Address property with the LDAP server IP address or DNS host name. If a DNS host name is used, the DNS configuration properties in Oracle ILOM must be properly configured and operational.
  CLI Address Syntax:
    set /SP|CMM/clients/ldap/ address=ldap_server_ip_address|ldap_server_dns_host_name

Property: Port (port=)
  Default Value: 389
  Accepted Values: 389 | User-specified TCP port
  Description: By default, Oracle ILOM uses TCP port 389 to communicate with the OpenLDAP server. If necessary, configure Oracle ILOM to use another port by changing the default Port value (389).
  CLI Port Syntax:
    set /SP|CMM/clients/ldap/ port=number

Property: Searchbase (searchbase=)
  Accepted Values: ou=organization_unit | dn=domain_name | dc=domain
  Description: The Searchbase is the location in the LDAP tree where Oracle ILOM searches to validate user credentials. Using the accepted input format, populate the Searchbase property with the Distinguished Name of the search base object, or with the LDAP tree branch in which Oracle ILOM should search for the LDAP user accounts. For example, to search the IT container in the MyCompany.com domain, you would specify a search base of:
    ou=IT, dc=mycompany, dc=com
  CLI Searchbase Syntax:
    set /SP|CMM/clients/ldap/ searchbase=ou=organization_name, dn=domain_name, dc=domain

Property: Bind DN (binddn=)
  Accepted Values: ou=organization_unit | dn=domain_name | dc=domain | cn=common_name
  Description: To provide Oracle ILOM with read-only access to the LDAP server, populate the Bind DN property with the Distinguished Name (DN) of a read-only proxy user.
  Note: Oracle ILOM must have read-only access to the LDAP server in order to search for and authenticate LDAP users.
  CLI Bind DN Syntax:
    set /SP|CMM/clients/ldap/ binddn=cn=proxyuser, ou=organization_name, dc=domain

Property: Bind Password (bindpw=)
  Description: To provide Oracle ILOM with the password of the read-only proxy user, populate the Bind Password property with that password.
  CLI Bind Password Syntax:
    set /SP|CMM/clients/ldap/ bindpw=password

Property: Save
  Description: Web interface – To apply changes made to properties within the LDAP Settings page, you must click Save.