Chapter 4

Managing User Accounts

Topics

  • Configure user accounts
  • Configure SSH user key
  • Configure Active Directory settings
  • Configure LDAP settings
  • Configure LDAP/SSL settings
  • Configure RADIUS settings



Related Topics

  • Concepts: User Account Management; Guidelines for Managing User Accounts. See the Oracle Integrated Lights Out Manager (ILOM) 3.0 Concepts Guide (820-6410).
  • Web interface: Managing User Accounts. See the Oracle Integrated Lights Out Manager (ILOM) 3.0 Web Interface Procedures Guide (820-6411).
  • IPMI and SNMP hosts: Managing User Accounts. See the Oracle Integrated Lights Out Manager (ILOM) 3.0 Management Protocols Reference Guide (820-6413).

The ILOM 3.0 Documentation Collection is available at: http://docs.sun.com/app/docs/prod/int.lights.mgr30#hic.




Note - Syntax examples in this chapter use the target starting with /SP/, which could be interchanged with the target starting with /CMM/ depending on your Oracle server platform. Subtargets are common across all Oracle Sun server platforms.



Configuring User Accounts


Topics

  • Configure user accounts

Platform Feature Support

  • x86 system server SP
  • SPARC system server SP
  • CMM


Configure Single Sign On

1. Log in to the ILOM SP CLI or the CMM CLI.

2. To enable or disable Single Sign On, type the following command:

-> set /SP/services/sso state=disabled|enabled

Add a User Account

1. Log in to the ILOM SP CLI or the CMM CLI.

2. To add a local user account, type the following command:

-> create /SP/users/username password=password

For example:


-> create /SP/users/user5

Creating user...

Enter new password: ********

Enter new password again: ********

Created /SP/users/user5




Note - When adding a user account, it is unnecessary to provide a role or password property. The role will default to Read Only (o), and the CLI will prompt you to provide and confirm a password.



Change a User Account Password

1. Log in to the ILOM SP CLI or the CMM CLI.

2. To change a user account password, type the following command:

-> set /SP/users/user password

For example:


-> set /SP/users/user5 password

Enter new password: ********

Enter new password again: ********



Assign Roles to a User Account

1. Log in to the ILOM SP CLI or the CMM CLI.

2. To assign roles to a user account, type the following command:

-> set /SP/users/username password=password role=administrator|operator|a|u|c|r|o|s

For example:


-> set /SP/users/user5 role=auc
Set 'role' to 'auc'
-> show /SP/users/user5

/SP/users/user5
    Targets:
        ssh

    Properties:
        role = auco
        password = ********

    Commands:
        cd
        set
        show


Delete a User Account

1. Log in to the ILOM SP CLI or the CMM CLI.

2. To delete a local user account, type the following command:

-> delete /SP/users/username

For example:

-> delete /SP/users/user5

3. When prompted, type y to delete the account, or n to cancel.

For example:

Are you sure you want to delete /SP/users/user5 (y/n)? y
Deleted /SP/users/user5

View Individual User Accounts

1. Log in to the ILOM SP CLI or the CMM CLI.

2. To display information about one specific user account, type the following command:

-> show /SP/users/username

For example:


-> show /SP/users/user1
 
 /SP/users/user1
    Targets:
        ssh
 
    Properties:
        role = aucros
        password = *****
 
    Commands:
        cd
        set
        show


View a List of User Accounts

1. Log in to the ILOM SP CLI or the CMM CLI.

2. To display information about all local user accounts, type the following command:

-> show /SP/users

For example:


-> show /SP/users

/SP/users

Targets:

user1

user2

user3

user4



View a List of User Sessions

1. Log in to the ILOM SP CLI or the CMM CLI.

2. To display information about all current user sessions on the SP or CMM, type the following command:

-> show /SP/sessions

For example:


-> show /SP/sessions
 
 /SP/sessions
    Targets:
        12 (current)
 
    Properties:
 
    Commands:
        cd
        show


View an Individual User Session



Note - To view an individual user’s role, you must be using ILOM 3.0.4 or a later version of ILOM.


1. Log in to the ILOM SP CLI or the CMM CLI.

2. To display information about an individual user session, type the following command:

-> show /SP/sessions/session_number

For example:


-> show /SP/sessions/12
 
 /SP/sessions/12
    Targets:
 
    Properties:
        username = user4
        role = aucro
        starttime = Mon Apr 13 06:25:19 2009
        type = shell
        mode = normal
 
    Commands:
        cd
        show


Configuring SSH User Keys


Topics

  • Configure SSH user key

Platform Feature Support

  • x86 system server SP
  • SPARC system server SP
  • CMM

Before You Begin

An SSH public key stored on a user account lets that user authenticate to the ILOM CLI with a key pair instead of typing a password, which is what scripts and automated tools need. Use the following procedures in this section to add and delete a user's SSH key.


Add an SSH Key

1. Log in to the ILOM SP CLI or the CMM CLI.

2. To change to the directory location of a user’s SSH key, type:

-> cd /SP/users/user1/ssh/keys/1

3. To add a key to the user’s account, type:

-> set load_uri=transfer_method://username:password@ipaddress_or_hostname/directorypath/filename

Where transfer_method is tftp, ftp, or scp (tftp takes no user name or password), and the file is the user's SSH public key. Note that the transfer credentials are part of the URI and are echoed back in the confirmation message, so use an account that has no other privileges.

For example:


-> set load_uri=scp://adminuser:userpswd@1.2.3.4/keys/sshkey_1.pub
Set ’load_uri’ to ’scp://adminuser:userpswd@1.2.3.4/keys/sshkey_1.pub’


Delete an SSH Key

1. Log in to the ILOM SP CLI or the CMM CLI.

2. To change to the directory location of a user’s SSH key, type:

-> cd /SP/users/user1/ssh/keys/1

3. To delete a key from the user’s account, type:

-> set clear_action=true

The following confirmation prompt appears:

Are you sure you want to clear /SP/users/user1/ssh/keys/1 (y/n)?

4. Type y.

The SSH key is deleted and the following message appears to confirm the deletion.

Set ’clear_action’ to ’true’


Configuring Active Directory


Topics

  • Configure Active Directory settings

Platform Feature Support

  • x86 system server SP
  • SPARC system server SP
  • CMM


Enable Active Directory strictcertmode



Note - By default, strictcertmode is disabled. When it is disabled, the channel to the Active Directory server is encrypted, but only limited validation of the server's certificate is performed, so the identity of the directory server is not verified against a certificate you trust. When strictcertmode is enabled, the certificate of the Active Directory server (or of the CA that issued it) must already have been loaded into ILOM so that the certificate signature can be validated when the server presents its certificate.


1. Log in to the ILOM SP CLI or the CMM CLI.

2. Type the following path to access the Active Directory certificate settings:

-> cd /SP/clients/activedirectory/cert

3. To load a certificate, type the following:

-> set load_uri=tftp://IP_address/file-path/filename



Note - You can use TFTP, FTP, or SCP to load a certificate. Alternatively, you can load an SSL certificate for Active Directory using the load -source command from anywhere on the CLI. For example:

-> load -source URI_to_SSL_certificate target


4. To enable strictcertmode, type the following:

-> set strictcertmode=enabled



Note - Data in transit is always encrypted, even if strictcertmode is disabled; what strictcertmode adds is verification of the directory server's certificate.



Check Active Directory certstatus



Note - certstatus is an operational variable that reflects the current state of the certificate. A certificate does not have to be loaded while strictcertmode is disabled. However, before strictcertmode can be enabled, a certificate must be loaded.


1. Log in to the ILOM SP CLI or the CMM CLI.

2. To check the status of the certificate, type the following:

-> show /SP/clients/activedirectory/cert

For example:


 -> show /SP/clients/activedirectory/cert
    Targets:
 
    Properties:
        certstatus = certificate present
        clear_action = (none)
        issuer = /DC=com/DC=oracle/DC=east/DC=sales/CN=CAforActiveDirectory
        load_uri = (none)
        serial_number = 08:f3:2e:c0:8c:12:cd:bb:4e:7e:82:23:c4:0d:22:60
        subject = /DC=com/DC=oracle/DC=east/DC=sales/CN=CAforActiveDirectory
        valid_from = Oct 25 22:18:26 2006 GMT
        valid_until = Oct 25 22:18:26 2011 GMT
        version = 3 (0x02)
 
    Commands:
        cd
        load
        reset
        set
        show


Remove an Active Directory Certificate



Note - The Authentication Server Certificate can be removed only when strictcertmode is disabled.


1. Log in to the ILOM SP CLI or the CMM CLI.

2. Type the following:

-> cd /SP/clients/activedirectory/cert

3. To remove a certificate, type one of the following commands:

-> reset /SP/clients/activedirectory/cert

or

-> set /SP/clients/activedirectory/cert clear_action=true

4. Confirm whether you want to remove the certificate by typing y or n in response to the on-screen query.

The existing certificate file that had been uploaded will be removed.


View and Configure Active Directory Settings

1. Log in to the ILOM SP CLI or the CMM CLI.

2. Use the show and set commands to view and modify the Active Directory properties:

-> show /SP/clients/activedirectory/admingroups/n

Where n can be 1 to 5.

For example:


-> show /SP/clients/activedirectory/admingroups/1

/SP/clients/activedirectory/admingroups/1
    Targets:

    Properties:
        name = CN=SpSuperAdmin,OU=Groups,DC=sales,DC=east,DC=oracle,DC=com


Then use the set command to modify properties.

For example:


-> set /SP/clients/activedirectory/admingroups/1 name=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com'

-> show /SP/clients/activedirectory/opergroups/1

For example:


-> show /SP/clients/activedirectory/opergroups/1

/SP/clients/activedirectory/opergroups/1
    Targets:

    Properties:
        name = CN=SpSuperOper,OU=Groups,DC=sales,DC=east,DC=oracle,DC=com


Then use the set command to modify properties.

For example:


-> set /SP/clients/activedirectory/opergroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com'

-> show /SP/clients/activedirectory/customgroups/1

For example:


-> show /SP/clients/activedirectory/customgroups/1

/SP/clients/activedirectory/customgroups/1
    Targets:
 
    Properties:
        name = custom_group_1
        roles = aucro
 

Then use the set command to modify properties.

For example:


-> set /SP/clients/activedirectory/customgroups/1 name=CN=spSuperCust,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperCust,OU=Groups,DC=sales,DC=oracle,DC=com'
-> set /SP/clients/activedirectory/customgroups/1 roles=au
Set 'roles' to 'au'

-> show /SP/clients/activedirectory/userdomains/1

For example:


-> show /SP/clients/activedirectory/userdomains/1
/SP/clients/activedirectory/userdomains/1
   Targets:
 
   Properties:
       domain = <USERNAME>@sales.example.oracle.com

Then use the set command to modify properties.

For example:


-> set /SP/clients/activedirectory/userdomains/1 domain=<USERNAME>@sales.example.oracle.com
Set 'domain' to '<USERNAME>@sales.example.oracle.com'



Note - In the example above, <USERNAME> is a substitution marker: during authentication, ILOM replaces it with the login name the user typed. Names can take the form of a Fully Qualified Distinguished Name (FQDN), domain\name (NT), or Simple Name.


-> show /SP/clients/activedirectory/alternateservers/1

For example:


-> show /SP/clients/activedirectory/alternateservers/1
/SP/clients/activedirectory/alternateservers/1
    Targets:
        cert
 
    Properties:
        address = 10.8.168.99
        port = 0



Note - The address property can either be the IP address or DNS (host name). If using DNS, DNS must be enabled. For more information on enabling DNS, see View and Configure DNS Settings.


Then use the set command to modify properties.

For example:


-> set /SP/clients/activedirectory/alternateservers/1 port=636

You can also use the show command to view the alternate server certificate information.

 

For example:


-> show /SP/clients/activedirectory/alternateservers/1/cert
 /SP/clients/activedirectory/alternateservers/1/cert
    Targets:
 
Properties:
        certstatus = certificate present
        clear_action = (none)
        issuer = /DC=com/DC=oracle/DC=east/DC=sales/CN=CAforActiveDirectory
        load_uri = (none)
        serial_number = 08:f3:2e:c0:8c:12:cd:bb:4e:7e:82:23:c4:0d:22:60
        subject = /DC=com/DC=oracle/DC=east/DC=sales/CN=CAforActiveDirectory
        valid_from = Oct 25 22:18:26 2006 GMT
        valid_until = Oct 25 22:18:26 2011 GMT
        version = 3 (0x02)

Type the following to load a certificate for an alternate server (load_uri is a property of the alternate server's cert target):

-> cd /SP/clients/activedirectory/alternateservers/1/cert

-> set load_uri=<tftp|ftp|scp>://[<username>:<password>@]<ipAddress|HostName>/<filePath>/<fileName>

The following is an example of a certificate copied using tftp:


-> set load_uri=tftp://10.8.172.152/sales/cert.cert
Set ’load_uri’ to ’tftp://10.8.172.152/sales/cert.cert’



Note - The TFTP transfer method does not require a user name and password.


The following is an example of a certificate copied using ftp:


-> set load_uri=ftp://sales:XpasswordX@129.148.185.50/8275_put/cert.cert
Set ’load_uri’ to
’ftp://sales:XpasswordX@129.148.185.50/8275_put/cert.cert’

The following is an example of a certificate copied using scp:


-> set load_uri=scp://sales:XpasswordX@129.148.185.50/home/dc150698/8275_put/cert.cert

Type the following to remove a certificate for an alternate server:

-> cd /SP/clients/activedirectory/alternateservers/1/cert

-> set clear_action=true

For example:


-> set clear_action=true
Are you sure you want to clear /SP/clients/activedirectory/alternateservers/1/cert (y/n)? y
Set 'clear_action' to 'true'

-> show /SP/clients/activedirectory/dnslocatorqueries/1

For example:


-> show /SP/clients/activedirectory/dnslocatorqueries/1

/SP/clients/activedirectory/dnslocatorqueries/1
    Targets:
 
    Properties:
        service = _ldap._tcp.gc._msdcs.<DOMAIN>.<PORT:3269>
 
    Commands:
        cd
        set
        show



Note - DNS and DNS Locator Mode must be enabled for DNS Locator Queries to work. For information about enabling DNS, see View and Configure DNS Settings.


The DNS Locator service query identifies the named DNS service. The port ID is generally part of the record, but it can be overridden by using the format <PORT:636>. Also, named services specific for the domain being authenticated can be specified by using the <DOMAIN> substitution marker.

Then use the set command to modify properties in the dnslocatorqueries target:

For example:


-> set /SP/clients/activedirectory/dnslocatorqueries/1 service=<string>
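The substitution rules described above, as an added example that is not part of the guide: the functions expand the <USERNAME> marker of a userdomains entry and the <DOMAIN> and <PORT:n> markers of a dnslocatorqueries entry, and reject templates that would send every user as the same name or that name a service other than _ldap._tcp. The login names and domains are constructed samples.

```python
"""Added example (not from the ILOM guide): expand the substitution markers ILOM
uses in Active Directory userdomains (<USERNAME>) and dnslocatorqueries
(<DOMAIN>, <PORT:n>) entries, and sanity-check the templates before they are
set on the SP. Login names and domains are constructed samples."""
import re

_PORT_MARKER = re.compile(r"\.?<PORT:(\d+)>")

def expand_user_domain(template: str, login: str) -> str:
    """Substitute the login name into a userdomains 'domain' value.

    The template may be UPN style (<USERNAME>@domain), NT style
    (DOMAIN\\<USERNAME>) or a distinguished name (CN=<USERNAME>,OU=...).
    """
    if "<USERNAME>" not in template:
        raise ValueError("user domain template has no <USERNAME> marker; "
                         "every login would be sent as the same name")
    return template.replace("<USERNAME>", login)

def expand_locator_query(template: str, domain: str):
    """Resolve a dnslocatorqueries 'service' value to (srv_name, port_override).

    <DOMAIN> is replaced by the domain being authenticated. If the template
    carries a <PORT:n> marker, n overrides the port in the SRV record and is
    returned; otherwise None is returned and the record's own port applies.
    """
    port = None
    m = _PORT_MARKER.search(template)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError(f"port override out of range: {port}")
        template = template[:m.start()] + template[m.end():]
    if "<DOMAIN>" not in template:
        raise ValueError("locator query has no <DOMAIN> marker")
    srv_name = template.replace("<DOMAIN>", domain).rstrip(".")
    if not srv_name.startswith("_ldap._tcp."):
        raise ValueError("expected an _ldap._tcp SRV name, got " + srv_name)
    return srv_name, port

def plan_lookups(queries: list, domain: str) -> list:
    """Expand the configured dnslocatorqueries entries (1..5) in order,
    skipping empty slots."""
    return [expand_locator_query(q, domain) for q in queries if q]

if __name__ == "__main__":
    print(expand_user_domain("<USERNAME>@sales.example.oracle.com", "jdoe"))
    print(expand_user_domain(r"SALES\<USERNAME>", "jdoe"))
    for srv, port in plan_lookups(
            ["_ldap._tcp.gc._msdcs.<DOMAIN>.<PORT:3269>", "_ldap._tcp.dc._msdcs.<DOMAIN>"],
            "sales.example.oracle.com"):
        print(srv, port if port else "(port from SRV record)")
```

Running the script prints the expanded user names and the SRV names ILOM would query, with 3269 returned as the override for the global catalog entry and None for the entry that relies on the port in the SRV record.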




Note - To view and configure the expsearchmode property, you must be using ILOM 3.0.4 or later.


-> show /SP/clients/activedirectory

For example:


-> show /SP/clients/activedirectory
  
 /SP/clients/activedirectory
    Targets:
        admingroups
        alternateservers
        cert
        customgroups
        dnslocatorqueries
        opergroups
        userdomains
Properties:
        address = 0.0.0.0
        defaultrole = (none)
        dnslocatormode = disabled
        expsearchmode = disabled
        logdetail = none
        port = 0
        state = disabled
        strictcertmode = disabled
        strictcredentialerrormode = disabled
        timeout = 4
 Commands:
        cd
        set
        show

Then use the set command to enable or disable the property.

For example:


-> set /SP/clients/activedirectory expsearchmode=enabled
Set 'expsearchmode' to 'enabled'



Note - As of ILOM 3.0.10, the strictcredentialerrormode property controls how user credential errors are processed. If this mode is enabled, a credential error reported by any server fails those user credentials. When the mode is disabled (the default), the same credentials can be presented to the other configured servers for authentication.


Then use the set command to enable or disable the property.

For example:


-> set /SP/clients/activedirectory strictcredentialerrormode=enabled
Set 'strictcredentialerrormode' to 'enabled'


Troubleshoot Active Directory Authentication and Authorization

1. Log in to the ILOM SP CLI or the CMM CLI.

2. Type the following commands:

-> cd /SP/clients/activedirectory
/SP/clients/activedirectory
-> set logdetail=trace
Set ’logdetail’ to ’trace’

3. Perform another authorization attempt by logging out, then logging back in to the ILOM CLI and typing the following command:

-> show /SP/logs/event/list Class==(ActDir) Type==(Log) Severity==(Trace)

For example:


-> show /SP/logs/event/list Class==(ActDir) Type==(Log)
 
ID     Date/Time                 Class     Type      Severity
-----  ------------------------  --------  --------  --------
26     Thu Jul 10 09:40:46 2008  ActDir    Log       minor
       (ActDir)  authentication status: auth-OK
25     Thu Jul 10 09:40:46 2008  ActDir    Log       minor
       (ActDir)  server-authenticate: auth-success idx 100/0 dns-server 10.8.143.231
24     Thu Jul 10 09:40:46 2008  ActDir    Log       debug
       (ActDir)   custRoles
23     Thu Jul 10 09:40:46 2008  ActDir    Log       debug
       (ActDir)   role-name administrator

For more information on configuring event log detail, see View and Clear the ILOM Event Log.


Configuring Lightweight Directory Access Protocol


Topics

  • Configure LDAP settings

Platform Feature Support

  • x86 system server SP
  • SPARC system server SP
  • CMM


Configure the LDAP Server

1. Ensure that all users authenticating to ILOM have passwords stored in "crypt" format (traditional Unix crypt(3), DES based) or the GNU extension to crypt, commonly referred to as "MD5 crypt" (values starting with $1$).

ILOM supports LDAP authentication only for passwords stored in these two variations of the crypt format. Both are weak by current standards (traditional crypt uses only the first eight characters of the password), so restrict who can read the userPassword attribute in your directory.

For example:
userPassword: {CRYPT}ajCa2He4PJhNo
or
userPassword: {CRYPT}$1$pzKng1$du1Bf0NWBjh9t3FbUgf46.

2. Add object classes posixAccount and shadowAccount, and populate the required property values for this schema (RFC 2307).


Required Property    Description
uid                  User name for logging in to ILOM
uidNumber            Any unique number
gidNumber            Any unique number
userPassword         Password, stored in one of the crypt formats from step 1
homeDirectory        Any value (this property is ignored by ILOM)
loginShell           Any value (this property is ignored by ILOM)


3. Configure the LDAP server to enable LDAP server access to ILOM user accounts.

Either enable your LDAP server to accept anonymous binds, or create a proxy user on your LDAP server that has read-only access to all user accounts that will authenticate through ILOM. ILOM verifies the password against the hash it reads from each user's userPassword attribute, so that attribute must be readable by whichever bind you choose; with anonymous binds the hashes are readable by anyone who can reach the directory, which makes a dedicated read-only proxy user the safer option.

See your LDAP server documentation for more details.
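The checks behind steps 1 and 2, as an added example that is not part of the guide: a classifier that tells whether a userPassword value is in traditional crypt or MD5 crypt form (anything else cannot be used by ILOM), and a renderer for an RFC 2307 entry carrying every attribute in the table. The user names, ID numbers and the {SSHA} hash are constructed; the two {CRYPT} hashes are the ones shown in step 1; the structural object class "account" is an assumption, since posixAccount and shadowAccount are auxiliary classes and your directory may use a different structural class.

```python
"""Added example (not from the ILOM guide): check that LDAP userPassword
values are in one of the two crypt formats ILOM accepts, and render an
RFC 2307 entry that carries every attribute ILOM requires. The user names,
numbers and the third hash below are constructed; the first two hashes are
the guide's own examples."""
import re

# Traditional crypt(3): 13 characters (2-char salt + 11-char hash) from ./0-9A-Za-z
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# GNU MD5-crypt: $1$<salt, up to 8 chars>$<22-char hash>
_MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

REQUIRED_ATTRIBUTES = ("uid", "uidNumber", "gidNumber", "userPassword",
                       "homeDirectory", "loginShell")

def classify_user_password(value: str) -> str:
    """Return 'crypt', 'md5-crypt' or 'unsupported' for a userPassword value.

    ILOM compares the user's password against this stored hash itself, so
    cleartext, {SSHA}, SHA-crypt ($5$/$6$) and similar schemes are unusable.
    """
    if not value.startswith("{CRYPT}"):
        return "unsupported"
    digest = value[len("{CRYPT}"):]
    if _DES_CRYPT.match(digest):
        return "crypt"
    if _MD5_CRYPT.match(digest):
        return "md5-crypt"
    return "unsupported"

def audit_entries(entries) -> dict:
    """Map uid -> classification for (uid, userPassword) pairs pulled from the
    directory, so the whole user base can be checked before enabling LDAP."""
    return {uid: classify_user_password(pw) for uid, pw in entries}

def build_ilom_user_ldif(uid: str, uid_number: int, gid_number: int,
                         user_password: str, base_dn: str) -> str:
    """Render an LDIF entry with the posixAccount/shadowAccount attributes.

    'account' (COSINE schema) is assumed here as the structural object class,
    since posixAccount and shadowAccount are auxiliary; use whatever structural
    class your directory requires. homeDirectory and loginShell are ignored by
    ILOM but must be present.
    """
    if classify_user_password(user_password) == "unsupported":
        raise ValueError("userPassword must be {CRYPT} DES-crypt or MD5-crypt for ILOM")
    attrs = {
        "uid": uid,
        "uidNumber": str(uid_number),
        "gidNumber": str(gid_number),
        "userPassword": user_password,
        "homeDirectory": f"/home/{uid}",
        "loginShell": "/bin/false",
    }
    missing = [a for a in REQUIRED_ATTRIBUTES if not attrs.get(a)]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    lines = [f"dn: uid={uid},{base_dn}",
             "objectClass: account",
             "objectClass: posixAccount",
             "objectClass: shadowAccount"]
    lines += [f"{name}: {value}" for name, value in attrs.items()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    sample = [
        ("ilomadmin", "{CRYPT}ajCa2He4PJhNo"),
        ("ilomoper", "{CRYPT}$1$pzKng1$du1Bf0NWBjh9t3FbUgf46."),
        ("legacy", "{SSHA}LKZpNEEUb/E8z7rLk/gwSbR6ggHwibkL"),  # constructed; not usable by ILOM
    ]
    for name, kind in audit_entries(sample).items():
        print(f"{name}: {kind}")
    print(build_ilom_user_ldif("ilomadmin", 10001, 10001, "{CRYPT}ajCa2He4PJhNo",
                               "ou=people,ou=sales,dc=oracle,dc=com"))
```

Feed audit_entries the (uid, userPassword) pairs exported from your directory before enabling the LDAP client; any account reported as unsupported will fail to log in through ILOM even though the same password works elsewhere.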


Configure ILOM for LDAP

1. Log in to the ILOM SP CLI or the CMM CLI.

2. Enter the proxy user name and password. Type:

-> set /SP/clients/ldap binddn="cn=proxyuser, ou=people, ou=sales, dc=oracle, dc=com" bindpw=password

3. Enter the IP address of the LDAP server. Type:

-> set /SP/clients/ldap address=ldapipaddress|DNS_name


Note - If using a DNS name, DNS must be configured and functioning.


4. Assign the port used to communicate with the LDAP server; the default port is 389. Type:

-> set /SP/clients/ldap port=ldapport

5. Enter the Distinguished Name of the branch of your LDAP tree that contains users and groups. Type, for example:

-> set /SP/clients/ldap searchbase="ou=people, ou=sales, dc=oracle, dc=com"

This is the location in your LDAP tree that you want to search for user authentication.

6. Set the state of the LDAP service to enabled. Type:

-> set /SP/clients/ldap state=enabled

7. To verify that LDAP authentication works, log in to ILOM using an LDAP user name and password.



Note - ILOM searches local users before LDAP users. If an LDAP user name exists as a local user, ILOM uses the local account for authentication.



Configuring LDAP/SSL


Topics

  • Configure LDAP/SSL settings

Platform Feature Support

  • x86 system server SP
  • SPARC system server SP
  • CMM


Enable LDAP/SSL strictcertmode



Note - By default, strictcertmode is disabled. When it is disabled, the channel to the LDAP/SSL server is encrypted, but only limited validation of the server's certificate is performed, so the identity of the directory server is not verified against a certificate you trust. When strictcertmode is enabled, the certificate of the LDAP/SSL server (or of the CA that issued it) must already have been loaded into ILOM so that the certificate signature can be validated when the server presents its certificate.


1. Log in to the ILOM SP CLI or the CMM CLI.

2. Type the following path to access the LDAP/SSL certificate settings:

-> cd /SP/clients/ldapssl/cert

3. To load a certificate, type the following:

-> set load_uri=tftp://IP_address/file-path/filename



Note - You can use TFTP, FTP, or SCP to load a certificate.


4. To enable strictcertmode, type the following:

-> set strictcertmode=enabled


Check LDAP/SSL certstatus



Note - certstatus is an operational variable that reflects the current state of the certificate. A certificate does not have to be loaded while strictcertmode is disabled. However, before strictcertmode can be enabled, a certificate must be loaded.


1. Log in to the ILOM SP CLI or the CMM CLI.

2. To check the status of the certificate, type the following:

-> show /SP/clients/ldapssl/cert

For example:


-> show /SP/clients/ldapssl/cert
 
 /SP/clients/ldapssl/cert
    Targets:

    Properties:
        certstatus = certificate present
        clear_action = (none)
        issuer = /C=US/O=Entrust PKI Demonstration Certificates
        load_uri = (none)
        serial_number = 08:f3:2e:c0:8c:12:cd:bb:4e:7e:82:23:c4:0d:22:60
        subject = /C=US/O=Entrust PKI Demonstration Certificates/OU=Entrust/Web Connector/OU=No Liability as per http://freecerts.entrust
        valid_from = Oct 25 22:18:26 2006 GMT
        valid_until = Oct 25 22:18:26 2011 GMT
        version = 3 (0x02)
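A check that covers both this procedure and the Active Directory certstatus procedure earlier in the chapter, as an added example that is not part of the guide: it parses the Properties section of the two show outputs (the client target and its cert target), reports whether a certificate is loaded and still within its validity dates, and flags strictcertmode being disabled, since in that state the channel is encrypted but the directory server's certificate is not verified. The two show outputs and the reference dates are constructed samples modelled on the guide's examples.

```python
"""Added example (not from the ILOM guide): parse the output of
'show .../cert' and 'show /SP/clients/<ldapssl|activedirectory>' and report
whether strictcertmode can be enabled and whether the loaded certificate is
still valid. The two show outputs below are constructed samples modelled on
the guide's examples."""
from datetime import datetime, timezone

def parse_show_properties(text: str) -> dict:
    """Return the Properties: section of ILOM show output as a dict."""
    props, in_props = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Targets:", "Properties:", "Commands:"):
            in_props = line == "Properties:"
            continue
        if in_props and " = " in line:
            key, _, value = line.partition(" = ")
            props[key.strip()] = value.strip()
    return props

def parse_ilom_time(value: str) -> datetime:
    """Parse a certificate date such as 'Oct 25 22:18:26 2011 GMT' as UTC."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def audit_certificate(cert_show: str, client_show: str, now: datetime) -> list:
    """Return findings about the trust configuration; an empty list means the
    channel is encrypted and the directory server's certificate is verified."""
    cert = parse_show_properties(cert_show)
    client = parse_show_properties(client_show)
    findings = []
    present = cert.get("certstatus") == "certificate present"
    if present:
        valid_from = parse_ilom_time(cert["valid_from"])
        valid_until = parse_ilom_time(cert["valid_until"])
        if now > valid_until:
            findings.append(f"loaded certificate expired {valid_until:%Y-%m-%d}")
        elif now < valid_from:
            findings.append("loaded certificate is not yet valid")
    else:
        findings.append("no authentication server certificate loaded; "
                        "strictcertmode cannot be enabled until one is")
    if client.get("strictcertmode") != "enabled":
        findings.append("strictcertmode disabled: the TLS channel is encrypted but "
                        "the directory server's certificate is not verified")
    return findings

# Constructed sample outputs (same layout as the guide's show examples).
SAMPLE_CERT_SHOW = """\
 /SP/clients/ldapssl/cert
    Targets:

    Properties:
        certstatus = certificate present
        clear_action = (none)
        issuer = /C=US/O=Example Demonstration CA
        load_uri = (none)
        serial_number = 08:f3:2e:c0:8c:12:cd:bb:4e:7e:82:23:c4:0d:22:60
        subject = /C=US/O=Example Demonstration CA
        valid_from = Oct 25 22:18:26 2006 GMT
        valid_until = Oct 25 22:18:26 2011 GMT
        version = 3 (0x02)

    Commands:
        cd
        load
        reset
        set
        show
"""

SAMPLE_CLIENT_SHOW = """\
 /SP/clients/ldapssl
    Targets:
        admingroups
        alternateservers
        cert

    Properties:
        address = 10.8.168.99
        port = 636
        state = enabled
        strictcertmode = disabled
        timeout = 4

    Commands:
        cd
        set
        show
"""

# Constructed reference dates: one inside and one past the sample validity period.
EXAMPLE_NOW_VALID = datetime(2009, 4, 13, tzinfo=timezone.utc)
EXAMPLE_NOW_EXPIRED = datetime(2012, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit_certificate(SAMPLE_CERT_SHOW, SAMPLE_CLIENT_SHOW, EXAMPLE_NOW_VALID):
        print("finding:", finding)
```

Paste the real show output for /SP/clients/ldapssl (or /SP/clients/activedirectory) and its cert target into the two strings and pass the current time; the expiry check matters because a certificate that has lapsed while strictcertmode is enabled will stop every directory login.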


Remove an LDAP/SSL Certificate



Note - The Authentication Server Certificate can only be removed when strictcertmode is disabled.


1. Log in to the ILOM SP CLI or the CMM CLI.

2. Type the following:

-> cd /SP/clients/ldapssl/cert

3. To remove a certificate, type the following:

-> set clear_action=true

4. Confirm whether you want to remove the certificate by typing y (yes) or n (no) in response to the on-screen query.

The existing certificate file that had been uploaded will be removed.


View and Configure LDAP/SSL Settings



Note - To view and configure the optionalUserMapping target, you must be using ILOM 3.0.4 or a later version of ILOM.


1. Log in to the ILOM SP CLI or the CMM CLI.

2. Use the show and set commands to view and modify properties.

-> show /SP/clients/ldapssl/admingroups/n

Where n can be 1 to 5.

For example:


-> show /SP/clients/ldapssl/admingroups/1

/SP/clients/ldapssl/admingroups/1
    Targets:

    Properties:
        name = CN=SpSuperAdmin,OU=Groups,DC=sales,DC=east,DC=oracle,DC=com


Then use the set command to modify properties.

For example:


-> set /SP/clients/ldapssl/admingroups/1 name=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com'

-> show /SP/clients/ldapssl/opergroups/1

For example:


-> show /SP/clients/ldapssl/opergroups/1

/SP/clients/ldapssl/opergroups/1
    Targets:

    Properties:
        name = CN=SpSuperOper,OU=Groups,DC=sales,DC=east,DC=oracle,DC=com


Then use the set command to modify properties.

For example:


-> set /SP/clients/ldapssl/opergroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com'

-> show /SP/clients/ldapssl/customgroups/1

For example:


-> show /SP/clients/ldapssl/customgroups/1

 /SP/clients/ldapssl/customgroups/1
    Targets:
 
    Properties:
        name = <fully qualified distinguished name only>
        roles = (none)
 
    Commands:
        cd
        set
        show

Then use the set command to modify properties.

For example:


-> set /SP/clients/ldapssl/customgroups/1 name=CN=spSuperCust,OU=Groups,DC=sales,DC=oracle,DC=com
 
Set 'name' to 'CN=spSuperCust,OU=Groups,DC=sales,DC=oracle,DC=com'
 
-> set /SP/clients/ldapssl/customgroups/1 roles=au
 
Set 'roles' to 'au'

-> show /SP/clients/ldapssl/userdomains/1

For example:


 -> show /SP/clients/ldapssl/userdomains/1
    Targets:
 
    Properties:
        domain = uid=<USERNAME>,ou=people,dc=oracle,dc=com
 
    Commands:
        cd
        set
        show

Then use the set command to modify properties.

For example:


-> set /SP/clients/ldapssl/userdomains/1 domain=uid=<USERNAME>,ou=people,dc=oracle,dc=com
Set 'domain' to 'uid=<USERNAME>,ou=people,dc=oracle,dc=com'



Note - In the example above, <USERNAME> will be replaced with the user’s login name during authentication. Names can take the form of Fully Qualified Distinguished Name (FQDN).


-> show /SP/clients/ldapssl/alternateservers/1

For example:


-> show /SP/clients/ldapssl/alternateservers/1
 
/SP/clients/ldapssl/alternateservers/1
    Targets:
        cert
 
    Properties:
        address = 10.8.168.99
        port = 0



Note - In the example above, address can either be the IP address or DNS name. If using DNS, DNS must be enabled. For more information on enabling DNS, see View and Configure DNS Settings.


Then use the set command to modify properties.

For example:


-> set /SP/clients/ldapssl/alternateservers/1 port=636

You can also use the show command to view the alternate server certificate information.

For example:


-> show /SP/clients/ldapssl/alternateservers/1/cert
 
 /SP/clients/ldapssl/alternateservers/1/cert
    Targets:
 
    Properties:
        certstatus = certificate present
        clear_action = (none)
        issuer = /C=US/O=Entrust PKI Demonstration Certificates
        load_uri = (none)
        serial_number = 08:f3:2e:c0:8c:12:cd:bb:4e:7e:82:23:c4:0d:22:60
        subject = /C=US/O=Entrust PKI Demonstration Certificates/OU=Entrust/Web Connector/OU=No Liability as per http://freecerts.entrust
        valid_from = Oct 25 22:18:26 2006 GMT
        valid_until = Oct 25 22:18:26 2011 GMT
        version = 3 (0x02)
 

Type the following to load a certificate for an alternate server (load_uri is a property of the alternate server's cert target):

-> cd /SP/clients/ldapssl/alternateservers/1/cert

-> set load_uri=<tftp|ftp|scp>://[<username>:<password>@]<ipAddress|HostName>/<filePath>/<fileName>

The following is an example of a certificate copied using tftp:


-> set load_uri=tftp://10.8.172.152/sales/cert.cert
Set ’load_uri’ to ’tftp://10.8.172.152/sales/cert.cert’



Note - The TFTP transfer method does not require a user name and password.


The following is an example of a certificate copied using ftp:


-> set load_uri=ftp://sales:XpasswordX@129.148.185.50/8275_put/cert.cert
Set ’load_uri’ to
’ftp://sales:XpasswordX@129.148.185.50/8275_put/cert.cert’

The following is an example of a certificate copied using scp:


-> set load_uri=scp://sales:XpasswordX@129.148.185.50/home/dc150698/8275_put/cert.cert

Type the following to remove a certificate for an alternate server:

-> cd /SP/clients/ldapssl/alternateservers/1/cert

-> set clear_action=true

For example:


-> set clear_action=true
Are you sure you want to clear /SP/clients/ldapssl/alternateservers/1/cert (y/n)? y
Set ’clear_action’ to ’true’

-> show /SP/clients/ldapssl/optionalUserMapping

For example:


-> show /SP/clients/ldapssl/optionalUserMapping
 
 /SP/clients/ldapssl/optionalUserMapping
    Targets:
 
    Properties:
        attributeInfo = (&(objectclass=person)(uid=<USERNAME>))
        binddn = cn=Manager,dc=oracle,dc=com
        bindpw = (none)
        searchbase = ou=people,dc=oracle,dc=com
        state = disabled
 
    Commands:
        cd
        set
        show

Then use the set command to modify properties.

For example:


-> set /SP/clients/ldapssl/optionalUserMapping state=enabled
Set ’state’ to ’enabled’


Troubleshoot LDAP/SSL Authentication and Authorization

1. Log in to the ILOM SP CLI or the CMM CLI.

2. Type the following commands:

-> cd /SP/clients/ldapssl
/SP/clients/ldapssl
-> set logdetail=trace
Set ’logdetail’ to ’trace’

3. Perform another authorization attempt by logging out, then logging back in to the ILOM CLI and typing the following:

-> show /SP/logs/event/list Class==(ldapssl) Type==(Log) Severity==(Trace)

For example:


-> show /SP/logs/event/list Class==(ldapssl) Type==(Log)
 
ID     Date/Time                 Class     Type      Severity
-----  ------------------------  --------  --------  --------
3155   Thu Nov 13 06:21:00 2008  LdapSsl   Log       critical
       (LdapSSL)  authentication status: auth-ERROR
3154   Thu Nov 13 06:21:00 2008  LdapSsl   Log       major
       (LdapSSL)  server-authenticate: auth-error idx 0 cfg-server 10.8.xxx.xxx
3153   Thu Nov 13 06:21:00 2008  LdapSsl   Log       major
       (LdapSSL)  ServerUserAuth - Error 0, error binding user to ActiveDirectory server

For more information about configuring event log detail, see View and Clear the ILOM Event Log.
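A parser for the trace output shown in this procedure and in the Active Directory troubleshooting procedure earlier in the chapter, as an added example that is not part of the guide: it turns the two-line event records of show /SP/logs/event/list into dicts and reduces a trace to the final authentication status, the server that answered, the role granted, and every major or critical message. The two traces are constructed samples modelled on the guide's output; the server addresses in them are placeholders.

```python
"""Added example (not from the ILOM guide): parse the output of
'show /SP/logs/event/list Class==(...) Type==(Log)' as printed after
logdetail=trace, and reduce an Active Directory or LDAP/SSL trace to the
answer an operator needs. The two traces below are constructed samples
modelled on the guide's output; addresses are placeholders."""
import re

_RECORD = re.compile(
    r"^(?P<id>\d+)\s+(?P<time>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<cls>\S+)\s+(?P<type>\S+)\s+(?P<sev>\S+)\s*$")

def parse_event_list(text: str) -> list:
    """Each event is one header line (ID, time, class, type, severity) followed
    by one or more indented message lines; join them into one record."""
    records = []
    for line in text.splitlines():
        m = _RECORD.match(line)
        if m:
            rec = m.groupdict()
            rec["id"] = int(rec["id"])
            rec["message"] = ""
            records.append(rec)
        elif records and line[:1].isspace() and line.strip():
            records[-1]["message"] = (records[-1]["message"] + " " + line.strip()).strip()
    return records

def summarize_auth_trace(records: list) -> dict:
    """Report the final authentication status, the directory server that
    answered, the role that was granted, and every major/critical message."""
    summary = {"status": None, "server": None, "role": None, "errors": []}
    for rec in sorted(records, key=lambda r: r["id"]):   # oldest first
        msg = rec["message"]
        m = re.search(r"authentication status: auth-(\w+)", msg)
        if m:
            summary["status"] = m.group(1)
        m = re.search(r"server-authenticate: auth-\w+ .*?(?:dns-server|cfg-server) (\S+)", msg)
        if m:
            summary["server"] = m.group(1)
        m = re.search(r"role-name (\S+)", msg)
        if m:
            summary["role"] = m.group(1)
        if rec["sev"] in ("major", "critical"):
            summary["errors"].append(msg)
    return summary

def triage(text: str) -> dict:
    return summarize_auth_trace(parse_event_list(text))

# Constructed sample: a successful Active Directory login.
AD_TRACE = """\
-> show /SP/logs/event/list Class==(ActDir) Type==(Log)

ID     Date/Time                 Class     Type      Severity
-----  ------------------------  --------  --------  --------
26     Thu Jul 10 09:40:46 2008  ActDir    Log       minor
       (ActDir)  authentication status: auth-OK
25     Thu Jul 10 09:40:46 2008  ActDir    Log       minor
       (ActDir)  server-authenticate: auth-success idx 100/0 dns-server 10.8.143.231
24     Thu Jul 10 09:40:46 2008  ActDir    Log       debug
       (ActDir)   custRoles
23     Thu Jul 10 09:40:46 2008  ActDir    Log       debug
       (ActDir)   role-name administrator
"""

# Constructed sample: a failed LDAP/SSL bind against the configured server.
LDAPSSL_TRACE = """\
-> show /SP/logs/event/list Class==(ldapssl) Type==(Log)

ID     Date/Time                 Class     Type      Severity
-----  ------------------------  --------  --------  --------
3155   Thu Nov 13 06:21:00 2008  LdapSsl   Log       critical
       (LdapSSL)  authentication status: auth-ERROR
3154   Thu Nov 13 06:21:00 2008  LdapSsl   Log       major
       (LdapSSL)  server-authenticate: auth-error idx 0 cfg-server 10.8.1.2
3153   Thu Nov 13 06:21:00 2008  LdapSsl   Log       major
       (LdapSSL)  ServerUserAuth - Error 0, error binding user to server
"""

if __name__ == "__main__":
    for name, trace in (("Active Directory", AD_TRACE), ("LDAP/SSL", LDAPSSL_TRACE)):
        print(name, triage(trace))
```

Paste the CLI output into triage() after a failed login; a status of ERROR together with a cfg-server or dns-server address tells you which server rejected the bind, and a missing role-name on an OK status points at group or role mapping rather than credentials. Remember to set logdetail back from trace when you are done.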


Configuring RADIUS


Topics

  • Configure RADIUS settings

Platform Feature Support

  • x86 system server SP
  • SPARC system server SP
  • CMM


Configure RADIUS



Note - If you need to provide ILOM access beyond the 10 local user accounts, and after the RADIUS server has been properly configured, you can configure ILOM to use RADIUS authentication.


1. Collect the appropriate information about your RADIUS environment.

2. Log in to the ILOM SP CLI or the CMM CLI and use the cd command to navigate to /SP/clients/radius.

For example, type:

-> cd /SP/clients/radius

3. Use the show command to view the radius properties.

For example, type:

-> show /SP/clients/radius

 /SP/clients/radius
    Targets:

    Properties:
        defaultrole = Operator
        address = 129.144.36.142
        port = 1812
        secret = (none)
        state = enabled

    Commands:
        cd
        set
        show

4. Use the set command to configure the radius properties described in TABLE 4-1.

Syntax:

-> set /SP/clients/radius [defaultrole=[Administrator|Operator|a|u|c|r|o|s] address=radius_server_IPaddress port=port# secret=radius_secret state=[enabled|disabled]]

Example:


-> set /SP/clients/radius state=enabled address=10.8.145.77
Set 'state' to 'enabled'
Set 'address' to '10.8.145.77'


TABLE 4-1 Description of RADIUS Properties

state
Default: disabled. Values: enabled | disabled.
Specifies whether the RADIUS client is enabled or disabled.

defaultrole
Default: Operator. Values: Administrator | Operator | any combination of a, u, c, r, o, s.
Access role granted to all authenticated RADIUS users. This property supports the legacy roles of Administrator or Operator, or any of the individual role ID combinations of 'a', 'u', 'c', 'r', 'o' and 's'. For example, aucros, where a=Admin, u=User Management, c=Console, r=Reset and Host Control, o=Read Only, and s=Service. Because every RADIUS-authenticated user receives this same role, grant no more than the least privileged of those users needs.

address
Default: 0.0.0.0.
IP address or DNS name of the RADIUS server. If a DNS name is used, DNS must be configured and functional.

port
Default: 1812.
Specifies the port number used to communicate with the RADIUS server.

secret
Default: (none).
Specifies the shared secret that is used to protect sensitive data and to ensure that the client and server recognize each other.
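What the shared secret actually does for a RADIUS client such as ILOM, as an added example that is not part of the guide: a minimal RFC 2865 exchange in which the client hides the User-Password in its Access-Request with the secret and then accepts the server's answer only if the Response Authenticator proves the server knew the same secret and replied to that exact request. The user name, password, secret and addresses are constructed sample values, the server side is a toy that verifies against an in-memory table, and nothing is sent on the network. The password hiding is MD5 based and the request carries no integrity protection unless Message-Authenticator is used, so keep the path between ILOM and the RADIUS server on an isolated management network and use a long, random secret.

```python
"""Added example (not from the ILOM guide): a minimal RFC 2865 Access-Request /
Access-Accept exchange showing the two jobs of the RADIUS shared secret for an
ILOM-style client: hiding the User-Password and authenticating the server's
reply. All names, addresses and the secret are constructed; no packets are sent."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length covers the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (the server side); trailing NULs are padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str, request_auth: bytes = None) -> bytes:
    """Client side: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy server: unhide the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:]))
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    resp_attrs = b""
    return (struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
            + response_authenticator(code, ident, resp_attrs, request_auth, secret) + resp_attrs)

def client_check_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: trust the reply only if its authenticator matches; a wrong
    secret on either end, or a reply forged without the secret, is rejected."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    if ident != request[1] or length != len(response) or response[4:20] != expected:
        raise ValueError("response authenticator mismatch: wrong secret or spoofed reply")
    return code == ACCESS_ACCEPT

def run_exchange(username: str, password: str, secret: bytes, users: dict,
                 nas_ip: str = "10.8.145.10") -> bool:
    """Full round trip between the toy client and toy server."""
    request = build_access_request(7, username, password, secret, nas_ip)
    return client_check_response(server_handle(request, secret, users), request, secret)

if __name__ == "__main__":
    users = {"ilomadmin": b"hunter2-constructed"}       # constructed sample account
    print("good password:", run_exchange("ilomadmin", "hunter2-constructed", b"s3cret", users))
    print("bad password: ", run_exchange("ilomadmin", "wrong", b"s3cret", users))
```

Note that a shared secret mismatch does not show up as a clean "reject": the server unhides garbage, answers Reject, and the client then cannot validate the Response Authenticator at all, which is exactly the symptom you see in the field when the secret on the SP and on the RADIUS server differ.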