CHAPTER 4
Managing User Accounts
Oracle Integrated Lights Out Manager (ILOM) 3.0 Concepts Guide (820-6410)
Oracle Integrated Lights Out Manager (ILOM) 3.0 Web Interface Procedures Guide (820-6411)
Oracle Integrated Lights Out Manager (ILOM) 3.0 Management Protocols Reference Guide (820-6413)
The ILOM 3.0 Documentation Collection is available at: http://docs.sun.com/app/docs/prod/int.lights.mgr30#hic.
Configure Single Sign On
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To enable or disable Single Sign On, type the following command:
-> set /SP/services/sso state=disabled|enabled
Add a User Account
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To add a local user account, type the following command:
-> create /SP/users/username password=password
Note - When adding a user account, it is unnecessary to provide a role or password property. The role will default to Read Only (o), and the CLI will prompt you to provide and confirm a password.
Change a User Account Password
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To change a user account password, type the following command:
-> set /SP/users/user password
Assign Roles to a User Account
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To assign roles to a user account, type the following command:
-> set /SP/users/<username> password=<password> role=<administrator|operator|a|u|c|r|o|s>
For example:
-> set /SP/users/user5 role=auc
Set 'role' to 'auc'
-> show /SP/users/user5
/SP/users/user5
  Targets:
    ssh
  Properties:
    role = auco
    password = ********
  Commands:
    cd
    set
    show
Delete a User Account
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To delete a local user account, type the following command:
-> delete /SP/users/username
For example:
-> delete /SP/users/user5
3. When queried, type y to delete, or n to cancel.
Are you sure you want to delete /SP/users/user5 (y/n)? y
Deleted /SP/users/user5
View Individual User Accounts
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To display information about one specific user account, type the following command:
-> show /SP/users/username
For example:
-> show /SP/users/user1
/SP/users/user1
  Targets:
    ssh
  Properties:
    role = aucros
    password = *****
  Commands:
    cd
    set
    show
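Added example, not part of the Oracle guide: a Python audit that parses captured show /SP/users/<name> output in the Targets/Properties layout shown above and lists which local accounts hold roles beyond Read Only. The sample output is constructed, and the role-letter names are the ILOM 3.0 role definitions, which this chapter does not spell out.

```python
import re

# ILOM 3.0 role letters. The names are the ILOM 3.0 role definitions, not stated in this chapter.
ROLE_NAMES = {"a": "Admin", "u": "User Management", "c": "Console",
              "r": "Reset and Host Control", "o": "Read Only", "s": "Service"}
# Roles that can change the SP configuration or other accounts; an audit should list who holds them.
PRIVILEGED = set("aus")

# Constructed sample: 'show /SP/users/<name>' output for three accounts, concatenated,
# in the Targets / Properties layout the CLI prints.
SAMPLE_SHOW_OUTPUT = """\
/SP/users/user1
  Targets:
    ssh
  Properties:
    role = aucros
    password = *****
/SP/users/user5
  Targets:
    ssh
  Properties:
    role = auco
    password = ********
/SP/users/auditor
  Targets:
    ssh
  Properties:
    role = o
    password = *****
"""

def parse_show_users(text):
    """Return {username: set of role letters} from concatenated 'show /SP/users/<name>' output."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^/SP/users/(\S+)\s*$", line)
        if m:  # a new account block starts with its target path
            current = m.group(1)
            accounts[current] = set()
            continue
        m = re.match(r"^\s*role\s*=\s*([aucros]+)\s*$", line)
        if m and current is not None:
            accounts[current] = set(m.group(1))
    return accounts

def privileged_accounts(accounts):
    """Sorted names of accounts holding any privileged role letter."""
    return sorted(name for name, roles in accounts.items() if roles & PRIVILEGED)

def describe(roles):
    """Human-readable role names in the order ILOM prints the letters."""
    return [ROLE_NAMES[c] for c in "aucros" if c in roles]
```

Feed it the concatenated output of one show per account (or of show /SP/users followed by a show of each listed target) to review who can manage other accounts on the SP.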
View a List of User Accounts
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To display information about all local user accounts, type the following command:
-> show /SP/users
View a List of User Sessions
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To display information about all local user sessions, type the following command:
View an Individual User Session
Note - To view an individual user's role, you must be using ILOM 3.0.4 or a later version of ILOM.
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To display information about an individual user session, type the following command:
-> show /SP/sessions/session_number
For example:
-> show /SP/sessions/12
/SP/sessions/12
  Targets:
  Properties:
    username = user4
    role = aucro
    starttime = Mon Apr 13 06:25:19 2009
    type = shell
    mode = normal
  Commands:
    cd
    show
The SSH keys enable you to automate password authentication. Use the following procedures in this section to add and delete SSH keys.
Add an SSH Key
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To change to the directory location of a user's SSH key, type:
-> cd /SP/users/user1/ssh/keys/1
3. To add a key to the user's account, type:
-> set load_uri=transfer_method://username:password@ipaddress_or_hostname/directorypath/filename
For example:
-> set load_uri=scp://adminuser:userpswd@1.2.3.4/keys/sshkey_1.pub
Set 'load_uri' to 'scp://adminuser:userpswd@1.2.3.4/keys/sshkey_1.pub'
Delete an SSH Key
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To change to the directory location of a user's SSH key, type:
-> cd /SP/users/user1/ssh/keys/1
3. To delete a key from the user's account, type:
The following confirmation prompt appears:
Are you sure you want to clear /SP/users/user1/ssh/keys/1 (y/n)?
The SSH key is deleted and the following message appears to confirm the deletion.
Enable Active Directory strictcertmode
1. Log in to the ILOM SP CLI or the CMM CLI.
2. Type the following path to access the Active Directory certificate settings:
-> cd /SP/clients/activedirectory/cert
3. To load a certificate, type the following:
-> set load_uri=tftp://IP address/file-path/filename
4. To enable strictcertmode, type the following:
Note - Data is always protected, even if strictcertmode is disabled.
Check Active Directory certstatus
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To check the status of the certificate, type the following:
-> show /SP/clients/activedirectory/cert
Remove an Active Directory Certificate
Note - The Authentication Server Certificate can be removed only when strictcertmode is disabled.
1. Log in to the ILOM SP CLI or the CMM CLI.
-> cd /SP/clients/activedirectory/cert
3. To remove a certificate, type one of the following commands:
-> reset /SP/clients/activedirectory/cert
4. Confirm whether you want to remove the certificate by typing y or n in response to the on-screen query.
The existing certificate file that had been uploaded will be removed.
View and Configure Active Directory Settings
1. Log in to the ILOM SP CLI or the CMM CLI.
2. Use the show and set commands to view and modify the Active Directory properties:
-> show /SP/clients/activedirectory/admingroups/n
For example:
-> show /SP/clients/activedirectory/admingroups/1
/SP/clients/activedirectory/admingroups/1
  Properties:
    name = CN=SpSuperAdmin,OU=Groups,DC=sales,
Then use the set command to modify properties.
-> set /SP/clients/activedirectory/admingroups/1/ name=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com'
-> show /SP/clients/activedirectory/opergroups/1
For example:
-> show /SP/clients/activedirectory/opergroups/1
/SP/clients/activedirectory/opergroups/1
  Properties:
    name = CN=SpSuperOper,OU=Groups,DC=sales,
Then use the set command to modify properties.
-> set /SP/clients/activedirectory/opergroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com'
-> show /SP/clients/activedirectory/customgroups/1
For example:
-> show /SP/clients/activedirectory/customgroups/1
/SP/clients/activedirectory/customgroups/1
  Targets:
  Properties:
    name = custom_group_1
    roles = aucro
Then use the set command to modify properties.
-> show /SP/clients/activedirectory/userdomains/1
For example:
-> show /SP/clients/activedirectory/userdomains/1
/SP/clients/activedirectory/userdomains/1
  Targets:
  Properties:
    domain = <USERNAME>@sales.example.oracle.com
Then use the set command to modify properties.
-> set /SP/clients/activedirectory/userdomains/1 domain=<USERNAME>@sales.example.oracle.com
Set 'domain' to '<username>@sales.example.oracle.com'
-> show /SP/clients/activedirectory/alternateservers/1
For example:
-> show /SP/clients/activedirectory/alternateservers/1
/SP/clients/activedirectory/alternateservers/1
  Targets:
    cert
  Properties:
    address = 10.8.168.99
    port = 0
Note - The address property can be either the IP address or the DNS host name. If using DNS, DNS must be enabled. For more information on enabling DNS, see View and Configure DNS Settings.
Then use the set command to modify properties.
You can also use the show command to view the alternate server certificate information.
Type the following to copy a certificate for an alternate server:
-> cd /SP/clients/activedirectory/alternateservers/1
-> set load_uri=<tftp|ftp|scp>://[<username>:<password>@]<ipAddress|HostName>/<filePath>/<fileName>
The following is an example of a certificate copied using tftp:
-> set load_uri=tftp://10.8.172.152/sales/cert.cert
Set 'load_uri' to 'tftp://10.8.172.152/sales/cert.cert'
Note - The TFTP transfer method does not require a user name and password.
The following is an example of a certificate copied using ftp:
-> set load_uri=ftp://sales:XpasswordX@129.148.185.50/8275_put/cert.cert
Set 'load_uri' to 'ftp://sales:XpasswordX@129.148.185.50/8275_put/cert.cert'
The following is an example of a certificate copied using scp:
Type the following to remove a certificate for an alternate server:
-> cd /SP/clients/activedirectory/alternateservers/1
-> set clear_action=true
Are you sure you want to clear /SP/clients/activedirectory/cert (y/n)? y
Set 'clear_action' to 'true'
-> show /SP/clients/activedirectory/dnslocatorqueries/1
For example:
-> show /SP/clients/activedirectory/dnslocatorqueries/1
/SP/clients/activedirectory/dnslocatorqueries/1
  Targets:
  Properties:
    service = _ldap._tcp.gc._msdcs.<DOMAIN>.<PORT:3269>
  Commands:
    cd
    set
    show
Note - DNS and DNS Locator Mode must be enabled for DNS Locator Queries to work. For information about enabling DNS, see View and Configure DNS Settings.
The DNS Locator service query identifies the named DNS service. The port ID is generally part of the record, but it can be overridden by using the format <PORT:636>. Also, named services specific to the domain being authenticated can be specified by using the <DOMAIN> substitution marker.
Then use the set command to modify properties in the dnslocatorqueries target:
Note - To view and configure the expsearchmode property, you must be using ILOM 3.0.4 or a later version of ILOM.
-> show /SP/clients/activedirectory
Then use the set command to enable or disable the property.
-> show /SP/clients/activedirectory
Then use the set command to enable or disable the property.
-> set /SP/clients/activedirectory strictcredentialerrormode=enabled
Set 'strictcredentialerrormode' to 'enabled'
Troubleshoot Active Directory Authentication and Authorization
1. Log in to the ILOM SP CLI or the CMM CLI.
2. Type the following commands:
-> cd /SP/clients/activedirectory
/SP/clients/activedirectory
-> set logdetail=trace
Set 'logdetail' to 'trace'
3. Perform another authorization attempt by logging out, then logging back in to the ILOM CLI and typing the following command:
-> show /SP/logs/event/list Class==(ActDir) Type==(Log) Severity==(Trace)
For more information on configuring event log detail, see View and Clear the ILOM Event Log.
Configure the LDAP Server
1. Ensure that all users authenticating to ILOM have passwords stored in "crypt" format or the GNU extension to crypt, commonly referred to as "MD5 crypt."
ILOM only supports LDAP authentication for passwords stored in these two variations of the crypt format.
For example:
userPassword: {CRYPT}ajCa2He4PJhNo
or
userPassword: {CRYPT}$1$pzKng1$du1Bf0NWBjh9t3FbUgf46.
2. Add object classes posixAccount and shadowAccount, and populate the required property values for this schema (RFC 2307).
3. Configure the LDAP server to enable LDAP server access to ILOM user accounts.
Either enable your LDAP server to accept anonymous binds, or create a proxy user on your LDAP server that has read-only access to all user accounts that will authenticate through ILOM.
See your LDAP server documentation for more details.
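Added example, not part of the Oracle guide: a Python check that runs over a constructed LDIF fragment and reports entries that would fail steps 1 and 2 above (a userPassword that is not in traditional crypt or MD5 crypt form, or a missing posixAccount/shadowAccount class). The two {CRYPT} values are the ones shown above; every other value in the sample is constructed.

```python
import re

# Traditional DES crypt: 13 characters from the crypt alphabet (2-char salt + 11-char hash).
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# GNU "MD5 crypt": $1$<salt, 1-8 chars>$<22-char hash>.
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

def ilom_supported_userpassword(value):
    """Return (ok, reason); ILOM 3.0 accepts only {CRYPT} traditional or MD5 crypt values."""
    m = re.match(r"^\{(\w+)\}(.*)$", value)
    if not m:
        return False, "missing {SCHEME} prefix"
    scheme, digest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return False, f"scheme {scheme} not supported"  # e.g. SSHA, SHA, cleartext
    if DES_CRYPT.match(digest):
        return True, "traditional crypt"
    if MD5_CRYPT.match(digest):
        return True, "MD5 crypt"
    if digest.startswith("$"):  # other glibc crypt variants such as $5$ / $6$
        return False, f"crypt variant ${digest.split('$')[1]}$ not supported"
    return False, "malformed crypt string"

# Constructed LDIF fragment (sample data only); the two {CRYPT} values are the formats shown above.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,ou=sales,dc=oracle,dc=com
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {CRYPT}ajCa2He4PJhNo

dn: uid=bob,ou=people,ou=sales,dc=oracle,dc=com
objectClass: posixAccount
userPassword: {CRYPT}$1$pzKng1$du1Bf0NWBjh9t3FbUgf46.

dn: uid=carol,ou=people,ou=sales,dc=oracle,dc=com
objectClass: posixAccount
userPassword: {SSHA}cGxhY2Vob2xkZXI=
"""

def audit_ldif(ldif):
    """Map each entry's uid to the problems that would break ILOM LDAP login."""
    problems = {}
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for key, _, val in (line.partition(": ") for line in block.splitlines()):
            attrs.setdefault(key, []).append(val)
        uid = attrs["dn"][0].split(",")[0].split("=", 1)[1]
        issues = [f"missing objectClass {c}" for c in ("posixAccount", "shadowAccount")
                  if c not in attrs.get("objectClass", [])]
        for pw in attrs.get("userPassword", []):
            ok, why = ilom_supported_userpassword(pw)
            if not ok:
                issues.append(f"userPassword: {why}")
        problems[uid] = issues
    return problems
```

Run audit_ldif over an export of the searchbase subtree before enabling LDAP in ILOM; an entry with an empty issue list satisfies both steps.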
Configure ILOM for LDAP
1. Log in to the ILOM SP CLI or the CMM CLI.
2. Enter the proxy user name and password. Type:
-> set /SP/clients/ldap binddn="cn=proxyuser, ou=people, ou=sales, dc=oracle, dc=com" bindpw=password
3. Enter the IP address of the LDAP server. Type:
-> set /SP/clients/ldap address=ldap_ip_address|DNS_name
Note - If using a DNS name, DNS must be configured and functioning.
4. Assign the port used to communicate with the LDAP server; the default port is 389. Type:
-> set /SP/clients/ldap port=ldapport
5. Enter the Distinguished Name of the branch of your LDAP tree that contains users and groups. Type, for example:
-> set /SP/clients/ldap searchbase="ou=people, ou=sales, dc=oracle, dc=com"
This is the location in your LDAP tree that you want to search for user authentication.
6. Set the state of the LDAP service to enabled. Type:
-> set /SP/clients/ldap state=enabled
7. To verify that LDAP authentication works, log in to ILOM using an LDAP user name and password.
Note - ILOM searches local users before LDAP users. If an LDAP user name exists as a local user, ILOM uses the local account for authentication.
Enable LDAP/SSL strictcertmode
1. Log in to the ILOM SP CLI or the CMM CLI.
2. Type the following path to access the LDAP/SSL certificate settings:
-> cd /SP/clients/ldapssl/cert
3. To load a certificate, type the following:
-> set load_uri=tftp://IP address/file-path/filename
Note - You can use TFTP, FTP, or SCP to load a certificate.
4. To enable strictcertmode, type the following:
Check LDAP/SSL certstatus
1. Log in to the ILOM SP CLI or the CMM CLI.
2. To check the status of the certificate, type the following:
-> show /SP/clients/ldapssl/cert
Remove an LDAP/SSL Certificate
Note - The Authentication Server Certificate can be removed only when strictcertmode is disabled.
1. Log in to the ILOM SP CLI or the CMM CLI.
-> cd /SP/clients/ldapssl/cert
3. To remove a certificate, type the following:
4. Confirm whether you want to remove the certificate by typing y (yes) or n (no) in response to the on-screen query.
The existing certificate file that had been uploaded will be removed.
View and Configure LDAP/SSL Settings
Note - To view and configure the optionalUserMapping target, you must be using ILOM 3.0.4 or a later version of ILOM.
1. Log in to the ILOM SP CLI or the CMM CLI.
2. Use the show and set commands to view and modify properties.
-> show /SP/clients/ldapssl/admingroups/n
For example:
-> show /SP/clients/ldapssl/admingroups/1
/SP/clients/ldapssl/admingroups/1
  Properties:
    name = CN=SpSuperAdmin,OU=Groups,DC=sales,DC=east,DC=oracle,DC=com
Then use the set command to modify properties.
-> set /SP/clients/ldapssl/admingroups/1/ name=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com'
-> show /SP/clients/ldapssl/opergroups/1
For example:
-> show /SP/clients/ldapssl/opergroups/1
/SP/clients/ldapssl/opergroups/1
  Properties:
    name = CN=SpSuperOper,OU=Groups,DC=sales,DC=east,DC=oracle,DC=com
Then use the set command to modify properties.
-> set /SP/clients/ldapssl/opergroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com'
-> show /SP/clients/ldapssl/customgroups/1
/SP/clients/ldapssl/customgroups/1
  Targets:
  Properties:
    name = <fully qualified distinguished name only>
    roles = (none)
  Commands:
    cd
    set
    show
Then use the set command to modify properties.
-> show /SP/clients/ldapssl/userdomains/1
For example:
-> show /SP/clients/ldapssl/userdomains/1
  Targets:
  Properties:
    domain = uid=<USERNAME>,ou=people,dc=oracle,dc=com
  Commands:
    cd
    set
    show
Then use the set command to modify properties.
Note - In the example above, <USERNAME> will be replaced with the user's login name during authentication. Names can take the form of a Fully Qualified Distinguished Name (FQDN).
-> show /SP/clients/ldapssl/alternateservers/1
For example:
-> show /SP/clients/ldapssl/alternateservers/1
/SP/clients/ldapssl/alternateservers/1
  Targets:
    cert
  Properties:
    address = 10.8.168.99
    port = 0
Note - In the example above, address can be either the IP address or the DNS name. If using DNS, DNS must be enabled. For more information on enabling DNS, see View and Configure DNS Settings.
Then use the set command to modify properties.
You can also use the show command to view the alternate server certificate information.
Type the following to copy a certificate for an alternate server:
-> set load_uri=<tftp|ftp|scp>://[<username>:<password>@]<ipAddress|HostName>/<filePath>/<fileName>
The following is an example of a certificate copied using tftp:
-> set load_uri=tftp://10.8.172.152/sales/cert.cert
Set 'load_uri' to 'tftp://10.8.172.152/sales/cert.cert'
Note - The TFTP transfer method does not require a user name and password.
The following is an example of a certificate copied using ftp:
-> set load_uri=ftp://sales:XpasswordX@129.148.185.50/8275_put/cert.cert
Set 'load_uri' to 'ftp://sales:XpasswordX@129.148.185.50/8275_put/cert.cert'
The following is an example of a certificate copied using scp:
Type the following to remove a certificate for an alternate server:
-> set clear_action=true
Are you sure you want to clear /SP/clients/ldapssl/cert (y/n)? y
Set 'clear_action' to 'true'
-> show /SP/clients/ldapssl/optionalUserMapping
Then use the set command to modify properties.
Troubleshoot LDAP/SSL Authentication and Authorization
1. Log in to the ILOM SP CLI or the CMM CLI.
2. Type the following commands:
-> cd /SP/clients/ldapssl
/SP/clients/ldapssl
-> set logdetail=trace
Set 'logdetail' to 'trace'
3. Perform another authorization attempt by logging out, then logging back in to the ILOM CLI and typing the following:
-> show /SP/logs/event/list Class==(ldapssl) Type==(Log) Severity==(Trace)
For more information about configuring event log detail, see View and Clear the ILOM Event Log.
Configure RADIUS
Note - If you need to provide ILOM access beyond the 10 local user accounts, and after the RADIUS server has been properly configured, you can configure ILOM to use RADIUS authentication.
1. Collect the appropriate information about your RADIUS environment.
2. Log in to the ILOM SP CLI or the CMM CLI and use the cd command to navigate to /SP/clients/radius.
3. Use the show command to view the radius properties.
-> show /SP/clients/radius
/SP/clients/radius
  Targets:
  Properties:
    defaultrole = Operator
    address = 129.144.36.142
    port = 1812
    secret = (none)
    state = enabled
  Commands:
    cd
    set
    show
4. Use the set command to configure the radius properties described in TABLE 4-1.
set /SP/clients/radius [defaultrole=[Administrator|Operator|a|u|c|r|s] address=radius_server_IPaddress port=port# secret=radius_secret state=[enabled|disabled]]
For example:
-> set /SP/clients/radius state=enabled address=10.8.145.77
Set 'state' to 'enabled'
Set 'address' to '10.8.145.77'
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.