Go to main content

Oracle® ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2.x

Exit Print View

Updated: April 2018
 
 

Configuring LDAP/SSL

System administrators can optionally configure Oracle ILOM to use the LDAP/SSL directory service to authenticate Oracle ILOM users, as well as define user authorization levels for using features within Oracle ILOM.

The property for the LDAP/SSL service state, in Oracle ILOM, is disabled by default. To enable the LDAP/SSL service state and configure Oracle ILOM as an LDAP/SSL client, see the following tables:

Table 25  Enabling LDAP/SSL Authentication
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/ldapssl/

  • Web: ILOM Administration > User Management > LDAP/SSL > Settings

  • User Role: User Management (u) (required for all property modifications)

  • Prerequisite: LDAP/SSL server must be configured with users or user groups prior to configuring Oracle ILOM.

Property
Default Value
Description
State
(state=)
Disabled
Disabled |Enabled
To configure Oracle ILOM to use the LDAP/SSL authentication and authorization directory service, set the State property to enabled.
When the State property is set to disabled, Oracle ILOM is disabled from using the LDAP/SSL service for user authentication and authorization levels.
When the State property is enabled, and the Strict Certificate Mode property is disabled, Oracle ILOM over a secure channel provides some validation of the LDAP/SSL service certificate at the time of user authentication.
When the State property is enabled, and the Strict Certificate Mode property is enabled, Oracle ILOM over a secure channel fully verifies the LDAP/SSL service certificate for digital signatures at the time of user authentication.
CLI State Syntax:
set /SP|CMM/clients/ldapssl/ state=disabled|enabled
Roles
(defaultrole=)
None (server authorization)
Administrator |Operator |Advanced |None (server authorization)
To define which features in Oracle ILOM are accessible to LDAP/SSL authenticated users, set the default Roles property to one of the four property values accepted: Administrator (a|u|c|r|o), Operator (c|r|o), Advanced (a|u|c|r|o|s), or None (server authorization).
When the default Roles property is set to an Oracle ILOM user role, authorization levels for using features within Oracle ILOM are dictated by the user privileges granted by the Oracle ILOM user role. For a description of privileges assigned, see the tables listed in the Related Information section below for user role and user profile.
When the default Roles property is set to None (server authorization) and Oracle ILOM is configured to use LDAP/SSL Groups, the authorization levels for using features within Oracle ILOM are dictated by the LDAP/SSL Group. For further LDAP/SSL configuration details, see the table that describes LDAP/SSL Groups listed in the Related Information section below.
CLI Roles Syntax:
set /SP|CMM/clients/ldapssl/ defaultrole=administrator|operator|a|u|c|r|o|s|none
Related Information:
Address
(address=)
0.0.0.0
IP address| DNS host name (Active Directory Server)
To configure the network address for the LDAP/SSL server, populate the Address property with the LDAP/SSL IP address or DNS host name. If a DNS host name is used, then the DNS configuration properties in Oracle ILOM must be properly configured and operational.
CLI Address Syntax:
set /SP|CMM/clients/ldapssl/ address=LDAP/SSL_server ip_address|active_directory_server_dns_host_name
Related Information:
Port
(port=)
0 Auto-select
0 Auto-select | Non-standard TCP port
A standard TCP port is used by Oracle ILOM to communicate with the LDAP/SSL server.
When the Port Auto-select property is enabled, the Port number is set to 0 by default.
When the Port Auto-select property is disabled, the Port number property in the web interface becomes user-configurable.
A configurable Port property is provided in the unlikely event of Oracle ILOM needing to use a non-standard TCP port.
CLI Port Syntax:
set /SP|CMM/clients/ldapssl/ port=number
Timeout
(timeout=)
4 seconds
4 |user-specified
The Timeout property is set to 4 seconds by default. If necessary, adjust this property value to fine tune response time when the LDAP/SSL server is unreachable or not responding.
The Timeout property designates the number of seconds to wait for an individual transaction to complete. The value does not represent the total time for all transactions to complete since the number of transactions can differ depending on the configuration.
CLI Timeout Syntax:
set /SP|CMM/clients/ldapssl/ timeout=number_of_seconds
Strict Certificate Mode
(strictcert mode=)
Disabled
Disabled |Enabled
When enabled, Oracle ILOM fully verifies the LDAP/SSL certificate signatures at the time of authentication over a secure channel.
When disabled, Oracle ILOM provides limited validation of the server certificate at time of authentication over a secure channel.

Caution  - The LDAP/SSL server certificate must be uploaded to Oracle ILOM prior to enabling the Strict Certificate Mode property.

CLI Strict Certificate Mode Syntax:
set /SP|CMM/clients/ldapssl/ strictcertmode=disabled|enabled
Related Information:
Optional User Mapping
(/optionalUsermapping)
Disabled
Disabled | Enabled
The Optional User Mapping property is typically used when a uid was not used as part of the user domain login name. Set the Optional User Mapping property to enabled if there is a need to convert simple user login names to domain names for user authentication.
  • State – When enabled, alternative attributes are configurable for user credential authentication.

  • Attribute Information – Enter the attribute login information using the accepted input format (&(objectclass=person)(uid=<USERNAME>)). The Attribute Information enables the LDAP/SSL query to search user domain names based on the attribute login information provided.

  • Searchbase – Set the Searchbase property to the Distinguished Name of the search base object or to a branch in the LDAP tree where Oracle ILOM should look for LDAP user accounts. Input format: OU={organization},DC={company},DC={com}

  • Bind DN – Set the Bind DN property to the Distinguished Name (DN) of a read-only proxy user on the LDAP server. Oracle ILOM must have read-only access to your LDAP server to search and authenticate users. Input format: OU={organization},DC={company},DC={com}

  • Bind Password – Set the Bind Password property to a password for the read-only proxy user.

CLI Optional User Mapping Syntax:
set /SP|CMM/clients/ldapssl/optionalUsermapping/ attributeInfo=<string> searchbase=<string> binddn=cn=proxyuser, ou=organization _name, dc=company, dc=com bindpw=password
Log Detail
(logdetail=)
None
None | High | Medium | Low |Trace
To specify the type of diagnostic information recorded in the Oracle ILOM event log for LDAP/SSL events, set the Log Detail property to one of the five property values accepted (none, high, medium, low or trace).
CLI Log Detail Syntax:
set /SP|CMM/clients/ldapssl/ logdetail=none|high|medium|low|trace
Save
Web interface – To apply changes made to properties within the LDAP/SSL Settings page, you must click Save.
Table 26   Uploading or Removing an LDAP/SSL Certificate File
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/ldapssl/cert

  • Web: ILOM Administration > User Management > LDAP/SSL > Certificate Information

  • User Role: User Management (u) (required for all property modifications)

Property
Default Value
Description
Certificate File Status
(certstatus=)
Read-only
Certificate Present |Certificate Not Present
The Certificate File Status property indicates whether an LDAP/SSL certificate has been uploaded to Oracle ILOM.
CLI Certificate Status Syntax:
show /SP|CMM/clients/ldapssl/cert
File Transfer Method
Browser (web interface only)
Browser|TFTP|FTP|SCP|Paste
For a detailed description of each file transfer method, see Figure 14, Table 14, File Transfer Methods .
Load Certificate
(load_uri=)
Web interface – Click the Load Certificate button to upload the LDAP/SSL certificate file that is designated in the File Transfer Method property.
CLI Load Certificate Syntax:
load_uri=file_transfer_method://host_address/file_path/filename
Remove Certificate
(clear_action=true)
Web interface – Click the Remove Certificate button to remove the LDAP/SSL certificate file presently stored in Oracle ILOM. When prompted, click Yes to continue the action or No to cancel the action.
CLI Remove Certificate Syntax:
set /SP|CMM/clients/ldapssl/cert clear_action=true
-or-
reset /SP|CMM/clients/ldapssl/cert
When prompted, type y to continue the action or n to cancel the action.
Table 27  Optionally Configuring LDAP/SSL Groups
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/ldapssl

  • Web: ILOM Administration > User Management > LDAP/SSL> (Name) Groups

  • User Role: User Management (u) (required for all property modifications)

  • Prerequisite: Prior to setting up LDAP/SSL Groups in Oracle ILOM, the LDAP/SSL Groups must be present on the LDAP/SSL server and assigned members.

Property
Description
Admin Groups
(/admingroups/1|2|3|4|5)
A system administrator can optionally configure Admin Group properties instead of the Role properties in Oracle ILOM to provide user authorization.
Oracle ILOM supports the configuration of up to five Admin Groups. When Admin Group properties are enabled in Oracle ILOM, a user's group membership is checked for any matching groups defined in the admin table. If a match occurs, the user is granted Administrator-level access.
Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table.
CLI Admin Group Syntax:
set /SP|CMM/clients/ldapssl/admingroups/n name=string
Example Syntax:
set /SP/clients/ldapssl/admingroups/1/ name=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle, DC=com'
Operator Groups
(/operatorgroups/1|2|3|4|5)
A system administrator can optionally configure Operator Group properties instead of the Role properties in Oracle ILOM to provide user authorization.
Oracle ILOM supports the configuration of up to five Operator Groups. When Operator Group properties are enabled in Oracle ILOM, a user's group membership is checked for any matching groups defined in the operator table. If a match occurs, the user is granted Operator-level access.
Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table.
CLI Operator Group Syntax:
set /SP|CMM/clients/ldapssl/operatorgroups/n name=string
Example Syntax:
set /SP/clients/ldapssl/operatorgroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC= com''
Host Groups
LDAP/SSL Host Groups properties are specific to Oracle's multi-domain SPARC server systems.
For multi-domain SP server systems, Oracle ILOM enables system administrators to configure up to 10 host groups for LDAP/SSL user authentication.
CLI Configuration Syntax for Host Groups:
set /SP/clients/ldapssl/hostgroups/n/ name=string hosts=string roles=string
Where:
  • name= is a read and write property that represents the Active Directory group name for the specified host group.

  • hosts= is a read and write property that lists the PDomain for which this host group assigns roles.

  • roles= is a read/write property that specifies the domain-specific privilege levels for the host group. This property supports any of the individual host role ID combinations of a, c, and r (for example, acr) where a= admin, c=console, and r=reset.

For further details about configuring Host Group properties for multi-domain server SP systems, see the administration guide provided with the Oracle server.
Custom Groups
(/customgroups/1|2|3|4|5)
A system administrator can optionally configure up to five Custom Groups properties in Oracle ILOM to provide user authorization. Oracle ILOM uses the Custom Group properties to determine the appropriate user roles to assign when authenticating users who are members of a Custom Group
When enabling the use of Custom Groups in Oracle ILOM, both the Roles property and the Custom Groups property must be configured. For further information about the configuration properties for Roles, see the Roles property in Figure 25, Table 25, Enabling LDAP/SSL Authentication .
Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table.
CLI Custom Groups Syntax:
set /SP|CMM/clients/ldapssl/customgroups/n name=string roles=administrator|operator|a|u|c|r|o|s
Example Syntax:
set /SP/clients/ldapssl/customgroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com roles=au
Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC= com'' roles' to 'au'
Related Information:
Save
Web interface – To apply changes made to properties in the Admin, Operator, or Custom Group dialogs, you must click Save.
Table 28   Configuring LDAP/SSL User Domains
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/ldapssl/userdomains/n

  • Web: ILOM Administration > User Management > LDAP/SSL > User Domains

  • User Role: User Management (u) (required for all property modifications)

  • Prerequisite: Prior to setting up User Domains in Oracle ILOM, the User Domains must be present on the LDAP/SSL server and assigned members.

Property
Description
User Domains
(/1|2|3|4|5)
A system administrator can optionally configure up to five User Domains. When one or more User Domains are defined, Oracle ILOM uses these properties in sequence until it is able to authenticate the LDAP/SSL user.
Use the following possible values to populate the configuration properties for each User Domain in Oracle ILOM.
  • UID format: uid=<USERNAME>,ou=people,dc=company,dc=com

  • DN format: CN=<USERNAME>,CN=Users,DC=domain,DC=company,DC=com

Note - You can use <USERNAME> as a literal. When <USERNAME> is used as a literal Oracle ILOM replaces the <USERNAME> during user authentication with the current login name entered.

You can optonally specify a specific searchbase by appending the <BASE:string> property after the user domain configuration. For syntax details, see Example 3 below.
CLI User Domains Syntax:
set /SP|CMM/clients/ldapssl/userdomains/n domain=string
Example 1: domain=CN=<USERNAME>
set /SP/clients/ldapssl/userdomains/1 domain=CN=<USERNAME>,OU=Groups,DC=sales,DC-oracle,DC=com
Set 'domain' to 'CN=<USERNAME>,OU=Groups,DC=sales,DC=oracle,DC=com'
Example 2: domain=CN=spSuperAdmin
set /SP/clients/ldapssl/userdomains/1 domain=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'domain' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle, DC=com'
Example 3: Searchbase syntax using <BASE:string>
set /SP/clients/ldapssl/userdomains/1 domain=uid=<USERNAME>,ou=people,dc=oracle,dc=com<BASE:ou=doc,dc=oracle,dc=com>
Save
Web interface – To apply changes made to properties in the LDAP/SSL User Domain dialog, you must click Save.
Table 29   Optionally Configuring LDAP/SSL Alternate Servers
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/ldapssl/alternateservers/n

  • Web: ILOM Administration > User Management > LDAP/SSL > Alternate Servers

  • User Role: User Management (u) (required for all property modifications)

Property
Description
Alternate Servers
(/1|2|3|4|5)
Oracle ILOM enables you to configure up to five LDAP/SSL alternate servers.
Alternate servers provide authentication redundancy, as well as a choice of different LDAP/SSL servers to use when you need to isolate domains.
Each LDAP/SSL alternate server uses the same user authorization rules and requirements as the primary LDAP/SSL server. For example, Oracle ILOM will use the configured user roles in the Roles property to authenticate users. However, if the Roles property is not configured, Oracle ILOM will query the authentication server for the appropriate authorization roles.
Each alternate server has its own properties for network address, port, certificate status, and commands for uploading and removing a certificate. If an LDAP/SSL certificate is not supplied, but is required, Oracle ILOM will use the top-level primary LDAP/SSL server certificate.
CLI Alternate Servers Address and Port Syntax:
set /SP|CMM/clients/ldapssl/alternateservers/n address=sting port=string
CLI Alternate Server s Certificate Syntax:
show /SP|CMM/clients/ldapssl/alternateservers/n/cert
load_uri=file_transfer_method://host_address/file_path/filename
set /SP|CMM/clients/ldapssl/alternateservers/n/cert clear_action=true
Save
Web interface – To apply changes made to properties in the LDAP/SSL Alternate Servers dialog, you must click Save.
Table 30   Guidelines for Troubleshooting LDAP/SSL Authentication
Refer to the following guidelines when troubleshooting LDAP/SSL authentication and authorization attempts in Oracle ILOM.
  • To test LDAP/SSL authentication and set the Oracle ILOM event log to trace LDAP/SSL events, follow these steps:

    1: Set the LDAP/SSL Log Details property to trace.

    2: Attempt an authentication to Oracle ILOM to generate events.

    3: Review the Oracle ILOM event log file.

  • Ensure that the user groups and user domains configured on the LDAP/SSL server match the user groups and user domains configured in Oracle ILOM.

  • The Oracle ILOM LDAP/SSL Client does not manage clock settings. The clock settings in Oracle ILOM are configurable manually or through an NTP server.

    Note. When the clock setting in Oracle ILOM is configured using an NTP server, Oracle ILOM performs an ntpdate using the NTP server(s) before starting the NTP daemon.

Related Information: