Oracle® ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2.x

Updated: April 2018
Configuring Active Directory

System administrators can optionally configure Oracle ILOM to use the Microsoft Windows Active Directory service to authenticate Oracle ILOM users, as well as define user authorization levels for using the features within Oracle ILOM. This service is based on a client-server query model that uses the assigned user password to authenticate Active Directory users.

The property for the Active Directory service state, in Oracle ILOM, is disabled by default. To enable the Active Directory service state and configure Oracle ILOM as an Active Directory client, see the following tables:

Table 18  Enabling Active Directory Authentication
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/activedirectory

  • Web: ILOM Administration > User Management > Active Directory > Settings

  • User Role: User Management (u) (required for all property modifications)

  • Prerequisite: The Active Directory server must be configured with users or user groups prior to configuring Oracle ILOM as an Active Directory client.

Property | Default Value | Description
State (state=)
Default: Disabled
Accepted values: Disabled | Enabled
To configure Oracle ILOM as an Active Directory client, set the State property to enabled.
When the State property is enabled and the Strict Certificate Mode property is disabled, Oracle ILOM performs only limited validation of the Active Directory server certificate over the secure channel at the time of user authentication.
When the State property is enabled and the Strict Certificate Mode property is enabled, Oracle ILOM fully verifies the digital signature of the Active Directory server certificate over the secure channel at the time of user authentication.
CLI State Syntax:
set /SP|CMM/clients/activedirectory/ state=disabled|enabled
Roles (defaultrole=)
Default: None (server authorization)
Accepted values: Administrator | Operator | Advanced | None (server authorization)
To define which Oracle ILOM features Active Directory authenticated users can access, set the Roles property to one of the four accepted values: Administrator (a|u|c|r|o), Operator (c|r|o), Advanced (a|u|c|r|o|s), or None (server authorization).
When the Roles property is set to an Oracle ILOM user role, the authorization level for using features within Oracle ILOM is dictated by the privileges granted by that user role. For a description of the privileges assigned, see the user role and user profile topics listed in the Related Information section below.
When the Roles property is set to None (server authorization) and Oracle ILOM is configured to use Active Directory groups, the authorization level for using features within Oracle ILOM is dictated by the matching Active Directory group. For further configuration details, see the Active Directory Group topic listed in the Related Information section below.
CLI Roles Syntax:
set /SP|CMM/clients/activedirectory/ defaultrole=administrator|operator|a|u|c|r|o|s|none
Address (address=)
Default: 0.0.0.0
Accepted values: IP address | DNS host name (of the Active Directory server)
To configure the Active Directory server network address, populate the Address property with the Active Directory server IP address or DNS host name. If a DNS host name is used, the DNS configuration properties in Oracle ILOM must be properly configured and operational.
CLI Address Syntax:
set /SP|CMM/clients/activedirectory/ address=active_directory_server_ip_address|active_directory_server_dns_host_name
Port (port=)
Default: 0 (Auto-select)
Accepted values: 0 (Auto-select) | non-standard TCP port
By default, Oracle ILOM communicates with the Active Directory server on the standard TCP port.
When the Port Auto-select property is enabled, the Port number is set to 0. When the Port Auto-select property is disabled, the Port number property in the web interface becomes user-configurable.
A configurable Port property is provided for the unlikely event that Oracle ILOM needs to use a non-standard TCP port.
CLI Port Syntax:
set /SP|CMM/clients/activedirectory/ port=number
Timeout (timeout=)
Default: 4 seconds
Accepted values: 4 | user-specified number of seconds
The Timeout property designates the number of seconds to wait for an individual transaction to complete. The value does not represent the total time for all transactions to complete, because the number of transactions differs depending on the configuration.
The Timeout property is set to 4 seconds by default. If necessary, adjust this value to fine-tune the response time for when the Active Directory server is unreachable or not responding.
CLI Timeout Syntax:
set /SP|CMM/clients/activedirectory/ timeout=number_of_seconds
Strict Certificate Mode (strictcertmode=)
Default: Disabled
Accepted values: Disabled | Enabled
When the Strict Certificate Mode property is enabled, Oracle ILOM fully verifies the digital signatures in the Active Directory certificate at the time of authentication.
When the Strict Certificate Mode property is disabled, Oracle ILOM provides only limited validation of the server certificate at the time of authentication over a secure channel.

Caution - The Active Directory server certificate must be loaded prior to enabling the Strict Certificate Mode property.

CLI Strict Certificate Mode Syntax:
set /SP|CMM/clients/activedirectory/ strictcertmode=disabled|enabled
DNS Locator Mode (/dnslocatorqueries)
Default: Disabled
Accepted values: Disabled | Enabled
To configure Oracle ILOM to use DNS Locator Queries to obtain a list of Active Directory servers, set the DNS Locator Mode property to enabled.
CLI DNS Locator Mode Syntax:
set /SP|CMM/clients/activedirectory/ dnslocatorqueries/1=disabled|enabled
Expanded Search Mode (expsearchmode=)
Default: Disabled
Accepted values: Disabled | Enabled
To configure Oracle ILOM to use additional search options for locating Active Directory user entries, set the Expanded Search Mode property to enabled.
When the Expanded Search Mode property is disabled, Oracle ILOM uses only the userPrincipalName to search for user entries; in that case, the userPrincipalName must carry a fully qualified domain name (FQDN) suffix.
CLI Expanded Search Mode Syntax:
set /SP|CMM/clients/activedirectory/ expsearchmode=disabled|enabled
Strict Credential Error Mode (strictcredentialerrormode=)
Default: Disabled
Accepted values: Disabled | Enabled
When the Strict Credential Error Mode property is enabled, a user credential error reported by any server causes Oracle ILOM to reject those user credentials without consulting further servers.
When the Strict Credential Error Mode property is disabled, Oracle ILOM presents the user credentials to the other Active Directory servers (configured as alternate servers or found by DNS Locator Queries) for authentication.
CLI Strict Credential Error Mode Syntax:
set /SP|CMM/clients/activedirectory/ strictcredentialerrormode=disabled|enabled
Log Detail (logdetail=)
Default: None
Accepted values: None | High | Medium | Low | Trace
To specify the amount of diagnostic information recorded in the Oracle ILOM event log for Active Directory events, set the Log Detail property to one of the accepted values.
CLI Log Detail Configuration Syntax:
set /SP|CMM/clients/activedirectory/ logdetail=none|high|medium|low|trace
Save
Web interface – To apply changes made to properties within the Active Directory Settings page, you must click Save.
Table 19   Uploading or Removing an Active Directory Certificate File
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/activedirectory/cert

  • Web: ILOM Administration > User Management > Active Directory > Certificate Information

  • User Role: (u) User Management (required for all property modifications)

Property | Default Value | Description
Certificate File Status (certstatus=)
Default: Read-only
Accepted values: Certificate present | Certificate not present
The Certificate File Status property indicates whether an Active Directory certificate has been uploaded to Oracle ILOM.

Caution - The Active Directory certificate file must be uploaded to Oracle ILOM prior to enabling the Strict Certificate Mode property.

CLI Certificate Show Syntax:
show /SP|CMM/clients/activedirectory/cert
File Transfer Method
Default: Browser (web interface only)
Accepted values: Browser | TFTP | FTP | SCP | Paste
For a detailed description of each file transfer method, see Table 14, File Transfer Methods.
Load Certificate (load_uri=)
Web interface – Click the Load Certificate button to upload the Active Directory certificate file specified by the File Transfer Method properties.
CLI Certificate Load Syntax:
set /SP|CMM/clients/activedirectory/cert load_uri=file_transfer_method://host_address/file_path/filename
Remove Certificate (clear_action=true)
Web interface – Click the Remove Certificate button to remove the Active Directory certificate file presently stored in Oracle ILOM. When prompted, type y (Yes) to delete or n (No) to cancel the action.
CLI Remove Certificate Syntax:
set /SP|CMM/clients/activedirectory/cert clear_action=true
-or-
reset /SP|CMM/clients/activedirectory/cert
When prompted, type y to delete or n to cancel the action.
Table 20  Optionally Configuring Active Directory Groups
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/activedirectory

  • Web: ILOM Administration > User Management > Active Directory > (Name) Groups

  • User Role: (u) User Management (required for all property modifications)

  • Prerequisite: Prior to setting up Active Directory Groups in Oracle ILOM, the Active Directory Groups must be present on the Active Directory server and have members assigned.

Property | Description
Admin Groups (/admingroups/1|2|3|4|5)
A system administrator can optionally configure Admin Group properties, instead of the Roles property, to provide user authorization in Oracle ILOM.
Oracle ILOM supports the configuration of up to five Admin Groups. When Admin Group properties are enabled in Oracle ILOM, a user's group membership is checked for any matching groups defined in the admin table. If a match occurs, the user is granted Administrator-level access.
Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (Operator, Administrator, or Custom) found in each configured group table.
Use one of the following formats to populate the configuration properties for each Active Directory Admin Group in Oracle ILOM (up to 128 characters):
  • DN format: CN=admingroup,OU=groups,DC=domain,DC=company,DC=com

  • NT Domain format: domain\admingroup

  • Full Domain format: DC=domain,DC=company,DC=com\admingroup

  • Simple Name format: admingroup

CLI Configuration Syntax for Admin Groups:
set /SP|CMM/clients/activedirectory/admingroups/n name=string
Example Syntax:
set /SP/clients/activedirectory/admingroups/1/ name=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com'
Operator Groups (/operatorgroups/1|2|3|4|5)
A system administrator can optionally configure Operator Group properties, instead of the Roles property, to provide user authorization in Oracle ILOM.
Oracle ILOM supports the configuration of up to five Operator Groups. When Operator Group properties are enabled in Oracle ILOM, a user's group membership is checked for any matching groups defined in the operator table. If a match occurs, the user is granted Operator-level access.
Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (Operator, Administrator, or Custom) found in each configured group table.
Use one of the following formats to populate the configuration properties for each Operator Group in Oracle ILOM (up to 128 characters):
  • DN format: CN=operatorgroup,OU=groups,DC=domain,DC=company,DC=com

  • NT Domain format: domain\operatorgroup

  • Full Domain format: DC=domain,DC=company,DC=com\operatorgroup

  • Simple Name format: operatorgroup

CLI Configuration Syntax for Operator Groups:
set /SP|CMM/clients/activedirectory/operatorgroups/n name=string
Example Syntax:
set /SP/clients/activedirectory/operatorgroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com'
Host Groups
Active Directory Host Group properties are specific to Oracle's multi-domain SPARC server systems.
For multi-domain SP server systems, Oracle ILOM enables system administrators to configure up to 10 host groups for Active Directory user authentication.
CLI Configuration Syntax for Host Groups:
set /SP/clients/activedirectory/hostgroups/n/ name=string hosts=string roles=string
Where:
  • name= is a read/write property that holds the Active Directory group name for the specified host group.

  • hosts= is a read/write property that lists the PDomains for which this host group assigns roles.

  • roles= is a read/write property that specifies the domain-specific privilege levels for the host group. It accepts any combination of the individual host role IDs a, c, and r (for example, acr), where a=admin, c=console, and r=reset.

For further details about configuring Host Group properties for multi-domain server SP systems, see the administration guide for the Oracle server.
Custom Groups (/customgroups/1|2|3|4|5)
A system administrator can optionally configure up to five Custom Group properties in Oracle ILOM to provide user authorization. Oracle ILOM uses the Custom Group properties to determine the user roles to assign when authenticating users who are members of a Custom Group.
When enabling the use of Custom Groups in Oracle ILOM, both the Roles property and the Custom Groups property must be configured. For further information about the configuration properties for Roles, see the Roles property in Table 18, Enabling Active Directory Authentication.
Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (Operator, Administrator, or Custom) found in each configured group table.
Use the following values to populate the configuration properties for each Custom Group in Oracle ILOM (group names up to 128 characters):
  • User role: administrator | operator | advanced (a|u|c|r|o|s)

  • DN format: CN=customgroup,OU=groups,DC=domain,DC=company,DC=com

  • NT Domain format: domain\customgroup

  • Full Domain format: DC=domain,DC=company,DC=com\customgroup

  • Simple Name format: customgroup

CLI Configuration Syntax for Custom Groups:
set /SP|CMM/clients/activedirectory/customgroups/n name=string roles=administrator|operator|a|u|c|r|o|s
Example Syntax:
set /SP/clients/activedirectory/customgroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com roles=au
Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com'
Set 'roles' to 'au'
Save
Web interface – To apply changes made to properties in the Admin, Operator, or Custom Group dialogs, you must click Save.
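The Admin, Operator and Custom Group tables above accept four name formats, hold at most five entries of up to 128 characters each, and every table a user's membership matches contributes its own authorization level. The following Python is an added example and not Oracle ILOM code: it classifies a configured group name as DN, NT Domain, Full Domain or Simple Name, enforces the length and entry limits, expands a roles= value into privilege letters, and unions the privileges from every matching table. The case-insensitive exact-string match and the sample memberships are assumptions of this example; the page does not describe how ILOM compares group names.

```python
import re

# Limits stated on the page: five entries per group table, 128 characters per name.
MAX_GROUP_ENTRIES = 5
MAX_NAME_LEN = 128

# Privilege letters behind each role name, as listed for the Roles property.
ROLE_PRIVS = {
    "administrator": frozenset("aucro"),
    "operator": frozenset("cro"),
    "advanced": frozenset("aucros"),
}
ALL_PRIVS = frozenset("aucros")

# One or more attr=value components joined by commas, e.g. CN=x,OU=y,DC=z.
_DN_RE = re.compile(r"^[A-Za-z]+=[^,\\]+(?:,[A-Za-z]+=[^,\\]+)*$")


def classify_group_name(name):
    """Return 'dn', 'nt-domain', 'full-domain' or 'simple' for a group name
    in one of the four formats on the page; raise ValueError otherwise."""
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("group name must be 1 to %d characters" % MAX_NAME_LEN)
    if "\\" in name:
        domain, _, group = name.partition("\\")
        if not domain or not group or "\\" in group:
            raise ValueError("expected exactly one backslash between domain and group")
        # Full Domain puts a DN before the backslash, NT Domain a bare domain name.
        return "full-domain" if _DN_RE.match(domain) else "nt-domain"
    if "=" in name:
        if _DN_RE.match(name):
            return "dn"
        raise ValueError("malformed DN: %r" % name)
    return "simple"


def check_group_table(names):
    """Validate a whole admin/operator/custom table before pushing it to the SP."""
    if len(names) > MAX_GROUP_ENTRIES:
        raise ValueError("at most %d entries per group table" % MAX_GROUP_ENTRIES)
    return [classify_group_name(n) for n in names]


def parse_roles(spec):
    """Expand a roles= value (role name or privilege letters) to a set of letters."""
    spec = spec.strip().lower()
    if spec in ROLE_PRIVS:
        return set(ROLE_PRIVS[spec])
    letters = set(spec)
    if not letters or not letters <= ALL_PRIVS:
        raise ValueError("roles must be a role name or letters from a,u,c,r,o,s: %r" % spec)
    return letters


def resolve_privileges(user_groups, admin_groups=(), operator_groups=(), custom_groups=()):
    """Union the privileges granted by every group table the user's membership matches.

    custom_groups is a list of (name, roles) pairs. Matching is a case-insensitive
    comparison of the configured string against the user's group names; that rule
    is this example's assumption, not something the page states."""
    member = {g.lower() for g in user_groups}
    granted, matched = set(), []
    for name in admin_groups:
        if name.lower() in member:
            granted |= ROLE_PRIVS["administrator"]
            matched.append(("admin", name))
    for name in operator_groups:
        if name.lower() in member:
            granted |= ROLE_PRIVS["operator"]
            matched.append(("operator", name))
    for name, roles in custom_groups:
        if name.lower() in member:
            granted |= parse_roles(roles)
            matched.append(("custom", name))
    return "".join(sorted(granted)), matched


if __name__ == "__main__":
    # Constructed sample: the page's example group names plus one fictional user's memberships.
    user = ["CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com", "sales\\helpdesk"]
    privs, hits = resolve_privileges(
        user,
        admin_groups=["CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com"],
        operator_groups=["sales\\helpdesk"],
        custom_groups=[("CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com", "au")],
    )
    print("granted privileges:", privs, "from", hits)
```

Running the sample shows why the Note under each table matters: the user is an Operator-group member (c, r, o) and a Custom-group member with roles=au, so the resulting privilege set is the union a, c, o, r, u, the equivalent of Administrator, even though no Admin Group matched. Reviewing a proposed table with `check_group_table` before it is set on the SP catches names that exceed 128 characters or silently fall into the wrong format.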
Table 21   Configuring Active Directory User Domains
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/activedirectory/userdomains/n

  • Web: ILOM Administration > User Management > Active Directory > User Domains

  • User Role: User Management (u) (required for all property modifications)

  • Prerequisite: Prior to setting up Active Directory User Domains in Oracle ILOM, the Active Directory User Domains must be present on the Active Directory server and have members assigned.

Property | Description
User Domains (1|2|3|4|5)
A system administrator can optionally configure up to five User Domains. When one or more user domains are defined, Oracle ILOM uses them in sequence until it is able to authenticate the Active Directory user.
Use the following formats to populate the configuration properties for each User Domain in Oracle ILOM:
  • UPN format: <USERNAME>@domain.company.com

  • DN format: CN=<USERNAME>,CN=Users,DC=domain,DC=company,DC=com

Note - You can use <USERNAME> as a literal. When <USERNAME> is used as a literal, Oracle ILOM replaces it during user authentication with the login name entered.

CLI User Domains Syntax:
set /SP|CMM/clients/activedirectory/userdomains/n name=string
Example 1: name=CN=<USERNAME>
set /SP/clients/activedirectory/userdomains/1/ name=CN=<USERNAME>,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=<USERNAME>,OU=Groups,DC=sales,DC=oracle,DC=com'
Example 2: name=CN=spSuperAdmin
set /SP/clients/activedirectory/userdomains/1/ name=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com'
Save
Web interface – To apply changes made to properties in the Active Directory User Domains dialog, you must click Save.
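The User Domains table says that <USERNAME> is replaced by the login name at authentication time and that the configured domains are tried in sequence. The Python below is an added example, not Oracle ILOM code, showing that substitution for both the UPN and DN formats. For DN templates it applies RFC 4514 escaping to the login name, so that a name containing commas or equals signs stays a single attribute value instead of adding components to the DN; whether ILOM itself escapes the login name is not stated on the page, so that choice, the helper names and the sample logins are this example's assumptions.

```python
# Characters that must be escaped inside a DN attribute value (RFC 4514, section 2.4).
_DN_SPECIALS = set(',+"\\<>;')
MAX_USER_DOMAINS = 5  # limit stated on the page


def escape_dn_value(value):
    """Escape a string so it remains one attribute value when spliced into a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def expand_user_domain(template, login):
    """Replace the <USERNAME> literal with the login name.

    DN-style templates (those containing attr=value components) get RFC 4514
    escaping; UPN templates are substituted verbatim. A template without the
    literal (Example 2 on the page) is returned unchanged."""
    if "<USERNAME>" not in template:
        return template
    if "=" in template:
        return template.replace("<USERNAME>", escape_dn_value(login))
    return template.replace("<USERNAME>", login)


def candidate_names(templates, login):
    """Names in the order the client would try them: the page says the user
    domains are used in sequence until one authenticates."""
    if len(templates) > MAX_USER_DOMAINS:
        raise ValueError("at most %d user domains" % MAX_USER_DOMAINS)
    return [expand_user_domain(t, login) for t in templates]


if __name__ == "__main__":
    # Constructed templates and logins; the DN one mirrors Example 1 on the page.
    templates = [
        "<USERNAME>@sales.example.com",
        "CN=<USERNAME>,OU=Groups,DC=sales,DC=oracle,DC=com",
    ]
    for login in ("jdoe", "jdoe,OU=Admins"):
        print(login, "->", candidate_names(templates, login))
```

The second sample login shows the point of escaping: without it, the DN template would expand to `CN=jdoe,OU=Admins,OU=Groups,...`, a different object from the one the administrator configured. Whatever the SP does internally, auditing which login names are accepted at the ILOM login prompt is cheaper than reasoning about it after the fact.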
Table 22   Optionally Configuring Active Directory Alternate Servers
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/activedirectory/alternateservers/n

  • Web: ILOM Administration > User Management > Active Directory > Alternate Servers

  • User Role: User Management (u) (required for all property modifications)

Property | Description
Alternate Servers (/1|2|3|4|5)
Oracle ILOM enables a system administrator to configure up to five Active Directory alternate servers.
Alternate servers provide authentication redundancy, as well as a choice of different Active Directory servers to use when you need to isolate domains.
Each Active Directory alternate server uses the same user authorization rules and requirements as the primary Active Directory server. For example, Oracle ILOM uses the user roles configured in the Roles property to authorize authenticated users; if the Roles property is not configured, Oracle ILOM queries the authentication server for the appropriate authorization roles.
Each Active Directory alternate server has its own properties for network address, port, and certificate status, and its own commands for uploading and removing a certificate. When an Active Directory certificate is required but has not been supplied for the alternate server, Oracle ILOM uses the top-level primary Active Directory server certificate.

Note - If the alternate servers are being used to provide authentication redundancy, the Strict Credential Error Mode property can optionally be enabled. However, if the alternate servers are being used to span disjoint domains, the Strict Credential Error Mode property should be disabled. For the configuration properties for Strict Credential Error Mode, see Table 18, Enabling Active Directory Authentication.

CLI Alternate Server Address and Port Syntax:
set /SP|CMM/clients/activedirectory/alternateservers/n address=string port=string
CLI Alternate Server Certificate Syntax:
show /SP|CMM/clients/activedirectory/alternateservers/n/cert
set /SP|CMM/clients/activedirectory/alternateservers/n/cert load_uri=file_transfer_method://host_address/file_path/filename
set /SP|CMM/clients/activedirectory/alternateservers/n/cert clear_action=true
Save
Web interface – To apply changes made to properties in the Active Directory Alternate Servers dialog, you must click Save.
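The Strict Credential Error Mode and Timeout properties in Table 18 and the Note on alternate servers above describe one decision procedure: walk the primary server and then the alternates in order, and decide after each answer whether to stop or continue. The Python below is an added example, not Oracle ILOM code, that models that walk over constructed server outcomes so the two settings of Strict Credential Error Mode can be compared side by side; the outcome labels, the transaction counts and the `Attempt` type are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """Constructed outcome of presenting one set of credentials to one server.

    outcome is 'ok', 'credential_error' (the server answered and rejected the
    password or user) or 'unreachable' (no usable answer within the timeout)."""
    server: str
    outcome: str


def authenticate(attempts, strict_credential_error_mode):
    """Walk the primary server and then the alternates in configured order.

    Returns (authenticated, trail), where trail lists the servers consulted.
    With strict mode enabled the first credential error ends the login; with it
    disabled the same credentials are presented to the next server. Unreachable
    servers are skipped in both modes."""
    trail = []
    for a in attempts:
        trail.append(a.server)
        if a.outcome == "ok":
            return True, trail
        if a.outcome == "credential_error" and strict_credential_error_mode:
            return False, trail
        # unreachable, or a credential error with strict mode off: fall through
    return False, trail


def worst_case_wait(server_count, transactions_per_server, timeout_seconds=4):
    """Upper bound on login delay when every server is silent. The Timeout
    property applies per transaction, not to the whole login, so the bound
    grows with the number of servers and transactions."""
    return server_count * transactions_per_server * timeout_seconds


if __name__ == "__main__":
    # Constructed scenario 1: replicas of one domain, primary rejects a mistyped password.
    replicas = [Attempt("primary", "credential_error"), Attempt("alt1", "ok")]
    # Constructed scenario 2: disjoint domains, the user exists only on the alternate.
    disjoint = [Attempt("primary", "credential_error"), Attempt("alt1", "ok")]
    for strict in (True, False):
        print("strict=%s replicas ->" % strict, authenticate(replicas, strict))
        print("strict=%s disjoint ->" % strict, authenticate(disjoint, strict))
    print("worst case with 3 silent servers, 2 transactions each:",
          worst_case_wait(3, 2), "seconds")
```

The two scenarios produce identical outcome lists, which is exactly the page's point: the SP cannot tell a wrong password on a replica from an unknown user in a different domain. With strict mode on, the first rejection ends the login, which is the behaviour you want when all servers hold the same accounts and stops one bad password being replayed against every replica; with strict mode off, the credentials travel on to the next server, which is what disjoint domains require. `worst_case_wait` is the number to compare against the session timeout of whatever is driving the login when all servers are down.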
Table 23   Optionally Editing DNS Locator Queries
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/activedirectory/dnslocatorqueries

  • Web: ILOM Administration > User Management > Active Directory > DNS Locator Queries

  • User Role: User Management (u) (required for all property modifications)

Property | Default Value | Description
DNS Locator Queries (/1)
Default: _ldap._tcp.gc._msdcs.<DOMAIN>.<PORT:3269>
Oracle ILOM enables you to configure up to five DNS Locator Queries.
A DNS locator query identifies the named DNS service and the port ID. The port ID is generally part of the SRV record, but you can override it by using the format <PORT:636>. Additionally, you can override the named DNS service for a specific domain by using the <DOMAIN> substitution marker.
CLI Show and Edit DNS Locator Queries Syntax:
show /SP|CMM/clients/activedirectory/dnslocatorqueries/1
set /SP|CMM/clients/activedirectory/dnslocatorqueries/1 service=string
Example DNS Locator Queries Syntax for service=string:
service=_ldap._tcp.gc._msdcs.<DOMAIN>.<PORT:nnnn>
DNS Locator Queries (/2)
Default: _ldap._tcp.dc._msdcs.<DOMAIN>.<PORT:636>
Save
Web interface – To apply changes made to properties in the Active Directory DNS Locator Queries dialog, you must click Save.
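The locator query format above combines an SRV service name with two substitution markers: <DOMAIN> for the domain being searched and an optional trailing <PORT:n> that overrides the port carried in the SRV record. The Python below is an added example, not Oracle ILOM code, that parses a query into the SRV name to look up and the port override, then merges it with SRV data to produce the ordered (host, port) list a client would contact. The resolver is replaced by a constructed dictionary of SRV records so the example runs offline; the host names in it and the priority/weight ordering rule are this example's assumptions.

```python
import re

# Defaults shown on the page for query slots 1 and 2, and the slot limit.
DEFAULT_LOCATOR_QUERIES = (
    "_ldap._tcp.gc._msdcs.<DOMAIN>.<PORT:3269>",
    "_ldap._tcp.dc._msdcs.<DOMAIN>.<PORT:636>",
)
MAX_LOCATOR_QUERIES = 5

_PORT_MARKER = re.compile(r"\.<PORT:(\d{1,5})>$")


def expand_locator_query(query, domain):
    """Turn a locator query into (srv_name, port_override).

    <DOMAIN> is replaced by the domain being searched. A trailing <PORT:n> marker is
    stripped and returned as the port to use instead of the SRV record's port; the
    override is None when the marker is absent."""
    if not domain:
        raise ValueError("domain must not be empty")
    port = None
    m = _PORT_MARKER.search(query)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("port override out of range: %d" % port)
        query = query[: m.start()]
    rest = query.replace("<DOMAIN>", "")
    if "<" in rest or ">" in rest:
        raise ValueError("unrecognised substitution marker in %r" % query)
    srv_name = query.replace("<DOMAIN>", domain)
    if ".." in srv_name or srv_name.startswith(".") or srv_name.endswith("."):
        raise ValueError("malformed SRV name %r" % srv_name)
    return srv_name, port


def resolve_targets(query, domain, srv_lookup):
    """Combine an expanded query with SRV records into an ordered (host, port) list.

    srv_lookup maps an SRV name to (priority, weight, port, target) tuples as a
    resolver would return them. Records are ordered lowest priority first, then
    highest weight, a simplification of RFC 2782's weighted random selection."""
    srv_name, override = expand_locator_query(query, domain)
    records = sorted(srv_lookup.get(srv_name, []), key=lambda r: (r[0], -r[1]))
    return [(target, override if override is not None else port)
            for _, _, port, target in records]


def all_targets(queries, domain, srv_lookup):
    """Targets for every configured query slot, in slot order."""
    if len(queries) > MAX_LOCATOR_QUERIES:
        raise ValueError("at most %d locator queries" % MAX_LOCATOR_QUERIES)
    targets = []
    for q in queries:
        targets.extend(resolve_targets(q, domain, srv_lookup))
    return targets


# Constructed SRV data standing in for a DNS lookup; host names are fictional.
SAMPLE_SRV = {
    "_ldap._tcp.gc._msdcs.sales.example.com": [
        (0, 100, 3268, "gc1.sales.example.com"),
        (10, 100, 3268, "gc2.sales.example.com"),
    ],
    "_ldap._tcp.dc._msdcs.sales.example.com": [
        (0, 50, 389, "dc1.sales.example.com"),
        (0, 100, 389, "dc2.sales.example.com"),
    ],
}

if __name__ == "__main__":
    for host, port in all_targets(DEFAULT_LOCATOR_QUERIES, "sales.example.com", SAMPLE_SRV):
        print("%s:%d" % (host, port))
```

The sample records advertise the plaintext LDAP ports 3268 and 389, yet the output lists 3269 and 636, because the page's default queries carry <PORT:3269> and <PORT:636> overrides. That is the practical reason to leave those markers in place: the SRV records published by the domain point at the unencrypted ports, and the override is what keeps the SP's queries on the TLS ports that Strict Certificate Mode can verify.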
Table 24   Guidelines for Troubleshooting Active Directory Authentication
Refer to the following guidelines when troubleshooting Active Directory authentication and authorization attempts in Oracle ILOM.
  • To test and diagnose Active Directory authentication, follow these steps:

    1: Set the Active Directory Log Detail property to trace.

    2: Attempt an authentication to Oracle ILOM to generate events.

    3: Review the Oracle ILOM event log file.

  • Ensure that the user groups and user domains configured on the Active Directory server match the user groups and user domains configured in Oracle ILOM.

  • The Oracle ILOM Active Directory client does not manage clock settings. The clock settings in Oracle ILOM are configurable manually or through an NTP server.

    Note - When the clock settings in Oracle ILOM are configured using an NTP server, Oracle ILOM performs an ntpdate using the NTP server(s) before starting the NTP daemon.

Related Information: