Configuring LDAP

System administrators can configure Oracle ILOM to use the Lightweight Directory Access Protocol (LDAP) service to authenticate users. This service is based on a client-server query model that uses a read-only proxy user account to query the LDAP server for user authentication.

The property for the LDAP service state in Oracle ILOM is disabled by default. To enable the LDAP service state and configure the properties for using the LDAP directory service for user authentication, see these tables:

Table 31 Requirements for Enabling Oracle ILOM as an LDAP Client

Prior to configuring Oracle ILOM as an LDAP client, the LDAP server must be properly configured. Refer to the following guidelines, and the Related Information section, when configuring the LDAP server to recognize Oracle ILOM as an LDAP client.

- Ensure that the LDAP server is set to use the default password {crypt} format. The passwords for all LDAP users authenticating to Oracle ILOM must be stored in one of the following two {crypt} formats:
  userPassword: {CRYPT}ajCa2He4PJhNo
  userPassword: {CRYPT}$1$pzKng1$du1Bf0NWBjh9t3FbUgf46
- Refer to the Internet Engineering Task Force schema (RFC 2307) for adding the posixAccount and shadowAccount object classes, and then populate the required property values for:
  - uidnumber
  - gidnumber
  - uid (Oracle ILOM user name)
- Enable the LDAP server to accept anonymous binds, or create a proxy user on the LDAP server with read-only access for all user accounts authenticating to Oracle ILOM.

Related Information:
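Before enabling LDAP on Oracle ILOM, an administrator can check that the directory entries actually satisfy the Table 31 requirements. The following Python script is an added example, not Oracle's code or part of this guide: it reads LDIF (for instance the output of ldapsearch -LLL for the search base), verifies the posixAccount and shadowAccount object classes, the uid, uidNumber and gidNumber attributes, and a userPassword in one of the two {CRYPT} formats shown above. The user entries are constructed sample data; the two password values are the ones from Table 31.

```python
import base64
import re

# Table 31 {CRYPT} formats: traditional DES crypt (13 chars) or MD5 crypt ($1$salt$hash).
CRYPT_RE = re.compile(r"^\{CRYPT\}(?:[A-Za-z0-9./]{13}|\$1\$[^$]{1,8}\$[A-Za-z0-9./]+)$",
                      re.IGNORECASE)
REQUIRED_CLASSES = {"posixaccount", "shadowaccount"}  # RFC 2307 object classes
REQUIRED_ATTRS = {"uid", "uidnumber", "gidnumber"}    # uid = Oracle ILOM user name

def parse_ldif(text):
    """Minimal LDIF reader -> [{attr.lower(): [values]}]; decodes '::' base64, no folding."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # base64 value, as ldapsearch prints userPassword
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_entry(entry):
    """Return the Table 31 violations for one entry; [] means ILOM can use it."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = [f"missing objectClass {c}" for c in sorted(REQUIRED_CLASSES - classes)]
    problems += [f"missing attribute {a}" for a in sorted(REQUIRED_ATTRS - set(entry))]
    passwords = entry.get("userpassword", [])
    if not passwords or not all(CRYPT_RE.match(p) for p in passwords):
        problems.append("userPassword missing or not in an accepted {CRYPT} format")
    return problems

# Constructed sample: alice is complete; bob's entry lacks shadowAccount and gidNumber.
_BOB_PW = base64.b64encode(b"{CRYPT}$1$pzKng1$du1Bf0NWBjh9t3FbUgf46").decode()
SAMPLE_LDIF = """\
dn: uid=alice,ou=IT,dc=mycompany,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
userPassword: {CRYPT}ajCa2He4PJhNo

dn: uid=bob,ou=IT,dc=mycompany,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10002
userPassword:: BOB_PW_B64
""".replace("BOB_PW_B64", _BOB_PW)
```

Run it as `for e in parse_ldif(ldif_text): print(e["dn"][0], check_entry(e))` over the real directory export; any non-empty list is an entry Oracle ILOM will not be able to authenticate.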
Table 32 Enabling Oracle ILOM to Use LDAP Authentication

State (state=)
Default: Disabled
Values: Disabled | Enabled
To enable Oracle ILOM to authenticate users using the LDAP directory service, set the State property to enabled. When the State property is enabled, Oracle ILOM queries the LDAP server to authenticate LDAP users.
CLI State Syntax:
set /SP|CMM/clients/ldap/ state=disabled|enabled

Roles (defaultrole=)
Default: Operator
Values: Administrator | Operator | Advanced
To define which features in Oracle ILOM are accessible to LDAP-authenticated users, set the default Roles property to one of three Oracle ILOM user roles: Administrator (a|u|c|r|o), Operator (c|r|o), or Advanced (a|u|c|r|o|s).
Authorization levels for using features within Oracle ILOM are dictated by the user privileges granted by the configured Oracle ILOM user role. For a description of the privileges assigned, see the user role and user profile topics listed in the Related Information section below.
CLI Roles Syntax:
set /SP|CMM/clients/ldap/ defaultrole=administrator|operator|a|u|c|r|o|s
Related Information:

Address (address=)
Default: 0.0.0.0
Values: IP address | DNS host name (LDAP server)
To configure the LDAP server network address, populate the Address property with the LDAP server IP address or DNS host name. If a DNS host name is used, then the DNS configuration properties in Oracle ILOM must be properly configured and operational.
CLI Address Syntax:
set /SP|CMM/clients/ldap/ address=ldap_server_ip_address|ldap_server_dns_host_name
Related Information:

Port (port=)
Default: 389
Values: 389 | User-specified TCP port
TCP port 389 is used by Oracle ILOM to communicate with the OpenLDAP server. If necessary, configure Oracle ILOM to use another port by modifying the default port number (389).
CLI Port Syntax:
set /SP|CMM/clients/ldap/ port=number

Searchbase (searchbase=)
Values: ou=organization_unit | dn=domain_name | dc=domain
The Searchbase is the location in the LDAP tree where Oracle ILOM searches to validate user credentials. Using the accepted input format, populate the Searchbase property with a Distinguished Name for the search base object, or with the LDAP tree branch where Oracle ILOM should search for the LDAP user accounts.
For example, to search the IT container in the MyCompany.com domain, you would specify a search base of:
ou=IT, dc=mycompany, dc=com
CLI Searchbase Syntax:
set /SP|CMM/clients/ldap/ searchbase=ou=organization_name,dn=domain_name,dc=domain

Bind DN (binddn=)
Values: ou=organization_unit | dn=domain_name | dc=domain | cn=common_name
To provide Oracle ILOM with read-only access to the LDAP server, populate the Bind DN property with a Distinguished Name (DN) for a read-only proxy user.
Note: Oracle ILOM must have read-only access to the LDAP server in order to search and authenticate LDAP users.
CLI Bind DN Syntax:
set /SP|CMM/clients/ldap/ binddn=cn=proxyuser,ou=organization_name,dc=domain

Bind Password (bindpw=)
To provide Oracle ILOM with a password for the read-only proxy user, populate the Bind Password property with a password.
CLI Bind Password Syntax:
set /SP|CMM/clients/ldap/ bindpw=password

Save
Web interface – To apply changes made to properties within the LDAP Settings page, you must click Save.