Go to main content

Oracle® ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2.x

Exit Print View

Updated: April 2018
 
 

Configuring LDAP

System administrators can configure Oracle ILOM to use the Lightweight Directory Access Protocol (LDAP) service to authenticate users. This service is based on a client-server query model that uses a read-only proxy user account to query the LDAP server for user authentication.

The property for the LDAP service state, in Oracle ILOM, is disabled by default. To enable the LDAP service state and configure properties for using the LDAP directory service for user authentication, see these tables:

Table 31   Requirements for Enabling Oracle ILOM as an LDAP Client
Prior to configuring Oracle ILOM as an LDAP client, the LDAP server must be properly configured. Refer to the following guidelines, and Related Information section, when configuring the LDAP server to recognize Oracle ILOM as an LDAP client.
  • Ensure that the LDAP server is set to use the default password {crypt} format. The passwords for all LDAP users authenticating to Oracle ILOM must be stored in one of the following two {crypt} formats:

    userPassword: {CRYPT}ajCa2He4PJhNo

    userPassword: {CRYPT}$1$pzKng1$du1Bf0NWBjh9t3FbUgf46

  • Refer to the Internet Engineering Task Force Schema (RFC 2307) for adding object classes for posixAccount and shadowAccount and then populate the required property values for:

    - uidnumber

    - gidnumber

    - uid (Oracle ILOM user name),

  • Enable the LDAP server to accept anonymous binds, or create a proxy user on the LDAP server to have read-only access for all user accounts authenticating to Oracle ILOM.

Related Information:
Table 32  Enabling Oracle ILOM to Use LDAP Authentication
User Interface Configurable Target:
  • CLI: /SP|CMM/clients/ldap

  • Web: ILOM Administration > User Management > LDAP Settings

  • User Role: User Management (u) (required for all property modifications)

Property
Default Value
Description
State
(state=)
Disabled
Disabled |Enabled
To enable Oracle ILOM to authenticate users using the LDAP directory service, set the State property to enabled.
When the State property is enabled, Oracle ILOM queries the LDAP server to authenticate LDAP users.
CLI State Syntax:
set /SP|CMM/clients/ldap/ state=disabled|enabled
Roles
(defaultrole=)
Operator
Administrator |Operator |Advanced
To define which features in Oracle ILOM are accessible to LDAP authenticated users, set the default Roles property to one of three Oracle ILOM user roles: Administrator (a|u|c|r|o), Operator (c|r|o), or Advanced (a|u|c|r|o|s)
Authorization levels for using features within Oracle ILOM are dictated by the user privileges granted by the configured Oracle ILOM user role. For a description of privileges assigned, see the user role and user profile topics listed in the Related Information section below.
CLI Roles Syntax:
set /SP|CMM/clients/ldap/ defaultrole=administrator|operator|a|u|c|r|o|s
Related Information:
Address
(address=)
0.0.0.0
IP address| DNS host name (LDAP Server)
To configure the LDAP server network address, populate the Address property with the LDAP server IP address or DNS host name. If a DNS host name is used, then the DNS configuration properties in Oracle ILOM must be properly configured and operational.
CLI Address Syntax:
set /SP|CMM/clients/ldap/ address=ldap_server ip_address|ldap_server_dns_host_name
Related Information:
Port
(port=)
389
389 | User-specified TCP port
TCP port 389 is used by Oracle ILOM to communicate with the OpenLDAP server.
If necessary, configure Oracle ILOM to use another port by modifying the default Port number: 389
CLI Port Syntax:
set /SP|CMM/clients/ldap/ port=number
Searchbase
(searchbase=)
ou=organization_unit |dn=domain_name|dc=domain|
The Searchbase is the location in the LDAP tree where Oracle ILOM searches to validates user credentials.
Using the accepted input format, populate the Searchbase property with a Distinguished Name for the search base object, or with the LDAP tree branch for where Oracle ILOM should search for the LDAP user accounts.
For example, to search the IT container in the MyCompany.com domain, you would specify a search base of:
ou=IT, dc=mycompany, dc=.com
CLI Searchbase Syntax:
set /SP|CMM/clients/ldap/ searchbase= ou=organization_name, dn=domain_name, dc=domain
Bind DN
(binddn=)
ou=organization_unit |dn=domain_name|dc=domain|cn=common_name
To provide Oracle ILOM with read-only access to the LDAP server, populate the Bind DN property with a Distinguished Name (DN) for a read-only proxy user.
Note. Oracle ILOM must have read-only access to the LDAP server in order to search and authenticate LDAP users.
CLI Bind DN Syntax:
set /SP|CMM/clients/ldap/ binddn=cn=proxyuser, ou=organization _name, dc=domain
Bind Password
(bindpw=)
To provide Oracle ILOM with a password for the read-only proxy user, populate the Bind Password property with a password.
CLI Bind Password Syntax:
set /SP|CMM/clients/ldap/ bindpw=password
Save
Web interface – To apply changes made to properties within the LDAP Settings page, you must click Save.