Configuring LDAP/SSL

Table 3-19 Enabling LDAP/SSL Authentication

User Interface Configurable Target: CLI: `/`SP`/clients/ldapssl/` Web: ILOM Administration > User Management > LDAP/SSL > Settings User Role: User Management (`u`) (required for all property modifications) Prerequisite: LDAP/SSL server must be configured with users or user groups prior to configuring Oracle ILOM.
State (`state=`)	Disabled	Disabled \|Enabled To configure Oracle ILOM to use the LDAP/SSL authentication and authorization directory service, set the State property to enabled. When the State property is set to `disabled`, Oracle ILOM is disabled from using the LDAP/SSL service for user authentication and authorization levels. When the State property is enabled, and the Strict Certificate Mode property is disabled, Oracle ILOM over a secure channel provides some validation of the LDAP/SSL service certificate at the time of user authentication. When the State property is enabled, and the Strict Certificate Mode property is enabled, Oracle ILOM over a secure channel fully verifies the LDAP/SSL service certificate for digital signatures at the time of user authentication. CLI State Syntax: `set /SP/clients/ldapssl/ state=disabled\|enabled`
Roles (`defaultrole=`)	None (server authorization)	Administrator \|Operator \|Advanced \|None (server authorization) To define which features in Oracle ILOM are accessible to LDAP/SSL authenticated users, set the default Roles property to one of the four property values accepted: Administrator (a\|u\|c\|r\|o), Operator (c\|r\|o), Advanced (a\|u\|c\|r\|o\|s), or None (server authorization). When the default Roles property is set to an Oracle ILOM user role, authorization levels for using features within Oracle ILOM are dictated by the user privileges granted by the Oracle ILOM user role. For a description of privileges assigned, see the tables listed in the Related Information section below for user role and user profile. When the default Roles property is set to `None` `(server authorization)` and Oracle ILOM is configured to use LDAP/SSL Groups, the authorization levels for using features within Oracle ILOM are dictated by the LDAP/SSL Group. For further LDAP/SSL configuration details, see the table that describes LDAP/SSL Groups listed in the Related Information section below. CLI Roles Syntax: `set /SP/clients/ldapssl/ defaultrole=administrator\|operator\|a\|u\|c\|r\|o\|s\|none` Related Information: Privileges Granted by a User Profile Privileges Granted by Individual User Roles Table 3-21
Address (`address=`)	0.0.0.0	IP address\| DNS host name (Active Directory Server) To configure the network address for the LDAP/SSL server, populate the Address property with the LDAP/SSL IP address or DNS host name. If a DNS host name is used, then the DNS configuration properties in Oracle ILOM must be properly configured and operational. CLI Address Syntax: `set /SP/clients/ldapssl/ address=LDAP/SSL_server ip_address\|active_directory_server_dns_host_name` Related Information: DNS Configuration Properties
Port (`port=`)	0 Auto-select	0 Auto-select \| Non-standard TCP port A standard TCP port is used by Oracle ILOM to communicate with the LDAP/SSL server. When the Port Auto-select property is enabled, the Port number is set to 0 by default. When the Port Auto-select property is disabled, the Port number property in the web interface becomes user-configurable. A configurable Port property is provided in the unlikely event of Oracle ILOM needing to use a non-standard TCP port. CLI Port Syntax: `set /SP/clients/ldapssl/ port=number`
Timeout (`timeout=`)	4 seconds	4 \|user-specified The Timeout property is set to 4 seconds by default. If necessary, adjust this property value to fine tune response time when the LDAP/SSL server is unreachable or not responding. The Timeout property designates the number of seconds to wait for an individual transaction to complete. The value does not represent the total time for all transactions to complete since the number of transactions can differ depending on the configuration. CLI Timeout Syntax: `set /SP/clients/ldapssl/ timeout=number_of_seconds`
Strict Certificate Mode (`strictcert mode=`)	Disabled	Disabled \|Enabled When enabled, Oracle ILOM fully verifies the LDAP/SSL certificate signatures at the time of authentication over a secure channel. When disabled, Oracle ILOM provides limited validation of the server certificate at time of authentication over a secure channel. Caution: The LDAP/SSL server certificate must be uploaded to Oracle ILOM prior to enabling the Strict Certificate Mode property. CLI Strict Certificate Mode Syntax: `set /SP/clients/ldapssl/ strictcertmode=disabled\|enabled` Related Information: Table 3-20
Optional User Mapping (`/optionalUsermapping`)	Disabled	Disabled \| Enabled The Optional User Mapping property is typically used when a `uid` was not used as part of the user domain login name. Set the Optional User Mapping property to enabled if there is a need to convert simple user login names to domain names for user authentication. State – When enabled, alternative attributes are configurable for user credential authentication. Attribute Information – Enter the attribute login information using the accepted input format (&(objectclass=person)(uid=<USERNAME>)). The Attribute Information enables the LDAP/SSL query to search user domain names based on the attribute login information provided. Searchbase – Set the Searchbase property to the Distinguished Name of the search base object or to a branch in the LDAP tree where Oracle ILOM should look for LDAP user accounts. Input format: `OU={organization},DC={company},DC={com}` Bind DN – Set the Bind DN property to the Distinguished Name (DN) of a read-only proxy user on the LDAP server. Oracle ILOM must have read-only access to your LDAP server to search and authenticate users. Input format: `OU={organization},DC={company},DC={com}` Bind Password – Set the Bind Password property to a password for the read-only proxy user. CLI Optional User Mapping Syntax: `set /SP/clients/ldapssl/optionalUsermapping/ attributeInfo=<string> searchbase=<string> binddn=cn=proxyuser, ou=organization _name, dc=company, dc=com bindpw=password`
Log Detail (`logdetail=`)	None	None \| High \| Medium \| Low \|Trace To specify the type of diagnostic information recorded in the Oracle ILOM event log for LDAP/SSL events, set the Log Detail property to one of the five property values accepted (none, high, medium, low or trace). CLI Log Detail Syntax: `set /SP/clients/ldapssl/ logdetail=none\|high\|medium\|low\|trace`
Save	N/A	Web interface – To apply changes made to properties within the LDAP/SSL Settings page, you must click Save.

User Interface Configurable Target:

CLI: /SP/clients/ldapssl/
Web: ILOM Administration > User Management > LDAP/SSL > Settings
User Role: User Management (u) (required for all property modifications)
Prerequisite: LDAP/SSL server must be configured with users or user groups prior to configuring Oracle ILOM.

Property Default Value Description

State

(state=)

Disabled

Disabled |Enabled

To configure Oracle ILOM to use the LDAP/SSL authentication and authorization directory service, set the State property to enabled.

When the State property is set to disabled, Oracle ILOM is disabled from using the LDAP/SSL service for user authentication and authorization levels.

When the State property is enabled, and the Strict Certificate Mode property is disabled, Oracle ILOM over a secure channel provides some validation of the LDAP/SSL service certificate at the time of user authentication.

When the State property is enabled, and the Strict Certificate Mode property is enabled, Oracle ILOM over a secure channel fully verifies the LDAP/SSL service certificate for digital signatures at the time of user authentication.

CLI State Syntax:

set /SP/clients/ldapssl/ state=disabled|enabled

Roles

(defaultrole=)

None (server authorization)

Administrator |Operator |Advanced |None (server authorization)

To define which features in Oracle ILOM are accessible to LDAP/SSL authenticated users, set the default Roles property to one of the four property values accepted: Administrator (a|u|c|r|o), Operator (c|r|o), Advanced (a|u|c|r|o|s), or None (server authorization).

When the default Roles property is set to an Oracle ILOM user role, authorization levels for using features within Oracle ILOM are dictated by the user privileges granted by the Oracle ILOM user role. For a description of privileges assigned, see the tables listed in the Related Information section below for user role and user profile.

When the default Roles property is set to None (server authorization) and Oracle ILOM is configured to use LDAP/SSL Groups, the authorization levels for using features within Oracle ILOM are dictated by the LDAP/SSL Group. For further LDAP/SSL configuration details, see the table that describes LDAP/SSL Groups listed in the Related Information section below.

CLI Roles Syntax:

set /SP/clients/ldapssl/ defaultrole=administrator|operator|a|u|c|r|o|s|none

Related Information:

Address

(address=)

0.0.0.0

IP address| DNS host name (Active Directory Server)

To configure the network address for the LDAP/SSL server, populate the Address property with the LDAP/SSL IP address or DNS host name. If a DNS host name is used, then the DNS configuration properties in Oracle ILOM must be properly configured and operational.

CLI Address Syntax:

set /SP/clients/ldapssl/ address=LDAP/SSL_server ip_address|active_directory_server_dns_host_name

Related Information:

DNS Configuration Properties

Port

(port=)

0 Auto-select

0 Auto-select | Non-standard TCP port

A standard TCP port is used by Oracle ILOM to communicate with the LDAP/SSL server.

When the Port Auto-select property is enabled, the Port number is set to 0 by default.

When the Port Auto-select property is disabled, the Port number property in the web interface becomes user-configurable.

A configurable Port property is provided in the unlikely event of Oracle ILOM needing to use a non-standard TCP port.

CLI Port Syntax:

set /SP/clients/ldapssl/ port=number

Timeout

(timeout=)

4 seconds

4 |user-specified

The Timeout property is set to 4 seconds by default. If necessary, adjust this property value to fine tune response time when the LDAP/SSL server is unreachable or not responding.

The Timeout property designates the number of seconds to wait for an individual transaction to complete. The value does not represent the total time for all transactions to complete since the number of transactions can differ depending on the configuration.

CLI Timeout Syntax:

set /SP/clients/ldapssl/ timeout=number_of_seconds

Strict Certificate Mode

(strictcert mode=)

Disabled

Disabled |Enabled

When enabled, Oracle ILOM fully verifies the LDAP/SSL certificate signatures at the time of authentication over a secure channel.

When disabled, Oracle ILOM provides limited validation of the server certificate at time of authentication over a secure channel.

Caution: The LDAP/SSL server certificate must be uploaded to Oracle ILOM prior to enabling the Strict Certificate Mode property.

CLI Strict Certificate Mode Syntax:

set /SP/clients/ldapssl/ strictcertmode=disabled|enabled

Related Information:

Table 3-20

Optional User Mapping

(/optionalUsermapping)

Disabled

Disabled | Enabled

The Optional User Mapping property is typically used when a uid was not used as part of the user domain login name. Set the Optional User Mapping property to enabled if there is a need to convert simple user login names to domain names for user authentication.

State – When enabled, alternative attributes are configurable for user credential authentication.
Attribute Information – Enter the attribute login information using the accepted input format (&(objectclass=person)(uid=<USERNAME>)). The Attribute Information enables the LDAP/SSL query to search user domain names based on the attribute login information provided.
Searchbase – Set the Searchbase property to the Distinguished Name of the search base object or to a branch in the LDAP tree where Oracle ILOM should look for LDAP user accounts. Input format: OU={organization},DC={company},DC={com}
Bind DN – Set the Bind DN property to the Distinguished Name (DN) of a read-only proxy user on the LDAP server. Oracle ILOM must have read-only access to your LDAP server to search and authenticate users. Input format: OU={organization},DC={company},DC={com}
Bind Password – Set the Bind Password property to a password for the read-only proxy user.

CLI Optional User Mapping Syntax:

set /SP/clients/ldapssl/optionalUsermapping/ attributeInfo=<string> searchbase=<string> binddn=cn=proxyuser, ou=organization _name, dc=company, dc=com bindpw=password

Log Detail

(logdetail=)

None

None | High | Medium | Low |Trace

To specify the type of diagnostic information recorded in the Oracle ILOM event log for LDAP/SSL events, set the Log Detail property to one of the five property values accepted (none, high, medium, low or trace).

CLI Log Detail Syntax:

set /SP/clients/ldapssl/ logdetail=none|high|medium|low|trace

Save

N/A

Web interface – To apply changes made to properties within the LDAP/SSL Settings page, you must click Save.

Table 3-20 Uploading or Removing an LDAP/SSL Certificate File

User Interface Configurable Target: CLI: `/`SP`/clients/ldapssl/cert` Web: ILOM Administration > User Management > LDAP/SSL > Certificate Information User Role: User Management (`u`) (required for all property modifications)
Property	Default Value	Description
Certificate File Status (`certstatus=`)	Read-only	Certificate Present \|Certificate Not Present The Certificate File Status property indicates whether an LDAP/SSL certificate has been uploaded to Oracle ILOM. CLI Certificate Status Syntax: `show /SP/clients/ldapssl/cert`
File Transfer Method	Browser (web interface only)	Browser\|TFTP\|FTP\|SCP\|Paste For a detailed description of each file transfer method, see File Transfer Methods .
Load Certificate `(load_uri=)`	N/A	Web interface – Click the Load Certificate button to upload the LDAP/SSL certificate file that is designated in the File Transfer Method property. CLI Load Certificate Syntax: `load_uri=file_transfer_method://host_address/file_path/filename`
Remove Certificate (`clear_action=true`)	N/A	Web interface – Click the Remove Certificate button to remove the LDAP/SSL certificate file presently stored in Oracle ILOM. When prompted, click Yes to continue the action or No to cancel the action. CLI Remove Certificate Syntax: `set /SP/clients/ldapssl/cert clear_action=true` -or- `reset /SP/clients/ldapssl/cert` When prompted, type `y` to continue the action or `n` to cancel the action.

Table 3-21 Optionally Configuring LDAP/SSL Groups

User Interface Configurable Target: CLI: `/`SP`/clients/ldapssl` Web: ILOM Administration > User Management > LDAP/SSL> (Name) Groups User Role: User Management (`u`) (required for all property modifications) Prerequisite: Prior to setting up LDAP/SSL Groups in Oracle ILOM, the LDAP/SSL Groups must be present on the LDAP/SSL server and assigned members.
Admin Groups (`/admingroups/` 1\|2\|3\|4\|5)	A system administrator can optionally configure Admin Group properties instead of the Role properties in Oracle ILOM to provide user authorization. Oracle ILOM supports the configuration of up to five Admin Groups. When Admin Group properties are enabled in Oracle ILOM, a user's group membership is checked for any matching groups defined in the admin table. If a match occurs, the user is granted Administrator-level access. Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table. CLI Admin Group Syntax: `set /SP/clients/ldapssl/admingroups/n name=string` `set /SP/clients/ldapssl/admingroups/n name=[string]` Example Syntax: `set /SP/clients/ldapssl/admingroups/1/ name=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com` `Set 'name' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle, DC=com'`
Operator Groups (`/operatorgroups/` 1\|2\|3\|4\|5)	A system administrator can optionally configure Operator Group properties instead of the Role properties in Oracle ILOM to provide user authorization. Oracle ILOM supports the configuration of up to five Operator Groups. When Operator Group properties are enabled in Oracle ILOM, a user's group membership is checked for any matching groups defined in the operator table. If a match occurs, the user is granted Operator-level access. Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table. CLI Operator Group Syntax: `set /SP/clients/ldapssl/operatorgroups/n name=string` Example Syntax: `set /SP/clients/ldapssl/operatorgroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com` `Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC= com''`
Host Groups	LDAP/SSL Host Groups properties are specific to Oracle's multi-domain SPARC server systems. For multi-domain SP server systems, Oracle ILOM enables system administrators to configure up to 10 host groups for LDAP/SSL user authentication. CLI Configuration Syntax for Host Groups: `set /SP/clients/ldapssl/hostgroups/n/ name=string hosts=string roles=string` Where: name= is a read and write property that represents the Active Directory group name for the specified host group. hosts= is a read and write property that lists the PDomain for which this host group assigns roles. roles= is a read/write property that specifies the domain-specific privilege levels for the host group. This property supports any of the individual host role ID combinations of a, c, and r (for example, acr) where a= admin, c=console, and r=reset. For further details about configuring Host Group properties for multi-domain server SP systems, see the administration guide provided with the Oracle server.
Custom Groups (`/customgroups/` 1\|2\|3\|4\|5)	A system administrator can optionally configure up to five Custom Groups properties in Oracle ILOM to provide user authorization. Oracle ILOM uses the Custom Group properties to determine the appropriate user roles to assign when authenticating users who are members of a Custom Group When enabling the use of Custom Groups in Oracle ILOM, both the Roles property and the Custom Groups property must be configured. For further information about the configuration properties for Roles, see the Roles property in Table 3-19. Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table. CLI Custom Groups Syntax: `set /SP/clients/ldapssl/customgroups/n name=string roles=administrator\|operator\|a\|u\|c\|r\|o\|s` Example Syntax: `set /SP/clients/ldapssl/customgroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com roles=au` `Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC= com'' roles' to 'au'` Related Information: Assignable Oracle ILOM User Roles
Save	Web interface – To apply changes made to properties in the Admin, Operator, or Custom Group dialogs, you must click Save.

User Interface Configurable Target:

CLI: /SP/clients/ldapssl
Web: ILOM Administration > User Management > LDAP/SSL> (Name) Groups
User Role: User Management (u) (required for all property modifications)
Prerequisite: Prior to setting up LDAP/SSL Groups in Oracle ILOM, the LDAP/SSL Groups must be present on the LDAP/SSL server and assigned members.

Property Description

Admin Groups

(/admingroups/ 1|2|3|4|5)

A system administrator can optionally configure Admin Group properties instead of the Role properties in Oracle ILOM to provide user authorization.

Oracle ILOM supports the configuration of up to five Admin Groups. When Admin Group properties are enabled in Oracle ILOM, a user's group membership is checked for any matching groups defined in the admin table. If a match occurs, the user is granted Administrator-level access.

Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table.

CLI Admin Group Syntax:

set /SP/clients/ldapssl/admingroups/n name=string

set /SP/clients/ldapssl/admingroups/n name=[string]

Example Syntax:

set /SP/clients/ldapssl/admingroups/1/ name=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com

Set 'name' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle, DC=com'

Operator Groups

(/operatorgroups/ 1|2|3|4|5)

A system administrator can optionally configure Operator Group properties instead of the Role properties in Oracle ILOM to provide user authorization.

Oracle ILOM supports the configuration of up to five Operator Groups. When Operator Group properties are enabled in Oracle ILOM, a user's group membership is checked for any matching groups defined in the operator table. If a match occurs, the user is granted Operator-level access.

Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table.

CLI Operator Group Syntax:

set /SP/clients/ldapssl/operatorgroups/n name=string

Example Syntax:

set /SP/clients/ldapssl/operatorgroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com

Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC= com''

Host Groups

LDAP/SSL Host Groups properties are specific to Oracle's multi-domain SPARC server systems.

For multi-domain SP server systems, Oracle ILOM enables system administrators to configure up to 10 host groups for LDAP/SSL user authentication.

CLI Configuration Syntax for Host Groups:

set /SP/clients/ldapssl/hostgroups/n/ name=string hosts=string roles=string

Where:

name= is a read and write property that represents the Active Directory group name for the specified host group.
hosts= is a read and write property that lists the PDomain for which this host group assigns roles.
roles= is a read/write property that specifies the domain-specific privilege levels for the host group. This property supports any of the individual host role ID combinations of a, c, and r (for example, acr) where a= admin, c=console, and r=reset.

For further details about configuring Host Group properties for multi-domain server SP systems, see the administration guide provided with the Oracle server.

Custom Groups

(/customgroups/ 1|2|3|4|5)

A system administrator can optionally configure up to five Custom Groups properties in Oracle ILOM to provide user authorization. Oracle ILOM uses the Custom Group properties to determine the appropriate user roles to assign when authenticating users who are members of a Custom Group

When enabling the use of Custom Groups in Oracle ILOM, both the Roles property and the Custom Groups property must be configured. For further information about the configuration properties for Roles, see the Roles property in Table 3-19.

Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table.

CLI Custom Groups Syntax:

set /SP/clients/ldapssl/customgroups/n name=string roles=administrator|operator|a|u|c|r|o|s

Example Syntax:

set /SP/clients/ldapssl/customgroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com roles=au

Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC= com'' roles' to 'au'

Related Information:

Assignable Oracle ILOM User Roles

Save

Web interface – To apply changes made to properties in the Admin, Operator, or Custom Group dialogs, you must click Save.

Table 3-22 Configuring LDAP/SSL User Domains

User Interface Configurable Target: CLI: `/`SP`/clients/ldapssl`/userdomains/n Web: ILOM Administration > User Management > LDAP/SSL > User Domains User Role: User Management (`u`) (required for all property modifications) Prerequisite: Prior to setting up User Domains in Oracle ILOM, the User Domains must be present on the LDAP/SSL server and assigned members.
User Domains (/1\|2\|3\|4\|5)	A system administrator can optionally configure up to five User Domains. When one or more User Domains are defined, Oracle ILOM uses these properties in sequence until it is able to authenticate the LDAP/SSL user. Use the following possible values to populate the configuration properties for each User Domain in Oracle ILOM. UID format: uid=<USERNAME>,ou=people,dc=company,dc=com DN format: CN=<USERNAME>,CN=Users,DC=domain,DC=company,DC=com Note: You can use <USERNAME> as a literal. When <USERNAME> is used as a literal Oracle ILOM replaces the <USERNAME> during user authentication with the current login name entered. You can optionally specify a specific searchbase by appending the `<BASE:string>` property after the user domain configuration. For syntax details, see Example 3 below. CLI User Domains Syntax: `set /SP/clients/ldapssl/userdomains/n domain=string` Example 1: `domain=CN=<USERNAME>` `set /SP/clients/ldapssl/userdomains/1 domain=CN=<USERNAME>,OU=Groups,DC=sales,DC-oracle,DC=com` Set 'domain' to 'CN=<USERNAME>,OU=Groups,DC=sales,DC=oracle,DC=com' Example 2: domain=CN=spSuperAdmin `set /SP/clients/ldapssl/userdomains/1 domain=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com` `Set 'domain' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle, DC=com'` Example 3: Searchbase syntax using `<BASE:string>` `set /SP/clients/ldapssl/userdomains/1 domain=uid=<USERNAME>,ou=people,dc=oracle,dc=com<BASE:ou=doc,dc=oracle,dc=com>`
Save	Web interface – To apply changes made to properties in the LDAP/SSL User Domain dialog, you must click Save.

User Interface Configurable Target:

CLI: /SP/clients/ldapssl/userdomains/n
Web: ILOM Administration > User Management > LDAP/SSL > User Domains
User Role: User Management (u) (required for all property modifications)
Prerequisite: Prior to setting up User Domains in Oracle ILOM, the User Domains must be present on the LDAP/SSL server and assigned members.

Property Description

User Domains

(/1|2|3|4|5)

A system administrator can optionally configure up to five User Domains. When one or more User Domains are defined, Oracle ILOM uses these properties in sequence until it is able to authenticate the LDAP/SSL user.

Use the following possible values to populate the configuration properties for each User Domain in Oracle ILOM.

UID format: uid=<USERNAME>,ou=people,dc=company,dc=com
DN format: CN=<USERNAME>,CN=Users,DC=domain,DC=company,DC=com

Note: You can use <USERNAME> as a literal. When <USERNAME> is used as a literal Oracle ILOM replaces the <USERNAME> during user authentication with the current login name entered.

You can optionally specify a specific searchbase by appending the <BASE:string> property after the user domain configuration. For syntax details, see Example 3 below.

CLI User Domains Syntax:

set /SP/clients/ldapssl/userdomains/n domain=string

Example 1: domain=CN=<USERNAME>

set /SP/clients/ldapssl/userdomains/1 domain=CN=<USERNAME>,OU=Groups,DC=sales,DC-oracle,DC=com

Set 'domain' to 'CN=<USERNAME>,OU=Groups,DC=sales,DC=oracle,DC=com'

Example 2: domain=CN=spSuperAdmin

set /SP/clients/ldapssl/userdomains/1 domain=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com

Set 'domain' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle, DC=com'

Example 3: Searchbase syntax using <BASE:string>

set /SP/clients/ldapssl/userdomains/1 domain=uid=<USERNAME>,ou=people,dc=oracle,dc=com<BASE:ou=doc,dc=oracle,dc=com>

Save

Web interface – To apply changes made to properties in the LDAP/SSL User Domain dialog, you must click Save.

Table 3-23 Optionally Configuring LDAP/SSL Alternate Servers

User Interface Configurable Target: CLI: `/`SP`/clients/ldapssl/alternateservers/` n Web: ILOM Administration > User Management > LDAP/SSL > Alternate Servers User Role: User Management (`u`) (required for all property modifications)
Alternate Servers (`/1\|2\|3\|4\|5`)	Oracle ILOM enables you to configure up to five LDAP/SSL alternate servers. Alternate servers provide authentication redundancy, as well as a choice of different LDAP/SSL servers to use when you need to isolate domains. Each LDAP/SSL alternate server uses the same user authorization rules and requirements as the primary LDAP/SSL server. For example, Oracle ILOM will use the configured user roles in the Roles property to authenticate users. However, if the Roles property is not configured, Oracle ILOM will query the authentication server for the appropriate authorization roles. Each alternate server has its own properties for network address, port, certificate status, and commands for uploading and removing a certificate. If an LDAP/SSL certificate is not supplied, but is required, Oracle ILOM will use the top-level primary LDAP/SSL server certificate. CLI Alternate Servers Address and Port Syntax: `set /SP/clients/ldapssl/alternateservers/n address=sting port=string` CLI Alternate Server s Certificate Syntax: `show /`SP`clients/ldapssl/alternateservers/` n `/cert` `load_uri=file_transfer_method://host_address/file_path/filename` `set /SP/clients/ldapssl/alternateservers/n/cert clear_action=true`
Save	Web interface – To apply changes made to properties in the LDAP/SSL Alternate Servers dialog, you must click Save.

User Interface Configurable Target:

CLI: /SP/clients/ldapssl/alternateservers/ n
Web: ILOM Administration > User Management > LDAP/SSL > Alternate Servers
User Role: User Management (u) (required for all property modifications)

Property Description

Alternate Servers

(/1|2|3|4|5)

Oracle ILOM enables you to configure up to five LDAP/SSL alternate servers.

Alternate servers provide authentication redundancy, as well as a choice of different LDAP/SSL servers to use when you need to isolate domains.

Each LDAP/SSL alternate server uses the same user authorization rules and requirements as the primary LDAP/SSL server. For example, Oracle ILOM will use the configured user roles in the Roles property to authenticate users. However, if the Roles property is not configured, Oracle ILOM will query the authentication server for the appropriate authorization roles.

Each alternate server has its own properties for network address, port, certificate status, and commands for uploading and removing a certificate. If an LDAP/SSL certificate is not supplied, but is required, Oracle ILOM will use the top-level primary LDAP/SSL server certificate.

CLI Alternate Servers Address and Port Syntax:

set /SP/clients/ldapssl/alternateservers/n address=sting port=string

CLI Alternate Server s Certificate Syntax:

show /SPclients/ldapssl/alternateservers/ n /cert

load_uri=file_transfer_method://host_address/file_path/filename

set /SP/clients/ldapssl/alternateservers/n/cert clear_action=true

Save

Web interface – To apply changes made to properties in the LDAP/SSL Alternate Servers dialog, you must click Save.

Table 3-24 Guidelines for Troubleshooting LDAP/SSL Authentication

Refer to the following guidelines when troubleshooting LDAP/SSL authentication and authorization attempts in Oracle ILOM.

To test LDAP/SSL authentication and set the Oracle ILOM event log to trace LDAP/SSL events, follow these steps:
1: Set the LDAP/SSL Log Details property to trace.

2: Attempt an authentication to Oracle ILOM to generate events.

3: Review the Oracle ILOM event log file.
Ensure that the user groups and user domains configured on the LDAP/SSL server match the user groups and user domains configured in Oracle ILOM.
The Oracle ILOM LDAP/SSL Client does not manage clock settings. The clock settings in Oracle ILOM are configurable manually or through an NTP server.
Note. When the clock setting in Oracle ILOM is configured using an NTP server, Oracle ILOM performs an ntpdate using the NTP server(s) before starting the NTP daemon.

Related Information: