Monday 16 June 2008

HP Lights-Out Authentication With Active Directory

OK, so it's not exactly scripting, but I just spent a bunch of time getting this working in our lab environment before a production rollout. I hit a number of not very obvious gotchas, so I thought I would put the information out there to assist anyone else trying to get the same thing working.

If you're not familiar with it, the HP Lights-Out management processor is typically a built-in component (it used to be a separate PCI card) in ProLiant servers which enables remote management of the physical machine independent of the OS. For instance, you can effectively access the power button or the console of a server in a remote office which has become unresponsive. Full details here. The feature which usually impresses people the most is the ability to view the console as the machine is booting up - remember those times when you rebooted a remote server and it didn't come back up because it was waiting for an F1 key press which you couldn't press!

We are looking at deploying this to all of our AD DCs, which are typically the only server at branch offices and can involve long and costly trips for engineers should the server need maintenance. One requirement we have for the project is auditing and accountability, i.e. if an engineer has used the tool to power off a DC we may need to know who did it. Consequently, we examined in the lab how to use the authentication that HP Lights-Out provides against Active Directory.

First of all here are the requirements for what you will need:

  • HP servers with iLO-enabled management processors. For advanced features like Remote Control you need an Advanced license, which typically can be purchased for around £80 per machine.
  • An LDAP directory; we're using Active Directory. You will need admin accounts which belong to a group that iLO can use.
  • iLO wants to authenticate over SSL, so you will need to enable your Active Directory domain controllers to respond to LDAP requests over SSL, which they do not do by default (detailed info to follow).
  • HP Directories Support management software - download it from the ProLiant driver page.
  • A brick wall to bash your head against when you try to figure out the (undocumented) format in which to specify the login name.
iLO
-------

Get the latest ProLiant Support Pack (currently 8.0) onto your server; there are some OS-side iLO updates in there. Update iLO itself to the latest firmware release. Patch the iLO card into your network and give it a DNS name and network settings. Tip: make sure the DNS server settings are correct (obvious, but I had them incorrect, which led to some head-scratching later on).

Active Directory
-------

Download and digest the Integrating HP ProLiant Lights-Out Processors with Microsoft Active Directory guide. Note that there is an option to extend your AD schema to get some extra features; this blog post covers the schema-free integration.

You will need to enable SSL over LDAP on your DCs. There's a KB article which makes it look very simple, and in the main it is. Two tips from the field:

  1. You may need to reboot a DC before it will pick up the certificate.
  2. Add the Domain Controllers group to the CERTSVC_DCOM_ACCESS group as detailed in this KB article.

HP Lights-Out Directories Migration Utility
--------

Run this tool as per the iLO AD guide. Note: maybe it's just me, but it is not intuitive at all; you should be able to figure it out though. Essentially it will configure most of the settings you need, it's just not obvious what to put in there sometimes.

A key gotcha later on is the naming context, so make sure you populate the Directory User Context with the path to the container where your admin accounts and the 'ilo-admins' group which contains them live.


Directory testing
-------

Log in to iLO via the web page at its configured IP address using the local iLO Administrator account (you may want to keep this as an emergency account in case directory login stops working). Navigate to Administration, Security, Directory and you should see the settings you specified in the migration utility. Check that these settings are what you expect and then use the very useful Test Directory Settings link at the bottom.

Obviously, this will test all the settings you have input and tell you about anything which is incorrect. The key point here is that you have to input a username and password to use for the testing; what it does not tell you is that it expects the username as a full distinguished name (DN), e.g. CN=test admin,OU=admin accounts,dc=testdomain,dc=com (of course this is not in the iLO AD guide!).

Once you have passed all of the tests you can log out and log back in with an AD admin account. If you have correctly populated your directory search context you can log in as either:

  • test admin (note the space) or
  • CN=test admin
otherwise you will have to specify the full DN, i.e. CN=test admin,OU=admin accounts,dc=testdomain,dc=com.

Final note:

If you specify a search context of @testdomain.com, some newsgroup posts allege that you can then log in as test.admin, i.e. the account name, but I couldn't get this to work.
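To separate DC-side problems (no LDAPS listener, untrusted certificate, wrong DN) from iLO-side ones, the following added example (mine, not HP's or the iLO's code) reproduces what Test Directory Settings does: it expands a short login name using the Directory User Contexts and performs an LDAPv3 simple bind over SSL on port 636. The name-expansion rules and the '@' context behaviour are my reading of what is described above, not documented iLO behaviour.

```python
import socket
import ssl


def candidate_dns(login, contexts):
    """Expand what is typed at the iLO login prompt into the name(s) to bind with.
    Assumed (not from the post): a full DN is used as-is; otherwise CN= is prefixed
    if missing and each Directory User Context appended; an '@' context gives a UPN."""
    if "," in login and "=" in login:
        return [login]
    rdn = login if login.upper().startswith("CN=") else f"CN={login}"
    return [login + c if c.startswith("@") else f"{rdn},{c}" for c in contexts]


def _ber(tag, payload):
    """Minimal BER TLV with definite-length encoding (payload < 64 KiB)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def simple_bind_request(dn, password, msg_id=1):
    """LDAPv3 BindRequest with simple authentication (RFC 4511 section 4.2)."""
    bind = _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, bind))


def bind_result_code(resp):
    """Walk LDAPMessage -> messageID -> BindResponse (0x61) -> resultCode ENUMERATED.
    0 is success; 49 (invalidCredentials) is what AD returns for a bad DN or password."""
    def content(pos):  # offset of the first content byte of the TLV starting at pos
        return pos + 2 if resp[pos + 1] < 0x80 else pos + 2 + (resp[pos + 1] & 0x7F)
    pos = content(0)                     # inside the outer SEQUENCE
    pos = content(pos) + resp[pos + 1]   # step over the messageID INTEGER
    if resp[0] != 0x30 or resp[pos] != 0x61:
        raise ValueError("not an LDAP BindResponse")
    pos = content(pos)
    if resp[pos] != 0x0A:
        raise ValueError("resultCode missing")
    return resp[pos + 2]


def ldaps_bind(host, dn, password, ca_file=None):
    """Bind to a DC on TCP 636 as the iLO does, verifying its certificate; returns the result code."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, 636), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(simple_bind_request(dn, password))
        return bind_result_code(tls.recv(1024))
```

A TLS handshake failure here points at the DC certificate (the reboot tip above), while a result code of 49 with the right password points at the DN or search context.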

1 comment:

Anonymous said...

Hi, did you ever come across an issue where you populate the first page with iLO entries then hit next and they don't show up at all? What the heck? Sometimes I can get them to populate on the 2nd page (firmware update page) and most of the time they don't. I have no idea what I do when they do populate though!

thanks