03-31-2015 08:55 PM - edited 03-01-2019 12:06 PM
I'm trying to set up the CIMC so that all users who require access to the console of the server have to be authenticated by Active Directory. I have placed my authenticated users in an AD group called "APAC IT Administrators".
Here are the fields I have so far:
Enable LDAP: Checked
BaseDN: DC=mydomain,DC=com
Domain: mydomain.com
Enable Encryption: Checked
Time Out: 60s
Configure LDAP Servers: Checked
Server 1: 10.0.0.100
Port: 389
Server 1: 10.0.0.101
Port: 389
Binding parameters:
Method: Login Credentials
Search Parameters:
Filter Attribute: sAMAccountName
Group Attribute: memberOf
Attribute: CiscoAVPair
LDAP Group Authorisation: Checked
Index: 1
Group Name: APAC IT Administrators
Group Domain: mydomain.com
Role: Admin
I've read here (http://www.aaviso.com/tech/?p=94) something about having to create a new attribute for domain users then assigning the attribute to the specific users, which I have not done so far as I do not have permission to do this and needs to be done by a higher source, but would this be the reason I cannot get the CIMC logon to authenticate against AD? Is there a log I can check to see what the problem is?
When I try to log onto the CIMC using the format "mydomain\myusername", I get the error "Login failed. Verify that your username and password are correct."
CIMC is version 2.0(3e).
Thanks.
09-17-2015 06:39 AM
Hello,
Here are the steps that need to be followed for LDAP authentication to work:
Step one: test network connectivity:
Please ensure the C240 M3S is able to reach the LDAP server. This can be done by the following…
SSH to the CIMC IP address
# scope cimc
# scope network
# ping IP-ADDRESS-OF-SERVER
Step two: prepare the authentication domain
Step 1: Add Active Directory Schema snap-in to MMC – open a command window as administrator and run regsvr32 schmmgmt.dll
http://technet.microsoft.com/en-us/library/cc73211
Step 2: Run MMC and add the Active Directory Schema snap-in
For our example, we will create a new attribute called "CiscoAVPair" but you can use a custom name or an existing attribute that is mapped to the CIMC user roles.
Step 3: Using the Active Directory schema snap-in, add a new attribute with the following properties (for a visual guide, see here: http://social.technet.microsoft.com/wiki/contents/
| Property | Value |
|---|---|
| Common Name | CiscoAVPair |
| LDAP Display Name | CiscoAVPair |
| Unique X500 Object ID | 1.3.6.1.4.1.9.287247.1 |
| Description | CiscoAVPair |
| Syntax | Case Sensitive String |
Step 4: Select Classes in the left pane, right click the "user" class and select Properties, select "Attributes" and add the new CiscoAVPair attribute to the user class.
Step 5: Add shell:roles="admin" to the CiscoAVPair attribute for a specific user.
Start ADSI Edit and connect to the default context. Find the user you want to modify. Right click, select "Properties" and add the text to the attribute.
Note: the last step must be performed on a per-user basis. So each user who needs access to the CIMC will need to be given the shell:roles="<role>" syntax. The three default options are as always...
| Role | CiscoAVPair Attribute Value |
|---|---|
| admin | shell:roles="admin" |
| user | shell:roles="user" |
| read-only | shell:roles="read-only" |
And that is it! Your MS AD is now fully prepped. The final step is to configure the CIMC.
Step three: configure the CIMC
While there are many options for configuring LDAP authentication, here are the three main areas we are concerned with...
LDAP Settings:
Enable LDAP: Check mark
Base DN: The domain name as it appears in Windows.
Example: mstizza.local would be entered as DC=mstizza,DC=local
Example: microsoft.com would be entered as DC=microsoft,DC=com
Enable encryption: This requires an SSL certificate from a valid Certificate Authority to be uploaded to the CIMC. However, this topic goes outside the scope of this article.
LDAP Servers:
Enter the IP address and LDAP port of each server you are attempting to authenticate to.
Search parameters:
Filter Attribute: sAMAccountName
Group Attribute: memberOf
Attribute: CiscoAVPair
And that's it! The CIMC should now successfully authenticate to Microsoft AD.
Anything outside of this configuration is not going to work. Let me know if this is what you've done and we can discuss troubleshooting steps.
Hope this helps,
Justin
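Step 5 above (and the later question about how to do the per-user attribute step) is done by hand in ADSI Edit. The following PowerShell is an added example, not Justin's or Cisco's code: it checks that the schema attribute from Step 3 exists, then writes the shell:roles value onto every user in the thread's AD group. It assumes the RSAT ActiveDirectory module and rights to edit those user objects; the group, domain attribute and role names are the thread's values.

```powershell
# Added example: provision CiscoAVPair for all members of an AD group.
# Assumes: RSAT ActiveDirectory module, run as an account that may edit the users.
Import-Module ActiveDirectory

$AttributeName = 'CiscoAVPair'             # LDAP display name created in Step 3
$GroupName     = 'APAC IT Administrators'  # AD group whose members get CIMC access
$Role          = 'admin'                   # admin | user | read-only

# 1. Confirm the schema attribute exists before touching any user object.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$AttributeName)" `
                     -ErrorAction SilentlyContinue
if (-not $attr) {
    throw "Schema attribute '$AttributeName' not found; complete Steps 1-4 first."
}

# 2. Build the value in the exact syntax the CIMC expects (double quotes included).
$value = 'shell:roles="{0}"' -f $Role

# 3. Set (overwriting any previous value) on each user member, then read it back
#    so the console shows exactly what the CIMC will receive from AD.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.DistinguishedName -Replace @{ $AttributeName = $value }
        Get-ADUser -Identity $_.DistinguishedName -Properties $AttributeName |
            Select-Object SamAccountName, UserPrincipalName, $AttributeName
    }
```

Running it with -WhatIf on the Set-ADUser line first shows which accounts would change without writing anything.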
08-17-2015 11:26 PM
So no one was able to integrate their CIMC into active directory? WoW!
08-18-2015 06:55 AM
Did you try without encryption, or encryption with port 636?
12-19-2016 09:39 AM
I was able to get login working using LDAP group authorization, without needing to modify the AD schema to add the CiscoAvPair attribute, and without having to use an alternate attribute.
This was done on a C220 M4 running CIMC Firmware Version 2.0(13f).
You can now log in using "username@my.domain.ca" - example screen shot attached:
09-17-2015 06:12 AM
Hi Julian,
I note that you are trying to log on to the CIMC with domain\username. This format doesn't appear to work for me.
If your LDAP settings are correct, you should be able to log on with username@domain.com, and even username on its own appears to work.
One thing that did catch us out was that we needed to set the Binding Parameters Method to "Login Credentials". Once this was changed we could log in with our domain accounts (I note that you already have this set in your config above).
However, I should reiterate that we couldn't get it working until we modified our AD schema to add the CiscoAVPair attribute as per your quoted link (also described in the UCS CLI config guide).
Hope this helps.
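The lookup the CIMC performs with the settings in this thread (simple bind with the user's own credentials, search the Base DN by sAMAccountName, read memberOf and CiscoAVPair) can be reproduced from a Windows host to separate an AD-side problem from a CIMC-side one. This is an added example and not from the thread or Cisco; it uses .NET's System.DirectoryServices.Protocols and assumes the thread's server address, Base DN, group and attribute names.

```powershell
# Added example: replay the CIMC's LDAP lookup from a workstation.
# Assumes: the thread's values below; adjust for your domain. Port 636 is used
# when "Enable Encryption" is on; a simple bind on 389 sends the password in clear.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = '10.0.0.100'
$Port      = 389                      # 636 with encryption enabled
$BaseDn    = 'DC=mydomain,DC=com'
$Domain    = 'mydomain.com'
$Attribute = 'CiscoAVPair'
$Group     = 'APAC IT Administrators'
$User      = Read-Host 'sAMAccountName'
$Password  = Read-Host 'Password' -AsSecureString

# "Login Credentials" binding method: bind as the user who is logging in.
$cred = [System.Net.NetworkCredential]::new("$User@$Domain", $Password)
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $cred, 'Basic')
$conn.SessionOptions.ProtocolVersion    = 3
$conn.SessionOptions.SecureSocketLayer  = ($Port -eq 636)
$conn.Bind()     # throws LdapException if the credentials are rejected
Write-Host "Bind OK as $User@$Domain"

# Filter Attribute = sAMAccountName; escape filter metacharacters (RFC 4515).
$safeUser = $User -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
$req = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $BaseDn, "(sAMAccountName=$safeUser)", 'Subtree', @('memberOf', $Attribute))
$res = $conn.SendRequest($req)
if ($res.Entries.Count -ne 1) {
    throw "Expected exactly one entry for $User under $BaseDn, got $($res.Entries.Count)"
}
$entry = $res.Entries[0]

# Group Attribute = memberOf; Attribute = CiscoAVPair (null when never set on the user).
$groups = if ($entry.Attributes['memberOf']) { $entry.Attributes['memberOf'].GetValues([string]) } else { @() }
$avpair = if ($entry.Attributes[$Attribute]) { $entry.Attributes[$Attribute].GetValues([string]) } else { @() }
$inGroup = [bool]($groups -match ('^CN=' + [regex]::Escape($Group) + ','))

"DN:              $($entry.DistinguishedName)"
"$Attribute`:     $(if ($avpair) { $avpair -join ', ' } else { '<not set>' })"
"Member of group: $inGroup"
$conn.Dispose()
```

A successful bind plus "<not set>" and Member of group: False points at the AD side (attribute or group membership), while a bind failure means the credentials or the server/port are the problem before the CIMC is even involved.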
07-18-2016 04:22 AM
Thanks for this tutorial, working 100%.
07-02-2018 05:45 PM
Step 4: Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to Cisco IMC:
Hi, love your document, I just don't know how to do Step 4.
Can you explain please.
Thank you
12-10-2015 04:59 AM
Julian, did you find a solution ?
I do not have access to the schema to create the new attribute and I'm wondering if there is a way to authenticate users against AD without modifying the schema. Still searching...
12-31-2015 07:26 AM
@niki.ciurlea - You can use an existing attribute, just change the field from CiscoAVPair to some unused field like otherMailbox or otherPager. I don't recommend using fields that start with "ms". Depending on what field you pick, you may have to use the Attribute Editor of the user object to set it.
I think you can also use group authentication without setting a field on the user account, I haven't tried that yet.