Accepted Solutions
Hello,
Here are the steps that need to be followed for LDAP authentication to work:
Step one: test network connectivity:
Please ensure the C240 M3S is able to reach the LDAP server. This can be done by the following…
SSH to the CIMC IP address
# scope cimc
# scope network
# ping IP-ADDRESS-OF-SERVER
Step two: prepare the authentication domain
Step 1: Add Active Directory Schema snap-in to MMC – open a command window as administrator and run regsvr32 schmmgmt.dll
http://technet.microsoft.com/en-us/library/cc73211
Step 2: Run MMC and add the Active Directory Schema snap-in
- Click Start, click Run, type mmc /a, and then click OK.
- On the File menu, click Add/Remove Snap-in, and then click Add.
- Under Available Standalone Snap-ins, double-click Active Directory Schema, click Close, and then click OK.
For our example, we will create a new attribute called "CiscoAVPair" but you can use a custom name or an existing attribute that is mapped to the CIMC user roles.
Step 3: Using the Active Directory schema snap-in, add a new attribute with the following properties (for a visual guide, see here: http://social.technet.microsoft.com/wiki/contents/
Properties | Value |
|---|---|
Common Name | CiscoAVPair |
LDAP Display Name | CiscoAVPair |
Unique X500 Object ID | 1.3.6.1.4.1.9.287247.1 |
Description | CiscoAVPair |
Syntax | Case Sensitive String |
Step 4: Select Classes in the left pane, right click the “user” class and select properties, select “attributes” and add the new CiscoAVPair attribute to the user class
Step 5: Add the ‘shell:roles=”admin”‘ to the CiscoAVPair attribute for a specific user.
Start ADSI Edit and connect to the default context. Find the User you want to modify. Right click and select “properties” and add the text to the attribute.
Note: the last step must be performed on a per User basis. So each user which needs access to the CIMC will need given the shell:roles="<role>" syntax. The three default options are as always...
Role | CiscoAVPair Attribute Value |
|---|---|
admin | shell:roles="admin" |
user | shell:roles="user" |
read-only | shell:roles="read-only" |
And that is it! You're MS AD is now fully prepped. The final step is to configure the CIMC.
Step three: configure the CIMC
While there are many options for configuring LDAP authentication, here are the three main areas we are concerned with...
LDAP Settings:
Enable LDAP: Check mark
Base DN: The domain name as it appears in Windows.
Example: mstizza.local would be entered as DC=mstizza,DC=local
Example: microsoft.com would be entered as DC=microsoft,DC=com
Enable encryption: This requires an SSL certification from a valid Certificate Authority be uploaded the CIMC. However this topic goes outside the scope of this article.
LDAP Servers:
Enter the IP address and LDAP port of each server you are attempting to authenticate to.
Search parameters:
Filter Attribute: sAMAccountName
Group Attribute: memberOf
Attribute: CiscoAVPair
And that's it! The CIMC should now successfully authenticate to Microsoft AD.
Anything outside of this configuration is not going to work. Let me know if this is what you've done and we can discuss troubleshooting steps.
Hope this helps,
Justin
I was able to get login working using LDAP group authorization, without needing to modify the AD schema to add the CiscoAvPair attribute, and without having to use an alternate attribute.
This was done on a C220 M4 running CIMC Firmware Version 2.0(13f).
- Enable Ldap, enter a base DN and domain
- Select "Use DNS to Configure LDAP Servers" and ensure Source is set to "Extracted"
- Check "LDAP Group Authorization"
- Click on "Group Name" column next to Index 1 - enter a group name, domain, and role.
- Save changes
You can now log in using "username@my.domain.ca" - example screen shot attached:
Hello,
Here are the steps that need to be followed for LDAP authentication to work:
Step one: test network connectivity:
Please ensure the C240 M3S is able to reach the LDAP server. This can be done by the following…
SSH to the CIMC IP address
# scope cimc
# scope network
# ping IP-ADDRESS-OF-SERVER
Step two: prepare the authentication domain
Step 1: Add Active Directory Schema snap-in to MMC – open a command window as administrator and run regsvr32 schmmgmt.dll
http://technet.microsoft.com/en-us/library/cc73211
Step 2: Run MMC and add the Active Directory Schema snap-in
- Click Start, click Run, type mmc /a, and then click OK.
- On the File menu, click Add/Remove Snap-in, and then click Add.
- Under Available Standalone Snap-ins, double-click Active Directory Schema, click Close, and then click OK.
For our example, we will create a new attribute called "CiscoAVPair" but you can use a custom name or an existing attribute that is mapped to the CIMC user roles.
Step 3: Using the Active Directory schema snap-in, add a new attribute with the following properties (for a visual guide, see here: http://social.technet.microsoft.com/wiki/contents/
Properties | Value |
|---|---|
Common Name | CiscoAVPair |
LDAP Display Name | CiscoAVPair |
Unique X500 Object ID | 1.3.6.1.4.1.9.287247.1 |
Description | CiscoAVPair |
Syntax | Case Sensitive String |
Step 4: Select Classes in the left pane, right click the “user” class and select properties, select “attributes” and add the new CiscoAVPair attribute to the user class
Step 5: Add the ‘shell:roles=”admin”‘ to the CiscoAVPair attribute for a specific user.
Start ADSI Edit and connect to the default context. Find the User you want to modify. Right click and select “properties” and add the text to the attribute.
Note: the last step must be performed on a per User basis. So each user which needs access to the CIMC will need given the shell:roles="<role>" syntax. The three default options are as always...
Role | CiscoAVPair Attribute Value |
|---|---|
admin | shell:roles="admin" |
user | shell:roles="user" |
read-only | shell:roles="read-only" |
And that is it! You're MS AD is now fully prepped. The final step is to configure the CIMC.
Step three: configure the CIMC
While there are many options for configuring LDAP authentication, here are the three main areas we are concerned with...
LDAP Settings:
Enable LDAP: Check mark
Base DN: The domain name as it appears in Windows.
Example: mstizza.local would be entered as DC=mstizza,DC=local
Example: microsoft.com would be entered as DC=microsoft,DC=com
Enable encryption: This requires an SSL certification from a valid Certificate Authority be uploaded the CIMC. However this topic goes outside the scope of this article.
LDAP Servers:
Enter the IP address and LDAP port of each server you are attempting to authenticate to.
Search parameters:
Filter Attribute: sAMAccountName
Group Attribute: memberOf
Attribute: CiscoAVPair
And that's it! The CIMC should now successfully authenticate to Microsoft AD.
Anything outside of this configuration is not going to work. Let me know if this is what you've done and we can discuss troubleshooting steps.
Hope this helps,
Justin
