
03-31-2015 08:55 PM - edited 03-01-2019 12:06 PM
I'm trying to set up the CIMC so that all users who require access to the console of the server have to be authenticated by Active Directory. I have placed my authenticated users in an AD group called "APAC IT Administrators".
Here are the fields I have so far:
Enable LDAP: Checked
BaseDN: DC=mydomain,DC=com
Domain: mydomain.com
Enable Encryption: Checked
Time Out: 60s
Configure LDAP Servers: Checked
Server 1: 10.0.0.100
Port: 389
Server 1: 10.0.0.101
Port: 389
Binding parameters:
Method: Login Credentials
Search Parameters:
Filter Attribute: sAMAccountName
Group Attribute: memberOf
Attribute: CiscoAVPair
LDAP Group Authorisation: Checked
Index: 1
Group Name: APAC IT Administrators
Group Domain: mydomain.com
Role: Admin
I've read here (http://www.aaviso.com/tech/?p=94) something about having to create a new attribute for domain users then assigning the attribute to the specific users, which I have not done so far as I do not have permission to do this and needs to be done by a higher source, but would this be the reason I cannot get the CIMC logon to authenticate against AD? Is there a log I can check to see what the problem is?
When I try to log onto the CIMC using the format "mydomain\myusername", I get the error "Login failed. Verify that your username and password are correct."
CIMC is version 2.0(3e).
Thanks.
Labels: Unified Computing System (UCS)
Accepted Solutions
09-17-2015 06:39 AM
Hello,
Here are the steps that need to be followed for LDAP authentication to work:
Step one: test network connectivity:
Please ensure the C240 M3S is able to reach the LDAP server. This can be done by the following: SSH to the CIMC IP address, then run

```
# scope cimc
# scope network
# ping IP-ADDRESS-OF-SERVER
```
Step two: prepare the authentication domain
Step 1: Add Active Directory Schema snap-in to MMC – open a command window as administrator and run regsvr32 schmmgmt.dll
http://technet.microsoft.com/en-us/library/cc73211
Step 2: Run MMC and add the Active Directory Schema snap-in
- Click Start, click Run, type mmc /a, and then click OK.
- On the File menu, click Add/Remove Snap-in, and then click Add.
- Under Available Standalone Snap-ins, double-click Active Directory Schema, click Close, and then click OK.
For our example, we will create a new attribute called "CiscoAVPair" but you can use a custom name or an existing attribute that is mapped to the CIMC user roles.
Step 3: Using the Active Directory Schema snap-in, add a new attribute with the following properties (for a visual guide, see here: http://social.technet.microsoft.com/wiki/contents/ )
Properties | Value |
---|---|
Common Name | CiscoAVPair |
LDAP Display Name | CiscoAVPair |
Unique X500 Object ID | 1.3.6.1.4.1.9.287247.1 |
Description | CiscoAVPair |
Syntax | Case Sensitive String |
Step 4: Select Classes in the left pane, right-click the "user" class and select Properties, select "Attributes" and add the new CiscoAVPair attribute to the user class.
Step 5: Add `shell:roles="admin"` to the CiscoAVPair attribute for a specific user.
Start ADSI Edit and connect to the default context. Find the user you want to modify. Right-click, select "Properties" and add the text to the attribute.
Note: the last step must be performed on a per-user basis. So each user that needs access to the CIMC will need to be given the shell:roles="<role>" syntax. The three default options are as always...
Role | CiscoAVPair Attribute Value |
---|---|
admin | shell:roles="admin" |
user | shell:roles="user" |
read-only | shell:roles="read-only" |
And that is it! Your MS AD is now fully prepped. The final step is to configure the CIMC.
Step three: configure the CIMC
While there are many options for configuring LDAP authentication, here are the three main areas we are concerned with...
LDAP Settings:
Enable LDAP: Check mark
Base DN: The domain name as it appears in Windows.
Example: mstizza.local would be entered as DC=mstizza,DC=local
Example: microsoft.com would be entered as DC=microsoft,DC=com
Enable encryption: This requires an SSL certificate from a valid Certificate Authority to be uploaded to the CIMC. However, this topic goes outside the scope of this article.
LDAP Servers:
Enter the IP address and LDAP port of each server you are attempting to authenticate to.
Search parameters:
Filter Attribute: sAMAccountName
Group Attribute: memberOf
Attribute: CiscoAVPair
And that's it! The CIMC should now successfully authenticate to Microsoft AD.
Anything outside of this configuration is not going to work. Let me know if this is what you've done and we can discuss troubleshooting steps.
Hope this helps,
Justin

08-17-2015 11:26 PM
So no one was able to integrate their CIMC into active directory? WoW!

08-18-2015 06:55 AM
Did you try without encryption, or alternatively encryption with port 636?
12-19-2016 09:39 AM
I was able to get login working using LDAP group authorization, without needing to modify the AD schema to add the CiscoAvPair attribute, and without having to use an alternate attribute.
This was done on a C220 M4 running CIMC Firmware Version 2.0(13f).
- Enable Ldap, enter a base DN and domain
- Select "Use DNS to Configure LDAP Servers" and ensure Source is set to "Extracted"
- Check "LDAP Group Authorization"
- Click on "Group Name" column next to Index 1 - enter a group name, domain, and role.
- Save changes
You can now log in using "username@my.domain.ca" - example screen shot attached:
09-17-2015 06:12 AM
Hi Julian,
I note that you are trying to log on to the CIMC with domain\username. This format doesn't appear to work for me.
If your LDAP settings are correct, you should be able to log on with username@domain.com and also even username on its own appears to work.
One thing that did catch us out was that we needed to set the Binding Parameters Method to "Login Credentials". Once this was changed we could log in with our domain accounts (I note that you already have this set in your config above).
However, I should reiterate that we couldn't get it working until we modified our AD schema to add the CiscoAVPair attribute as per your quoted link (also described in the UCS CLI config guide).
Hope this helps.
07-18-2016 04:22 AM
Thanks for this tutorial, working 100%.
07-02-2018 05:45 PM
> Step 4
> Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to Cisco IMC:
Hi, love your document, I just don't know how to do Step 4.
Can you explain please.
Thank you
12-10-2015 04:59 AM
Julian, did you find a solution ?
I do not have access to the schema to create the new attribute and I'm wondering if there is a way to authenticate users against AD without modifying the schema. Still searching...
12-31-2015 07:26 AM
@niki.ciurlea - You can use an existing attribute, just change the field from CiscoAVPair to some unused field like otherMailbox or otherPager. I don't recommend using fields that start with "ms". Depending on what field you pick, you may have to use the Attribute Editor tab of the user object to set it.
I think you can also use group authentication without setting a field on the user account, I haven't tried that yet.
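The thread describes three ways the CIMC can end up with a role for an AD user: the per-user `shell:roles="<role>"` value in the CiscoAVPair attribute (the accepted answer, Step 5 and its role table), an unused existing attribute standing in for CiscoAVPair (the 12-31-2015 reply), and LDAP Group Authorization matched against memberOf (the 12-19-2016 reply). The Python model below is an added example written for this page; it is not Cisco firmware code and not code posted by anyone in the thread. It assumes a search filter of the shape `(&(objectClass=user)(<Filter Attribute>=<login>))`, which is a guess at what the CIMC sends, and the directory entries, account names and group DNs are constructed sample data.

```python
# Model of the CIMC LDAP authorization decision (constructed example, not Cisco code).
# Configuration field names follow the CIMC GUI labels quoted in the thread.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_ROLES = {"admin": 3, "user": 2, "read-only": 1}  # rank: highest wins
AVPAIR_RE = re.compile(r'^shell:roles="([^"]+)"$')       # the documented syntax only


def base_dn_from_domain(domain: str) -> str:
    """mstizza.local -> DC=mstizza,DC=local (the Base DN rule from the accepted answer)."""
    labels = [l for l in domain.strip().split(".") if l]
    if not labels:
        raise ValueError("domain must have at least one label")
    return ",".join(f"DC={l}" for l in labels)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed login name cannot alter the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in '*()\\\x00' else c for c in value)


def search_filter(filter_attribute: str, login: str) -> str:
    """Assumed shape of the user lookup done with the 'Filter Attribute' setting."""
    return f"(&(objectClass=user)({filter_attribute}={escape_filter_value(login)}))"


@dataclass
class GroupAuthEntry:
    group_name: str    # "Group Name" column
    group_domain: str  # "Group Domain" column
    role: str          # "Role" column


@dataclass
class CimcLdapConfig:
    domain: str
    filter_attribute: str = "sAMAccountName"
    group_attribute: str = "memberOf"
    attribute: str = "CiscoAVPair"   # or an unused existing attribute such as otherPager
    group_auth: List[GroupAuthEntry] = field(default_factory=list)


def roles_from_attribute(values: List[str]) -> List[str]:
    """Accept only shell:roles="<role>" with one of the three documented roles."""
    roles = []
    for v in values:
        m = AVPAIR_RE.match(v.strip())
        if m and m.group(1) in VALID_ROLES:
            roles.append(m.group(1))
    return roles


def dn_matches_group(dn: str, ga: GroupAuthEntry) -> bool:
    """Compare a memberOf DN's leading CN and its DC parts with one Group Authorization row.
    Simplified DN split: assumes no escaped commas, which holds for the sample data."""
    rdns = [p.split("=", 1) for p in dn.split(",") if "=" in p]
    cns = [v for t, v in rdns if t.strip().lower() == "cn"]
    dom = ".".join(v for t, v in rdns if t.strip().lower() == "dc")
    return bool(cns) and cns[0].lower() == ga.group_name.lower() \
        and dom.lower() == ga.group_domain.lower()


def resolve_role(cfg: CimcLdapConfig, entry: Dict[str, List[str]]) -> Optional[str]:
    """Per-user attribute first, then Group Authorization rows in index order.
    None means nothing maps the user to a role: the login is refused even with a good password."""
    roles = roles_from_attribute(entry.get(cfg.attribute, []))
    if roles:
        return max(roles, key=VALID_ROLES.__getitem__)
    for ga in cfg.group_auth:
        if any(dn_matches_group(dn, ga) for dn in entry.get(cfg.group_attribute, [])):
            return ga.role
    return None


def find_user(directory: Dict[str, Dict[str, List[str]]], cfg: CimcLdapConfig,
              login: str) -> Optional[Dict[str, List[str]]]:
    """Stand-in for the LDAP search; AD matches sAMAccountName case-insensitively."""
    for entry in directory.values():
        if any(v.lower() == login.lower() for v in entry.get(cfg.filter_attribute, [])):
            return entry
    return None


def authorize(directory: Dict[str, Dict[str, List[str]]], cfg: CimcLdapConfig,
              login: str) -> Optional[str]:
    entry = find_user(directory, cfg, login)
    return None if entry is None else resolve_role(cfg, entry)


# Constructed sample directory (no real accounts), keyed by sAMAccountName.
DIRECTORY = {
    "jdoe": {"sAMAccountName": ["jdoe"], "CiscoAVPair": ['shell:roles="admin"'],
             "memberOf": ["CN=Domain Users,CN=Users,DC=mydomain,DC=com"]},
    "asmith": {"sAMAccountName": ["asmith"],
               "memberOf": ["CN=APAC IT Administrators,OU=Groups,DC=mydomain,DC=com"]},
    "bjones": {"sAMAccountName": ["bjones"],
               "memberOf": ["CN=Domain Users,CN=Users,DC=mydomain,DC=com"]},
    "cwu": {"sAMAccountName": ["cwu"], "otherPager": ['shell:roles="read-only"']},
}

if __name__ == "__main__":
    attr_only = CimcLdapConfig(domain="mydomain.com")
    with_groups = CimcLdapConfig(domain="mydomain.com", group_auth=[
        GroupAuthEntry("APAC IT Administrators", "mydomain.com", "admin")])
    print(base_dn_from_domain(attr_only.domain))
    print(search_filter(attr_only.filter_attribute, "jdoe"))
    for name, cfg in (("attribute only", attr_only), ("with group auth", with_groups)):
        for login in DIRECTORY:
            print(f"{name:16} {login:8} -> {authorize(DIRECTORY, cfg, login)}")
```

Running it shows the same user entry producing a role under one configuration and `None` under another: `asmith` is refused when only the per-user attribute is consulted and accepted once a Group Authorization row names the group from the original question, while `cwu` is only accepted when the CIMC "Attribute" field is switched to `otherPager`. A `None` result in this model is one way a correct password can still end in the "Login failed" message quoted in the question, so the attribute value (exact `shell:roles="..."` syntax, one of the three roles) and the group row (CN and domain spelled exactly as in the DN) are the two things to verify on the AD side.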
