HP Onboard Administrator LDAP Authentication
This is a bit outside of what I normally write about, but it still deals with IT, and to be honest I spent quite some time figuring out how this works, as the documentation is extremely poor in this regard. But once you have figured out what the developer thought was a smart way to implement it, it is actually quite simple. Not brilliant, but it works, and for most cases very well.
Getting started with HP OA LDAP Authentication
By default HP OA comes with a built-in Administrator account (yes, the user name is case sensitive), and that might be fine in smaller environments where there are no rules and regulations you have to comply with. But as soon as you have more than one or two engineers working with the enclosures, there is a need for a better audit trail, and as soon as you start scaling out with more and more enclosures a per-user audit trail through LDAP becomes a necessity. By that time you have probably also run into our friends “rules and regulations”, which tell you that you must have a per-user audit trail, and why wouldn’t you want that anyway.
I’m going to guide you through how to set up LDAP (AD) integration for the enclosures. Mainly I’m doing this blog post because I haven’t found others out there, but largely because HP’s documentation on this is close to non-existent, or so vague that they might as well have saved their money for something better. I hope this will guide more people to use this feature.
Prerequisite
If you will be using a DNS name/FQDN for the domain or the domain controllers, you need to make sure DNS servers are configured on the OA (and they should be).
This is done under “Enclosure Settings” -> “Enclosure TCP/IP Settings”; set preferably multiple DNS servers for (both) OA module(s).
Next up is date and time. The OA checks the validity period of the directory server certificate when it connects over LDAPS, and the domain controllers will reject clocks that are too far out of sync, so the enclosure clock needs to be correct as well. If you have them, use internal NTP servers; otherwise set the correct “date”, “time” and “time zone” manually.
We are going to use AD security groups to define who gets access, so you might as well create one in advance, or at least know which one you are going to use.
Lastly you will also need the certificate the OA will use to verify the domain you are authenticating against. There are at least two ways to get it: one requires a Windows client, the other requires fiddling with a browser, Firefox in this example, though the same setting can be found in Chrome and changed accordingly. As the Windows way is the simplest (and doesn’t require you to change any browser security settings) it is the one I recommend. It does require that the Windows client is a member of the domain you want to authenticate against.
Get domain certificate
There are two ways to get the certificate you need: the Windows way, through Certificates Manager, or via a browser (Firefox in this case). I’m going to show both.
Windows Certificates Manager
Start by opening Certificates Manager: type “certmgr.msc” in the start menu or in Run (Windows key + R). Now click on “Action” and “Find Certificates…”. Change the “Look in field” to “Issued to”, type your domain name or part of it in the “Contains” field, and hit “Find Now”. You should get a short list, hopefully with only one entry; right-click on it and choose “Export…”. Go through the wizard, selecting “Base-64 encoded X.509 (.CER)”, and save it to a location where you can find it again.
Now open the exported certificate with your favorite text editor and copy the content of the file.
Firefox
First you need to change Firefox’s security settings (the same is true for Google Chrome). Type “about:config” in the Firefox URL bar and hit Enter. In the search field type “network.security.ports.banned.override”; if it doesn’t exist, create it by right-clicking and choosing “New” -> “String”, type in the preference name and click “OK”, and as the string value type “636”, or whatever the SSL port of your AD is, then hit “OK” again. Now type “https://[Your.domain.fqdn]:port” in the URL bar, e.g. https://ad.microsoft.com:636. You should be prompted to confirm that you want to continue and add an exception; click “View…”, and in the certificate viewer click on “Export…”. Before you save the file, choose the file type “X.509 Certificate with chain (PEM) (*.crt;*.pem)”. Now open the saved file in your favorite text editor. It contains both the certificate of the domain controller you connected to and the chain above it; you need to copy the last part, which should be the chain (the issuing CA certificate). You get to verify that in a bit.
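As an added example that is not part of the original post, the same chain can be pulled from a shell with OpenSSL instead of certmgr or Firefox: connect to the domain controller’s LDAPS port, keep every certificate it presents, and take the last one, which is the chain/CA part the text above says to copy. The host name dc01.example.local is a placeholder, and the PEM bundle used to exercise the extraction is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post): get the certificate chain a
# domain controller presents on LDAPS and keep its last block, the issuing
# CA certificate. dc01.example.local is a placeholder host name.

# Print every PEM certificate block the server sends (needs network access).
fetch_ldaps_chain() {
    host=$1
    port=${2:-636}
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Count the certificate blocks in a PEM bundle read from stdin (prints 0
# when there are none instead of failing).
count_pem_blocks() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Print only the last certificate block of a PEM bundle read from stdin.
last_pem_block() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { block = ""; inblock = 1 }
        inblock { block = block $0 "\n" }
        /-----END CERTIFICATE-----/ { inblock = 0; last = block }
        END { printf "%s", last }
    '
}

# Fetch the chain from $1, save its last certificate to $2 and show the
# subject, issuer and "Valid until" date to compare with the OA's
# "Certificate Information" tab. Warns when the server sent only one
# certificate: then the last block is the DC's own certificate, not the CA,
# and the CA certificate should be exported from certmgr instead.
save_ldaps_ca_cert() {
    host=$1
    out=$2
    chain=$(fetch_ldaps_chain "$host")
    n=$(printf '%s\n' "$chain" | count_pem_blocks)
    n=${n:-0}
    if [ "$n" -lt 1 ]; then
        echo "no certificate received from $host:636" >&2
        return 1
    fi
    if [ "$n" -eq 1 ]; then
        echo "warning: server sent only its own certificate, no chain" >&2
    fi
    printf '%s\n' "$chain" | last_pem_block > "$out"
    openssl x509 -in "$out" -noout -subject -issuer -enddate
}

# Usage (needs network; not exercised by the offline test):
#   save_ldaps_ca_cert dc01.example.local dc01-ca.pem
```

The “enddate” line is the same “Valid until” date the post tells you to note after uploading: put it in your calendar, because when the CA certificate is renewed every enclosure needs the new one uploaded before LDAP logins stop working.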
Enable HP Onboard Administrator LDAP Authentication
Under “Directory Settings:”, click on “Directory Settings”
Start by ticking “Enable LDAP Authentication”, then add a domain controller FQDN or the domain FQDN as the “Directory Server Address”, set “Directory Server SSL Port” to “636” (or the port number you changed it to), and add a “Search Context x” string. This is the “Distinguished name” of the OU where the USERS you want to authenticate are located. Lastly, tick “Enable Use NT Account Name Mapping (Domain\username)” if you want to log in the old-school domain\username way instead of username@domain_fqdn.
Tip: Even if you are not a domain admin, you can still browse Active Directory to find the correct “Distinguished name”. I use AD Explorer for that, as it is free and easy to use, but there are others out there if you prefer something else.
http://technet.microsoft.com/da-dk/sysinternals/bb963907.aspx
Setting up LDAP integration
Now that we have the IP settings sorted and a certificate, it is time to set up the LDAP integration.
Certificate
Go to the OA page again, click on “Certificate Upload”, paste in the certificate and click “Upload”. On the “Certificate Information” tab verify that the certificate details are correct. Note the “Valid until” date: you will need to replace the certificate at some point, so better be prepared.
Permissions
Adding permissions
Click on the “Directory Groups” menu. To create a new permission group, click on “New”.
The “Group Name” has to be identical to the name of the security group in AD.
Choose the “Privilege Level”.
Under “Group Permissions”, choose what the group should have access to.
Click “Add Group”.
Testing HP Onboard Administrator LDAP Authentication
Click on the “Test Settings” tab, fill in the “User Name” and “Password” of a user in the group, and hit “Test Settings” to see whether your setup works. It should say “Passed” in all relevant fields.
If it does, congratulations, you made it 🙂
Final word
If you didn’t catch it, there are two important things to know. First, “Search Context x:” is the distinguished name of the OU where the users you want to give access to OA are located; if they are not all in one OU, you will need to define more search contexts. Also note that it is not enough for a user to be in that OU: the user also needs to be a member of an AD group that has permissions assigned in OA. This is where the second catch comes into play. The directory group you created (or had created) in AD needs to have the correct users in it, those users have to be in an OU covered by a “Search Context”, and the name of the OA directory group has to be identical to the name of the Active Directory security group.
– So the search context points to the users’ OU
– The users have to be in an Active Directory security group
– The name of the OA directory group HAS to be the same as the Active Directory security group
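The three conditions above are exactly what the OA test page checks, and they are easy to verify outside the OA before you start clicking. The following is an added example that is not part of the original post: it takes the dn and memberOf values ldapsearch returns for an account and checks that the DN sits under at least one search context and that the user is in a group whose CN equals the OA directory group name. All DNs, host names, account names and the sample LDIF are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): check the two conditions
# from the list above for one AD account, using the dn and memberOf values
# ldapsearch returns. All names, DNs and the sample LDIF are constructed.

# Lower-case a DN and drop spaces after commas, so "OU=Users, DC=Example"
# and "ou=users,dc=example" compare equal (AD matches DNs case-insensitively).
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# Return 0 if user DN $1 lies inside search context $2. The leading comma
# stops "OU=Users" from matching an object under "OU=SuperUsers".
dn_under_context() {
    _u=$(norm_dn "$1")
    _c=$(norm_dn "$2")
    case "$_u" in
        *",$_c") return 0 ;;
    esac
    return 1
}

# Return 0 if DN $1 lies inside any of the search contexts $2..$n
# (several "Search Context x" fields on the OA).
dn_under_any_context() {
    _dn=$1
    shift
    for _ctx in "$@"; do
        dn_under_context "$_dn" "$_ctx" && return 0
    done
    return 1
}

# Print the first dn: value of the LDIF on stdin.
ldif_dn() {
    awk 'tolower($0) ~ /^dn: / { print substr($0, 5); exit }'
}

# Return 0 if the LDIF on stdin has a memberOf whose CN equals $1
# (case-insensitive, as the OA directory group name must equal the AD
# group name). Base64-encoded values ("memberOf::") are not decoded.
member_of_group() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        tolower($0) ~ /^memberof: / {
            v = substr($0, index($0, ":") + 2)      # value after "memberOf: "
            sub(/^[Cc][Nn]=/, "", v)               # strip the leading "CN="
            sub(/,.*/, "", v)                      # keep the first RDN only
            if (tolower(v) == want) found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Check LDIF $1 for OA directory group $2 and search contexts $3..$n.
# Returns 0 when both conditions hold, 1 for a bad context, 2 for no group.
check_oa_user() {
    _ldif=$1
    _group=$2
    shift 2
    _udn=$(printf '%s\n' "$_ldif" | ldif_dn)
    if ! dn_under_any_context "$_udn" "$@"; then
        echo "FAIL: $_udn is outside every OA search context"
        return 1
    fi
    if ! printf '%s\n' "$_ldif" | member_of_group "$_group"; then
        echo "FAIL: $_udn is not a member of an AD group named $_group"
        return 2
    fi
    echo "OK: $_udn"
    return 0
}

# Live query (needs network and the OpenLDAP client tools; not run by the
# offline test). -o ldif-wrap=no stops ldapsearch folding long DNs over
# several lines, which the parsers above do not handle. $2 is a bind
# account such as user@domain.
fetch_user_ldif() {
    ldapsearch -LLL -o ldif-wrap=no -H "ldaps://$1:636" -D "$2" -W \
        -b "$3" "(sAMAccountName=$4)" dn memberOf
}

# Constructed sample of what fetch_user_ldif returns for one account.
SAMPLE_LDIF='dn: CN=Jane Ops,OU=Engineers,OU=Users,DC=example,DC=local
memberOf: CN=Domain Users,CN=Users,DC=example,DC=local
memberOf: CN=OA-Admins,OU=Groups,DC=example,DC=local'

# Usage:
#   check_oa_user "$SAMPLE_LDIF" OA-Admins "OU=Users,DC=example,DC=local"
#   check_oa_user "$(fetch_user_ldif dc01.example.local admin@example.local \
#       "DC=example,DC=local" jane.ops)" OA-Admins "OU=Users,DC=example,DC=local"
```

Run it against the accounts of the engineers who will log in before you touch the OA: a “FAIL … outside every OA search context” means another “Search Context x” is needed, and a “FAIL … not a member” means the AD group name and the OA directory group name differ, which is the usual cause of the “No LDAP groups associated with user were discovered” error the HP troubleshooting link below deals with.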
If you need extra help or want to read the HP documentation, here are some links:
Good HP resource on troubleshooting: “No LDAP groups associated with user were discovered”
4 thoughts on “HP Onboard Administrator LDAP Authentication”
Nice article Michael!
This will definitely save someone a lot of time… 🙂
Very nice and helpful article! Thanks Michael!
Quick question
Do we need two certificates, one installed on the domain controller and one installed on the OA module? Without this LDAPS will not work? Also, do both certs need to be from the same authority, or can they be from different ones?
Thanks and regards
Arun
No, you need to use the cert that your domain controller uses. I guess it compares the cert on the OA with the domain controller. If equal, the connection can be made, else it fails. Hope that helps.