LDAP/Active Directory

[NeilHanlon]

Any plans to support binding to/configuring LDAP/AD settings? This is the single most painful part about running iDRACs.

[jose-delarosa]

Neil,
Thanks for your question. This Ansible module does not fix/address this issue, it would only implement its automation if it's available in iDRAC. You do have a legitimate question, I'll ask around.

[jose-delarosa]

Using LDAP or AD to manage authentication is already available in iDRAC 7/8/9, though I have not used it myself so can't speak to ease of use. As far as I know the Redfish APIs to manage LDAP/AD iDRAC authentication are not yet available in iDRAC, I will have to check what Redfish schema contains them and when it will be implemented in iDRAC 7/8/9.

Will leave this item open until issue is addressed, so marking as feature request.

[NeilHanlon]

Nice! This would be an awesome feature. I'll see what I might be able to find out, too. Ldap is a pain to configure right now so I'd not be surprised if it's not supported by redfish yet.

…

On Dec 11, 2017 16:51, "Jose Delarosa" ***@***.***> wrote: Using LDAP or AD to manage authentication is already available in iDRAC 7/8/9, though I have not used it myself so can't speak to ease of use. As far as I know the Redfish APIs to manage LDAP/AD iDRAC authentication are not yet available in iDRAC, I will have to check what Redfish schema contains them and when it will be implemented in iDRAC 7/8/9. Will leave this item open until issue is addressed, so marking as feature request. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#44 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAphBiRdtMDehdXWO9bmPqS1rtnX3lYSks5s_aP5gaJpZM4Q6As_> .

[ma-husyk]

@jose-delarosa
Is there some update to the roadmap when we have the possibity to set LDAP/AD auth with redfish ?

https://redfish.dmtf.org/schemas/ExternalAccountProvider.v1_0_1.json

[jose-delarosa]

@ma-husyk You should be able to manage these through the iDRAC attributes. I did an iDRAC attribute dump, I see entries like these:

                    "ADGroup.1.Domain": "",
                    "ADGroup.1.Name": "",
                    "ADGroup.1.Privilege": 0,
                    "ADGroup.2.Domain": "",
                    "ADGroup.2.Name": "",
                    "ADGroup.2.Privilege": 0,
                    "ADGroup.3.Domain": "",
                    "ADGroup.3.Name": "",
                    "ADGroup.3.Privilege": 0,
                    "ADGroup.4.Domain": "",
                    "ADGroup.4.Name": "",
                    "ADGroup.4.Privilege": 0,
                    "ADGroup.5.Domain": "",
                    "ADGroup.5.Name": "",
                    "ADGroup.5.Privilege": 0,
                    "ASRConfig.1.Enable": "Enabled",
                    "ActiveDirectory.1.AuthTimeout": 120,
                    "ActiveDirectory.1.CertValidationEnable": "Disabled",
                    "ActiveDirectory.1.DCLookupByUserDomain": "Enabled",
                    "ActiveDirectory.1.DCLookupDomainName": "",
                    "ActiveDirectory.1.DCLookupEnable": "Disabled",
                    "ActiveDirectory.1.DomainController1": "",
                    "ActiveDirectory.1.DomainController2": "",
                    "ActiveDirectory.1.DomainController3": "",
                    "ActiveDirectory.1.Enable": "Disabled",
                    "ActiveDirectory.1.GCLookupEnable": "Disabled",
                    "ActiveDirectory.1.GCRootDomain": "",
                    "ActiveDirectory.1.GlobalCatalog1": "",
                    "ActiveDirectory.1.GlobalCatalog2": "",
                    "ActiveDirectory.1.GlobalCatalog3": "",
                    "ActiveDirectory.1.RacDomain": "",
                    "ActiveDirectory.1.RacName": "",
                    "ActiveDirectory.1.SSOEnable": "Disabled",
                    "ActiveDirectory.1.Schema": "Extended Schema",
...
                    "LDAP.1.BaseDN": "",
                    "LDAP.1.BindDN": "",
                    "LDAP.1.BindPassword": null,
                    "LDAP.1.CertValidationEnable": "Enabled",
                    "LDAP.1.Enable": "Disabled",
                    "LDAP.1.GroupAttribute": "",
                    "LDAP.1.GroupAttributeIsDN": "Enabled",
                    "LDAP.1.Port": 636,
                    "LDAP.1.SearchFilter": "",
                    "LDAP.1.Server": "",
                    "LDAP.1.UserAttribute": "",
                    "LDAPRoleGroup.1.DN": "",
                    "LDAPRoleGroup.1.Privilege": 0,
                    "LDAPRoleGroup.2.DN": "",
                    "LDAPRoleGroup.2.Privilege": 0,
                    "LDAPRoleGroup.3.DN": "",
                    "LDAPRoleGroup.3.Privilege": 0,
                    "LDAPRoleGroup.4.DN": "",
                    "LDAPRoleGroup.4.Privilege": 0,
                    "LDAPRoleGroup.5.DN": "",
                    "LDAPRoleGroup.5.Privilege": 0,

Unfortunately, I do not have exact implementation details, though assuming it should be straight-forward.

[slmingol]

@jose-delarosa can you shed any light on how one would go about using the above attributes? Specifically I'd like to be able to configure my iDRAC's so that they're using our IDM server's LDAP service to allow users to log into them.

I've done the work of manually configuring 1 of the Dell 720's iDRAC so that it'll allow users in IDM to login. I just want to figure out if it's possible to use Redfish to configure all our iDRAC's using Redfish via the REST API.

[phillipstr]

@slmingol Hey I know it's been over a year, but in case it's still needed you can use the Ansible idrac_redfish_config module to set the attributes. I just tested on an R440 w/ iDRAC9 and it worked to set the AD config.

name: Enable AD Auth
idrac_redfish_config:
category: Manager
command: SetManagerAttributes
manager_attribute_name: ActiveDirectory.1.Enable
manager_attribute_value: Enabled
baseuri: "{{ host_idrac }}"
username: "{{ idrac_user }}"
password: "{{ idrac_pass }}"

Then just change the values of manager_attribute_name and manager_attribute_value to whatever you need them to be. In this case you just have to know the exact name of the iDRAC attribute.