Sunday, 25 January 2015

CloudSystem Enterprise LDAP Integration

CloudSystem Enterprise LDAP Integration


I had a chance to play around with Organizations in CloudSystem Enteprise 8.1 and found the help and default values rather misleading and unhelpful for Active Directory Environment. I eventually captured the right values I was happy with and thought I'd share them here for reference as I'm going to have do this again someday!!

LDAP Server Information
Hostname: lab.local
Port: 389
Connection Security: SSL box unchecked
Base DN: DC=lab,DC=local
User ID (Full DN): CN=cloudsystem_service,OU=Service Accounts,DC=lab,DC=local
Password: XXXX
ReType Password: XXXX

LDAP Attributes:
User Email: mail
Group Membership: member
Manager Identifier: manager
Manager Identifier Value: dn
User Avatar: avatar

User Login Information:
User Name Attribute: sAMAccountName
User Search Base: OU=Department X Users,OU=Cloud Users
User Search Filter: sAMAccountName={0}
Search Option: Search Subtree Selected
Save first, then select Look Up User and put in username such as “jsoap” to validate

Access Control:
Add AD Group to Service Consumer Role
Enter a name for the group or organizational unit DN: CloudSystem Admins
Enter a group or organizational unit DN: CN=CloudSystem Admins,OU=Department X Groups,OU=Cloud Groups
Click Add / Update

I've still to add the Domain Controller SSL certs to the Java keystore and trust them to enable secure LDAP but otherwise the steps above work fine. I've still to test the email integration. Just need to find a lab server with 8 cores!! Hope this helps out anyone struggling with this area.

Use Sysinternals AD Explorer to connect and show the exact DN attributes to help you out! Available here:
https://technet.microsoft.com/en-ie/sysinternals/bb963907.aspx

Friday, 9 January 2015

OneView and Active Directory integration

OneView Active Directory Integration


Hi, busy today. I've been bashing my head around trying to get AD integration with OneView 1.10 working for weeks now! I kept getting the same old error:

"Cannot authenticate the server with the given credentials, search context and certificate.
Verify that the server is active and the user credentials, search context and certificate are correct."

Failed Configuration:


I got time to lab this today and after checking a few guides I decided to try a slightly different value for the second field below and use CN for it, and it worked! As this was not reflective of the Production Environment I was working on I backtracked and created a similar structure and tested that too.

Working Configuration:

Now I needed to reference an OU two levels down, if I try and JUST reference my OU's it fails but I can combine a few here and I know CN=Users works. So I used this:

Working Final Configuration:


Now I can make the Active Directory the default login option and add any group under the Lab OU. I only have two levels but if I ALSO add the sub OU Groups, I can't see any of the groups inside it so choose an OU one level up (CN=Users+OU=Lab) instead of (CN=Users+OU=Lab,OU=Groups) for this to work as shown above. Now you can search for groups under that structure and add them in with appropriate permissions.

I wish I had this post weeks ago!


HP iLO 4 - LDAP and SSL Certificate Implementation

HP iLO 4 - LDAP and SSL Certificate Implementation

I had the opportunity to integrate a BL460c Gen8 Blade running iLO 4 firmware version 2.00 this week with Active Directory and replace the default SSL certificate it uses. The Blade is integrated with OneView 1.10 also to make things more interesting!! I've captured the steps more or less below and though I'd share them as it can be quite frustrating sometimes to get these things to work from product to product and version to version. I can also look back at it myself and recall it for future work!

Replacing the Default SSL iLO Certificate


Firstly you need to edit the network settings in the iLO Configuration page (https iLO administration page, not the POST iLO configuration!).

Open OneView and browse to the Server Hardware section.

Under Hardware click on the iLO IPv4 address to log into the Server’s iLO
Under Overview / Information the iLO Hostname is using a logical serial number, this must be changed to the iLO FQDN before generating the Certificate Signing Request.

Click Network on the left, then iLO Dedicated Network Port

Click the IPv4 Tab and unselect the Enable DHCPv4 option so it and the 6 sub options are ALL deselected. For the Primary, Secondary & Tertiary DNS Server fields enter is appropriate values.
Click Submit

Select the SNTP Tab next and select “Propagate NTP or OA Time to Host” and choose the Primary Time Server as 10.35.80.1 for Telehouse or 10.33.80.1 for Knock. Select the Time Zone “Europe/London (GMT)” and Click Submit
 
 
Go to the General Tab and enter the iLO Subsystem Name (Host Name) and Domain Name as the example below shows:

iLO Subsystem Name (Host Name)
mylovelyilo
Domain Name
lab.local

Click Submit
Information,Overview,iLO Hostname value should now display mylovelyilo.lab.local
Refresh the Blade in OneView to see the Hostname FQDN change to the new value (This didn't always work for me but should update after replacing the SSL cert later I hope!)
The SSL Certificate Process is more straightforward ONCE you've fixed the iLO Hostname. Otherwise after you import the certificate file and reset you'll find the iLO has regenerated the default HP self signed certificate and you've to start over!
In the iLO Click Administration, Security. Click the SSL Certificate Tab. Click Customize Certificate. Under the Certificate Signing Request Information enter the required information based on the following example:

Country (C)
IE
State (ST)
Leinster
City or Locality (L)
Craggy Island
Organization Name (O)
Father Ted
Organizational Unit (OU)
Parochial House
Common Name (CN)
mylovelyilo.lab.local*

* This field will be pre-populated with correct iLO Hostname and does not need to be changed.

Click Generate CSR, wait a few minutes and Click it again and copy the CSR text to Notepad and save using the filename <ilo hostname>.csr and send it to your Certificate Authority.
Once the Certificate is issued, open the CER file and copy the text contents, in the iLO screen Click Import Certificate, paste the details and Click Import and reset the iLO. You can open the certificate to check the iLO Hostname is reflected in the certificate CN.
Refresh the Host in OneView and you should be there.
 
Active Directory Integration
This is bit more straightforward as you've already got the networking setup. One item to get ready in advance is you're only allowed a single Domain Controller entry so HP recommends asking that a DNS round Robin entry be created. This means you get an alias such as mylovelydcs.lab.local which returns one of two or four IP Addresses each time it's queried preventing a loss of service if one should go down. You can still get it with a local iLO account and I'd recommend leaving this option enabled but the AD integration is handy for auditing and tracking purposes.
You'll need an Advanced iLO License to use this feature and I'm sticking with the Schema-free directory integration option here which is much simpler.
Now, create a new AD Group for this purpose and add any users you want to have iLO access into this group. You need to get the LDAP value and SID - I recommend AD Explorer from Sysinternals for this purpose. You point it at your AD with a valid AD user account, search for the new group and copy the LDAP OU structure and SID from the tool.
Now in the iLO administration screen once more go to Administration, Security and Click the Directory Tab. Check the following values:
LDAP Directory Authentication: Use Directory Default Schema
Directory Server Address: <ip of DC for Lab or DNS Alias for round robin DC IPs for Production>
Directory Server LDAP Port: 636 (assumes you've certificates on your DCs or use 389 if in a lab only)
Directory User Context 1: OU=Administrative Users,OU=Testing Lab,DC=Lab,DC=Local
This OU is where the user accounts are all located in my example. If you've a few locations enter each one in turn to capture all the user account locations.
Click Apply Settings, then Click Administer Groups
Edit the default authenticated users group as some point to remove all their privileges as if left ANY AD user can log into iLO, even if they can't make any changes that's unnerving when I encountered this! Add in the AD group (Click New) you plan on using and assign all iLO permissions to it. You'll need the CN of the Group and I recommend adding the SID also. Now log out and test.
CN=iLO User Group,OU=Administrative Groups,OU=Testing Lab,DC=Lab,DC=Local
The SID Value might be:
S-1-6-21-2703213456-12345678910-10987654321-132456
That's it! iLO Configured. I might reset the iLO one more time to check the settings are held and refresh the OneView Server Hardware page of the server to make sure but that's you done!