Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...
Neighborhood Admin
chuckk281
Posts: 3,170
Registered: ‎01-09-2007
Message 1 of 13 (5,011 Views)

Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Christian had a customer question:

****************

Hi All,

Just wondering if anyone has some thoughts on this issue.

A couple of days ago, the customer found they could no longer log into their OAs with LDAP accounts (about 18 enclosures). However, they can still log in to Virtual Connect modules in the same enclosures using the LDAP accounts that don't work on the OAs... Any ideas?? OAs are version 3.21. There have been no changes to anything as far as I'm aware.

If I run a test of the settings for an LDAP account I get 'Unable to authenticate test user Domain\username [LDAP Server Connect Failed]'

***************

Monty engaged:

***************

The error message you provided below indicates the OA cannot connect to the configured LDAP server.

Check that the LDAP server configured on the OA has not changed.

*******************

Any other suggestions or comments for Christian?

 

Visitor
finlandrobert
Posts: 3
Registered: ‎11-04-2011
Message 2 of 13 (4,810 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Strange. This exact same issue just started happening on my site. Is there any answer for this? Nothing has changed on the server LDAP connects to. I would think that if it did, the change would also kill the Virtual Connect authentication as well. The same cert is used for the OA console and the Virtual Connect console. 

Occasional Advisor
Jürgen Büchs
Posts: 10
Registered: ‎02-18-2009
Message 3 of 13 (4,799 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

The same situation here. I can't log on to OAs (2 enclosures) using an LDAP account. Already updated all firmware and checked the configuration again and again. Exactly the same user, group and LDAP server is working with the iLOs.

Visitor
finlandrobert
Posts: 3
Registered: ‎11-04-2011
Message 4 of 13 (4,785 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

I think I have the answer! I noticed this little bit of information (that I didn't understand the consequences of before) on the following window of the blade... Enclosure Information, Users/Authentication, Directory Settings:

"Use of single sign-on to ProLiant iLO 2 when logged into Onboard Administrator using a directory-based (LDAP) user account requires an iLO Select license. If you have not purchased an iLO Select license or the Insight Control Environment for BladeSystem, please contact HP or your HP partner sales representative for more information"

Soooo.... it looks like we're going to have to use local authentication or give HP more money to use this. The only idea I have now is that there was some sort of "grace period" that allowed the LDAP to AD authentication to work for a couple of months, then locked it down(?). I know I don't have the advanced iLO Select license.

There is another error in the blade system log, found through: Enclosure Information, Active Onboard Administrator, System Log:

"OA: Authentication failure for user (username) from (ip address), requesting web service"

It looks like HP is controlling the access through the web services functions that the iLO Select advanced license permits.

To find out what license you have, in the blade enclosure, navigate to Enclosure Information, Device Bays, any server, iLO. There, select "Web Administration" and it will open a new web page for that server, and under Licensing, it will give you the information. There is also this link:

You may learn more about iLO licensing at www.hp.com/go/ilo, including downloading a free trial license key.

BR,

Robert

Honored Contributor
Sebastian.Koehler
Posts: 1,157
Registered: ‎02-27-2007
Message 5 of 13 (4,707 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Can you please confirm the exact error you're receiving? For example, our enclosures running with current (3.32) and less current firmware (3.12) also fail the test procedure. We see the following kind of error message during test authentication on Onboard Administrator and Virtual Connect modules, while iLO1, iLO2 and iLO3 are working as expected.

Initiating Directory Settings diagnostic for server dc.domain.com
Directory Server address dc.domain.com resolved to 192.168.100.200
Accepting Directory Server certificate for /CN=dc.domain.comsigned by /DC=com/DC=domain/CN=dc-DC-CA
Accepting Directory Server certificate for /CN=dc.domain.comsigned by /DC=com/DC=domain/CN=dc-DC-CA
Successful SSL connection (TLSv1/SSLv3, AES128-SHA, 128 bits)
Unable to authenticate test user DOMAIN\ldapuser [LDAP Server Connect Failed]
Some diagnostics FAILED for server dc.domain.com
Tests complete.

You're right, some features need iLO Select or Advanced, but not the basic LDAP authentication to the Onboard Administrator itself! We're currently working with HP to resolve this issue; any detailed feedback is welcome.

 

Regards,

Sebastian

---
Assign a kudo to this post, if you find it useful.
Visitor
Omega786
Posts: 2
Registered: ‎07-03-2011
Message 6 of 13 (4,669 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Hi !

I have a similar problem: all of a sudden AD logons to OA stopped working. Under Test settings I get [LDAP Server Connect Failed]
The workaround which works for me is that I have specified another LDAP server, and instead of IP addresses I provided FQDN.

However I am still looking to find why it stopped working in the first place, and I would like to know why I can't use the same LDAP server. The LDAP server in question is providing other services which seem to be working fine.

Any info would be useful!

Thanks

29th Feb 2012.

This has stopped working again on alternate DCs so don't know what's going on!!

Honored Contributor
Sebastian.Koehler
Posts: 1,157
Registered: ‎02-27-2007
Message 7 of 13 (4,645 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Can you please verify whether the certificate of the root CA or the one used on the DC for LDAPS has expired in the meantime? We've seen indications that the verification of OA/VCM is more strict than other components.

Regards,

Sebastian
Visitor
Omega786
Posts: 2
Registered: ‎07-03-2011
Message 8 of 13 (4,639 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Hi!

The certificate had expired in Jan, and a new one was issued. The problem started happening mid Feb, and as per the logs OA integration was working.

I did however reboot my domain controllers, and this started working, so for now it's fixed but don't know what would be the exact reason for this!

Thanks

Honored Contributor
Sebastian.Koehler
Posts: 1,157
Registered: ‎02-27-2007
Message 9 of 13 (4,625 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

If you have a Windows 2003 DC, this can be the issue. We see this on Windows 2008 SP2 and the new certificate is not accepted. Seems that the OA/VCM does a more strict certificate check than iLO for example.

http://support.microsoft.com/kb/932834

http://support.microsoft.com/kb/839514

Regards,
Sebastian
Collector
Seyfeddine
Posts: 2
Registered: ‎07-04-2011
Message 10 of 13 (4,522 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

We have a similar issue here, the AD integration with the OA and it's working fine.

The test for the AD integration returns the following:

  1. When inserting the right credentials: Couldn't find user DN (search context issue, likely)
  2. When inserting the wrong credentials (on purpose): Not able to connect with LDAP server - authentication failure (likely) at an address that is accessible from VC

As you may see, the VC is contacting the LDAP server. Otherwise the VC couldn't know that the credentials are wrong.

The error that we get when inserting the right credentials is the same as in HP Customer Advisory c01677143 (http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01677143&jumpi...), although we are already running a higher firmware version.

This error occurs in all enclosures we have, and they are running the same firmware levels. The versions are:

  • OA Firmware: 3.21
  • VC ETH Firmware: 3.17
  • VC FC 8GB Firmware: 1.04
  • VC FC 4GB Firmware: 1.41

Please note that we are not using a Microsoft LDAP Server, but a Novell one.

Honored Contributor
Sebastian.Koehler
Posts: 1,157
Registered: ‎02-27-2007
Message 11 of 13 (4,307 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

There have been several changes regarding LDAP authentication and certificate handling in Onboard Administrator version 3.51 and later. It now finally supports certificates with much longer encryption keys. The new release fixed the issue for us.

Regards,
Sebastian
Occasional Contributor
stuarty1874
Posts: 10
Registered: ‎05-31-2010
Message 12 of 13 (3,753 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Did anyone find the root cause for this issue?

We have multiple chassis using LDAP authentication for the OA. All work except one.

We are getting this message...

Aug 13 15:33:44  OA: LDAP authentication failed: Invalid validity dates for Directory Server certificate

Not sure if this is related.

Occasional Visitor
Mr_Trouble
Posts: 1
Registered: ‎01-22-2014
Message 13 of 13 (1,392 Views)

Re: Lightweight Directory Access Protocol (LDAP) logon to Onboard Administrator stopped working...

Hi Guys

It's very easy: watch for the right time on the Bladecenter, I had the same problem.

The time difference between DC and Bladecenter was huge, more than half a year.

Maximum allowed is less than 5 minutes.

Regards

Mr_Trouble
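As an added example (not code from any of the posters or from HP), a small Python pre-check for the two certificate conditions the later posts point at: the directory server certificate's validity dates as judged from the appliance's own clock (the "Invalid validity dates for Directory Server certificate" log line) and the OA-to-DC clock skew described in the last post. The 5-minute tolerance, the sample certificate dates and the 200-day offset are constructed assumptions; fetch_peer_cert is a network helper that the offline sample does not call.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumed tolerance for OA-to-DC clock drift, as quoted in the thread
MAX_SKEW = timedelta(minutes=5)

def fetch_peer_cert(host, port=636, timeout=5.0):
    """Network call: return the LDAPS server certificate as the dict that
    ssl.SSLSocket.getpeercert() produces (not used by the offline sample)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _utc(cert_time):
    # getpeercert() date strings look like 'Jan 15 00:00:00 2012 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def check_validity(cert, appliance_now):
    """Problems an appliance would raise for `cert` if its own clock read
    `appliance_now` (aware UTC datetime); an empty list means the dates pass."""
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    problems = []
    if appliance_now < not_before:
        problems.append(f"not yet valid: starts {not_before:%Y-%m-%d}")
    if appliance_now > not_after:
        problems.append(f"expired: ended {not_after:%Y-%m-%d}")
    return problems

def check_skew(appliance_now, dc_now):
    """(ok, skew): ok is False once the OA and DC clocks differ by more than MAX_SKEW."""
    skew = abs(appliance_now - dc_now)
    return skew <= MAX_SKEW, skew

# Constructed sample certificate fields, mirroring the DC cert in the thread's log
SAMPLE_CERT = {
    "subject": ((("commonName", "dc.domain.com"),),),
    "issuer": ((("commonName", "dc-DC-CA"),),),
    "notBefore": "Jan 15 00:00:00 2012 GMT",
    "notAfter": "Jan 14 23:59:59 2013 GMT",
}

if __name__ == "__main__":
    dc_clock = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)
    oa_clock = dc_clock - timedelta(days=200)  # OA clock about half a year behind the DC
    print("validity as seen from the OA clock:", check_validity(SAMPLE_CERT, oa_clock))
    print("clock skew within tolerance:", check_skew(oa_clock, dc_clock))
```

A certificate that is perfectly valid on the DC fails the first check when the appliance clock sits outside its validity window, which is why the skew check belongs next to the certificate check.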
