Using iDRAC6 Directory Service: Integrated Dell Remote Access Controller 6 (iDRAC6) Enterprise for Blade Servers Version 2.2 User Guide


Using iDRAC6 Directory Service

Integrated Dell™ Remote Access Controller 6 (iDRAC6) Enterprise for Blade Servers Version 2.2 User Guide

  Using iDRAC6 With Microsoft Active Directory

  Prerequisites for Enabling Active Directory Authentication for iDRAC6

  Supported Active Directory Authentication Mechanisms

  Extended Schema Active Directory Overview

  Standard Schema Active Directory Overview

  Testing Your Configurations

  Enabling SSL on a Domain Controller

  Using Active Directory to Log In to iDRAC6

  Using Active Directory Single Sign-On

  Using iDRAC6 with LDAP Directory Service

  Frequently Asked Questions


A directory service maintains a common database for storing information about users, computers, printers, etc. on a network. If your company uses either the Microsoft® Active Directory® or the LDAP Directory Service software, you can configure the software to provide access to iDRAC6, allowing you to add and control iDRAC6 user privileges to your existing users in your directory service.


Using iDRAC6 With Microsoft Active Directory

NOTE: Using Active Directory to recognize iDRAC6 users is supported on the Microsoft Windows 2000, Windows Server® 2003, and Windows Server 2008 operating systems.

Table 6-1 shows iDRAC6 Active Directory user privileges.

Table 6-1. iDRAC6 User Privileges

Privilege                         Description
Login to iDRAC6                   Enables the user to log in to iDRAC6
Configure iDRAC6                  Enables the user to configure iDRAC6
Configure Users                   Enables the user to allow specific users to access the system
Clear Logs                        Enables the user to clear iDRAC6 logs
Execute Server Control Commands   Enables the user to execute RACADM commands
Access Console Redirection        Enables the user to run Console Redirection
Access Virtual Media              Enables the user to run and use Virtual Media
Test Alerts                       Enables the user to send test alerts (e-mail and PET) to a specific user
Execute Diagnostic Commands       Enables the user to run diagnostic commands


Prerequisites for Enabling Active Directory Authentication for iDRAC6

To use the Active Directory authentication feature of iDRAC6, you must have already deployed an Active Directory infrastructure. See the Microsoft website for information on how to set up an Active Directory infrastructure, if you don't already have one.

iDRAC6 uses the standard Public Key Infrastructure (PKI) mechanism to authenticate securely to Active Directory; therefore, you also need a PKI integrated into the Active Directory infrastructure.

See the Microsoft website for more information on the PKI setup.

To correctly authenticate to all the domain controllers, you also need to enable the Secure Socket Layer (SSL) on all domain controllers that iDRAC6 connects to. See "Enabling SSL on a Domain Controller" for more specific information.


Supported Active Directory Authentication Mechanisms

You can use Active Directory to define user access to iDRAC6 through one of two methods: the extended schema solution, which Dell has customized to add Dell-defined Active Directory objects, or the standard schema solution, which uses only Active Directory group objects. See the sections that follow for more information about these solutions.

When using Active Directory to configure access to iDRAC6, you must choose either the extended schema or the standard schema solution.

The advantages of using the extended schema solution are:

  • All of the access control objects are maintained in Active Directory.

  • Maximum flexibility is provided in configuring user access on different iDRAC6 cards with varying privilege levels.

The advantage of using the standard schema solution is that no schema extension is required because all of the necessary object classes are provided by Microsoft's default configuration of the Active Directory schema.


Extended Schema Active Directory Overview

Using the extended schema solution requires the Active Directory schema extension, as described in the following section.

Extending the Active Directory Schema

Important: The schema extension for this product is different from the previous generations of Dell Remote Management products. You must extend the new schema and install the new Active Directory Users and Computers Microsoft Management Console (MMC) Snap-in on your directory. The old schema does not work with this product.

NOTE: Extending the new schema or installing the new extension to Active Directory User and Computer Snap-in has no impact on previous versions of the product.

The schema extender and Active Directory Users and Computers MMC Snap-in extension are available on the Dell Systems Management Tools and Documentation DVD. For more information, see "Extending the Active Directory Schema" and "Installing the Dell Extension to the Active Directory Users and Computers Snap-In." For further details on extending the schema for iDRAC6 and installing the Active Directory Users and Computers MMC Snap-in, see the Dell OpenManage Installation and Security User's Guide available on support.dell.com/manuals.

NOTE: When you create iDRAC6 Association Objects or iDRAC6 Device Objects, select Dell Remote Management Object Advanced.

Active Directory Schema Extensions

The Active Directory data is a distributed database of Attributes and Classes. The Active Directory schema includes the rules that determine the type of data that can be added or included in the database. The user class is one example of a Class that is stored in the database. Some example user class attributes can include the user's first name, last name, phone number, and so on. Companies can extend the Active Directory database by adding their own unique Attributes and Classes to solve environment-specific needs. Dell has extended the schema to include the necessary changes to support remote management Authentication and Authorization.

Each Attribute or Class that is added to an existing Active Directory Schema must be defined with a unique ID. To maintain unique IDs across the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs) so that when companies add extensions to the schema, they can be guaranteed to be unique and not to conflict with each other. To extend the schema in Microsoft's Active Directory, Dell received unique OIDs, unique name extensions, and uniquely linked attribute IDs for our attributes and classes that are added into the directory service.

  • Dell extension is: dell

  • Dell base OID is: 1.2.840.113556.1.8000.1280

  • RAC LinkID range is: 12070 to 12079

Overview of iDRAC6 Schema Extensions

To provide the greatest flexibility in the multitude of customer environments, Dell provides a group of properties that can be configured by the user depending on the desired results. Dell has extended the schema to include an Association, Device, and Privilege property. The Association property is used to link together the users or groups with a specific set of privileges to one or more iDRAC6 devices. This model provides an Administrator maximum flexibility over the different combinations of users, iDRAC6 privileges, and iDRAC6 devices on the network without adding too much complexity.

Active Directory Object Overview

For each physical iDRAC6 device on the network that you want to integrate with Active Directory for Authentication and Authorization, create at least one Association Object and one iDRAC6 Device Object. You can create multiple Association Objects, and each Association Object can be linked to as many users, groups of users, or iDRAC6 Device Objects as required. The users and iDRAC6 user groups can be members of any domain in the enterprise.

However, each Association Object can be linked to only one Privilege Object, even though it may link many users, groups of users, or iDRAC6 Device Objects. This constraint allows an Administrator to control each user's privileges on specific iDRAC6 devices.

The iDRAC6 Device Object is the link to the iDRAC6 firmware for querying Active Directory for authentication and authorization. When iDRAC6 is added to the network, the Administrator must configure iDRAC6 and its device object with its Active Directory name so users can perform authentication and authorization with Active Directory. Additionally, the Administrator must add iDRAC6 to at least one Association Object in order for users to authenticate.

Figure 6-1 illustrates that the Association Object provides the connection that is needed for all of the Authentication and Authorization.

Figure 6-1. Typical Setup for Active Directory Objects

You can create as many or as few association objects as required. However, you must create at least one Association Object, and you must have one iDRAC6 Device Object for each iDRAC6 device on the network that you want to integrate with Active Directory for Authentication and Authorization with iDRAC6.

The Association Object allows for as many or as few users and/or groups as well as iDRAC6 Device Objects. However, each Association Object includes only one Privilege Object. The Association Object connects the Users who have Privileges on iDRAC6 devices.

The Dell extension to the ADUC MMC Snap-in only allows associating the Privilege Object and iDRAC6 Objects from the same domain with the Association Object. The Dell extension does not allow a group or an iDRAC6 object from other domains to be added as a product member of the Association Object.

When adding Universal Groups from separate domains, create an Association Object with Universal Scope. The Default Association objects created by the Dell Schema Extender Utility are Domain Local Groups and will not work with Universal Groups from other domains.

Users, user groups, or nested user groups from any domain can be added into the Association Object. Extended Schema solutions support any user group type and any user group nesting across multiple domains allowed by Microsoft Active Directory.

Accumulating Privileges Using Extended Schema

The Extended Schema Authentication mechanism supports Privilege Accumulation from different privilege objects associated with the same user through different Association Objects. In other words, Extended Schema Authentication accumulates privileges to allow the user the super set of all assigned privileges corresponding to the different privilege objects associated with the same user.

Figure 6-2 provides an example of accumulating privileges using Extended Schema.

Figure 6-2. Privilege Accumulation for a User

The figure shows two Association Objects, A01 and A02. User1 is associated to iDRAC2 through both association objects. Therefore, User1 has accumulated privileges that are the result of combining the privileges set for objects Priv1 and Priv2 on iDRAC2.

For example, Priv1 has these privileges: Login, Virtual Media, and Clear Logs; Priv2 has these privileges: Login to iDRAC, Configure iDRAC, and Test Alerts. As a result, User1 now has the privilege set Login to iDRAC, Virtual Media, Clear Logs, Configure iDRAC, and Test Alerts, which is the combined privilege set of Priv1 and Priv2.

Extended Schema Authentication accumulates privileges to allow the user the maximum set of privileges possible considering the assigned privileges of the different privilege objects associated to the same user.

In this configuration, User1 has both Priv1 and Priv2 privileges on iDRAC2. User1 has Priv1 privileges on iDRAC1 only. User2 has Priv1 privileges on both iDRAC1 and iDRAC2. In addition, this figure shows that User1 can be in a different domain and can be a member of a group.
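The accumulation rule above, carried through on the Figure 6-2 configuration as an added Python example (not Dell's code): Association Objects are modelled with the attributes of Tables 6-4 and 6-5, nested group membership is flattened, and a user's effective privilege set on a device is the union over every association that links the two. The DNs, the domains and the group RacOperators are constructed for illustration.

```python
"""Model of extended-schema privilege accumulation as described for Figure 6-2.

Added example, not Dell's code. The object names (A01, A02, Priv1, Priv2,
User1, User2, iDRAC1, iDRAC2) come from the figure; the DNs, domains and
the group 'RacOperators' are constructed for illustration.
"""
from dataclasses import dataclass

# dellRAC4Privileges boolean attributes (Table 6-5) mapped to the
# privilege names of Table 6-1.
PRIVILEGE_ATTRS = {
    "dellIsLoginUser": "Login to iDRAC6",
    "dellIsCardConfigAdmin": "Configure iDRAC6",
    "dellIsUserConfigAdmin": "Configure Users",
    "dellIsLogClearAdmin": "Clear Logs",
    "dellIsServerResetUser": "Execute Server Control Commands",
    "dellIsConsoleRedirectUser": "Access Console Redirection",
    "dellIsVirtualMediaUser": "Access Virtual Media",
    "dellIsTestAlertUser": "Test Alerts",
    "dellIsDebugCommandAdmin": "Execute Diagnostic Commands",
}


@dataclass(frozen=True)
class Association:
    """delliDRACAssociation: a Group whose members are users or groups,
    linked to exactly one Privilege Object and to one or more devices."""
    dn: str
    members: frozenset             # user or group DNs (any domain)
    dellPrivilegeMember: str       # DN of the single dellPrivileges object
    dellProductMembers: frozenset  # DNs of delliDRACDevice objects


def resolve_users(member_dns, groups, seen=None):
    """Flatten nested group membership into the set of user DNs.
    'groups' maps a group DN to its member DNs; any DN not in it is a user.
    'seen' guards against membership cycles."""
    seen = set() if seen is None else seen
    users = set()
    for dn in member_dns:
        if dn in groups:
            if dn in seen:
                continue
            seen.add(dn)
            users |= resolve_users(groups[dn], groups, seen)
        else:
            users.add(dn)
    return users


def effective_privileges(user_dn, device_dn, associations, privileges, groups):
    """Union of the privileges granted by every Association Object that
    links user_dn to device_dn (privilege accumulation)."""
    granted = set()
    for assoc in associations:
        if device_dn not in assoc.dellProductMembers:
            continue
        if user_dn not in resolve_users(assoc.members, groups):
            continue
        attrs = privileges[assoc.dellPrivilegeMember]
        granted |= {PRIVILEGE_ATTRS[a] for a, on in attrs.items() if on}
    return granted


# --- Constructed data reproducing Figure 6-2 ------------------------------
USER1 = "CN=User1,OU=Staff,DC=west,DC=example,DC=com"   # a different domain
USER2 = "CN=User2,OU=Staff,DC=corp,DC=example,DC=com"
GROUP = "CN=RacOperators,OU=Groups,DC=corp,DC=example,DC=com"
IDRAC1 = "CN=iDRAC1,OU=Dell,DC=corp,DC=example,DC=com"
IDRAC2 = "CN=iDRAC2,OU=Dell,DC=corp,DC=example,DC=com"
PRIV1 = "CN=Priv1,OU=Dell,DC=corp,DC=example,DC=com"
PRIV2 = "CN=Priv2,OU=Dell,DC=corp,DC=example,DC=com"

GROUPS = {GROUP: {USER1}}   # User1 reaches A01 through group membership

PRIVILEGES = {
    # Priv1: Login, Virtual Media, Clear Logs
    PRIV1: {"dellIsLoginUser": True, "dellIsVirtualMediaUser": True,
            "dellIsLogClearAdmin": True},
    # Priv2: Login, Configure iDRAC, Test Alerts
    PRIV2: {"dellIsLoginUser": True, "dellIsCardConfigAdmin": True,
            "dellIsTestAlertUser": True},
}

ASSOCIATIONS = [
    Association("CN=A01,OU=Dell,DC=corp,DC=example,DC=com",
                frozenset({GROUP, USER2}), PRIV1, frozenset({IDRAC1, IDRAC2})),
    Association("CN=A02,OU=Dell,DC=corp,DC=example,DC=com",
                frozenset({USER1}), PRIV2, frozenset({IDRAC2})),
]


def figure_6_2(user_dn, device_dn):
    """Effective privileges of a user on a device in the Figure 6-2 setup."""
    return effective_privileges(user_dn, device_dn, ASSOCIATIONS, PRIVILEGES, GROUPS)


if __name__ == "__main__":
    for user in (USER1, USER2):
        for dev in (IDRAC1, IDRAC2):
            print(user.split(",")[0], "on", dev.split(",")[0], "->",
                  sorted(figure_6_2(user, dev)))
```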

Configuring Extended Schema Active Directory to Access iDRAC6

Before using Active Directory to access iDRAC6, configure the Active Directory software and iDRAC6 by performing the following steps in order:

  1. Extend the Active Directory schema (see "Extending the Active Directory Schema").

  2. Extend the Active Directory Users and Computers Snap-in (see "Installing the Dell Extension to the Active Directory Users and Computers Snap-In").

  3. Add iDRAC6 users and their privileges to Active Directory (see "Adding iDRAC6 Users and Privileges to Active Directory").

  4. Enable SSL on each of your domain controllers (see "Enabling SSL on a Domain Controller").

  5. Configure iDRAC6 Active Directory properties using either iDRAC6 Web interface or the RACADM (see "Configuring Microsoft Active Directory With Extended Schema Using iDRAC6 Web Interface" or "Configuring Active Directory With Extended Schema Using RACADM").

Extending your Active Directory schema adds a Dell organizational unit, schema classes and attributes, and example privileges and association objects to the Active Directory schema. Before you extend the schema, ensure that you have Schema Admin privileges on the Schema Master Flexible Single Master Operation (FSMO) Role Owner of the domain forest.

You can extend your schema using one of the following methods:

  • Dell Schema Extender utility

  • LDIF script file

If you use the LDIF script file, the Dell organizational unit will not be added to the schema.

The LDIF files and Dell Schema Extender are located on your Dell Systems Management Tools and Documentation DVD in the following respective directories:

  • <DVD drive>:\SYSMGMT\ManagementStation\support\OMActiveDirectory_Tools\Remote_Management_Advanced\LDIF_Files

  • <DVD drive>:\SYSMGMT\ManagementStation\support\OMActiveDirectory_Tools\Remote_Management_Advanced\Schema Extender

To use the LDIF files, see the instructions in the readme included in the LDIF_Files directory. To use the Dell Schema Extender to extend the Active Directory Schema, see "Using the Dell Schema Extender."

You can copy and run the Schema Extender or LDIF files from any location.

Using the Dell Schema Extender

CAUTION: The Dell Schema Extender uses the SchemaExtenderOem.ini file. To ensure that the Dell Schema Extender utility functions properly, do not modify the name of this file.

  1. In the Welcome screen, click Next.

  2. Read and understand the warning and click Next.

  3. Select Use Current Log In Credentials or enter a user name and password with schema administrator rights.

  4. Click Next to run the Dell Schema Extender.

  5. Click Finish.

The schema is extended. To verify the schema extension, use the MMC and the Active Directory Schema Snap-in to confirm that the classes and attributes listed in Table 6-2 through Table 6-8 exist.

See your Microsoft documentation for details about using the MMC and the Active Directory Schema Snap-in.

Table 6-2. Class Definitions for Classes Added to the Active Directory Schema

Class Name             Assigned Object Identification Number (OID)
delliDRACDevice        1.2.840.113556.1.8000.1280.1.7.1.1
delliDRACAssociation   1.2.840.113556.1.8000.1280.1.7.1.2
dellRAC4Privileges     1.2.840.113556.1.8000.1280.1.1.1.3
dellPrivileges         1.2.840.113556.1.8000.1280.1.1.1.4
dellProduct            1.2.840.113556.1.8000.1280.1.1.1.5

Table 6-3. dellRacDevice Class

  OID: 1.2.840.113556.1.8000.1280.1.7.1.1
  Description: Represents the Dell iDRAC6 device. iDRAC6 must be configured as delliDRACDevice in Active Directory. This configuration enables iDRAC6 to send Lightweight Directory Access Protocol (LDAP) queries to Active Directory.
  Class Type: Structural Class
  SuperClasses: dellProduct
  Attributes: dellSchemaVersion, dellRacType

Table 6-4. delliDRACAssociationObject Class

  OID: 1.2.840.113556.1.8000.1280.1.7.1.2
  Description: Represents the Dell Association Object. The Association Object provides the connection between the users and the devices.
  Class Type: Structural Class
  SuperClasses: Group
  Attributes: dellProductMembers, dellPrivilegeMember

Table 6-5. dellRAC4Privileges Class

  OID: 1.2.840.113556.1.8000.1280.1.1.1.3
  Description: Defines the privileges (Authorization Rights) for iDRAC6
  Class Type: Auxiliary Class
  SuperClasses: None
  Attributes: dellIsLoginUser, dellIsCardConfigAdmin, dellIsUserConfigAdmin, dellIsLogClearAdmin, dellIsServerResetUser, dellIsConsoleRedirectUser, dellIsVirtualMediaUser, dellIsTestAlertUser, dellIsDebugCommandAdmin

Table 6-6. dellPrivileges Class

  OID: 1.2.840.113556.1.8000.1280.1.1.1.4
  Description: Used as a container Class for the Dell Privileges (Authorization Rights).
  Class Type: Structural Class
  SuperClasses: User
  Attributes: dellRAC4Privileges

Table 6-7. dellProduct Class

  OID: 1.2.840.113556.1.8000.1280.1.1.1.5
  Description: The main class from which all Dell products are derived.
  Class Type: Structural Class
  SuperClasses: Computer
  Attributes: dellAssociationMembers

Table 6-8. List of Attributes Added to the Active Directory Schema

Each entry lists the attribute name and description, the assigned OID, the syntax object identifier, and whether the attribute is single valued.

dellPrivilegeMember
  Description: List of dellPrivilege Objects that belong to this Attribute.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.1
  Syntax: Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
  Single Valued: FALSE

dellProductMembers
  Description: List of dellRacDevice and DelliDRACDevice Objects that belong to this role. This attribute is the forward link to the dellAssociationMembers backward link.
  Link ID: 12070
  OID: 1.2.840.113556.1.8000.1280.1.1.2.2
  Syntax: Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
  Single Valued: FALSE

dellIsLoginUser
  Description: TRUE if the user has Login rights on the device.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.3
  Syntax: Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued: TRUE

dellIsCardConfigAdmin
  Description: TRUE if the user has Card Configuration rights on the device.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.4
  Syntax: Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued: TRUE

dellIsUserConfigAdmin
  Description: TRUE if the user has User Configuration rights on the device.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.5
  Syntax: Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued: TRUE

dellIsLogClearAdmin
  Description: TRUE if the user has Log Clearing rights on the device.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.6
  Syntax: Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued: TRUE

dellIsServerResetUser
  Description: TRUE if the user has Server Reset rights on the device.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.7
  Syntax: Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued: TRUE

dellIsConsoleRedirectUser
  Description: TRUE if the user has Console Redirection rights on the device.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.8
  Syntax: Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued: TRUE

dellIsVirtualMediaUser
  Description: TRUE if the user has Virtual Media rights on the device.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.9
  Syntax: Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued: TRUE

dellIsTestAlertUser
  Description: TRUE if the user has Test Alert User rights on the device.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.10
  Syntax: Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued: TRUE

dellIsDebugCommandAdmin
  Description: TRUE if the user has Debug Command Admin rights on the device.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.11
  Syntax: Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7)
  Single Valued: TRUE

dellSchemaVersion
  Description: The Current Schema Version is used to update the schema.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.12
  Syntax: Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905)
  Single Valued: TRUE

dellRacType
  Description: This attribute is the Current RAC Type for the delliDRACDevice object and the backward link to the dellAssociationObjectMembers forward link.
  OID: 1.2.840.113556.1.8000.1280.1.1.2.13
  Syntax: Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905)
  Single Valued: TRUE

dellAssociationMembers
  Description: List of dellAssociationObjectMembers that belong to this Product. This attribute is the backward link to the dellProductMembers linked attribute.
  Link ID: 12071
  OID: 1.2.840.113556.1.8000.1280.1.1.2.14
  Syntax: Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12)
  Single Valued: FALSE

Installing the Dell Extension to the Active Directory Users and Computers Snap-In

When you extend the schema in Active Directory, you must also extend the Active Directory Users and Computers Snap-in so the administrator can manage iDRAC6 devices, Users and User Groups, iDRAC6 Associations, and iDRAC6 Privileges.

When you install your systems management software using the Dell Systems Management Tools and Documentation DVD, you can extend the Snap-in by selecting the Active Directory Users and Computers Snap-in option during the installation procedure. See the Dell OpenManage Software Quick Installation Guide for additional instructions about installing systems management software. For 64-bit Windows Operating Systems, the Snap-in installer is located under:

<DVD drive>:\SYSMGMT\ManagementStation\support\OMActiveDirectory_SnapIn64

For more information about the Active Directory Users and Computers Snap-in, see your Microsoft documentation.

Installing the Administrator Pack

You must install the Administrator Pack on each system that is managing the Active Directory iDRAC6 Objects. If you do not install the Administrator Pack, you cannot view the Dell iDRAC6 Object in the container.

See "Opening the Active Directory Users and Computers Snap-In" for more information.

Opening the Active Directory Users and Computers Snap-In

To open the Active Directory Users and Computers Snap-in:

  1. If you are logged in to the domain controller, click Start → Admin Tools → Active Directory Users and Computers.

If you are not logged in to the domain controller, you must have the appropriate Microsoft Administrator Pack installed on your local system. To install this Administrator Pack, click Start → Run, enter MMC, and press Enter.

The MMC appears.

  2. In the Console 1 window, click File (or Console on systems running Windows 2000).

  3. Click Add/Remove Snap-in.

  4. Select the Active Directory Users and Computers Snap-in and click Add.

  5. Click Close and click OK.

Adding iDRAC6 Users and Privileges to Active Directory

Using the Dell-extended Active Directory Users and Computers Snap-in, you can add iDRAC6 users and privileges by creating iDRAC6, Association, and Privilege objects. To add each object type, perform the following procedures:

  • Create an iDRAC6 device Object

  • Create a Privilege Object

  • Create an Association Object

  • Add objects to an Association Object

Creating an iDRAC6 Device Object

  1. In the MMC Console Root window, right-click a container.

  2. Select New → Dell Remote Management Object Advanced.

The New Object window appears.

  3. Enter a name for the new object. The name must be identical to iDRAC6 name that you will enter in Step A of "Configuring Microsoft Active Directory With Extended Schema Using iDRAC6 Web Interface."

  4. Select iDRAC Device Object.

  5. Click OK.

Creating a Privilege Object

NOTE: A Privilege Object must be created in the same domain as the related Association Object.

  1. In the Console Root (MMC) window, right-click a container.

  2. Select New → Dell Remote Management Object Advanced.

The New Object window appears.

  3. Enter a name for the new object.

  4. Select Privilege Object.

  5. Click OK.

  6. Right-click the privilege object that you created, and select Properties.

  7. Click the Remote Management Privileges tab and select the privileges that you want the user or group to have (see Table 5-14).

Creating an Association Object

NOTE: iDRAC6 Association Object is derived from Group and its scope is set to Domain Local.

  1. In the Console Root (MMC) window, right-click a container.

  2. Select New → Dell Remote Management Object Advanced.

This opens the New Object window.

  3. Enter a name for the new object.

  4. Select Association Object.

  5. Select the scope for the Association Object.

  6. Click OK.

Adding Objects to an Association Object

Using the Association Object Properties window, you can associate users or user groups, privilege objects, and iDRAC6 devices or iDRAC6 device groups.

You can add groups of Users and iDRAC6 devices. The procedure for creating Dell-related groups and non-Dell-related groups is identical.

Adding Users or User Groups

  1. Right-click the Association Object and select Properties.

  2. Select the Users tab and click Add.

  3. Enter the user or User Group name and click OK.

Adding Privileges

  1. Select the Privileges Object tab and click Add.

  2. Enter the Privilege Object name and click OK.

Click the Privilege Object tab to add the privilege object to the association that defines the user's or user group's privileges when authenticating to an iDRAC6 device. Only one privilege object can be added to an Association Object.

Adding iDRAC6 Devices or iDRAC6 Device Groups

To add iDRAC6 devices or iDRAC6 device groups:

  1. Select the Products tab and click Add.

  2. Enter iDRAC6 devices or iDRAC6 device group name and click OK.

  3. In the Properties window, click Apply and click OK.

Click the Products tab to add one iDRAC6 device connected to the network that is available for the defined users or user groups. You can add multiple iDRAC6 devices to an Association Object.

Configuring Microsoft Active Directory With Extended Schema Using iDRAC6 Web Interface

  1. Open a supported Web browser window.

  2. Log in to iDRAC6 Web interface.

  3. In the system tree, select System → Remote Access → iDRAC6 → Network/Security tab → Directory Service → Microsoft Active Directory.

The Active Directory summary screen is displayed.

  4. Scroll to the bottom of the screen and click Configure Active Directory.

The Step 1 of 4 Active Directory screen is displayed.

  5. To validate the SSL certificate of your Active Directory servers, select the Certificate Validation Enabled check box under Certificate Settings.

If you do not want to validate the SSL certificate of your Active Directory servers, skip to step 7.

  6. Under Upload Active Directory CA Certificate, enter the file path of the certificate or browse to find the certificate file, and then click Upload.

NOTE: You must enter the absolute file path which includes the full path, complete file name, and file extension.

The certificate information for the Active Directory CA certificate that you uploaded appears in the Current Active Directory CA Certificate section.

  7. Click Next.

The Step 2 of 4 Active Directory Configuration and Management screen is displayed.

  8. Select the Active Directory Enabled check box.

NOTE: In this release, the Smart Card based Two Factor Authentication (TFA) and the single sign-on (SSO) features are not supported if Active Directory is configured for Extended Schema.

  9. Click Add to enter the User Domain Name. Enter the domain name in the text field, and then click OK. Note that this step is optional. If you configure a list of user domains, the list will be available in the Web interface login screen. You can choose from the list, and then you only need to enter the user name.

  10. In the Timeout field, enter the number of seconds you want iDRAC6 to wait for Active Directory responses.

  11. Select the Look Up Domain Controllers with DNS option to obtain the Active Directory domain controllers from a DNS lookup. If already configured, the Domain Controller Server Addresses 1-3 are ignored. Select User Domain from Login to perform the DNS lookup with the domain name of the login user. Otherwise, select Specify a Domain and enter the domain name to use for the DNS lookup. iDRAC6 attempts to connect to each of the addresses (the first 4 addresses returned by the DNS lookup) one by one until it makes a successful connection. If Extended Schema is selected, the domain controllers are where the iDRAC6 device object and the Association objects are located. If Standard Schema is selected, the domain controllers are where the user accounts and the role groups are located.

NOTE: iDRAC6 does not fail over to the specified domain controllers when the DNS lookup fails, or when none of the servers returned by the DNS lookup works.

  12. Select the Specify Domain Controller Addresses option to allow iDRAC6 to use the Active Directory Domain Controller server addresses that are specified. DNS lookup is not performed. Specify the IP address or the FQDN of the domain controllers. When the Specify Domain Controller Addresses option is selected, at least one of the three addresses is required to be configured. iDRAC6 attempts to connect to each of the configured addresses one by one until it makes a successful connection. If Extended Schema is selected, these are the addresses of the domain controllers where the iDRAC6 device object and the Association objects are located.

NOTE: The FQDN or IP address that you specify in this field should match the Subject or Subject Alternative Name field of your domain controller certificate if you have certificate validation enabled.

  13. Click Next.

The Step 3 of 4 Active Directory Configuration and Management screen is displayed.

  14. Under Schema Selection, select the Extended Schema Selection check box.

  15. Click Next.

The Step 4 of 4 Active Directory screen is displayed.

  16. Under Extended Schema Settings, enter iDRAC6 Name and iDRAC6 Domain Name to configure the iDRAC6 device object and its location in Active Directory.

  17. Click Finish to save your changes, and then Done.

The main Active Directory Configuration and Management summary page appears. Next, test the Active Directory settings you just configured.

  18. Scroll to the bottom of the screen and click Test Settings.

The Test Active Directory Settings screen is displayed.

  19. Enter your iDRAC6 user name and password, and then click Start Test.

The test results and the test log are displayed. For additional information, see "Testing Your Configurations."

NOTE: You must have a DNS server configured properly on iDRAC6 to support Active Directory log in. Navigate to the Network screen (click System → Remote Access → iDRAC6, and then click the Network/Security → Network tab) to configure DNS server(s) manually or use DHCP to get DNS server(s).

You have completed the Active Directory configuration with Extended Schema.

Configuring Active Directory With Extended Schema Using RACADM

Use the following commands to configure iDRAC6 Active Directory feature with Extended Schema using the RACADM command line interface (CLI) tool instead of the Web interface.

  1. Open a command prompt and enter the following RACADM commands:

racadm config -g cfgActiveDirectory -o cfgADEnable 1

racadm config -g cfgActiveDirectory -o cfgADType 1

racadm config -g cfgActiveDirectory -o cfgADRacName <RAC common name>

racadm config -g cfgActiveDirectory -o cfgADRacDomain <fully qualified rac domain name>

racadm config -g cfgActiveDirectory -o cfgADDomainController1 <fully qualified domain name or IP Address of the domain controller>

racadm config -g cfgActiveDirectory -o cfgADDomainController2 <fully qualified domain name or IP Address of the domain controller>

racadm config -g cfgActiveDirectory -o cfgADDomainController3 <fully qualified domain name or IP Address of the domain controller>

NOTE: You must configure at least one of the three addresses. iDRAC6 attempts to connect to each of the configured addresses one-by-one until it makes a successful connection. With Extended Schema, these are the FQDN or IP addresses of the domain controllers where this iDRAC6 device is located. Global catalog servers are not used in extended schema mode at all.

If you want to disable the certificate validation during SSL handshake, enter the following RACADM command:

racadm config -g cfgActiveDirectory -o cfgADCertValidationEnable 0

In this case, you do not have to upload a CA certificate.

If you want to enforce the certificate validation during SSL handshake, enter the following RACADM command:

racadm config -g cfgActiveDirectory -o cfgADCertValidationEnable 1

In this case, you must upload a CA certificate using the following RACADM command:

racadm sslcertupload -t 0x2 -f <ADS root CA certificate>

The following RACADM command is optional. See "Importing iDRAC6 Firmware SSL Certificate" for additional information.

racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>

  2. If DHCP is enabled on iDRAC6 and you want to use the DNS provided by the DHCP server, enter the following RACADM command:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

  3. If DHCP is disabled on iDRAC6 or you want to enter your DNS server IP addresses manually, enter the following RACADM commands:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0

racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>

racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>

  4. If you want to configure a list of user domains so that you only need to enter the user name when logging in to the iDRAC6 Web interface, enter the following command:

racadm config -g cfgUserDomain -o cfgUserDomainName <fully qualified domain name or IP Address of the domain controller> -i <index>

You can configure up to 40 user domains with index numbers between 1 and 40.

See "Using Active Directory to Log In to iDRAC6" for details about user domains.

  5. Press Enter to complete the Active Directory configuration with Extended Schema.


Standard Schema Active Directory Overview

As shown in Figure 6-3, using standard schema for Active Directory integration requires configuration on both Active Directory and iDRAC6.

Figure 6-3. Configuration of iDRAC6 with Microsoft Active Directory and Standard Schema

On the Active Directory side, a standard group object is used as a role group. A user who has iDRAC6 access is a member of the role group. To give this user access to a specific iDRAC6 card, the role group name and its domain name must be configured on that iDRAC6 card. Unlike the extended schema solution, the role and the privilege level are defined on each iDRAC6 card, not in Active Directory. Up to five role groups can be configured and defined in each iDRAC6. Table 6-9 shows the default role group privileges.

Table 6-9. Default Role Group Privileges

Role Group | Default Privilege Level | Permissions Granted | Bit Mask
Role Group 1 | None | Login to iDRAC, Configure iDRAC, Configure Users, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands | 0x000001ff
Role Group 2 | None | Login to iDRAC, Configure iDRAC, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands | 0x000000f9
Role Group 3 | None | Login to iDRAC | 0x00000001
Role Group 4 | None | No assigned permissions | 0x00000000
Role Group 5 | None | No assigned permissions | 0x00000000

NOTE: The Bit Mask values are used only when setting Standard Schema with RACADM.

Single Domain Versus Multiple Domain Scenarios

If all of the login users and role groups, as well as the nested groups, are in the same domain, then only the domain controllers' addresses must be configured on iDRAC6. In this single domain scenario, any group type is supported.

If all of the login users and role groups, or any of the nested groups, are from multiple domains, then Global Catalog server addresses are required to be configured on iDRAC6. In this multiple domain scenario, all of the role groups and nested groups, if any, must be Universal Group type.

Configuring Standard Schema Active Directory to Access iDRAC6

You must perform the following steps to configure Active Directory before an Active Directory user can access iDRAC6:

  1. On an Active Directory server (domain controller), open the Active Directory Users and Computers Snap-in.

  2. Create a group or select an existing group. The name of the group and the name of this domain must be configured on iDRAC6 by using either the Web interface or RACADM (see "Configuring Active Directory With Standard Schema Using iDRAC6 Web Interface" or "Configuring Active Directory With Standard Schema Using RACADM").

  3. Add the Active Directory user as a member of the Active Directory group to access iDRAC6.

Configuring Active Directory With Standard Schema Using iDRAC6 Web Interface

  1. Open a supported Web browser window.

  2. Log in to iDRAC6 Web interface.

  3. In the system tree, select System → Remote Access → iDRAC6 → Network/Security tab → Directory Service → Microsoft Active Directory.

The Active Directory summary page is displayed.

  4. Scroll to the bottom of the screen and click Configure Active Directory.

The Step 1 of 4 Active Directory screen is displayed.

  5. Under Certificate Settings, select Certificate Validation Enabled.

  6. Under Upload Active Directory CA Certificate, enter the file path of the certificate or browse to find the certificate file, and then click Upload.

NOTE: You must enter the absolute file path, which includes the full path and the complete file name and file extension.

The certificate information for the Active Directory CA certificate that you uploaded appears in the Current Active Directory CA Certificate section.

  7. Click Next.

The Step 2 of 4 Active Directory Configuration and Management screen is displayed.

  8. Select the Active Directory Enabled check box.

  9. Select Enable Smart Card Login to enable smart card login. You are prompted for a smart card logon during any subsequent logon attempts using the GUI.

  10. Select Enable Single Sign-on if you want to log in to iDRAC6 without entering your domain user authentication credentials, such as user name and password.

  11. Click Add to enter the User Domain Name. Enter the domain name in the text field, and then click OK. This step is optional. If you configure a list of user domains, the list is available in the Web interface login screen; you can choose a domain from the list and then enter only the user name.

  12. In the Timeout field, enter the number of seconds you want iDRAC6 to wait for Active Directory responses.

  13. Select the Look Up Domain Controllers with DNS option to obtain the Active Directory domain controllers from a DNS lookup. If already configured, the Domain Controller Server Addresses 1-3 are ignored. Select User Domain from Login to perform the DNS lookup with the domain name of the login user. Otherwise, select Specify a Domain and enter the domain name to use for the DNS lookup. iDRAC6 attempts to connect to each of the addresses (the first 4 addresses returned by the DNS lookup) one by one until it makes a successful connection. If Standard Schema is selected, the domain controllers are where the user accounts and the role groups are located.

  14. Select the Specify Domain Controller Addresses option to make iDRAC6 use the Active Directory domain controller addresses that you specify; no DNS lookup is performed. Specify the IP address or the FQDN of the domain controllers. When this option is selected, at least one of the three addresses must be configured. iDRAC6 attempts to connect to each of the configured addresses one by one until it makes a successful connection. If Standard Schema is selected, these are the addresses of the domain controllers where the user accounts and the role groups are located.

NOTE: iDRAC6 does not fail over to the specified domain controllers when the DNS lookup fails or none of the servers returned by the DNS lookup works.

  15. Click Next.

The Step 3 of 4 Active Directory Configuration and Management screen is displayed.

  16. Under Schema Selection, select the Standard Schema Selection check box.

  17. Click Next.

The Step 4a of 4 Active Directory screen is displayed.

  18. Under Standard Schema Settings, select the Look Up Global Catalog Servers with DNS option and enter the Root Domain Name to use in a DNS lookup to obtain the Active Directory Global Catalog servers. If already configured, the Global Catalog Server Addresses 1-3 are ignored. iDRAC6 attempts to connect to each of the addresses (the first 4 addresses returned by the DNS lookup) one by one until it makes a successful connection. A Global Catalog server is required only for Standard Schema when the user accounts and the role groups are in different domains.

NOTE: iDRAC6 does not fail over to the specified Global Catalog servers when the DNS lookup fails or none of the servers returned by the DNS lookup works.

  19. Select the Specify Global Catalog Server Addresses option and enter the IP address or the Fully Qualified Domain Name (FQDN) of the Global Catalog server(s). No DNS lookup is performed. At least one of the three addresses must be configured. iDRAC6 attempts to connect to each of the configured addresses one by one until it makes a successful connection.

NOTE: The Global Catalog server is required only for Standard Schema when the user accounts and role groups are in different domains, and in this multiple-domain case only Universal groups can be used. If you use the iDRAC6 Web GUI to configure Active Directory, you must enter a Global Catalog address even when the user and group are in the same domain.

  20. Click a Role Group button to add a role group.

The Step 4b of 4 Configure Role Group screen appears.

  21. Enter the Group Name. The group name identifies the role group in the Active Directory associated with iDRAC6.

  22. Enter the Group Domain. The Group Domain is the fully qualified root domain name for the forest.

  23. In the Role Group Privileges section, set the group privileges. See Table 5-14 for information on role group privileges.

NOTE: If you modify any of the permissions, the existing role group privilege level (Administrator, Power User, or Guest User) changes to either Custom Group or the appropriate role group privilege level, based on the permissions you modified.

  24. Click OK to save the role group settings.

An alert dialog appears, indicating that your settings are changed. Click OK to return to the Step 4a of 4 Active Directory Configuration and Management screen.

  25. To add an additional role group, repeat step 20 through step 24.

  26. Click Finish, and then click Done.

The main Active Directory Configuration and Management summary screen appears. Test the Active Directory settings you just configured.

  27. Scroll to the bottom of the screen and click Test Settings.

The Test Active Directory Settings screen appears.

  28. Enter your iDRAC6 user name and password, and then click Start Test.

The test results and the test log are displayed. For additional information, see "Testing Your Configurations."

NOTE: You must have a DNS server configured properly on iDRAC6 to support Active Directory log in. Navigate to the Network screen (click System → Remote Access → iDRAC6, and then click the Network/Security → Network tab) to configure DNS server(s) manually or use DHCP to get DNS server(s).

You have completed the Active Directory configuration with Standard Schema.

Configuring Active Directory With Standard Schema Using RACADM

Use the following commands to configure iDRAC6 Active Directory Feature with Standard Schema using the RACADM CLI instead of the Web-based interface.

  1. Open a command prompt and enter the following RACADM commands:

racadm config -g cfgActiveDirectory -o cfgADEnable 1

racadm config -g cfgActiveDirectory -o cfgADType 2

racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupName <common name of the role group>

racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupDomain <fully qualified domain name>

racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupPrivilege <Bit Mask Value for specific RoleGroup permissions>

NOTE: For Bit Mask values for specific Role Group permissions, see Table 6-9.

racadm config -g cfgActiveDirectory -o cfgADDomainController1 <fully qualified domain name or IP address of the domain controller>

racadm config -g cfgActiveDirectory -o cfgADDomainController2 <fully qualified domain name or IP address of the domain controller>

racadm config -g cfgActiveDirectory -o cfgADDomainController3 <fully qualified domain name or IP address of the domain controller>

NOTE: Enter the FQDN of the domain controller, not the FQDN of the domain. For example, enter servername.dell.com instead of dell.com.
NOTE: At least one of the 3 addresses is required to be configured. iDRAC6 attempts to connect to each of the configured addresses one-by-one until it makes a successful connection. With Standard Schema, these are the addresses of the domain controllers where the user accounts and the role groups are located.

racadm config -g cfgActiveDirectory -o cfgADGlobalCatalog1 <fully qualified domain name or IP address of the global catalog server>

racadm config -g cfgActiveDirectory -o cfgADGlobalCatalog2 <fully qualified domain name or IP address of the global catalog server>

racadm config -g cfgActiveDirectory -o cfgADGlobalCatalog3 <fully qualified domain name or IP address of the global catalog server>

NOTE: The Global Catalog server is only required for standard schema when the user accounts and role groups are in different domains. And, in this multiple domain case, only the Universal Group can be used.
NOTE: The FQDN or IP address that you specify in this field should match the Subject or Subject Alternative Name field of your domain controller certificate if you have certificate validation enabled.

If you want to disable certificate validation during the SSL handshake, enter the following RACADM command:

racadm config -g cfgActiveDirectory -o cfgADCertValidationEnable 0

In this case, no Certificate Authority (CA) certificate needs to be uploaded.

CAUTION: With certificate validation disabled, iDRAC6 accepts any certificate presented on the configured domain controller or Global Catalog address and cannot detect a host impersonating that server. Use this setting only for troubleshooting, and re-enable validation afterwards.

If you want to enforce the certificate validation during SSL handshake, enter the following RACADM command:

racadm config -g cfgActiveDirectory -o cfgADCertValidationEnable 1

In this case, you must also upload the CA certificate using the following RACADM command:

racadm sslcertupload -t 0x2 -f <ADS root CA certificate>

The following RACADM command is needed only if the domain controller authenticates the client during the SSL handshake. See "Importing iDRAC6 Firmware SSL Certificate" for additional information.

racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>

  2. If DHCP is enabled on iDRAC6 and you want to use the DNS provided by the DHCP server, enter the following RACADM command:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

  3. If DHCP is disabled on iDRAC6 or you want to enter your DNS server IP addresses manually, enter the following RACADM commands:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0

racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>

racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>

  4. If you want to configure a list of user domains so that you only need to enter the user name when logging in to the Web interface, enter the following command:

racadm config -g cfgUserDomain -o cfgUserDomainName <fully qualified domain name or IP Address of the domain controller> -i <index>

Up to 40 user domains can be configured with index numbers between 1 and 40.

See "Using Active Directory to Log In to iDRAC6" for details about user domains.
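The Standard Schema RACADM sequence above is easy to get subtly wrong in ways the NOTEs in this section warn about: a bare domain name where a controller FQDN is required, no Global Catalog address when users and role groups span domains, or certificate validation enabled without a CA certificate uploaded. The following Python script is an added example, not Dell code and not part of RACADM, that builds the command list for the Standard Schema procedure and rejects those mistakes before anything is sent to the controller; it also encodes and decodes the Table 6-9 bit masks. The per-privilege bit values in PRIVILEGE_BITS are an assumption taken from the RACADM user-privilege bitmask and are not stated on this page, so check them against the RACADM reference for your firmware. With that mapping, 0x000001ff and 0x00000001 agree with Table 6-9, but 0x000000f9 decodes to Login to iDRAC, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media and Test Alerts, which is not the set listed for Role Group 2; verify the mask of any group that is not Administrator or Login-only before applying it. The sample role group, controller names and certificate path are constructed.

```python
"""Build and sanity-check the iDRAC6 Standard Schema RACADM command sequence.

Added example, not Dell code and not part of RACADM. Group and property names
follow the commands quoted in this chapter. PRIVILEGE_BITS is an ASSUMPTION
(the RACADM user-privilege bitmask); confirm it against your firmware's RACADM
reference before relying on a mask other than 0x1ff or 0x1.
"""
import shlex

PRIVILEGE_BITS = {            # assumed bit per privilege (see module docstring)
    "Login to iDRAC": 0x001,
    "Configure iDRAC": 0x002,
    "Configure Users": 0x004,
    "Clear Logs": 0x008,
    "Execute Server Control Commands": 0x010,
    "Access Console Redirection": 0x020,
    "Access Virtual Media": 0x040,
    "Test Alerts": 0x080,
    "Execute Diagnostic Commands": 0x100,
}
ALL_BITS = sum(PRIVILEGE_BITS.values())   # 0x1ff, the Table 6-9 Role Group 1 mask


def privilege_mask(privileges):
    """cfgSSADRoleGroupPrivilege value for a list of names; KeyError on a typo."""
    mask = 0
    for name in privileges:
        mask |= PRIVILEGE_BITS[name]
    return mask


def decode_mask(mask):
    """Privilege names a mask grants, in bit order; rejects undefined bits."""
    if mask & ~ALL_BITS:
        raise ValueError(f"undefined bits set in {mask:#x}")
    return [name for name, bit in PRIVILEGE_BITS.items() if mask & bit]


def racadm(group, option, value, index=None):
    """One 'racadm config' line, shell-quoted so group names with spaces survive."""
    argv = ["racadm", "config", "-g", group]
    if index is not None:
        argv += ["-i", str(index)]
    argv += ["-o", option, str(value)]
    return " ".join(shlex.quote(a) for a in argv)


def _check_addresses(addresses, domains, what):
    """Addresses must be a server's FQDN or IP, never the bare domain name."""
    if not 1 <= len(addresses) <= 3:
        raise ValueError(f"configure 1 to 3 {what} addresses")
    for addr in addresses:
        if addr.lower().rstrip(".") in domains:
            raise ValueError(f"{addr!r} is a domain name, not a {what} FQDN or IP")


def _cert_commands(validate_certs, ca_cert_path):
    """Validation needs the AD root CA in certificate slot 0x2, or it cannot succeed."""
    if validate_certs and not ca_cert_path:
        raise ValueError("certificate validation enabled but no CA certificate to upload")
    cmds = [racadm("cfgActiveDirectory", "cfgADCertValidationEnable", int(validate_certs))]
    if validate_certs:
        cmds.append("racadm sslcertupload -t 0x2 -f " + shlex.quote(ca_cert_path))
    return cmds


def standard_schema_commands(role_groups, domain_controllers, global_catalogs=(),
                             user_domains=(), validate_certs=True, ca_cert_path=None):
    """Standard Schema (cfgADType 2). role_groups: up to five dicts with 'name',
    'domain' and 'privileges'. Raises ValueError for a configuration the NOTEs
    in this section say will not work."""
    if not 1 <= len(role_groups) <= 5:
        raise ValueError("iDRAC6 supports 1 to 5 role groups")
    if len(user_domains) > 40:
        raise ValueError("iDRAC6 supports up to 40 user domains")
    domains = {d.lower().rstrip(".") for d in user_domains}
    domains |= {rg["domain"].lower().rstrip(".") for rg in role_groups}
    _check_addresses(domain_controllers, domains, "domain controller")
    if global_catalogs:
        _check_addresses(global_catalogs, domains, "global catalog")
    elif len(domains) > 1:
        raise ValueError("users and role groups span domains: a Global Catalog is required")
    cmds = [racadm("cfgActiveDirectory", "cfgADEnable", 1),
            racadm("cfgActiveDirectory", "cfgADType", 2)]
    for i, rg in enumerate(role_groups, start=1):
        cmds.append(racadm("cfgStandardSchema", "cfgSSADRoleGroupName", rg["name"], index=i))
        cmds.append(racadm("cfgStandardSchema", "cfgSSADRoleGroupDomain", rg["domain"], index=i))
        cmds.append(racadm("cfgStandardSchema", "cfgSSADRoleGroupPrivilege",
                           f"{privilege_mask(rg['privileges']):#010x}", index=i))
    for i, addr in enumerate(domain_controllers, start=1):
        cmds.append(racadm("cfgActiveDirectory", f"cfgADDomainController{i}", addr))
    for i, addr in enumerate(global_catalogs, start=1):
        cmds.append(racadm("cfgActiveDirectory", f"cfgADGlobalCatalog{i}", addr))
    for i, dom in enumerate(user_domains, start=1):
        cmds.append(racadm("cfgUserDomain", "cfgUserDomainName", dom, index=i))
    return cmds + _cert_commands(validate_certs, ca_cert_path)
```

Run it with a constructed role group, for example `standard_schema_commands([{"name": "idrac-admins", "domain": "corp.example.com", "privileges": list(PRIVILEGE_BITS)}], ["dc1.corp.example.com"], ca_cert_path="/tmp/ad-root-ca.cer")`, and paste the returned lines into the RACADM prompt; the CA upload comes last so that validation is never switched on before the root certificate is in place.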


Testing Your Configurations

If you want to verify whether your configuration works, or if you need to diagnose the problem with your failed Active Directory log in, you can test your settings from iDRAC6 Web interface.

After you finish configuring settings in iDRAC6 Web interface, click Test Settings at the bottom of the screen. You will be required to enter a test user's name (for example, username@domain.com) and password to run the test. Depending on your configuration, it may take some time for all of the test steps to complete and display the results of each step. A detailed test log will display at the bottom of the results screen.

If there is a failure in any step, examine the details in the test log to identify the problem and a possible solution. For most common errors, see "Frequently Asked Questions."

If you need to make changes to your settings, click the Active Directory tab and change the configuration step-by-step.


Enabling SSL on a Domain Controller

When iDRAC6 authenticates users against an Active Directory domain controller, it starts an SSL session with the domain controller. At this time, the domain controller should publish a certificate signed by the Certificate Authority (CA)—the root certificate of which is also uploaded into iDRAC6. In other words, for iDRAC6 to authenticate to any domain controller—whether it is the root or the child domain controller—that domain controller should have an SSL-enabled certificate signed by the domain's CA.

If you are using a Microsoft Enterprise Root CA to automatically issue an SSL certificate to all your domain controllers, perform the following steps to enable SSL on each domain controller:

  1. Enable SSL on each of your domain controllers by installing the SSL certificate for each controller.

    1. Click Start → Administrative Tools → Domain Security Policy.

    2. Expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and click Automatic Certificate Request.

    3. In the Automatic Certificate Request Setup Wizard, click Next and select Domain Controller.

    4. Click Next and click Finish.

Exporting the Domain Controller Root CA Certificate to iDRAC6

NOTE: If your system is running Windows 2000, the following steps may vary.
NOTE: If you are using a standalone CA, the following steps may vary.
  1. Locate the domain controller that is running the Microsoft Enterprise CA service.

  2. Click Start → Run.

  3. In the Run field, enter mmc and click OK.

  4. In the Console 1 (MMC) window, click File (or Console on Windows 2000 systems) and select Add/Remove Snap-in.

  5. In the Add/Remove Snap-In window, click Add.

  6. In the Standalone Snap-In window, select Certificates and click Add.

  7. Select Computer account and click Next.

  8. Select Local Computer and click Finish.

  9. Click OK.

  10. In the Console 1 window, expand the Certificates folder, expand the Personal folder, and click the Certificates folder.

  11. Locate and right-click the root CA certificate, select All Tasks, and click Export...

  12. In the Certificate Export Wizard, click Next, and select No, do not export the private key.

  13. Click Next and select Base-64 encoded X.509 (.cer) as the format.

  14. Click Next and save the certificate to a directory on your system.

  15. Upload the certificate you saved in step 14 to iDRAC6.

To upload the certificate using RACADM, see "Configuring Active Directory With Standard Schema Using RACADM."

To upload the certificate using the Web interface, see "Configuring Active Directory With Standard Schema Using iDRAC6 Web Interface."

Importing iDRAC6 Firmware SSL Certificate

NOTE: If the Active Directory Server is set to authenticate the client during an SSL session initialization phase, you need to upload iDRAC6 Server certificate to the Active Directory Domain controller as well. This additional step is not required if the Active Directory does not perform a client authentication during an SSL session's initialization phase.

Use the following procedure to import iDRAC6 firmware SSL certificate to all domain controller trusted certificate lists.

NOTE: If your system is running Windows 2000, the following steps may vary.
NOTE: If iDRAC6 firmware SSL certificate is signed by a well-known CA and the certificate of that CA is already in the domain controller's Trusted Root Certificate Authority list, you are not required to perform the steps in this section.

The iDRAC6 SSL certificate is the same certificate used by the iDRAC6 Web server. All iDRAC6 controllers ship with a default self-signed certificate.

To download iDRAC6 SSL certificate, run the following RACADM command:

racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>

  1. On the domain controller, open an MMC Console window and select Certificates → Trusted Root Certification Authorities.

  2. Right-click Certificates, select All Tasks and click Import.

  3. Click Next and browse to the SSL certificate file.

  4. Install the iDRAC6 SSL certificate in each domain controller's Trusted Root Certification Authorities store.

If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authorities list. If the CA is not in the list, you must install it on all your domain controllers.

  5. Click Next and select whether you would like Windows to automatically select the certificate store based on the type of certificate, or browse to a store of your choice.

  6. Click Finish and click OK.


Using Active Directory to Log In to iDRAC6

You can use Active Directory to log in to iDRAC6 using one of the following methods:

  • Web interface

  • Local RACADM

  • SSH or Telnet console for SM-CLP CLI

The login syntax is the same for all three methods:

<username@domain>

or

<domain>\<username> or <domain>/<username>

where username is an ASCII string of 1–256 bytes.

White space and special characters (such as \, /, or @) cannot be used in the user name or the domain name.

NOTE: You cannot specify NetBIOS domain names, such as Americas, because these names cannot be resolved.

If you log in from the Web interface and you have configured user domains, the Web interface login screen lists all the user domains in a pull-down menu for you to choose from. If you select a user domain from the pull-down menu, enter only the user name. If you select This iDRAC, you can still log in as an Active Directory user by using the login syntax described above.
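The login syntax and restrictions above are precise enough to implement. The following Python function is an added example, not Dell code and not the firmware's own parser, that splits a login string the way the three accepted forms require, applies the stated limits (ASCII, 1 to 256 bytes, no white space, none of \, / or @ inside either part) and rejects a dotless domain such as Americas because a NetBIOS name cannot be resolved. The selected_domain parameter models the user-domain pull-down on the Web login screen; how that choice combines with a bare user name is an assumption, as are the sample logins in the usage note.

```python
"""Parse an iDRAC6 Active Directory login string.

Added example, not Dell code: it implements the login syntax and restrictions
stated in "Using Active Directory to Log In to iDRAC6"; it is not the
firmware's own parser, and the selected_domain handling is an assumption.
"""
from typing import NamedTuple, Optional

MAX_USERNAME_BYTES = 256
SEPARATORS = "@\\/"          # the three separators; forbidden inside either part


class Login(NamedTuple):
    username: str
    domain: Optional[str]    # None for a local iDRAC6 account
    is_directory_user: bool


def _check_token(value, what):
    """Apply the stated rules: non-empty, ASCII, no white space, no \\ / @."""
    if not value:
        raise ValueError(f"empty {what}")
    if not value.isascii():
        raise ValueError(f"{what} must be ASCII")
    if any(c.isspace() or c in SEPARATORS for c in value):
        raise ValueError(f"{what} contains white space or one of {SEPARATORS!r}")


def parse_ad_login(login, selected_domain=None):
    """Split user@domain, domain\\user or domain/user into its parts.

    selected_domain models the user-domain pull-down on the Web login page: a
    bare user name with a domain selected is a directory login; a bare user
    name with "This iDRAC" selected (None) is a local login.
    """
    if "@" in login:
        username, _, domain = login.partition("@")
    elif "\\" in login:
        domain, _, username = login.partition("\\")
    elif "/" in login:
        domain, _, username = login.partition("/")
    else:
        username, domain = login, selected_domain

    _check_token(username, "user name")
    if len(username.encode("ascii")) > MAX_USERNAME_BYTES:
        raise ValueError(f"user name longer than {MAX_USERNAME_BYTES} bytes")
    if domain is None:
        return Login(username, None, False)

    _check_token(domain, "domain name")
    # A NetBIOS name such as "Americas" has no dot and cannot be resolved.
    if "." not in domain:
        raise ValueError(f"{domain!r} looks like a NetBIOS name; use the DNS domain name")
    return Login(username, domain.lower(), True)
```

`parse_ad_login("jsmith@corp.example.com")` and `parse_ad_login("corp.example.com\\jsmith")` both yield the user jsmith in corp.example.com, `parse_ad_login("root")` is a local account, and `parse_ad_login("Americas\\jsmith")` raises ValueError. Because the split happens at the first separator, a second @, \ or / ends up inside one of the parts and is rejected there, so a string such as jsmith@corp.example.com@x never produces a plausible-looking domain.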


Using Active Directory Single Sign-On

You can enable iDRAC6 to use Kerberos—a network authentication protocol—to enable single sign-on. For more information on setting up iDRAC6 to use the Active Directory single sign-on feature, see "Enabling Kerberos Authentication."

Configuring iDRAC6 to Use Single Sign-On

  1. Open a supported Web browser window.

  2. Log in to iDRAC6 Web interface.

  3. In the system tree, select System → Remote Access → iDRAC6 → Network/Security tab → Network. In the Network page, verify that the DNS iDRAC6 Name is correct and matches the name used for the iDRAC6 fully qualified domain name.

  4. In the system tree, select System → Remote Access → iDRAC6 → Network/Security tab → Directory Service → Microsoft Active Directory.

The Active Directory summary screen is displayed.

  5. Scroll to the bottom of the screen and click Configure Active Directory.

The Step 1 of 4 Active Directory screen is displayed.

  6. To validate the SSL certificate of your Active Directory servers, select the Certificate Validation Enabled check box under Certificate Settings.

If you do not want to validate the SSL certificate of your Active Directory servers, take no action, skip the certificate upload, and go to step 8.

  7. Under Upload Active Directory CA Certificate, enter the file path of the certificate or browse to find the certificate file, and then click Upload.

NOTE: You must enter the absolute file path, which includes the full path and the complete file name and file extension.

The certificate information for the Active Directory CA certificate that you uploaded appears in the Current Active Directory CA Certificate section.

  8. Click Next.

The Step 2 of 4 Active Directory Configuration and Management screen is displayed.

  9. Select the Active Directory Enabled check box.

  10. Select Enable Single Sign-on if you want to log in to iDRAC6 directly after logging in to your workstation, without entering your domain user authentication credentials, such as user name and password.

To log in to iDRAC6 using this feature, you must already be logged in to your system using a valid Active Directory user account, and that account must already be configured (through a role group) to log in to iDRAC6 using Active Directory credentials. iDRAC6 uses the Active Directory (Kerberos) credentials cached by the operating system to log you in.

To enable single sign-on using the CLI, run the following RACADM command:

racadm config -g cfgActiveDirectory -o cfgADSSOEnable 1

  11. Add the User Domain Name, and enter the IP address of the Domain Controller Server Address. Select either Look Up Domain Controllers with DNS or Specify Domain Controller Addresses. Click Next.

  12. On the Step 3 of 4 Active Directory Configuration and Management page, select Standard Schema Settings. Click Next.

  13. On the Step 4a of 4 Active Directory page, enter the IP address of the Global Catalog server, or select the Look Up Global Catalog Servers with DNS option and enter the Root Domain Name to use in a DNS lookup to obtain the Active Directory Global Catalog servers. Add the role group that your valid Active Directory user is a member of by selecting one of the Role Groups (Step 4b of 4). Enter the Role Group name, the Group Domain, and the Role Group Privileges level. Click OK and then Finish. Click Done to display the Active Directory summary page.

Logging Into iDRAC6 Using Single Sign-On

  1. Log into your management station using your valid Active Directory network account.

  2. Log into iDRAC6 Web page using iDRAC6 fully qualified domain name:

http://idracname.domain.com.

iDRAC6 logs you in, using your credentials that were cached in the operating system when you logged in using your valid Active Directory network account.


Using iDRAC6 with LDAP Directory Service

iDRAC6 provides a generic solution to support Lightweight Directory Access Protocol (LDAP)-based authentication. This feature does not require any schema extension on your directory services.

To make the iDRAC6 LDAP implementation generic, it relies on what different directory services have in common: users are grouped, and the user-to-group relationship is mapped. What differs between directory services is the schema; for example, they may use different attribute names for the group, the user, and the link between the user and the group. These attribute names can be configured in iDRAC6.

Login Syntax (Directory User versus Local User)

Unlike Active Directory, the special characters "@", "\", and "/" are not used to differentiate an LDAP user from a local user. The login user must enter the user name only, without a domain name. iDRAC6 takes the user name as is and does not split it into a user name and a user domain. When generic LDAP is enabled, iDRAC6 first tries to log the user in as a directory user; if that fails, it falls back to a local user lookup.

NOTE: The Active Directory login syntax is unchanged. When generic LDAP is enabled, the GUI login page displays only This iDRAC in the drop-down menu.
NOTE: In this release, only OpenLDAP- and OpenDS-based directory services are supported. The "<" and ">" characters are not allowed in the user name for OpenLDAP and OpenDS.

Configuring Generic LDAP Directory Service Using iDRAC6 Web-Based Interface

  1. Open a supported Web browser window.

  2. Log in to iDRAC6 Web-based interface.

  3. Expand the System tree and click Remote Access® iDRAC6® Network/Security tab® Directory Service® Generic LDAP Directory Service.

  4. The Generic LDAP Configuration and Management page displays the current iDRAC6 generic LDAP settings. Scroll to the bottom of the Generic LDAP Configuration and Management page, and click Configure Generic LDAP.

NOTE: In this release, only Standard Schema Active Directory (SSAD) without extensions is supported.

The Step 1 of 3 Generic LDAP Configuration and Management page is displayed. Use this page to configure the digital certificate used during initiation of SSL connections when communicating with a generic LDAP server. These communications use LDAP over SSL (LDAPS). If you enable certificate validation, upload the certificate of the Certificate Authority (CA) that issued the certificate used by the LDAP server during initiation of SSL connections. The CA's certificate is used to validate the authenticity of the certificate provided by the LDAP server during SSL initiation.

NOTE: In this release, non-SSL port based LDAP bind is not supported. Only LDAP over SSL is supported.
  1. Under Certificate Settings, check Enable Certificate Validation to enable certificate validation. If enabled, iDRAC6 uses the CA certificate to validate the LDAP server certificate during Secure Socket Layer (SSL) handshake; if disabled, iDRAC6 skips the certificate validation step of the SSL handshake. You can disable certificate validation during testing or if your system administrator chooses to trust the domain controllers in the security boundary without validating their SSL certificates.

CAUTION: Ensure that CN = open LDAP FQDN is set (for example, CN= openldap.lab) in the subject field of the LDAP server certificate during certificate generation. The CN field in the server certificate should be set to match the LDAP server address field in iDRAC6 for certificate validation to work.
  1. Under Upload Directory Service CA Certificate, type the file path of the certificate or browse to find the certificate file.

NOTE: You must type the absolute file path, which includes the full path and the complete file name and file extension.
  1. Click Upload.

The certificate of the root CA that signs all the domain controllers' Security Socket Layer (SSL) server certificates will be uploaded.

  1. Click Next to go to the Step 2 of 3 Generic LDAP Configuration and Management page. Use this page to configure location information about generic LDAP servers and user accounts.

NOTE: In this release, the Smart Card based Two Factor Authentication (TFA) and the single sign-on (SSO) features are not supported for Generic LDAP Directory Service.
  1. Select Enable Generic LDAP.

NOTE: In this release, nested group is not supported. The firmware searches for the direct member of the group to match the user DN. Also, only single domain is supported. Cross domain is not supported.
  1. Select the Use Distinguished Name to Search Group Membership option to use the Distinguished Name (DN) as group members. iDRAC6 compares the User DN retrieved from the directory to compare with the members of the group. If unchecked, user name provided by the login user is used to compare with the members of the group.

  2. In the LDAP Server Address field, enter the FQDN or the IP address of the LDAP server. To specify multiple redundant LDAP servers that serve the same domain, provide the list of all servers separated by commas. iDRAC6 tries to connect to each server in turn, until it makes a successful connection.

  3. Enter the port used for LDAP over SSL in the LDAP Server Port field. The default is 636.

  4. In the Bind DN field, enter the DN of a user used to bind to the server when searching for the login user's DN. If not specified, an anonymous bind is used.

  5. Enter the Bind Password to use in conjunction with the Bind DN. This is required if anonymous bind is not allowed.

  6. In the Base DN to Search field, enter the DN of the branch of the directory where all searches should start.

  7. In the Attribute of User Login field, enter the user attribute to search for. Default is UID. It is recommended that this be unique within the chosen Base DN, else a search filter must be configured to ensure the uniqueness of the login user. If the user DN cannot be uniquely identified by the search combination of attribute and search filter, the login will fail.

  8. In the Attribute of Group Membership field, specify which LDAP attribute should be used to check for group membership. This should be an attribute of the group class. If not specified, iDRAC6 uses the member and uniquemember attributes.

  9. In the Search Filter field, enter a valid LDAP search filter. Use the filter if the user attribute cannot uniquely identify the login user within the chosen Base DN. If not specified, the value defaults to objectClass=*, which searches for all objects in the tree. This additional search filter configured by the user applies only to userDN search and not the group membership search.

  10. Click Next to go to the Step 3a of 3 Generic LDAP Configuration and Management page. Use this page to configure the privilege groups used to authorize users. When generic LDAP is enabled, Role Group(s) are used to specify authorization policy for iDRAC6 users.

  11. Under Role Groups, click a Role Group.

The Step 3b of 3 Generic LDAP Configuration and Management page is displayed. Use this page to configure each Role Group used to control authorization policy for users.

  1. Enter the Group Distinguished Name (DN) that identifies the role group in the generic LDAP Directory Service associated with iDRAC6.

  2. In the Role Group Privileges section, specify the privileges associated with the group by selecting the Role Group Privilege Level. For example, if you select Administrator, all of the privileges are selected for that level of permission.

  3. Click Apply to save Role Group settings.

iDRAC6 Web server automatically returns you to the Step 3a of 3 Generic LDAP Configuration and Management page where your Role Group settings are displayed.

  1. Configure additional Role Groups if required.

  2. Click Finish to return to the Generic LDAP Configuration and Management summary page.

  3. Click Test Settings to check the generic LDAP settings.

  4. Enter the user name and password of the directory user chosen to test the LDAP settings. The format depends on which Attribute of User Login is used, and the user name entered must match the value of the chosen attribute.

NOTE: When testing LDAP settings with "Enable Certificate Validation" checked, iDRAC6 requires that the LDAP server be identified by the FQDN and not an IP address. If the LDAP server is identified by an IP address, certificate validation fails because iDRAC6 is not able to communicate with the LDAP server.

The test results and the test log are displayed. You have completed the Generic LDAP Directory Service configuration.
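The following added example (not Dell's code) models the generic LDAP login flow configured in the steps above: the user DN search under the Base DN with the Attribute of User Login and the Search Filter, the uniqueness requirement, and the Role Group membership check through the member and uniquemember attributes. The in-memory directory, the Role Group DNs and the function names are constructed for illustration only.

```python
# Constructed in-memory directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["bob"], "departmentnumber": ["ops"]},
    "uid=bob,ou=contractors,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["bob"]},
    "cn=idrac-admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=idrac-operators,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=bob,ou=people,dc=example,dc=com"]},
}
# Role Group DN -> privilege level, as configured on the Step 3b page (hypothetical).
ROLE_GROUPS = {
    "cn=idrac-admins,ou=groups,dc=example,dc=com": "Administrator",
    "cn=idrac-operators,ou=groups,dc=example,dc=com": "Operator",
}

def _matches_filter(attrs, search_filter):
    """Minimal filter support: a single '(attr=value)'; objectClass=* matches everything."""
    attr, _, value = search_filter.strip("()").partition("=")
    if value == "*":
        return attr.lower() in attrs
    return value in attrs.get(attr.lower(), [])

def find_user_dn(login, base_dn, login_attr="uid", search_filter="(objectClass=*)"):
    """Steps 7 and 9: search below base_dn for entries whose login_attr equals the
    login name AND match the search filter. The DN is returned only when exactly
    one entry matches; an ambiguous or empty result means the login fails."""
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and login in attrs.get(login_attr.lower(), [])
            and _matches_filter(attrs, search_filter)]
    return hits[0] if len(hits) == 1 else None

def authorize(user_dn, membership_attrs=("member", "uniquemember")):
    """Step 8: look for the user DN in each Role Group's membership attribute(s).
    The search filter is deliberately not applied here, as the page states."""
    levels = set()
    for group_dn, level in ROLE_GROUPS.items():
        group = DIRECTORY.get(group_dn, {})
        if any(user_dn in group.get(attr, []) for attr in membership_attrs):
            levels.add(level)
    return levels
```

With two entries sharing uid=bob under the Base DN, the login fails until either a narrower Base DN or a Search Filter such as (departmentNumber=ops) makes the result unique.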


Frequently Asked Questions

Active Directory Log In Issues

It takes nearly 4 minutes to log into iDRAC6 using Active Directory Single Sign-On.

A normal Active Directory Single Sign-On login usually takes less than 10 seconds. It may take nearly 4 minutes if you have specified both the Preferred DNS Server and the Alternate DNS Server in the iDRAC6 Network page and the preferred DNS server has failed. DNS timeouts are expected when a DNS server is down; iDRAC6 then logs you in using the alternate DNS server.

I have configured Active Directory for a domain present in Windows Server 2008 Active Directory and have made these configurations. A child or sub domain is present for the domain, the User and Group is present in the same child domain, and the User is a member of that Group. Now if I try to log in to iDRAC6 using the User present in the child domain, Active Directory Single Sign-On login fails.

This may be because of the wrong Group type. There are two kinds of Group types in the Active Directory server:

  • Security—Security groups allow you to manage user and computer access to shared resources and to filter Group Policy settings

  • Distribution—Distribution groups are intended to be used only as e-mail distribution lists.

Always ensure that the Group Type is Security. Distribution groups cannot be used to assign permissions on any object or to filter Group Policy settings.

My Active Directory log in failed. What do I do?

iDRAC6 provides a diagnostic tool in the Web interface.

  1. Log in as a local user with administrator privilege from the Web interface.

  2. In the system tree, select System → Remote Access → iDRAC6 → Network/Security tab → Directory Service → Microsoft Active Directory.

     The Active Directory summary screen is displayed.

  3. Scroll to the bottom of the screen and click Test Settings.

     The Test Active Directory Settings screen is displayed.

  4. Enter a test user name and password, and then click Start Test.

iDRAC6 runs the tests step-by-step and displays the result for each step. iDRAC6 also logs a detailed test result to help you resolve any problems.

If problems persist, configure your Active Directory settings, change your user configuration, and run the test again until the test user passes the authorization step.

I enabled certificate validation but my Active Directory log in failed. I ran the diagnostics from the GUI and the test results show the following error message. What could the problem be and how do I fix it?

ERROR: Can't contact LDAP server, error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed: Please check the correct Certificate Authority (CA) certificate has been uploaded to iDRAC. Please also check if the iDRAC date is within the valid period of the certificates and if the Domain Controller Address configured in iDRAC matches the subject of the Directory Server Certificate.

If certificate validation is enabled, iDRAC6 uses the uploaded CA certificate to verify the directory server certificate when iDRAC6 establishes the SSL connection with the directory server. The most common reasons for failing certificate validation are:

  • iDRAC6 date is not within the valid period of the server certificate or CA certificate. Check iDRAC6 time and the valid period of your certificate.

  • The Domain Controller Addresses configured in iDRAC6 do not match the Subject or Subject Alternative Name of the directory server certificate.

    • If you are using an IP address, see "I am using an IP address for a Domain Controller Address, and I failed certificate validation. What is the problem?".

    • If you are using FQDN, ensure you are using the FQDN of the domain controller, and not the domain itself. For example, use servername.example.com and not example.com.

What should I check if I cannot log in to iDRAC6 using Active Directory?

First, diagnose the problem using the Test Settings feature. For directions, see "My Active Directory log in failed. What do I do?"

Then, fix the specific problem indicated by the test results. For additional information, see "Testing Your Configurations."

Most common issues are explained in this section. However, in general, you should check the following:

  1. Ensure that you use the correct user domain name during a log in and not the NetBIOS name.

  2. If you have a local iDRAC6 user account, log in to iDRAC6 using your local credentials and check the following:

    1. Ensure that the Active Directory Enabled check box is selected in the Step 2 of 4 Active Directory Configuration and Management page.

    2. If you have enabled certificate validation, ensure that you have uploaded the correct Active Directory root CA certificate to iDRAC6. The certificate appears in the Current Active Directory CA Certificate area. Ensure that iDRAC6 time is within the valid period of the CA certificate.

    3. If you are using the Extended Schema, ensure that iDRAC6 Name and iDRAC6 Domain Name match your Active Directory environment configuration.

    4. If you are using the Standard Schema, ensure that the Group Name and Group Domain match your Active Directory configuration.

    5. Navigate to the Network screen. Select System → Remote Access → iDRAC6 → Network/Security → Network. Ensure that the DNS settings are correct.

    6. Check the Domain Controller SSL certificates to ensure that iDRAC6 time is within the valid period of the certificate.

Active Directory Certificate Validation

I am using an IP address for a Domain Controller Address, and I failed certificate validation. What is the problem?

Check the Subject or Subject Alternative Name field of your domain controller certificate. Usually Active Directory uses the hostname, not the IP address, of the domain controller in the Subject or Subject Alternative Name field of the domain controller certificate. You can fix the problem by taking any of the following actions:

  • Configure the hostname (FQDN) of the domain controller as the domain controller address(es) on iDRAC6 to match the Subject or Subject Alternative Name of the server certificate.

  • Re-issue the server certificate to use an IP address in the Subject or Subject Alternative Name field so it matches the IP address configured in iDRAC6.

  • Disable certificate validation if you choose to trust this domain controller without certificate validation during the SSL handshake.
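The added example below (not Dell's code) turns the diagnosis list for the "certificate verify failed" error and the IP-address question above into a checker: it reports whether the iDRAC6 clock is outside the certificate's validity period and whether the configured Domain Controller Address matches the certificate's Subject or Subject Alternative Name, distinguishing the IP-address and domain-instead-of-host cases. The certificate fields, dates and the check_dc_certificate helper are constructed for illustration.

```python
import ipaddress
from datetime import date

# Constructed domain controller certificate fields (not a real certificate).
SAMPLE_CERT = {
    "subject_cn": "dc1.example.com",
    "san": ["dc1.example.com"],      # hostname only, no IP entry, as is usual for AD
    "not_before": "2012-01-01",
    "not_after": "2014-01-01",
}

def _is_ip(address):
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False

def check_dc_certificate(address, idrac_date, cert=SAMPLE_CERT):
    """Return the reasons validation would fail (an empty list means it passes).
    address is the Domain Controller Address configured in iDRAC6;
    idrac_date is the iDRAC6 clock as an ISO date string (hypothetical helper)."""
    reasons = []
    now = date.fromisoformat(idrac_date)
    valid_from = date.fromisoformat(cert["not_before"])
    valid_to = date.fromisoformat(cert["not_after"])
    if not valid_from <= now <= valid_to:
        reasons.append("iDRAC6 time is outside the certificate validity period")
    names = {cert["subject_cn"], *cert["san"]}
    if address not in names:
        if _is_ip(address):
            reasons.append("IP address configured but the certificate names a host; "
                           "use the FQDN or re-issue the certificate with the IP in the SAN")
        elif any(name.endswith("." + address) for name in names):
            reasons.append("address is the domain itself, not the domain controller FQDN")
        else:
            reasons.append("address does not match the Subject or Subject Alternative Name")
    return reasons
```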

Why does iDRAC6 enable certificate validation by default?

iDRAC6 enforces strong security to ensure the identity of the domain controller that iDRAC6 connects to. Without certificate validation, a hacker could spoof a domain controller and hijack the SSL connection. If you choose to trust all the domain controllers in your security boundary without certificate validation, you can disable it through the GUI or the CLI.

Extended and Standard Schema

I'm using extended schema in a multiple domain environment. How do I configure the domain controller address(es)?

Use the host name (FQDN) or the IP address of the domain controller(s) that serves the domain in which iDRAC6 object resides.

Do I need to configure Global Catalog Address(es)?

If you are using extended schema, you cannot configure global catalog addresses, because they are not used with extended schema.

If you are using standard schema, and users and role groups are from different domains, you must configure global catalog address(es). In this case, you can use only Universal Group.

If you are using standard schema, and all the users and all the role groups are in the same domain, you are not required to configure global catalog address(es).

How does standard schema query work?

iDRAC6 connects to the configured domain controller address(es) first. If the user and role groups reside in that domain, the privileges are saved.

If global catalog address(es) are configured, iDRAC6 continues to query the Global Catalog. If additional privileges are retrieved from the Global Catalog, these privileges are accumulated.

Miscellaneous

Does iDRAC6 always use LDAP over SSL?

Yes. All traffic is carried over the secure ports 636 and/or 3269.

During Test Settings, iDRAC6 performs an LDAP CONNECT only, to help isolate the problem; it never performs an LDAP BIND over an insecure connection.

Does iDRAC6 support the NetBIOS name?

Not in this release.

