Configuring the DRAC 5 to Use the Microsoft Active Directory Standard Schema
The Dell Remote Access Controller 5 (DRAC 5) supports Microsoft Active Directory authentication, allowing administrators to use Active Directory to manage DRAC users and access privileges. In the past, this support required administrators to irreversibly extend their existing Active Directory schema. To help maximize flexibility for different environments, including those where extending the Active Directory schema may be too complex or otherwise undesirable, DRAC 5 firmware version 1.20 allows administrators to use the standard Active Directory schema rather than the extension while still providing the same functionality.

The standard-schema approach uses Active Directory objects for configuration rather than the Dell objects in the extended schema. Administrators can create DRAC users and groups in Active Directory just like other standard objects and use them when configuring Active Directory (see Figure 1). They can carry out this configuration using any of the supported DRAC interfaces, including the Web browser–based DRAC out-of-band graphical user interface (GUI), the local and remote racadm command-line interface (CLI), or serial, Telnet, or Secure Shell (SSH) interfaces.
Configuring objects on the Active Directory server

On the Active Directory server, administrators create standard user and group objects for each role (see Figure 2). Each user should be a direct or indirect member of a group. An indirect member is a member of a group nested in another group—for example, if a user is a member of Group1, and Group1 is a member of Group2, then that user is an indirect member of Group2. DRAC 5 firmware version 1.20 supports up to 20 nesting levels.
Configuring the DRAC 5

Before configuring the DRAC 5 to use the Active Directory standard schema, administrators should enable Active Directory using any of the supported interfaces and then perform the following preliminary steps:

1. Provide the Active Directory configuration settings: In the DRAC GUI, select Configuration > Active Directory, then enter the Active Directory root domain name in the Common Settings section and select the Use Standard Schema option button in the Active Directory Schema Selection section (see Figure 3). The Active Directory root domain name must consist of a valid domain name and valid domain type (such as .com, .org, and so on) separated by a period.

2. Upload the Active Directory Certificate Authority (CA) certificate: Upload the base-64 encoded X.509 (.cer) certificate created in the Active Directory environment to the DRAC. This certificate helps the DRAC communicate securely with the Domain Name System (DNS) server to authenticate DRAC users in the Active Directory database.
Dell™ Remote Access Controller 5 (DRAC 5) firmware version 1.20 introduces several features designed to enhance flexibility when managing Dell PowerEdge™ servers. This article discusses how administrators can configure the DRAC 5 to use the standard schema of the Microsoft® Active Directory® directory service, without deploying the schema extension required by previous firmware versions.
By Raghavendra Babu and Deepak Panambur
Systems management
Dell Power Solutions | August 2007. Reprinted from Dell Power Solutions, August 2007. Copyright © 2007 Dell Inc. All rights reserved.
3. Import the DRAC server certificate: Download the DRAC 5 firmware SSL certificate and import it to all domain controller trusted-certificate lists. (This step is not required if the certificate is signed by a well-known CA.)

After completing these steps, administrators can continue configuring the DRAC using the DRAC GUI, racadm CLI, or serial, Telnet, or SSH interfaces.
Configuring the DRAC 5 with the DRAC GUI

Administrators can use the DRAC GUI to easily configure each role group with the appropriate group name, group domain, privilege level, and privileges. The privileges provided by the DRAC include nine user capabilities, which administrators can combine as needed when configuring the role groups. Figure 4 shows the default privilege level, privileges, and bit mask values for each role group.

Administrators can configure role groups by clicking on a specific group in the Active Directory Configuration and Management page of the DRAC GUI. They should first enter an appropriate group name and group domain (see Figure 5); the group name identifies the role group name in the Active Directory server associated with the DRAC, and the group domain is a fully qualified root domain name for the Active Directory forest. After entering these names, administrators should next set the privilege level and privileges using the drop-down menu and check boxes in the Role Group Privileges section. Finally, they should click the Apply link to complete the configuration.

Figure 1. DRAC 5 and Microsoft Active Directory configuration (diagram). DRAC 5 configuration: configure group name and group domain; configure role group privileges (Login to DRAC, Configure DRAC, Configure Users, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, Execute Diagnostic Commands). Microsoft Active Directory server configuration: create group object; create user object (member of group object).

Figure 2. New group creation in the Microsoft Active Directory Users and Computers snap-in for the Microsoft Management Console

Figure 3. Active Directory Configuration and Management screen in the DRAC 5 GUI

Figure 4. Default privilege level, privileges, and bit mask values for DRAC 5 role groups
Role group 1: privilege level Administrator; privileges Login to DRAC, Configure DRAC, Configure Users, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, Test Alerts, and Execute Diagnostic Commands; bit mask 0x000001ff
Role group 2: privilege level Power User; privileges Login to DRAC, Clear Logs, Execute Server Control Commands, Access Console Redirection, Access Virtual Media, and Test Alerts; bit mask 0x000000f9
Role group 3: privilege level Guest; privileges Login to DRAC (as user); bit mask 0x00000001
Role group 4: privilege level None; privileges none; bit mask 0x00000000
Role group 5: privilege level None; privileges none; bit mask 0x00000000
Configuring the DRAC 5 with the racadm CLI

The latest version of the racadm utility includes a cfgStandardSchema group and objects that allow administrators with Configure DRAC privileges to configure the DRAC 5 to use the Active Directory standard schema. Figure 6 shows these groups and objects along with their values and default settings; Figure 7 shows some example commands. When modifying group and domain names, administrators should ensure the names correspond to those on the Active Directory server. When modifying role group privileges, administrators should use the bit mask values in the cfgSSADRoleGroupPrivilege row of Figure 6 and enter the resulting bit mask value for the desired privileges. For example, to assign Login to DRAC, Configure DRAC, and Configure Users privileges to a specific group, administrators would change the cfgSSADRoleGroupPrivilege value to 0x00000007, which is the bit mask value of those three privileges using the OR operator (0x00000001 OR 0x00000002 OR 0x00000004 = 0x00000007).

Figure 5. Configure Role Group screen in the DRAC 5 GUI

Figure 6. Racadm groups and objects enabling administrators to configure the DRAC 5 to use the Microsoft Active Directory standard schema
Group cfgActiveDirectory
  Object cfgADType: values 1 (Extended schema) or 2 (Standard schema); default 1; defines which schema type is currently active.
Group cfgStandardSchema
  Object cfgSSADRoleGroupIndex: values 1–5 (role groups 1–5); default none; specifies the role group index as defined in the DRAC 5 GUI (read-only object).
  Object cfgSSADRoleGroupName: text, up to 254 characters; default none; specifies the role group name to be configured as defined in the Active Directory server.
  Object cfgSSADRoleGroupDomain: text, up to 254 characters; default none; specifies the role group domain to be configured as defined in the Active Directory server.
  Object cfgSSADRoleGroupPrivilege: default none; specifies the role group privileges to be configured as defined in the DRAC 5 GUI. Values:
    0x00000001: Login to DRAC (bit 0)
    0x00000002: Configure DRAC (bit 1)
    0x00000004: Configure Users (bit 2)
    0x00000008: Clear Logs (bit 3)
    0x00000010: Execute Server Control Commands (bit 4)
    0x00000020: Access Console Redirection (bit 5)
    0x00000040: Access Virtual Media (bit 6)
    0x00000080: Test Alerts (bit 7)
    0x00000100: Execute Diagnostic Commands (bit 8)

Figure 7. Example racadm commands when configuring the DRAC 5 to use the Microsoft Active Directory standard schema
Use Active Directory standard schema:
  racadm config -g cfgActiveDirectory -o cfgADType 2
Modify role group name:
  racadm config -g cfgStandardSchema -i index -o cfgSSADRoleGroupName group_name
Modify role group domain:
  racadm config -g cfgStandardSchema -i index -o cfgSSADRoleGroupDomain fully_qualified_domain_name
Modify role group privileges:
  racadm config -g cfgStandardSchema -i index -o cfgSSADRoleGroupPrivilege privilege_bitmask
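The bit-mask arithmetic above is easy to get wrong by hand, and a mask that is set too wide silently grants a role group privileges such as Configure Users. The following added example (not from the article or from the racadm utility) builds a cfgSSADRoleGroupPrivilege value from privilege names, decodes an existing value back to names for audit, and emits the Figure 7 commands for one role group; the group name and domain are constructed placeholders.

```python
# Added example (not from the Dell article or racadm): build, decode and audit
# DRAC 5 role-group privilege bit masks (Figure 6) and emit the racadm
# commands from Figure 7. Group name and domain below are constructed.

# Bit position of each of the nine DRAC 5 privileges (Figure 6).
PRIVILEGES = {
    "Login to DRAC": 0,
    "Configure DRAC": 1,
    "Configure Users": 2,
    "Clear Logs": 3,
    "Execute Server Control Commands": 4,
    "Access Console Redirection": 5,
    "Access Virtual Media": 6,
    "Test Alerts": 7,
    "Execute Diagnostic Commands": 8,
}
ALL_BITS = (1 << len(PRIVILEGES)) - 1  # 0x1ff, the Administrator default

def mask_from_names(names):
    """OR together the bit of each named privilege (KeyError on a misspelt name)."""
    mask = 0
    for name in names:
        mask |= 1 << PRIVILEGES[name]
    return mask

def names_from_mask(mask):
    """Decode a cfgSSADRoleGroupPrivilege value back to privilege names."""
    if mask & ~ALL_BITS:
        raise ValueError("bits above bit 8 are undefined on DRAC 5: 0x%08x" % mask)
    return [name for name, bit in PRIVILEGES.items() if (mask >> bit) & 1]

def excess_privileges(mask, allowed_names):
    """Audit: privileges set in mask that this role group should not hold."""
    return names_from_mask(mask & ~mask_from_names(allowed_names))

def racadm_commands(index, group_name, domain, mask):
    """The three Figure 7 commands for one role group (cfgSSADRoleGroupIndex 1-5)."""
    if not 1 <= index <= 5:
        raise ValueError("cfgSSADRoleGroupIndex must be 1-5")
    base = "racadm config -g cfgStandardSchema -i %d -o " % index
    return [base + "cfgSSADRoleGroupName " + group_name,
            base + "cfgSSADRoleGroupDomain " + domain,
            base + "cfgSSADRoleGroupPrivilege 0x%08x" % mask]

if __name__ == "__main__":
    # The article's example: Login to DRAC, Configure DRAC, Configure Users.
    mask = mask_from_names(["Login to DRAC", "Configure DRAC", "Configure Users"])
    print("\n".join(racadm_commands(2, "DRAC-Operators", "example.com", mask)))
    # Audit the Power User default against a tighter allowed set.
    print(excess_privileges(0x000000f9, ["Login to DRAC", "Test Alerts"]))
```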
Configuring the DRAC 5 with serial, Telnet, or SSH interfaces

Administrators can also execute the racadm CLI commands described in the preceding section from a remote system using serial, Telnet, or SSH interfaces with the appropriate syntax. For more information about configuring these interfaces, see the Dell Remote Access Controller 5 Firmware Version 1.20 User's Guide at support.dell.com/support/edocs/software/smdrac3/drac5/OM5.2.
Logging in to the DRAC 5 with Active Directory credentials

After configuring the DRAC 5 to use the Active Directory standard schema, administrators can use Active Directory credentials to log in to the DRAC through the DRAC GUI, remote racadm CLI, or a serial, Telnet, or SSH console. To log in through the DRAC GUI, they can enter https://ipaddress:portnumber (where ipaddress is the DRAC IP address) and username@domain as the credentials (where username is the user object created on the Active Directory server and domain is the Active Directory domain in which the user resides). To log in using the racadm utility, administrators can use the following command:

racadm -r ipaddress -u username@domain -p password racadm_command

To log in using a serial, Telnet, or SSH console, they can enter username@domain, domain\username, or domain/username.
Simplifying DRAC 5 integration with Active Directory

Efficient systems management can be essential in enterprise environments. By allowing administrators to choose whether to use the Active Directory standard schema or an extended schema, DRAC 5 firmware version 1.20 can help increase administrative flexibility when managing Dell PowerEdge servers.
Raghavendra Babu is an engineer analyst on the Enterprise Sustaining
Block Operations team at the Dell Bangalore Development Center. He has
a B.E. in Computer Science and Engineering from Visvesvaraya Technological
University.
Deepak Panambur is an engineer senior analyst on the Enterprise Server
Test team at the Dell Bangalore Development Center. He has an M.Tech. in
Computer Science and Engineering from Visvesvaraya Technological
University.