EN
Currency:
EUR – €
Choose a currency
  • Euro EUR – €
  • United States dollar USD – $
VAT:
OT 0%
Choose your country (VAT)
  • OT All others 0%
Choose a language
  • Choose a currency
    Choose you country (VAT)
    Dedicated Servers
  • Instant
  • Custom
  • Single CPU servers
  • Dual CPU servers
  • Servers with 4th Gen CPUs
  • Servers with AMD Ryzen and Intel Core i9
  • Storage Servers
  • Servers with 10Gbps ports
  • Hosting virtualization nodes
  • GPU
  • Sale
  • VPS
  • General VPS
  • Performance VPS
  • Edge VPS
  • Storage VPS
  • VDS
  • GPU
  • Dedicated GPU server
  • VM with GPU
  • Tesla A100 80GB & H100 Servers
  • Sale
    Apps
    Cloud
  • VMware and RedHat's oVirt Сlusters
  • Proxmox VE
  • Colocation
  • Colocation in the Netherlands
  • Remote smart hands
  • Services
  • L3-L4 DDoS Protection
  • Network equipment
  • IPv4 and IPv6 address
  • Managed servers
  • SLA packages for technical support
  • Monitoring
  • Software
  • VLAN
  • Announcing your IP or AS (BYOIP)
  • USB flash/key/flash drive
  • Traffic
  • Hardware delivery for EU data centers
  • AI Chatbot Lite
  • About
  • Careers at HOSTKEY
  • Server Control Panel & API
  • Data Centers
  • Network
  • Speed test
  • Hot deals
  • Sales contact
  • Reseller program
  • Affiliate Program
  • Grants for winners
  • Grants for scientific projects and startups
  • News
  • Our blog
  • Payment terms and methods
  • Legal
  • Abuse
  • Looking Glass
  • The KYC Verification
  • Hot Deals

    21.09.2023

    Dell and Supermicro servers: authorization via LDAP

    server one
    HOSTKEY
    Rent dedicated and virtual servers with instant deployment in reliable TIER III class data centers in the Netherlands and the USA. Free protection against DDoS attacks included, and your server will be ready for work in as little as 15 minutes. 24/7 Customer Support.

    Author: DevOps Team Leader Hostkey Nikita Zubarev

    We have covered our experience integrating FreeIPA with Active Directory in several past articles (here and here), and now it's time to see how to authorize them.

    LDAP has become the de facto standard for authentication and authorization services. Popular LDAP-based solutions such as FreeIPA provide centralized account and access management. This allows software developers to easily integrate authentication via LDAP into their applications using off-the-shelf client libraries.

    Server hardware manufacturers are also actively using LDAP capabilities. For example, Supermicro has implemented FreeIPA user authentication in its IPMI system for remote server management. This eliminates the need to create accounts in the internal IPMI database for each user on each server.

    Instead of authenticating a user to the internal IPMI user database, the IPMI BMC can request FreeIPA. Users who are allowed to log in are identified by their membership in a specific security group, and access is then granted to any user who is a member . The first priority is the internal IPMI user database, the second priority is external repositories, in our case FreeIPA.

    With this approach, large server infrastructures have a single point of authentication via LDAP. This simplifies administration and tightens security compared to local accounts.

    Whether with a large or not so large fleet of iron servers, when automating management there is a need to have a "single point of entry", which provides a number of advantages (e.g. authorization via LDAP).

    When using proxies to integrate with FreeIPA, there are lots of presets on Go that can be used with tweaks, for example yazynin/supermicro-bmcldap-freeipa or bmc-toolbox/bmcldap. We've been using bmc-toolbox. It was necessary to modify the authorization mechanism according to the task and to refine the logic of requests to FreeIPA.

    We modified the user authorization scheme to conform to accepted internal security standards. In addition, we added CN attribute substitution for UID in LDAP queries to harmonize data schemas between IPMI and FreeIPA.

    Thanks to these improvements, it was possible to configure our IPMI integration with the centralized FreeIPA directory and implement a unified LDAP-based user authentication system for remote access to the servers.

    The project has three protocols, one for Dell, HP and SuperMicro respectively:

    • The HP version we skipped entirely as we do not use it.
    • To integrate with Dell servers, we needed to make changes to the LDAP query logic relative to the base version for Supermicro. First, we removed the use of the memberOf attribute because it is not supported on the Dell side. Instead, we implemented a more complex LDAP query logic to define the user groups. Secondly, we had to modify the query attributes used because in the base version they were hard-wired into Supermicro's implementation. The attributes were changed to match the data schema and Dell's requirements. Thanks to these changes, we were able to adapt the solution and configure the integration of Dell IPMI servers with the centralized LDAP, despite the differences in implementation between the different vendors.
    • The version for Supermicro and for Dell has been corrected, errors in the naming of some config variables have been fixed. Since Supermicro does not separate user rights by groups, but rather gets them from the user record, we have revised this mechanism as well. We have also added advanced logging, which makes debugging and monitoring easier.

    So, build a package and the output is a working microservice.

    To complete the integration, all that remains to connect all the existing servers to a centralized LDAP-based authentication system. Servers in the infrastructure are categorized by type (Supermicro, Dell, etc.) using tags. This allows their list to be retrieved programmatically via API.

    Use the SMCIPMITool utility to connect the servers. Configuration is done in the web-interface or via the command line:

    #SMCIPMITool ip_addr ADMIN pass ipmi oem x10cfg ldap 1 1 636 ip_addr_proxy '' supermicro cn=supermicro,cn=bmcUsers

    For Dell servers, a racadm utility is used.

    Create a text file with the following content:

    /etc/inworker/ldap.cfg
    [iDRAC.LDAP]
    BaseDN=cn=dell
    BindDN=dell
    BindPassword=pass
    CertValidationEnable=Disabled
    Enable=Enabled
    GroupAttribute=memberOf
    GroupAttributeIsDN=Disabled
    Port=636
    SearchFilter=objectClass=posixAccount
    Server=ip_addr
    UserAttribute=uid
    [iDRAC.LDAPRoleGroup.2]
    DN=cn=dell,cn=ipmi_access,cn=groups,cn=accounts,dc=infra,dc=hostkey,dc=nl
    Privilege=0x1ff

    Next, execute the following command:

     racadm -r <ip of IPMI host> -u ADMIN -p <admin_password> set -f ldap.cfg

    What it is and why it's needed

    Implementations of the IPMI protocol and its interaction with LDAP vary significantly from one server hardware vendor to another. Each vendor may have their own specific requirements for LDAP directory structure, types of queries, attributes used, and other integration nuances.

    Some vendors support work only with Active Directory, while others require custom attributes for user authorization. Supporting all these requirements within a single corporate LDAP directory is often extremely difficult and impractical.

    To solve this problem, bmcldap software was developed as a proxy server for enabling IPMI and LDAP integration. It acts as an intermediary between the hardware and the corporate directory, emulating the operation of an LDAP server from the BMC's point of view.

    Bmcldap converts requests from various vendors into a standard LDAP format. It then performs the necessary queries to the target directory and returns the result in the format expected by the particular IPMI implementation.

    This solves the compatibility issue and makes it possible to use any standard LDAP as a single repository for user authentication via IPMI in a heterogeneous IT infrastructure.

    For correct routing of LDAP requests depending on the manufacturer of the equipment, the vendor identifier is added to the DN search string:

    • cn=dell - for Dell devices;
    • cn=supermicro - for Supermicro;
    • cn=hp - for HP, etc.

    For example, for authentication on a Dell server, the DN string would look like this:

    cn=dell,cn=bmcadmins,cn=groups,cn=accounts,dc=example,dc=com

    Upon receiving a request with this DN, the bmcldap proxy server will determine that it needs to process the request specifically for Dell and will perform an LDAP lookup accordingly.

    When a server is added to an authentication configuration via LDAP, it is assigned an ldap tag. This is to avoid having to re-process the server the next time it is started.

    This approach allows for flexible customization of LDAP request handling rules in bmcldap based on the vendor ID in the DN string. This makes it easier to support heterogeneous hardware from different vendors.

    Conclusion

    The use of the bmcldap proxy server solved the problem of integrating heterogeneous server platforms from different vendors with a single corporate LDAP directory for centralized user authentication.

    The key was routing requests from BMC based on the manufacturer ID in the DN string of the LDAP request. This allowed us to realize specific processing for each type of equipment.

    Internal mechanisms of bmcldap were finalized to work correctly with Supermicro and Dell servers, and compatibility problems were eliminated.

    As a result, all servers were integrated with the bmcldap proxy server for authentication via LDAP, taking into account the peculiarities of the different IPMI implementations. This solution simplified administration and increased the security of access to the servers.

    The flexibility of the bmcldap implementation makes it possible to further extend support for new platforms without changing the underlying LDAP infrastructure.

    Rent dedicated and virtual servers with instant deployment in reliable TIER III class data centers in the Netherlands and the USA. Free protection against DDoS attacks included, and your server will be ready for work in as little as 15 minutes. 24/7 Customer Support.

    Other articles

    28.11.2024

    OpenWebUI Just Got an Upgrade: What's New in Version 0.4.5?

    OpenWebUI has been updated to version 0.4.5! New features for RAG, user groups, authentication, improved performance, and more. Learn how to upgrade and maximize its potential.

    25.11.2024

    How We Replaced the IPMI Console with HTML5 for Managing Our Servers

    Tired of outdated server management tools? See how we replaced the IPMI console with an HTML5-based system, making remote server access seamless and efficient for all users.

    25.10.2024

    TS3 Manager: What Happens When You Fill in the Documentation Gaps

    Having trouble connecting to TS3 Manager after installing it on your VPS? Managing your TeamSpeak server through TS3 Manager isn't as straightforward as it might seem. Let's troubleshoot these issues together!

    16.09.2024

    10 Tips for Open WebUI to Enhance Your Work with AI

    Unleash the true power of Open WebUI and transform your AI workflow with these 10 indispensable tips.

    27.08.2024

    Comparison of SaaS solutions for online store on Wix and WordPress.com versus an on-premise solution on a VPS with WordPress and WooCommerce

    This article compares the simplicity and cost of SaaS platforms like Wix and WordPress.com versus the flexibility and control of a VPS with WordPress and WooCommerce for e-commerce businesses.

    HOSTKEY Dedicated servers and cloud solutions Pre-configured and custom dedicated servers. AMD, Intel, GPU cards, Free DDoS protection amd 1Gbps unmetered port 30
    4.3 67 67
    Upload