Prerequisites for Enabling Active Directory Authentication for the DRAC 5

  Supported Active Directory Authentication Mechanisms

  Standard Schema Active Directory Overview

  Extended Schema Active Directory Overview

  Configuring and Managing Active Directory Certificates

  Enabling SSL on a Domain Controller

  Supported Active Directory Configuration

  Using Active Directory to Log Into the DRAC 5

  Using Active Directory Single Sign-On

  Frequently Asked Questions

To use the Active Directory authentication feature of the DRAC 5, you must have already deployed an Active Directory infrastructure. The DRAC 5 Active Directory authentication supports authentication across multiple trees in a single forest. See "Supported Active Directory Configuration" for information on supported Active Directory configuration with respect to the Domain Function level, Groups, Objects, and so on.

See the Microsoft website for information on how to set up an Active Directory infrastructure, if you don't already have one.

DRAC 5 uses the standard Public Key Infrastructure (PKI) mechanism to authenticate securely into the Active Directory hence, you would also require an integrated PKI into the Active Directory infrastructure.

See the Microsoft website for more information on the PKI setup.

To correctly authenticate to all the domain controllers you will also need to enable the Secure Socket Layer (SSL) on all domain controllers. See "Enabling SSL on a Domain Controller" for more specific information.

Supported Active Directory Authentication Mechanisms

You can use Active Directory to define user access on the DRAC 5 through two methods: you can use a standard schema solution, which uses Active Directory group objects only or you can use the extended schema solution, which Dell has customized to add Dell-defined Active Directory objects. For more information about these solutions, see the sections below.

When using Active Directory to configure access to the DRAC 5, you must choose either the extended schema or the standard schema solution.

The advantages of using the standard schema solution are:

• No schema extension is required because standard schema uses Active Directory objects only.
  
  
• Configuration on Active Directory side is simple.
  
  

The advantages of using the extended schema solution are:

• All of the access control objects are maintained in Active Directory.
  
  
• Maximum flexibility in configuring user access on different DRAC 5 cards with different privilege levels.
  
  

Standard Schema Active Directory Overview

As shown in Figure 6-1, using standard schema for Active Directory integration requires configuration on both Active Directory and the DRAC 5. On the Active Directory side, a standard group object is used as a role group. A user who has DRAC 5 access will be a member of the role group. In order to give this user access to a specific DRAC 5 card, the role group name and its domain name need to be configured on the specific DRAC 5 card. Unlike the extended schema solution, the role and the privilege level is defined on each DRAC 5 card, not in the Active Directory. Up to five role groups can be configured and defined in each DRAC 5. Table 6-12 shows the privileges level of the role groups and Table 6-1shows the default role group settings.

Figure 6-1. Configuration of DRAC 5 with Microsoft Active Directory and Standard Schema

Table 6-1. Default Role Group Privileges 

NOTE: The Bit Mask values are used only when setting Standard Schema with the RACADM.

There are two ways to enable Standard Schema Active Directory:

• With the DRAC 5 web-based user interface. See "Configuring the DRAC 5 With Standard Schema Active Directory and Web-Based Interface".
  
  
• With the RACADM CLI tool. See "Configuring the DRAC 5 With Standard Schema Active Directory and RACADM".
  
  

Configuring Standard Schema Active Directory to Access Your DRAC 5

You need to perform the following steps to configure the Active Directory before an Active Directory user can access the DRAC 5:

1. On an Active Directory server (domain controller), open the Active Directory Users and Computers Snap-in.
   
   
2. Create a group or select an existing group. The name of the group and the name of this domain will need to be configured on the DRAC 5 either with the web-based interface or RACADM (see "Configuring the DRAC 5 With Standard Schema Active Directory and Web-Based Interface" or "Configuring the DRAC 5 With Standard Schema Active Directory and RACADM").
   
   
3. Add the Active Directory user as a member of the Active Directory group to access the DRAC 5.
   
   

Configuring the DRAC 5 With Standard Schema Active Directory and
Web-Based Interface

1. Open a supported Web browser window.
   
   
2. Log in to the DRAC 5 Web-based interface.
   
   
3. Expand the System tree and click Remote Access.
   
   
4. Click the Configuration tab and select Active Directory.
   
   
5. On the Active Directory Main Menu page, select Configure Active Directory and click Next.
   
   
6. In the Common Settings section:
   
   
   1. Select the Enable Active Directory check box.
      
      
   2. Type the Root Domain Name. The Root Domain Name is the fully qualified root domain name for the forest.
      
      
   3. Type the Timeout time in seconds.
      
      
7. Click Use Standard Schema in the Active Directory Schema Selection section.
   
   
8. Click Apply to save the Active Directory settings.
   
   
9. In the Role Groups column of the Standard Schema settings section, click a Role Group.
   
   

The Configure Role Group page appears, which includes a role group's Group Name, Group Domain, and Role Group Privileges.

10. Type the Group Name. The group name identifies the role group in the Active Directory associated with the DRAC 5 card.
    
    
11. Type the Group Domain. The Group Domain is the fully qualified root domain name for the forest.
    
    
12. In the Role Group Privileges page, set the group privileges.
    
    

Table 6-12 describes the Role Group Privileges.

Table 6-13 describes the Role Group Permissions. If you modify any of the permissions, the existing Role Group Privilege (Administrator, Power User, or Guest User) will change to either the Custom group or the appropriate Role Group Privilege based on the permissions modified.

13. Click Apply to save the Role Group settings.
    
    
14. Click Go Back To Active Directory Configuration and Management.
    
    
15. Click Go Back To Active Directory Main Menu.
    
    
16. Upload your domain forest Root CA certificate into the DRAC 5.
    
    
    1. Select the Upload Active Directory CA Certificate check-box and then click Next.
       
       
    2. In the Certificate Upload page, type the file path of the certificate or browse to the certificate file.
       
       

NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.

The domain controllers' SSL certificates should have been signed by the root CA. Ensure that the root CA certificate is available on your management station that is accessing the DRAC 5 (see "Exporting the Domain Controller Root CA Certificate to the DRAC 5").

3. Click Apply.
   
   

The DRAC 5 Web server automatically restarts after you click Apply.

17. Log out and then log in to the DRAC 5 to complete the DRAC 5 Active Directory feature configuration.
    
    
18. In the System tree, click Remote Access.
    
    
19. Click the Configuration tab and then click Network.
    
    

The Network Configuration page appears.

20. If Use DHCP (for NIC IP Address) is selected under Network Settings, select Use DHCP to obtain DNS server address.
    
    

To manually input a DNS server IP address, deselect Use DHCP to obtain DNS server addresses and type your primary and alternate DNS server IP addresses.

21. Click Apply Changes.
    
    

The DRAC 5 Standard Schema Active Directory feature configuration is complete.

Configuring the DRAC 5 With Standard Schema Active Directory and
RACADM

Using the following commands to configure the DRAC 5 Active Directory Feature with Standard Schema using the RACADM CLI instead of the Web-based interface.

1. Open a command prompt and type the following racadm commands:
   
   

racadm config -g cfgActiveDirectory -o cfgADEnable 1

racadm config -g cfgActiveDirectory -o cfgADType 2

racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>

racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupName <common name of the role group>

racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupDomain <fully qualified domain name>

racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupPrivilege <Bit Mask Number for specific user permissions>

racadm sslcertupload -t 0x2 -f <ADS root CA certificate>

racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>

NOTE: For Bit Mask number values, see Table B-4.

2. If DHCP is enabled on the DRAC 5 and you want to use the DNS provided by the DHCP server, type the following racadm commands:
   
   

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

3. If DHCP is disabled on the DRAC 5 or you want manually to input your DNS IP address, type the following racadm commands:
   
   

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0

racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>

racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>

Extended Schema Active Directory Overview

There are two ways to enable Extended Schema Active Directory:

• With the DRAC 5 web-based user interface. See "Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface".
  
  
• With the RACADM CLI tool. See "Configuring the DRAC 5 With Extended Schema Active Directory and RACADM".
  
  

Active Directory Schema Extensions

The Active Directory data is a distributed database of Attributes and Classes. The Active Directory schema includes the rules that determine the type of data that can be added or included in the database. The user class is one example of a Class that is stored in the database. Some example user class attributes can include the user's first name, last name, phone number, and so on. Companies can extend the Active Directory database by adding their own unique Attributes and Classes to solve environment-specific needs. Dell has extended the schema to include the necessary changes to support remote management Authentication and Authorization.

Each Attribute or Class that is added to an existing Active Directory Schema must be defined with a unique ID. To maintain unique IDs across the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs) so that when companies add extensions to the schema, they can be guaranteed to be unique and not to conflict with each other. To extend the schema in Microsoft's Active Directory, Dell received unique OIDs, unique name extensions, and uniquely linked attribute IDs for our attributes and classes that are added into the directory service.

Dell extension is: dell

Dell base OID is: 1.2.840.113556.1.8000.1280

RAC LinkID range is: 12070 to 12079

The Active Directory OID database maintained by Microsoft can be viewed at http://msdn.microsoft.com/certification/ADAcctInfo.asp by entering our extension Dell.

Overview of the RAC Schema Extensions

To provide the greatest flexibility in the multitude of customer environments, Dell provides a group of properties that can be configured by the user depending on the desired results. Dell has extended the schema to include an Association, Device, and Privilege property. The Association property is used to link together the users or groups with a specific set of privileges to one or more RAC devices. This model provides an Administrator maximum flexibility over the different combinations of users, RAC privileges, and RAC devices on the network without adding too much complexity.

Active Directory Object Overview

For each of the physical RACs on the network that you want to integrate with Active Directory for Authentication and Authorization, create at least one Association Object and one RAC Device Object. You can create multiple Association Objects, and each Association Object can be linked to as many users, groups of users, or RAC Device Objects as required. The users and RAC Device Objects can be members of any domain in the enterprise.

However, each Association Object can be linked (or, may link users, groups of users, or RAC Device Objects) to only one Privilege Object. This example allows an Administrator to control each user's privileges on specific RACs.

The RAC Device object is the link to the RAC firmware for querying Active Directory for authentication and authorization. When a RAC is added to the network, the Administrator must configure the RAC and its device object with its Active Directory name so users can perform authentication and authorization with Active Directory. Additionally, the Administrator must add the RAC to at least one Association Object in order for users to authenticate.

Figure 6-2 illustrates that the Association Object provides the connection that is needed for all of the Authentication and Authorization.

Figure 6-2. Typical Setup for Active Directory Objects

NOTE: The RAC privilege object applies to both DRAC 4 and DRAC 5.

You can create as many or as few association objects as required. However, you must create at least one Association Object, and you must have one RAC Device Object for each RAC (DRAC 5) on the network that you want to integrate with Active Directory for Authentication and Authorization with the RAC (DRAC 5).

The Association Object allows for as many or as few users and/or groups as well as RAC Device Objects. However, the Association Object only includes one Privilege Object per Association Object. The Association Object connects the "Users" who have "Privileges" on the RACs (DRAC 5s).

Additionally, you can configure Active Directory objects in a single domain or in multiple domains. For example, you have two DRAC 5 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). You want to give user1 and user2 an administrator privilege to both DRAC 5 cards and give user3 a login privilege to the RAC2 card. Figure 6-3 shows how you set up the Active Directory objects in this scenario.

When adding Universal Groups from separate domains, create an Association Object with Universal Scope. The Default Association objects created by the Dell Schema Extender Utility are Domain Local Groups and will not work with Universal Groups from other domains.

Figure 6-3. Setting Up Active Directory Objects in a Single Domain

To configure the objects for the single domain scenario, perform the following tasks:

1. Create two Association Objects.
   
   
2. Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 5 cards.
   
   
3. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and Priv2 has login privileges.
   
   
4. Group user1 and user2 into Group1.
   
   
5. Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1, RAC2 as RAC Devices in AO1.
   
   
6. Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.
   
   

See" Adding DRAC 5 Users and Privileges to Active Directory" for detailed instructions.

Figure 6-4 provides an example of Active Directory objects in multiple domains. In this scenario, you have two DRAC 5 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). User1 is in Domain1, and user2 and user 3 are in Domain2. In this scenario, configure user1 and user 2 with administrator privileges to both DRAC 5 cards and configure user3 with login privileges to the RAC2 card.

Figure 6-4. Setting Up Active Directory Objects in Multiple Domains

To configure the objects for the multiple domain scenario, perform the following tasks:

1. Ensure that the domain forest function is in Native or Windows 2003 mode.
   
   
2. Create two Association Objects, AO1 (of Universal scope) and AO2, in any domain.
   
   

Figure 6-4 shows the objects in Domain2.

3. Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 5 cards.
   
   
4. Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and Priv2 has login privileges.
   
   
5. Group user1 and user2 into Group1. The group scope of Group1 must be Universal.
   
   
6. Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1, RAC2 as RAC Devices in AO1.
   
   
7. Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.
   
   

Configuring Extended Schema Active Directory to Access Your DRAC 5

Before using Active Directory to access your DRAC 5, configure the Active Directory software and the DRAC 5 by performing the following steps in order:

1. Extend the Active Directory schema (see "Extending the Active Directory Schema").
   
   
2. Extend the Active Directory Users and Computers Snap-in (see "Installing the Dell Extension to the Active Directory Users and Computers Snap-In").
   
   
3. Add DRAC 5 users and their privileges to Active Directory (see "Adding DRAC 5 Users and Privileges to Active Directory").
   
   
4. Enable SSL on each of your domain controllers (see "Enabling SSL on a Domain Controller").
   
   
5. Configure the DRAC 5 Active Directory properties using either the DRAC 5 Web-based interface or the RACADM (see "Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface" or "Configuring the DRAC 5 With Extended Schema Active Directory and RACADM").
   
   

Extending the Active Directory Schema

Extending your Active Directory schema adds a Dell organizational unit, schema classes and attributes, and example privileges and association objects to the Active Directory schema. Before you extend the schema, ensure that you have Schema Admin privileges on the Schema Master Flexible Single Master Operation (FSMO) Role Owner of the domain forest.

You can extend your schema using one of the following methods:

• Dell Schema Extender utility
  
  
• LDIF script file
  
  

If you use the LDIF script file, the Dell organizational unit will not be added to the schema.

The LDIF files and Dell Schema Extender are located on your Dell Systems Management Tools and Documentation DVD in the following respective directories:

• DVD drive:\support\OMActiveDirectory Tools\RAC4-5\LDIF_Files
  
  
• DVD drive:\support\OMActiveDirectory Tools\RAC4-5\Schema_Extender
  
  

To use the LDIF files, see the instructions in the readme included in the LDIF_Files directory. To use the Dell Schema Extender to extend the Active Directory Schema, see "Using the Dell Schema Extender."

You can copy and run the Schema Extender or LDIF files from any location.

Using the Dell Schema Extender

NOTICE: The Dell Schema Extender uses the SchemaExtenderOem.ini file. To ensure that the Dell Schema Extender utility functions properly, do not modify the name of this file.

1. In the Welcome screen, click Next.
   
   
2. Read and understand the warning and click Next.
   
   
3. Select Use Current Log In Credentials or enter a user name and password with schema administrator rights.
   
   
4. Click Next to run the Dell Schema Extender.
   
   
5. Click Finish.
   
   

The schema is extended. To verify the schema extension, use the Microsoft Management Console (MMC) and the Active Directory Schema snap-in to verify that the following exist:

• Classes (see Table 6-2 through Table 6-7)
  
  
• Attributes (Table 6-8)
  
  

See your Microsoft documentation for more information on how to enable and use the Active Directory Schema snap-in the MMC.

Table 6-2. Class Definitions for Classes Added to the Active Directory Schema

Table 6-3. dellRacDevice Class

Table 6-4. dellAssociationObject Class 

Table 6-5. dellRAC4Privileges Class

Table 6-6. dellPrivileges Class

Table 6-7. dellProduct Class

Table 6-8. List of Attributes Added to the Active Directory Schema 

Installing the Dell Extension to the Active Directory Users and Computers Snap-In

When you extend the schema in Active Directory, you must also extend the Active Directory Users and Computers snap-in so the administrator can manage RAC (DRAC 5) devices, Users and User Groups, RAC Associations, and RAC Privileges.

When you install your systems management software using the Dell Systems Management Tools and Documentation DVD, you can extend the snap-in by selecting the Dell Extension to the Active Directory User's and Computers Snap-In option during the installation procedure. See the Dell OpenManage Software Quick Installation Guide for additional instructions about installing systems management software.

For more information about the Active Directory User's and Computers snap-in, see your Microsoft documentation.

Installing the Administrator Pack

You must install the Administrator Pack on each system that is managing the Active Directory DRAC 5 Objects. If you do not install the Administrator Pack, you cannot view the Dell RAC Object in the container.

See "Opening the Active Directory Users and Computers Snap-In" for more information.

Opening the Active Directory Users and Computers Snap-In

To open the Active Directory Users and Computers snap-in:

1. If you are logged into the domain controller, click Start Admin Tools→ Active Directory Users and Computers.
   
   

If you are not logged into the domain controller, you must have the appropriate Microsoft Administrator Pack installed on your local system. To install this Administrator Pack, click Start→ Run, type MMC, and press Enter.

The Microsoft Management Console (MMC) appears.

2. In the Console 1 window, click File (or Console on systems running Windows 2000).
   
   
3. Click Add/Remove Snap-in.
   
   
4. Select the Active Directory Users and Computers snap-in and click Add.
   
   
5. Click Close and click OK.
   
   

Adding DRAC 5 Users and Privileges to Active Directory

Using the Dell-extended Active Directory Users and Computers snap-in, you can add DRAC 5 users and privileges by creating RAC, Association, and Privilege objects. To add each object type, perform the following procedures:

• Create a RAC device Object
  
  
• Create a Privilege Object
  
  
• Create an Association Object
  
  
• Add objects to an Association Object
  
  

Creating a RAC Device Object

1. In the MMC Console Root window, right-click a container.
   
   
2. Select New→ Dell RAC Object.
   
   

The New Object window appears.

3. Type a name for the new object. The name must be identical to the DRAC 5 Name that you will type in step a of "Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface."
   
   
4. Select RAC Device Object.
   
   
5. Click OK.
   
   

Creating a Privilege Object

NOTE: A Privilege Object must be created in the same domain as the related Association Object.

1. In the Console Root (MMC) window, right-click a container.
   
   
2. Select New→ Dell RAC Object.
   
   

The New Object window appears.

3. Type a name for the new object.
   
   
4. Select Privilege Object.
   
   
5. Click OK.
   
   
6. Right-click the privilege object that you created, and select Properties.
   
   
7. Click the RAC Privileges tab and select the privileges that you want the user to have (for more information, see Table 5-4).
   
   

Creating an Association Object

The Association Object is derived from a Group and must contain a Group Type. The Association Scope specifies the Security Group Type for the Association Object. When you create an Association Object, choose the Association Scope that applies to the type of objects you intend to add.

For example, if you select Universal, the association objects are only available when the Active Directory Domain is functioning in Native Mode or above.

1. In the Console Root (MMC) window, right-click a container.
   
   
2. Select New→ Dell RAC Object.
   
   

This opens the New Object window.

3. Type a name for the new object.
   
   
4. Select Association Object.
   
   
5. Select the scope for the Association Object.
   
   
6. Click OK.
   
   

Adding Objects to an Association Object

Using the Association Object Properties window, you can associate users or user groups, privilege objects, and RAC devices or RAC device groups. If your system is running Windows 2000 mode or higher, use Universal Groups to span domains with your user or RAC objects.

You can add groups of Users and RAC devices. The procedure for creating Dell-related groups and non-Dell-related groups is identical.

Adding Users or User Groups

1. Right-click the Association Object and select Properties.
   
   
2. Select the Users tab and click Add.
   
   
3. Type the user or User Group name and click OK.
   
   

Click the Privilege Object tab to add the privilege object to the association that defines the user's or user group's privileges when authenticating to a RAC device. Only one privilege object can be added to an Association Object.

Adding Privileges

1. Select the Privileges Object tab and click Add.
   
   
2. Type the Privilege Object name and click OK.
   
   

Click the Products tab to add one or more RAC devices to the association. The associated devices specify the RAC devices connected to the network that are available for the defined users or user groups. Multiple RAC devices can be added to an Association Object.

Adding RAC Devices or RAC Device Groups

To add RAC devices or RAC device groups:

1. Select the Products tab and click Add.
   
   
2. Type the RAC device or RAC device group name and click OK.
   
   
3. In the Properties window, click Apply and click OK.
   
   

Configuring the DRAC 5 With Extended Schema Active Directory and
Web-Based Interface

1. Open a supported Web browser window.
   
   
2. Log in to the DRAC 5 Web-based interface.
   
   
3. Expand the System tree and click Remote Access.
   
   
4. Click the Configuration tab and select Active Directory.
   
   
5. On the Active Directory Main Menu page, select Configure Active Directory and click Next.
   
   
6. In the Common Settings section:
   
   
   1. Select the Enable Active Directory check box.
      
      
   2. Type the Root Domain Name. The Root Domain Name is the fully qualified root domain name for the forest.
      
      
   3. Type the Timeout time in seconds.
      
      
7. Click Use Extended Schema in the Active Directory Schema Selection section.
   
   
8. In the Extended Schema Settings section:
   
   
   1. Type the DRAC Name. This name must be the same as the common name of the new RAC object you created in your Domain Controller (see step 3 of Creating a RAC Device Object).
      
      
   2. Type the DRAC Domain Name (for example, drac5.com). Do not use the NetBIOS name. The DRAC Domain Name is the fully qualified domain name of the sub-domain where the RAC Device Object is located.
      
      
9. Click Apply to save the Active Directory settings.
   
   
10. Click Go Back To Active Directory Main Menu.
    
    
11. Upload your domain forest Root CA certificate into the DRAC 5.
    
    
    1. Select the Upload Active Directory CA Certificate check-box and then click Next.
       
       
    2. In the Certificate Upload page, type the file path of the certificate or browse to the certificate file.
       
       

NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.

The domain controllers' SSL certificates should have been signed by the root CA. Have the root CA certificate available on your management station accessing the DRAC 5 (see "Exporting the Domain Controller Root CA Certificate to the DRAC 5").

3. Click Apply.
   
   

The DRAC 5 Web server automatically restarts after you click Apply.

12. Log out and then log in to the DRAC 5 to complete the DRAC 5 Active Directory feature configuration.
    
    
13. In the System tree, click Remote Access.
    
    
14. Click the Configuration tab and then click Network.
    
    

The Network Configuration page appears.

15. If Use DHCP (for NIC IP Address) is selected under Network Settings, then select Use DHCP to obtain DNS server address.
    
    

To manually input a DNS server IP address, deselect Use DHCP to obtain DNS server addresses and type your primary and alternate DNS server IP addresses.

16. Click Apply Changes.
    
    

The DRAC 5 Extended Schema Active Directory feature configuration is complete.

Configuring the DRAC 5 With Extended Schema Active Directory and
RACADM

Using the following commands to configure the DRAC 5 Active Directory Feature with Extended Schema using the RACADM CLI tool instead of the Web-based interface.

1. Open a command prompt and type the following racadm commands:
   
   

racadm config -g cfgActiveDirectory -o cfgADEnable 1

racadm config -g cfgActiveDirectory -o cfgADType 1

racadm config -g cfgActiveDirectory -o cfgADRacDomain <fully qualified rac domain name>

racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>

racadm config -g cfgActiveDirectory -o cfgADRacName <RAC common name>

racadm sslcertupload -t 0x2 -f <ADS root CA certificate>

racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>

2. If you want to specify an LDAP, Global Catalog server, or Association Object domain instead of using the servers returned by the DNS server to search for a user name, type the following command to enable the Specify Server option:
   
   

racadm config -g cfgActive Directory -o cfgADSpecifyServer Enable 1

NOTE: If you use this option, the hostname in the CA certificate is not matched against the name of the specified server. This is particularly useful if you are a DRAC administrator because it enables you to enter a hostname as well as an IP address.

After the Specify Server option is enabled, you can specify an LDAP server or a Global Catalog server, with an IP address or a fully qualified domain name of the server (FQDN). The FQDN consists of the hostname and the domain name of the server.

NOTE: If you are using Active Directory authentication based on Kerberos, specify only the FQDN of the server; specifying the IP address is not supported. For more information, see "Enabling Kerberos Authentication."

To specify an LDAP server using the command line interface (CLI), type:

racadm config -g cfgActive Directory -o cfgADDomainController <fully qualified domain name or IP address>

To specify a Global Catalog server using the command line interface (CLI), type:

racadm config -g cfgActive Directory -o cfgGlobalCatalog <fully qualified domain name or IP address>

To specify an Association Object domain using the command line interface (CLI), type:

racadm config -g cfgActive Directory -o cfgAODomain <domain>:<fully qualified domain name or IP address>

where <domain> is the domain where the Association Object resides and IP/FQDN is the IP address or the FQDN of the specific host (Domain Controller of domain) to which the DRAC 5 connects.

To specify the Association Object, ensure that you provide the IP or FQDN of the Global Catalog also.

NOTE: If you specify the IP address as 0.0.0.0, DRAC 5 will not search for any server.

You can specify a list of LDAP, Global Catalog servers, or Association Objects separated by commas. DRAC 5 allows you to specify up to four IP addresses or hostnames.

If LDAPS is not correctly configured for all domains and applications, enabling it may produce unexpected results during the functioning of the existing applications/domains.

If you configure the Domain Controller under the Specify Server option on the DRAC and if the Association Object contains the user and RAC object on the same domain, the Active Directory login using Extended Schema will be successful. However, if either the user or the RAC object on the association is from a different domain, and if you provide only the domain controller information, the Active Directory login using Extended Schema will fail. In this case, you should configure the global catalog option to be able to log in.

3. If DHCP is enabled on the DRAC 5 and you want to use the DNS provided by the DHCP server, type the following racadm command:
   
   

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

4. If DHCP is disabled on the DRAC 5 or you want manually to input your DNS IP address, type following racadm commands:
   
   

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0

racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>

racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>

5. Press Enter to complete the DRAC 5 Active Directory feature configuration.
   
   

Accumulating Privileges Using Extended Schema

The Extended Schema Authentication mechanism supports Privilege Accumulation from different privilege objects associated with the same user through different Association Objects. In other words, Extended Schema Authentication accumulates privileges to allow the user the super set of all assigned privileges corresponding to the different privilege objects associated with the same user.

Figure 6-5 provides an example of accumulating privileges using Extended Schema.

Figure 6-5. Privilege Accumulation for a User

The figure shows two Association Objects—A01 and A02. These Association Objects may be part of the same or different domains. User1 is associated to RAC1 and RAC2 through both association objects. Therefore, User1 has accumulated privileges that results when combining the Privileges set for objects Priv1 and Priv2.

For example, Priv1 had the privileges: Login, Virtual Media, and Clear Logs and Privr2 had the privileges: Login, Configure DRAC, and Test Alerts. User1 will now have the privilege set: Login, Virtual Media, Clear Logs, Configure DRAC, and Test Alerts, which is the combined privilege set of Priv1 and Priv2

Extended Schema Authentication, thus, accumulates privileges to allow the user the maximum set of privileges possible considering the assigned privileges of the different privilege objects associated to the same user.

Configuring and Managing Active Directory Certificates

To access the Active Directory Main Menu:

1. Expand the System tree and click Remote Access.
   
   
2. Click the Configuration tab and click Active Directory.
   
   

Table 6-9 lists the Active Directory Main Menu page options.

Table 6-9. Active Directory Main Menu Page Options

Configuring Active Directory (Standard Schema and Extended Schema)

1. In the Active Directory Main Menu page, select Configure Active Directory and click Next.
   
   
2. In the Active Directory Configuration and Management page, enter the Active Directory settings.
   
   

Table 6-10 describes the Active Directory Configuration and Management page settings.

3. Click Apply to save the settings.
   
   
4. Click the appropriate Active Directory Configuration page button to continue. See Table 6-11.
   
   
5. To configure the Role Groups for Active Directory Standard Schema, click on the individual Role Group (1-5). See Table 6-12 and Table 6-13.
   
   

NOTE: To save the settings on the Active Directory Configuration and Management page, you have to click Apply before proceeding to the Custom Role Group page.

Table 6-10. Active Directory Configuration and Management Page Settings 

Table 6-11. Active Directory Configuration and Management Page Buttons

Table 6-12. Role Group Privileges 

Table 6-13. Role Group Permissions 

Uploading an Active Directory CA Certificate

1. In the Active Directory Main Menu page, select Upload Active Directory CA Certificate and click Next.
   
   
2. In the Certificate Upload page, in the File Path field, type the file path of the certificate or click Browse to navigate to the certificate file.
   
   

NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.

3. Click Apply.
   
   
4. Click the appropriate Certificate Upload page button to continue. See Table 6-11.
   
   

Downloading a DRAC Server Certificate

1. In the Active Directory Main Menu page, select Download DRAC Server Certificate and click Next.
   
   
2. In the File Download window, click Save and save the file to a directory on your system.
   
   
3. In the Download Complete window, click Close.
   
   

Viewing an Active Directory CA Certificate

Use the Active Directory Main Menu page to view a CA server certificate for your DRAC 5.

1. In the Active Directory Main Menu page, select View Active Directory CA Certificate and click Next.
   
   

Table 6-14 describes the fields and associated descriptions listed in the Certificate window.

2. Click the appropriate View Active Directory CA Certificate page button to continue. See Table 6-11.
   
   

Table 6-14. Active Directory CA Certificate Information

Enabling SSL on a Domain Controller

When the DRAC 5 authenticates users against an Active Directory domain controller, it starts an SSL session with the domain controller. At this time, the domain controller should publish a certificate signed by the Certificate Authority (CA)—the root certificate of which is also uploaded into the DRAC 5. In other words, for DRAC 5 to be able to authenticate to any domain controller—whether it is the root or the child domain controller—that domain controller should have an SSL-enabled certificate signed by the domain's CA.

If you are using Microsoft Enterprise Root CA to automatically assign all your domain controllers to an SSL certificate, perform the following steps to enable SSL on each domain controller:

1. Enable SSL on each of your domain controllers by installing the SSL certificate for each controller.
   
   
   1. Click Start→ Administrative Tools→ Domain Security Policy.
      
      
   2. Expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and click Automatic Certificate Request.
      
      
   3. In the Automatic Certificate Request Setup Wizard, click Next and select Domain Controller.
      
      
   4. Click Next and click Finish.
      
      

Exporting the Domain Controller Root CA Certificate to the DRAC 5

NOTE: If your system is running Windows 2000, the following steps may vary.

1. Locate the domain controller that is running the Microsoft Enterprise CA service.
   
   
2. Click Start→ Run.
   
   
3. In the Run field, type mmc and click OK.
   
   
4. In the Console 1 (MMC) window, click File (or Console on Windows 2000 machines) and select Add/Remove Snap-in.
   
   
5. In the Add/Remove Snap-In window, click Add.
   
   
6. In the Standalone Snap-In window, select Certificates and click Add.
   
   
7. Select Computer account and click Next.
   
   
8. Select Local Computer and click Finish.
   
   
9. Click OK.
   
   
10. In the Console 1 window, expand the Certificates folder, expand the Personal folder, and click the Certificates folder.
    
    
11. Locate and right-click the root CA certificate, select All Tasks, and click Export... .
    
    
12. In the Certificate Export Wizard, click Next, and select No do not export the private key.
    
    
13. Click Next and select Base-64 encoded X.509 (.cer) as the format.
    
    
14. Click Next and save the certificate to a directory on your system.
    
    
15. Upload the certificate you saved in step 14 to the DRAC 5.
    
    

To upload the certificate using RACADM, see "Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface".

To upload the certificate using the Web-based interface, perform the following procedure:

1. Open a supported Web browser window.
   
   
2. Log in to the DRAC 5 Web-based interface.
   
   
3. Expand the System tree and click Remote Access.
   
   
4. Click the Configuration tab, and then click Security.
   
   
5. In the Security Certificate Main Menu page, select Upload Server Certificate and click Apply.
   
   
6. In the Certificate Upload screen, perform one of the following procedures:
   
   
   • Click Browse and select the certificate
     
     
   • In the Value field, type the path to the certificate.
     
     
7. Click Apply.
   
   

Importing the DRAC 5 Firmware SSL Certificate

NOTE: If the Active Directory Server is set to authenticate the client during an SSL session initialization phase, you need to upload the DRAC 5 Server certificate to the Active Directory Domain controller as well. This additional step is not required if the Active Directory does not perform a client authentication during an SSL session's initialization phase.

Use the following procedure to import the DRAC 5 firmware SSL certificate to all domain controller trusted certificate lists.

NOTE: If your system is running Windows 2000, the following steps may vary.

NOTE: If the DRAC 5 firmware SSL certificate is signed by a well-known CA, you are not required to perform the steps in this section.

The DRAC 5 SSL certificate is the identical certificate used for the DRAC 5 Web server. All DRAC 5 controllers are shipped with a default self-signed certificate.

To access the certificate using the DRAC 5 Web-based interface, select Configuration→ Active Directory→ Download DRAC 5 Server Certificate.

1. On the domain controller, open an MMC Console window and select Certificates→ Trusted Root Certification Authorities.
   
   
2. Right-click Certificates, select All Tasks and click Import.
   
   
3. Click Next and browse to the SSL certificate file.
   
   
4. Install the RAC SSL Certificate in each domain controller's Trusted Root Certification Authority.
   
   

If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authority list. If the Authority is not in the list, you must install it on all your Domain Controllers.

5. Click Next and select whether you would like Windows to automatically select the certificate store based on the type of certificate, or browse to a store of your choice.
   
   
6. Click Finish and click OK.
   
   

Setting the SSL Time on the DRAC 5

When the DRAC 5 authenticates an Active Directory user, the DRAC 5 also verifies the certificate published by the Active Directory server to ensure that the DRAC is communicating with an authorized Active Directory server.

This check also ensures that the validity of the certificate is within the time range specified by the DRAC 5. However, there could be a mismatch between the time zones specified on the certificate and the DRAC 5. This could happen when the DRAC 5 time reflects the local system time and the certificate reflects time in GMT.

To ensure that the DRAC 5 uses the GMT time to compare with the certificate times, you must set the time zone offset object.

racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset <offset value>

See "cfgRacTuneTimezoneOffset (Read/Write)" for more details.

Supported Active Directory Configuration

The Active Directory querying algorithm of the DRAC 5 supports multiple trees in a single forest.

DRAC 5 Active Directory Authentication supports mixed mode (that is, the domain controllers in the forest run different operating systems, such as Microsoft Windows NT® 4.0, Windows 2000, or Windows Server 2003). However, all objects used by the DRAC 5 querying process (among user, RAC Device Object, and Association Object) should be in the same domain. The Dell-extended Active Directory Users and Computers snap-in checks the mode and limits users in order to create objects across domains if in mixed mode.

DRAC 5 Active Directory supports multiple domain environments provided the domain forest function level is Native mode or Windows 2003 mode. In addition, the groups among Association Object, RAC user objects, and RAC Device Objects (including Association Object) must be universal groups.

NOTE: The Association Object and the Privilege Object must be in the same domain. The Dell-extended Active Directory Users and Computers snap-in forces you to create these two objects in the same domain. Other objects can be in different domains.

Using Active Directory to Log Into the DRAC 5

You can use Active Directory to log in to the DRAC 5 using one of the following methods:

• Web-based interface
  
  
• Remote RACADM
  
  
• Serial or telnet console.
  
  

The login syntax is the same for all three methods:

<username@domain>

or

<domain>\<username> or <domain>/<username>

where username is an ASCII string of 1–256 bytes.

White space and special characters (such as \, /, or @) cannot be used in the user name or the domain name.

NOTE: You cannot specify NetBIOS domain names, such as Americas, because these names cannot be resolved.

You can also log into the DRAC 5 using the Smart Card. For more information, see "Logging Into the DRAC 5 Using Active Directory Smart Card Authentication."

Using Active Directory Single Sign-On

You can enable the DRAC 5 to use Kerberos—a network authentication protocol—to enable single sign-on and log into the DRAC 5. For more information on setting up the DRAC 5 to use the Active Directory Single Sign-On feature, see "Enabling Kerberos Authentication."

Configuring the DRAC 5 to Use Single Sign-On

1. Navigate to Remote Access→ Configuration tab→ Active Directory subtab→ select Configure Active Directory.
   
   
2. On the Active Directory Configuration and Management page, select Single Sign-On.
   
   

This option enables you to log into the DRAC 5 directly after logging into your workstation.

Logging Into the DRAC 5 Using Single Sign-On

1. Log into your work station using your network account.
   
   
2. Access DRAC Web page using https.
   
   

https://<IP address>

If the default HTTPS port number (port 443) has been changed, type:

https://<IP address>:<port number>

where IP address is the IP address for the DRAC 5 and port number is the HTTPS port number.

The DRAC 5 Single Sign-On page appears.

3. Click Login.
   
   

The DRAC 5 logs you in, using your credentials that were cached in the operating system when you logged in using your valid Active Directory account.

Frequently Asked Questions

Are there any restrictions on Domain Controller SSL configuration?

Yes. All Active Directory servers' SSL certificates in the forest must be signed by the same root CA since DRAC 5 only allows uploading one trusted CA SSL certificate.

I created and uploaded a new RAC certificate and now the Web-based interface does not launch.

If you use Microsoft Certificate Services to generate the RAC certificate, one possible cause of this is you inadvertently chose User Certificate instead of Web Certificate when creating the certificate.

To recover, generate a CSR and then create a new web certificate from Microsoft Certificate Services and load it using the RACADM CLI from the managed system by using the following racadm commands:

racadm sslcsrgen [-g] [-u] [-f {filename}]

racadm sslcertupload -t 1 -f {web_sslcert}

What can I do if I cannot log into the DRAC 5 using Active Directory authentication? How do I troubleshoot the issue?

1. Ensure that you use the correct user domain name during a login and not the NetBIOS name.
   
   
2. If you have a local DRAC user account, log into the DRAC 5 using your local credentials.
   
   

After you are logged in:

1. Ensure that you have checked the Enable Active Directory box on the DRAC 5 Active Directory configuration page.
   
   
2. Ensure that the DNS setting is correct on the DRAC 5 Networking configuration page.
   
   
3. Ensure that you have uploaded the Active Directory certificate from your Active Directory root CA to the DRAC 5.
   
   
4. Check the Domain Controller SSL certificates to ensure that they have not expired.
   
   
5. Ensure that your DRAC Name, Root Domain Name, and DRAC Domain Name match your Active Directory environment configuration.
   
   
6. Ensure that the DRAC 5 password has a maximum of 127 characters. While the DRAC 5 can support passwords of up to 256 characters, Active Directory only supports passwords that have a maximum length of 127 characters.
   
   

Back to Contents Page