|
|
Post by amithalperin on Aug 21, 2023 10:16:55 GMT
Hello, i want to deploy external LDAP service(from idm) on my cisco servers management interface via redfish. I have tried to patch some configuration in "AccountService" endpoint but i can't get to some configurations like:(in the ui) Domain. Method and Binding DN (under Binding Parameters). FIlter Attribute. someone can help me please? ![]() |
|
|
|
Post by mraineri on Aug 21, 2023 12:48:22 GMT
Just to be clear, are you trying to have your Cisco server act as an LDAP server for your environment? Or, are you trying to configure Redfish to interact with an existing LDAP service?
The Redfish configuration in AccountService is to let the Redfish service act as an LDAP client so that users can log in from a remotely-provided LDAP database. So, a Redfish client logging in can have their credentials hosted externally from the remote LDAP server. It's not used to deploy LDAP into an environment.
|
|
|
|
Post by amithalperin on Aug 21, 2023 15:29:58 GMT
I meant that I am trying to configure Redfish to interact with an existing LDAP service,
I already have an LDAP server on Idm(radhat product).
I have tried it with python script that connect the redfish api via http requests, and there are some settings that i can not get to(or I do not know how), like I mentioned above.
also, there are some settings that I succeeded to configure like:
base dn
groups attribute
ldap ip addresses(the ldap address)
|
|
|
|
Post by mraineri on Aug 21, 2023 17:03:59 GMT
Thanks for clarifying. You'll need to perform a PATCH operation on the AccountService resource (/redfish/v1/AccountService) with a payload that looks like this.
{
"LDAP": {
"ServiceEnabled": true,
"ServiceAddresses": [
"ldaps://ldap.example.org:636"
],
"Authentication": {
"AuthenticationType": "UsernameAndPassword",
"Username": "cn=Manager,dc=example,dc=org",
"Password": "LDAP SERVER PASSWORD"
},
"LDAPService": {
"SearchSettings": {
"BaseDistinguishedNames": [
"dc=example,dc=org"
],
"UsernameAttribute": "uid",
"GroupsAttribute": "memberof"
}
},
"RemoteRoleMapping": [
{
"RemoteUser": "cn=Manager,dc=example,dc=org",
"LocalRole": "Administrator"
},
{
"RemoteGroup": "cn=Admins,ou=Groups,dc=example,dc=org",
"LocalRole": "Administrator"
},
{
"RemoteGroup": "cn=PowerUsers,ou=Groups,dc=example,dc=org",
"LocalRole": "Operator"
},
{
"RemoteGroup": "(cn=*)",
"LocalRole": "ReadOnly"
}
]
}
}
Everything should be configured from inside the "LDAP" property. Inside of this object are other properties, and each of these would contain the following:
- ServiceAddresses contains the LDAP server address
- Authentication contains the credentials the Redfish service uses to communicate with the LDAP server
- LDAPService contains the SearchSettings for how you would configure the distinguished names and pertinent attributes the Redfish service needs to map.
- RemoteRoleMapping contains the mapping for how the service would take attributes from the LDAP server and apply them to a particular user to set their privilege for service.
I can certainly pass this along to some folks I know who are more familiar with the inner workings with LDAP if you need more details.
|
|
|
|
Post by amithalperin on Aug 22, 2023 7:00:29 GMT
Thanks for clarifying. You'll need to perform a PATCH operation on the AccountService resource (/redfish/v1/AccountService) with a payload that looks like this.
{
"LDAP": {
"ServiceEnabled": true,
"ServiceAddresses": [
"ldaps://ldap.example.org:636"
],
"Authentication": {
"AuthenticationType": "UsernameAndPassword",
"Username": "cn=Manager,dc=example,dc=org",
"Password": "LDAP SERVER PASSWORD"
},
"LDAPService": {
"SearchSettings": {
"BaseDistinguishedNames": [
"dc=example,dc=org"
],
"UsernameAttribute": "uid",
"GroupsAttribute": "memberof"
}
},
"RemoteRoleMapping": [
{
"RemoteUser": "cn=Manager,dc=example,dc=org",
"LocalRole": "Administrator"
},
{
"RemoteGroup": "cn=Admins,ou=Groups,dc=example,dc=org",
"LocalRole": "Administrator"
},
{
"RemoteGroup": "cn=PowerUsers,ou=Groups,dc=example,dc=org",
"LocalRole": "Operator"
},
{
"RemoteGroup": "(cn=*)",
"LocalRole": "ReadOnly"
}
]
}
}
Everything should be configured from inside the "LDAP" property. Inside of this object are other properties, and each of these would contain the following: - ServiceAddresses contains the LDAP server address
- Authentication contains the credentials the Redfish service uses to communicate with the LDAP server
- LDAPService contains the SearchSettings for how you would configure the distinguished names and pertinent attributes the Redfish service needs to map.
- RemoteRoleMapping contains the mapping for how the service would take attributes from the LDAP server and apply them to a particular user to set their privilege for service.
I can certainly pass this along to some folks I know who are more familiar with the inner workings with LDAP if you need more details.insert code here
Thanks for the response, but when i try to patch the "Authentication" Parameters and it doesn't working. all the other configuration working but this. In the response I get a message "Some of the properties in the request body cannot be updated because they are either read only, unknown or unsupported". I can send you an image of the cimc ui that presents what setting i need to configure.  |
|
|
|
Post by mraineri on Aug 22, 2023 13:26:44 GMT
Would you be able to provide the GET response for /redfish/v1/AccountService? It's possible the Cisco system didn't implement all of the expected properties in Redfish.
|
|
|
|
Post by amithalperin on Aug 22, 2023 14:59:03 GMT
Would you be able to provide the GET response for /redfish/v1/AccountService? It's possible the Cisco system didn't implement all of the expected properties in Redfish.
"LDAP": {
"AccountProviderType": "LDAPService",
"ServiceEnabled": true,
"ServiceAddresses": [
"ldaps://ldap.example.org:636"
],
"Priority": 0,
"Authentication": {
"AuthenticationType": "UsernameAndPassword"
},
"LDAPService": {
"Oem": {
"Cisco": {
"LDAPGroupAuthorizationEnabled": true
}
}
"SearchSettings": {
"BaseDistinguishedNames": [
"dc=example,dc=org"
],
"GroupsAttribute": "memberof"
}
},
"RemoteRoleMapping": [
{
"RemoteUser": "cn=Manager,dc=example,dc=org",
"LocalRole": "Administrator"
},
{
"RemoteGroup": "cn=Admins,ou=Groups,dc=example,dc=org",
"LocalRole": "Administrator"
},
{
"RemoteGroup": "cn=PowerUsers,ou=Groups,dc=example,dc=org",
"LocalRole": "Operator"
},
{
"RemoteGroup": "(cn=*)",
"LocalRole": "ReadOnly"
}
]
}
I need to configure the " filter attribure" and i dond find it...  |
|
|
|
Post by amithalperin on Aug 23, 2023 6:01:58 GMT
I need to add a lable or change something?
my last setting that i left to configure the LDAP authentication is the "filter attribure".
can you help me please?
|
|
|
|
Post by mraineri on Aug 23, 2023 13:18:44 GMT
I forwarded this along to folks at Cisco to look at to see if they can better explain how it's implemented for them. At least right now there's no standard property in the Redfish model to convey filter attributes, but if this something needed, this is something we can add into the model.
|
|
|
|
Post by amithalperin on Aug 23, 2023 14:01:52 GMT
Thank you so mutch!
|
|
|
|
Post by phanindrabec on Aug 30, 2023 21:47:01 GMT
Hello amithalperin,
Latest redfish account service schema has search LDAP setting properties but not all cisco UCS LDAP search properties are covered.
By looking at redfish account service response payload you have provided , it looks like UCS server is running with old cimc firmware.
If possible, please share redfish/v1/ and /redfish/v1/UpdateService/FirmwareInventory/CIMC so I can see product and CIMC firmware version and will suggest next steps.
|
|
|
|
Post by mraineri on Oct 13, 2023 19:07:08 GMT
So, I passed this to someone internal who has some LDAP experience and from the screenshots you provided it looks like the "Filter Attribute" really is the "UsernameAttribute" property in Redfish.
|
|
