- On a fresh system where no LDAP/AD configuration exists
- 1) Ran the Redfish validator: PASS
- Note: every request below uses curl -k / --insecure, so the BMC's TLS certificate is not verified. That is tolerable on a lab BMC with a self-signed certificate, but the same commands must not be reused against production BMCs without a trusted CA or certificate pinning. The -D headers.txt / -D patch.txt options also capture the response headers (including the X-Auth-Token returned on session creation) in plaintext on disk, so delete those files when the test is done.
- 2) GET request on AccountService when there is no LDAP/AD configuration
- ========================================================================
- Note: both the LDAP and ActiveDirectory blocks report ServiceEnabled false with empty ServiceAddresses, and AccountLockoutThreshold / AccountLockoutDuration are both 0, i.e. this BMC has no lockout configured after failed logins.
- curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${BMC_IP}/redfish/v1/AccountService/
- {
- "@odata.context": "/redfish/v1/$metadata#AccountService.AccountService",
- "@odata.id": "/redfish/v1/AccountService",
- "@odata.type": "#AccountService.v1_3_1.AccountService",
- "AccountLockoutDuration": 0,
- "AccountLockoutThreshold": 0,
- "Accounts": {
- "@odata.id": "/redfish/v1/AccountService/Accounts"
- },
- "ActiveDirectory": {
- "AccountProviderType": "ActiveDirectoryService",
- "AccountProviderType@Redfish.AllowableValues": [
- "ActiveDirectoryService"
- ],
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "AuthenticationType@Redfish.AllowableValues": [
- "UsernameAndPassword"
- ],
- "Password": null,
- "Username": ""
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- ""
- ],
- "GroupsAttribute": "",
- "UsernameAttribute": ""
- }
- },
- "ServiceAddresses": [
- ""
- ],
- "ServiceEnabled": false
- },
- "Description": "Account Service",
- "Id": "AccountService",
- "LDAP": {
- "AccountProviderType": "LDAPService",
- "AccountProviderType@Redfish.AllowableValues": [
- "LDAPService"
- ],
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "AuthenticationType@Redfish.AllowableValues": [
- "UsernameAndPassword"
- ],
- "Password": null,
- "Username": ""
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- ""
- ],
- "GroupsAttribute": "",
- "UsernameAttribute": ""
- }
- },
- "ServiceAddresses": [
- ""
- ],
- "ServiceEnabled": false
- },
- "MaxPasswordLength": 20,
- "MinPasswordLength": 8,
- "Name": "Account Service",
- "Roles": {
- "@odata.id": "/redfish/v1/AccountService/Roles"
- },
- "ServiceEnabled": true
- 3) PATCH with an empty nested object (rejected with Base.1.4.0.EmptyJSON)
- =============
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"LDAP":{"Authentication": {}}}'
- {
- "error": {
- "@Message.ExtendedInfo": [
- {
- "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
- "Message": "The request body submitted contained an empty JSON object and the service is unable to process it.",
- "MessageArgs": [],
- "MessageId": "Base.1.4.0.EmptyJSON",
- "Resolution": "Add properties in the JSON object and resubmit the request.",
- "Severity": "Warning"
- }
- ],
- "code": "Base.1.4.0.EmptyJSON",
- "message": "The request body submitted contained an empty JSON object and the service is unable to process it."
- }
- }
- 4) Update AccountProviderType (read-only, rejected with PropertyNotWritable)
- =============================
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"LDAP":{"AccountProviderType": "LDAPService"}}'
- {
- "AccountProviderType@Message.ExtendedInfo": [
- {
- "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
- "Message": "The property AccountProviderType is a read only property and cannot be assigned a value.",
- "MessageArgs": [
- "AccountProviderType"
- ],
- "MessageId": "Base.1.4.0.PropertyNotWritable",
- "Resolution": "Remove the property from the request body and resubmit the request if the operation failed.",
- "Severity": "Warning"
- }
- ]
- }
- 5) Update with an invalid AuthenticationType (rejected with PropertyValueNotInList)
- ====================================
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"LDAP":{"Authentication": {"AuthenticationType": "abcdef"}}}'
- {
- "AuthenticationType@Message.ExtendedInfo": [
- {
- "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
- "Message": "The value abcdef for the property AuthenticationType is not in the list of acceptable values.",
- "MessageArgs": [
- "abcdef",
- "AuthenticationType"
- ],
- "MessageId": "Base.1.4.0.PropertyValueNotInList",
- "Resolution": "Choose a value from the enumeration list that the implementation can support and resubmit the request if the operation failed.",
- "Severity": "Warning"
- }
- ]
- }
- 6) Update ServiceAddresses with an empty list
- ==============================================
- Note: an empty ServiceAddresses list is answered with Base.1.4.0.InternalError (Severity Critical) instead of a property-validation message such as PropertyValueNotInList. Input like this should be rejected by request validation before it reaches the backend; an InternalError here suggests the empty array is passed through unchecked and is worth a bug report.
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"LDAP":{"ServiceAddresses": []}}'
- {
- "error": {
- "@Message.ExtendedInfo": [
- {
- "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
- "Message": "The request failed due to an internal service error. The service is still operational.",
- "MessageArgs": [],
- "MessageId": "Base.1.4.0.InternalError",
- "Resolution": "Resubmit the request. If the problem persists, consider resetting the service.",
- "Severity": "Critical"
- }
- ],
- "code": "Base.1.4.0.InternalError",
- "message": "The request failed due to an internal service error. The service is still operational."
- }
- 9) PATCH the LDAP property (steps 7 and 8 are missing from this log).
- ===============================
- Note: this request hands the BMC a bind DN and password, and the ServiceAddresses entry is a plain ldap:// URI, so unless the BMC negotiates StartTLS (nothing in this output shows that) the bind credentials and every user password the BMC forwards travel in cleartext to 9.126.172.69; use ldaps:// for anything outside an isolated lab. The PATCH response echoes "Password": "" and the GET in step 10 returns null, so the password is write-only, which is the correct behaviour. The bind password shown here is now public; if it is anything other than a throwaway lab credential it must be rotated.
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"LDAP":{"ServiceEnabled":false, "ServiceAddresses": ["ldap://9.126.172.69/"],"Authentication": {"AuthenticationType":"UsernameAndPassword","Username": "uid=sivasjxp,dc=ldap,dc=com","Password": "india@123"}, "LDAPService": {"SearchSettings": {"BaseDistinguishedNames": ["dc=ldap,dc=com"]}}}}'
- {
- "LDAP": {
- "AccountProviderType": "LDAPService",
- "AccountProviderType@Redfish.AllowableValues": [
- "LDAPService"
- ],
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "AuthenticationType@Redfish.AllowableValues": [
- "UsernameAndPassword"
- ],
- "Password": "",
- "Username": "uid=sivasjxp,dc=ldap,dc=com"
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- "dc=ldap,dc=com"
- ],
- "GroupsAttribute": "gidNumber",
- "UsernameAttribute": "cn"
- }
- },
- "ServiceAddresses": [
- "ldap://9.126.172.69/"
- ],
- "ServiceEnabled": false
- }
- }
- 10) GET request after PATCHing the LDAP configuration.
- =============================================================
- Note: the stored Username, BaseDistinguishedNames, ServiceAddresses and the defaulted GroupsAttribute/UsernameAttribute (gidNumber/cn) are returned; the password is not (null). ServiceEnabled is still reported as false, which matters for step 11.
- curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${BMC_IP}/redfish/v1/AccountService/
- {
- "@odata.context": "/redfish/v1/$metadata#AccountService.AccountService",
- "@odata.id": "/redfish/v1/AccountService",
- "@odata.type": "#AccountService.v1_3_1.AccountService",
- "AccountLockoutDuration": 0,
- "AccountLockoutThreshold": 0,
- "Accounts": {
- "@odata.id": "/redfish/v1/AccountService/Accounts"
- },
- "ActiveDirectory": {
- "AccountProviderType": "ActiveDirectoryService",
- "AccountProviderType@Redfish.AllowableValues": [
- "ActiveDirectoryService"
- ],
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "AuthenticationType@Redfish.AllowableValues": [
- "UsernameAndPassword"
- ],
- "Password": null,
- "Username": ""
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- ""
- ],
- "GroupsAttribute": "",
- "UsernameAttribute": ""
- }
- },
- "ServiceAddresses": [
- ""
- ],
- "ServiceEnabled": false
- },
- "Description": "Account Service",
- "Id": "AccountService",
- "LDAP": {
- "AccountProviderType": "LDAPService",
- "AccountProviderType@Redfish.AllowableValues": [
- "LDAPService"
- ],
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "AuthenticationType@Redfish.AllowableValues": [
- "UsernameAndPassword"
- ],
- "Password": null,
- "Username": "uid=sivasjxp,dc=ldap,dc=com"
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- "dc=ldap,dc=com"
- ],
- "GroupsAttribute": "gidNumber",
- "UsernameAttribute": "cn"
- }
- },
- "ServiceAddresses": [
- "ldap://9.126.172.69/"
- ],
- "ServiceEnabled": false
- },
- "MaxPasswordLength": 20,
- "MinPasswordLength": 8,
- "Name": "Account Service",
- "Roles": {
- "@odata.id": "/redfish/v1/AccountService/Roles"
- },
- "ServiceEnabled": true
- 11) Login with LDAP credentials
- ==================================
- Note: the login succeeds even though the LDAP block in step 10 reports ServiceEnabled false (and the step-13 heading treats LDAP as enabled). Either ServiceEnabled does not reflect whether the BMC actually consults the directory, or the false sent in step 9 was not persisted; confirm what the flag controls before relying on it to switch remote authentication off. The session token for this user is written to headers.txt by -D.
- curl --insecure -X POST -D headers.txt https://${BMC_IP}/redfish/v1/SessionService/Sessions -d '{"UserName":"sivasjxp", "Password":"india@123"}'
- {
- "@odata.context": "/redfish/v1/$metadata#Session.Session",
- "@odata.id": "/redfish/v1/SessionService/Sessions/ZuZgsHAJLP",
- "@odata.type": "#Session.v1_0_2.Session",
- "Description": "Manager User Session",
- "Id": "ZuZgsHAJLP",
- "Name": "User Session",
- "UserName": "sivasjxp"
- }
- 12) PATCH the AD configuration
- =====================================
- Note: same caveats as step 9: a bind DN and password for a domain account are handed to the BMC and the directory is addressed over plain ldap:// (9.194.251.141), so the domain bind credential traverses the network in cleartext unless StartTLS is negotiated; ldaps:// is the safer choice, and the pasted password should be rotated if it is not a disposable lab credential.
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"ActiveDirectory":{"ServiceEnabled":false, "ServiceAddresses": ["ldap://9.194.251.141/"],"Authentication": {"AuthenticationType":"UsernameAndPassword","Username": "cn=dvtuser,cn=Users,dc=Corp,dc=ibm,dc=com","Password": "india@123"}, "LDAPService": {"SearchSettings": {"BaseDistinguishedNames": ["dc=Corp,dc=ibm,dc=com"]}}}}'
- {
- "ActiveDirectory": {
- "AccountProviderType": "ActiveDirectoryService",
- "AccountProviderType@Redfish.AllowableValues": [
- "ActiveDirectoryService"
- ],
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "AuthenticationType@Redfish.AllowableValues": [
- "UsernameAndPassword"
- ],
- "Password": "",
- "Username": "cn=dvtuser,cn=Users,dc=Corp,dc=ibm,dc=com"
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- "dc=Corp,dc=ibm,dc=com"
- ],
- "GroupsAttribute": "",
- "UsernameAttribute": ""
- }
- },
- "ServiceAddresses": [
- "ldap://9.194.251.141/"
- ],
- "ServiceEnabled": false
- }
- 13) LDAP is still enabled, so try to enable AD
- ==================================================
- Note: the request body misspells the key ("erviceEnabled" instead of "ServiceEnabled"), so this PATCH never actually asked to enable AD. The InternalError in the response may therefore be caused by the unknown property rather than by the LDAP/AD mutual exclusion this step is meant to test; re-run with the correct key before drawing a conclusion.
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"ActiveDirectory":{"erviceEnabled":true}}'
- {
- "ActiveDirectory": {
- "AccountProviderType": "ActiveDirectoryService",
- "AccountProviderType@Redfish.AllowableValues": [
- "ActiveDirectoryService"
- ],
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "AuthenticationType@Redfish.AllowableValues": [
- "UsernameAndPassword"
- ],
- "Password": null,
- "Username": "cn=dvtuser,cn=Users,dc=Corp,dc=ibm,dc=com"
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- "dc=Corp,dc=ibm,dc=com"
- ],
- "GroupsAttribute": "primaryGroupID",
- "UsernameAttribute": "sAMAccountName"
- }
- },
- "ServiceAddresses": [
- "ldap://9.194.251.141/"
- ],
- "ServiceEnabled": false
- },
- "error": {
- "@Message.ExtendedInfo": [
- {
- "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
- "Message": "The request failed due to an internal service error. The service is still operational.",
- "MessageArgs": [],
- "MessageId": "Base.1.4.0.InternalError",
- "Resolution": "Resubmit the request. If the problem persists, consider resetting the service.",
- "Severity": "Critical"
- }
- ],
- "code": "Base.1.4.0.InternalError",
- "message": "The request failed due to an internal service error. The service is still operational."
- }
- }
- 14) Disable the LDAP first
- ==========================
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"LDAP":{"ServiceEnabled":false}}'
- {
- "LDAP": {
- "AccountProviderType": "LDAPService",
- "AccountProviderType@Redfish.AllowableValues": [
- "LDAPService"
- ],
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "AuthenticationType@Redfish.AllowableValues": [
- "UsernameAndPassword"
- ],
- "Password": null,
- "Username": "uid=sivasjxp,dc=ldap,dc=com"
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- "dc=ldap,dc=com"
- ],
- "GroupsAttribute": "gidNumber",
- "UsernameAttribute": "cn"
- }
- },
- "ServiceAddresses": [
- "ldap://9.126.172.69/"
- ],
- "ServiceEnabled": false
- }
- }
- 15) Enable AD now
- =====================
- Note: as pasted the body is '{ActiveDirectory":{"ServiceEnabled":true}}', which is missing the opening quote on the key and is not valid JSON, yet the response shows ServiceEnabled true; this is most likely a transcription error in the paste. Re-run with '{"ActiveDirectory":{"ServiceEnabled":true}}' to confirm the result.
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{ActiveDirectory":{"ServiceEnabled":true}}'
- {
- "ActiveDirectory": {
- "AccountProviderType": "ActiveDirectoryService",
- "AccountProviderType@Redfish.AllowableValues": [
- "ActiveDirectoryService"
- ],
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "AuthenticationType@Redfish.AllowableValues": [
- "UsernameAndPassword"
- ],
- "Password": null,
- "Username": "cn=dvtuser,cn=Users,dc=Corp,dc=ibm,dc=com"
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- "dc=Corp,dc=ibm,dc=com"
- ],
- "GroupsAttribute": "primaryGroupID",
- "UsernameAttribute": "sAMAccountName"
- }
- },
- "ServiceAddresses": [
- "ldap://9.194.251.141/"
- ],
- "ServiceEnabled": true
- }
- }
- 16) Login with LDAP credentials (AD now the active provider)
- ================================
- Note: the LDAP user is rejected once AD is the enabled provider, as expected. The error is the generic "Invalid username or password", which does not reveal whether the account exists; keep it that way.
- curl --insecure -X POST -D headers.txt https://${BMC_IP}/redfish/v1/SessionService/Sessions -d '{"UserName":"sivasjxp", "Password":"india@123"}'
- {
- "error": {
- "@Message.ExtendedInfo": [
- {
- "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
- "Message": "While accessing the resource at /redfish/v1/SessionService/Sessions, the service received an authorization error Invalid username or password.",
- "MessageArgs": [
- "/redfish/v1/SessionService/Sessions",
- "Invalid username or password"
- ],
- "MessageId": "Base.1.4.0.ResourceAtUriUnauthorized",
- "Resolution": "Ensure that the appropriate access is provided for the service in order for it to access the URI.",
- "Severity": "Critical"
- }
- ],
- "code": "Base.1.4.0.ResourceAtUriUnauthorized",
- "message": "While accessing the resource at /redfish/v1/SessionService/Sessions, the service received an authorization error Invalid username or password."
- }
- }
- 17) Login with AD credentials
- =============================
- Note: the session response does not show which local role dvtuser received, and no RemoteRoleMapping exists at this point (it is added in step 18); check the effective privilege of this session before relying on whatever default the BMC applies to unmapped directory users.
- curl --insecure -X POST -D headers.txt https://${BMC_IP}/redfish/v1/SessionService/Sessions -d '{"UserName":"dvtuser", "Password":"india@123"}'
- {
- "@odata.context": "/redfish/v1/$metadata#Session.Session",
- "@odata.id": "/redfish/v1/SessionService/Sessions/Cjr9YSMrxc",
- "@odata.type": "#Session.v1_0_2.Session",
- "Description": "Manager User Session",
- "Id": "Cjr9YSMrxc",
- "Name": "User Session",
- "UserName": "dvtuser"
- }
- 18) Add the remote role mapping for AD
- ==========================================
- Note: Admingroup13 is mapped to Administrator, so membership of that AD group is now the boundary for full BMC administration; make sure that group is tightly controlled in the directory. The PATCH echo reports ServiceEnabled false and empty GroupsAttribute/UsernameAttribute, contradicting the true / primaryGroupID / sAMAccountName returned in step 15, so the echo may not reflect persisted state; confirm with a GET before trusting it.
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"ActiveDirectory":{"RemoteRoleMapping": [{"RemoteGroup": "Admingroup15","LocalRole": "User"},{"RemoteGroup": "Admingroup13","LocalRole": "Administrator"},{"RemoteGroup": "Admingroup14","LocalRole": "Operator"}]}}'
- {
- "@Message.ExtendedInfo": [
- {
- "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
- "Message": "Successfully Completed Request",
- "MessageArgs": [],
- "MessageId": "Base.1.4.0.Success",
- "Resolution": "None",
- "Severity": "OK"
- }
- ],
- "ActiveDirectory": {
- "AccountProviderType": "ActiveDirectoryService",
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "Password": null,
- "Username": "cn=dvtuser,cn=Users,dc=Corp,dc=ibm,dc=com"
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- "dc=Corp,dc=ibm,dc=com"
- ],
- "GroupsAttribute": "",
- "UsernameAttribute": ""
- }
- },
- "RemoteRoleMapping": [
- {
- "LocalRole": "User",
- "RemoteGroup": "Admingroup15"
- },
- {
- "LocalRole": "Administrator",
- "RemoteGroup": "Admingroup13"
- },
- {
- "LocalRole": "Operator",
- "RemoteGroup": "Admingroup14"
- }
- ],
- "ServiceAddresses": [
- "ldap://9.194.251.141/"
- ],
- "ServiceEnabled": false
- }
- 19) Delete the second remote role mapping.
- ==========================================
- Note: RemoteRoleMapping is patched positionally: {} leaves an entry unchanged and null deletes it. The echo still shows null at index 1 although step 20 returns only two entries, so the echo appears to be the request merged in rather than the stored result; confirm the deletion with a GET. The Administrator mapping (Admingroup13) survives this delete.
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"ActiveDirectory":{"RemoteRoleMapping": [{},null,{}]}}'
- {
- "@Message.ExtendedInfo": [
- {
- "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
- "Message": "Successfully Completed Request",
- "MessageArgs": [],
- "MessageId": "Base.1.4.0.Success",
- "Resolution": "None",
- "Severity": "OK"
- }
- ],
- "ActiveDirectory": {
- "AccountProviderType": "ActiveDirectoryService",
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "Password": null,
- "Username": "cn=dvtuser,cn=Users,dc=Corp,dc=ibm,dc=com"
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- "dc=Corp,dc=ibm,dc=com"
- ],
- "GroupsAttribute": "",
- "UsernameAttribute": ""
- }
- },
- "RemoteRoleMapping": [
- {
- "LocalRole": "Administrator",
- "RemoteGroup": "Admingroup13"
- },
- null,
- {
- "LocalRole": "Operator",
- "RemoteGroup": "Admingroup14"
- }
- ],
- "ServiceAddresses": [
- "ldap://9.194.251.141/"
- ],
- "ServiceEnabled": false
- }
- 20) Change the RemoteGroup of the first remote role mapping
- ========================================================
- Note: only RemoteGroup changed; the entry keeps LocalRole Administrator, so Admingroup25 now carries BMC administrator rights. Verify that is the intended group before leaving this mapping in place.
- curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"ActiveDirectory":{"RemoteRoleMapping": [{"RemoteGroup": "Admingroup25"},{}]}}'
- {
- "@Message.ExtendedInfo": [
- {
- "@odata.type": "/redfish/v1/$metadata#Message.v1_0_0.Message",
- "Message": "Successfully Completed Request",
- "MessageArgs": [],
- "MessageId": "Base.1.4.0.Success",
- "Resolution": "None",
- "Severity": "OK"
- }
- ],
- "ActiveDirectory": {
- "AccountProviderType": "ActiveDirectoryService",
- "Authentication": {
- "AuthenticationType": "UsernameAndPassword",
- "Password": null,
- "Username": "cn=dvtuser,cn=Users,dc=Corp,dc=ibm,dc=com"
- },
- "LDAPService": {
- "SearchSettings": {
- "BaseDistinguishedNames": [
- "dc=Corp,dc=ibm,dc=com"
- ],
- "GroupsAttribute": "",
- "UsernameAttribute": ""
- }
- },
- "RemoteRoleMapping": [
- {
- "LocalRole": "Administrator",
- "RemoteGroup": "Admingroup25"
- },
- {
- "LocalRole": "Operator",
- "RemoteGroup": "Admingroup14"
- }
- ],
- "ServiceAddresses": [
- "ldap://9.194.251.141/"
- ],
- "ServiceEnabled": false
- }
- }