dell / iDRAC-Redfish-Scripting

Python and PowerShell scripting for Dell EMC PowerEdge iDRAC REST API with DMTF Redfish
GNU General Public License v2.0
606 stars 279 forks

idrac 8 and ldap #113

Closed beren41 closed 4 years ago

beren41 commented 4 years ago

Hi. Why is it difficult to use Redfish to configure LDAP parameters in iDRAC 8? If possible, tell us which link in Redfish contains the LDAP parameters. I am ready to write a script =). If this is not possible, please tell me how to automate the connection to LDAP on iDRAC 8.

texroemer commented 4 years ago

Hi @beren41

iDRAC 7/8 doesn't support the PATCH operation to set individual iDRAC attributes; you will need to leverage the OEM Server Configuration Profile (SCP) feature to do this. The example below shows using SCP to import an XML file to change iDRAC LDAP settings. I also pasted the XML example below it, which you can leverage; this XML contains all iDRAC LDAP settings which can be configured.

C:\Python38-32>ImportSystemConfigurationLocalFilenameREDFISH.py -ip 192.168.0.120 -u root -p calvin -t IDRAC -f configure_iDRAC_LDAP.xml

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: Enable LDAP ErrCode: 0 Name: LDAP.1#Enable NewValue: Enabled OldValue: Disabled Severity: OK

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: LDAP Server ErrCode: 0 Name: LDAP.1#Server NewValue: 192.168.0.140 OldValue: 192.168.0.130 Severity: OK

Message: Successfully imported and applied Server Configuration Profile. MessageArgs: [] MessageArgs@odata.count: 0 MessageId: SYS053

Content of "configure_iDRAC_LDAP.xml" XML:

```xml
<SystemConfiguration>
<Component FQDD="iDRAC.Embedded.1">
 <Attribute Name="LDAP.1#Enable">Enabled</Attribute>
 <Attribute Name="LDAP.1#Server">192.168.0.140</Attribute>
 <Attribute Name="LDAP.1#Port">636</Attribute>
 <Attribute Name="LDAP.1#BaseDN"/>
 <Attribute Name="LDAP.1#UserAttribute"/>
 <Attribute Name="LDAP.1#GroupAttribute"/>
 <Attribute Name="LDAP.1#GroupAttributeIsDN">Enabled</Attribute>
 <Attribute Name="LDAP.1#BindDN"/>
 <!-- <Attribute Name="LDAP.1#BindPassword">******</Attribute>-->
 <Attribute Name="LDAP.1#SearchFilter"/>
 <Attribute Name="LDAP.1#CertValidationEnable">Enabled</Attribute>
 <Attribute Name="LDAPRoleGroup.1#DN"/>
 <Attribute Name="LDAPRoleGroup.1#Privilege">0</Attribute>
 <Attribute Name="LDAPRoleGroup.2#DN"/>
 <Attribute Name="LDAPRoleGroup.2#Privilege">0</Attribute>
 <Attribute Name="LDAPRoleGroup.3#DN"/>
 <Attribute Name="LDAPRoleGroup.3#Privilege">0</Attribute>
 <Attribute Name="LDAPRoleGroup.4#DN"/>
 <Attribute Name="LDAPRoleGroup.4#Privilege">0</Attribute>
 <Attribute Name="LDAPRoleGroup.5#DN"/>
 <Attribute Name="LDAPRoleGroup.5#Privilege">0</Attribute>
</Component>
</SystemConfiguration>
```

beren41 commented 4 years ago

I have an idea to combine the scripts SetIdracLcSystemAttributesREDFISH.py and ImportSystemConfigurationLocalFilenameREDFISH.py. That is, if it is iDRAC 9, change the LDAP attributes using SetIdracLcSystemAttributesREDFISH.py; if it is iDRAC 8, change the LDAP attributes using ImportSystemConfigurationLocalFilenameREDFISH.py. Can I do this? )

texroemer commented 4 years ago

Yes, that will work, but it would be easier to go ahead and use the SCP script for both iDRAC 8 and 9. By doing this, you wouldn't need code to first check the iDRAC version to figure out which script needs to be executed. Also, the same set of iDRAC LDAP attributes is supported on iDRAC 8 and 9.

beren41 commented 4 years ago

Thanks. Did I understand correctly that the SCP method will require a reboot? Is it the server or only the iDRAC?

texroemer commented 4 years ago

The SCP feature will only reboot the server to apply attribute changes related to storage, BIOS or network. If you are using SCP to only apply iDRAC attribute changes, these will get applied immediately and no server reboot is needed.

beren41 commented 4 years ago

Thanks. Last question =) Is this the correct XML file for changing LDAP attributes?

```
Enabled 10.15.12.8 636 dc=domain,dc=com memberUid memberUid Enabled cn=kvm,ou=Users,dc=domain,dc=com gd#845Xm*P Disabled cn=dc,ou=Groups,dc=domain,dc=com 511 0 0 0 0
```

That is an LDAP group for DC administrators.

texroemer commented 4 years ago

The XML is missing closing attribute tags when setting a value. When an attribute is listed as:

This means no value is being passed in, which is the same format as:

Since you want to set the attribute now, you need to remove the / and add the closing attribute tag.

I went ahead and corrected the XML file, and even tested it on my server, where it passed.

```xml
<SystemConfiguration>
<Component FQDD="iDRAC.Embedded.1">
<Attribute Name="LDAP.1#Enable">Enabled</Attribute>
<Attribute Name="LDAP.1#Server">10.15.12.8</Attribute>
<Attribute Name="LDAP.1#Port">636</Attribute>
<Attribute Name="LDAP.1#BaseDN">dc=domain,dc=com</Attribute>
<Attribute Name="LDAP.1#UserAttribute">memberUid</Attribute>
<Attribute Name="LDAP.1#GroupAttribute">memberUid</Attribute>
<Attribute Name="LDAP.1#GroupAttributeIsDN">Enabled</Attribute>
<Attribute Name="LDAP.1#BindDN">cn=kvm,ou=Users,dc=domain,dc=com</Attribute>
<Attribute Name="LDAP.1#BindPassword">gYFd#845Xm*P</Attribute>
<Attribute Name="LDAP.1#SearchFilter"></Attribute>
<Attribute Name="LDAP.1#CertValidationEnable">Disabled</Attribute>
<Attribute Name="LDAPRoleGroup.1#DN">cn=dc,ou=Groups,dc=domain,dc=com</Attribute>
<Attribute Name="LDAPRoleGroup.1#Privilege">511</Attribute>
<Attribute Name="LDAPRoleGroup.2#DN"></Attribute>
<Attribute Name="LDAPRoleGroup.2#Privilege">0</Attribute>
<Attribute Name="LDAPRoleGroup.3#DN"></Attribute>
<Attribute Name="LDAPRoleGroup.3#Privilege">0</Attribute>
<Attribute Name="LDAPRoleGroup.4#DN"></Attribute>
<Attribute Name="LDAPRoleGroup.4#Privilege">0</Attribute>
<Attribute Name="LDAPRoleGroup.5#DN"></Attribute>
<Attribute Name="LDAPRoleGroup.5#Privilege">0</Attribute>
</Component>
</SystemConfiguration>
```

C:\Python38-32>ImportSystemConfigurationLocalFilenameREDFISH.py -ip 192.168.0.120 -u root -p calvin -t IDRAC -f git.xml

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: LDAP Server ErrCode: 0 Name: LDAP.1#Server NewValue: 10.15.12.8 OldValue: 192.168.0.140 Severity: OK

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: LDAP Base Domain Name ErrCode: 0 Name: LDAP.1#BaseDN NewValue: dc=domain,dc=com Severity: OK

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: LDAP User Attribute ErrCode: 0 Name: LDAP.1#UserAttribute NewValue: memberUid Severity: OK

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: LDAP Group Attribute ErrCode: 0 Name: LDAP.1#GroupAttribute NewValue: memberUid Severity: OK

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: LDAP Bind User Distinguished Name ErrCode: 0 Name: LDAP.1#BindDN NewValue: cn=kvm,ou=Users,dc=domain,dc=com Severity: OK

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: LDAP Bind Password ErrCode: 0 Name: LDAP.1#BindPassword NewValue: ** OldValue: ** Severity: OK

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: Enable LDAP Certificate Validation ErrCode: 0 Name: LDAP.1#CertValidationEnable NewValue: Disabled OldValue: Enabled Severity: OK

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: LDAP Role Group Domain Name ErrCode: 0 Name: LDAPRoleGroup.1#DN NewValue: cn=dc,ou=Groups,dc=domain,dc=com Severity: OK

@odata.type: #DellManager.v1_0_0.ServerConfigurationProfileResults DisplayValue: LDAP Role Group Privilege ErrCode: 0 Name: LDAPRoleGroup.1#Privilege NewValue: 511 OldValue: 0 Severity: OK

Message: Successfully imported and applied Server Configuration Profile. MessageArgs: [] MessageArgs@odata.count: 0 MessageId: SYS053
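An added example in Python, not code from the dell/iDRAC-Redfish-Scripting project or from either poster: it generates the SCP XML for the iDRAC.Embedded.1 LDAP attributes used in this thread and lints a candidate file for the tag mistake texroemer describes (a value written after a self-closing tag), for attributes left empty, and for certificate validation turned off. The hostnames, DNs and the `IDRAC_LDAP_BIND_PW` environment variable are assumed values; the output file is what you would hand to ImportSystemConfigurationLocalFilenameREDFISH.py with `-t IDRAC`.

```python
# Added example, not part of the dell/iDRAC-Redfish-Scripting project.
import os
import xml.etree.ElementTree as ET

IDRAC_FQDD = "iDRAC.Embedded.1"  # component FQDD used in the thread's XML


def build_ldap_scp(settings):
    """Return SCP XML text for iDRAC.Embedded.1 from {attribute name: value}.
    None becomes an empty <Attribute Name="..."/>, i.e. 'no value passed'."""
    root = ET.Element("SystemConfiguration")
    comp = ET.SubElement(root, "Component", FQDD=IDRAC_FQDD)
    for name, value in settings.items():
        attr = ET.SubElement(comp, "Attribute", Name=name)
        if value is not None:
            attr.text = str(value)  # value goes inside the tag, never after it
    return ET.tostring(root, encoding="unicode")


def lint_scp(xml_text):
    """Return [(attribute name, problem)] for the iDRAC component."""
    problems = []
    for comp in ET.fromstring(xml_text).iter("Component"):
        if comp.get("FQDD") != IDRAC_FQDD:
            continue
        for attr in comp.findall("Attribute"):
            name, value = attr.get("Name"), (attr.text or "").strip()
            if (attr.tail or "").strip():
                # <Attribute Name="x"/>Enabled: the parser stores "Enabled" as
                # tail text, so the iDRAC never receives it
                problems.append((name, "value placed outside the tag: remove "
                                       "the / and add a closing </Attribute>"))
            elif not value:
                problems.append((name, "no value given, attribute not set"))
            elif name == "LDAP.1#CertValidationEnable" and value == "Disabled":
                problems.append((name, "LDAPS server certificate not verified"))
    return problems


def example_settings():
    """Assumed values; the bind password is read from the environment so the
    secret does not sit in the SCP file checked into a repository."""
    return {
        "LDAP.1#Enable": "Enabled",
        "LDAP.1#Server": "ldap.example.internal",
        "LDAP.1#Port": 636,
        "LDAP.1#BaseDN": "dc=example,dc=internal",
        "LDAP.1#BindDN": "cn=idrac-bind,ou=Users,dc=example,dc=internal",
        "LDAP.1#BindPassword": os.environ.get("IDRAC_LDAP_BIND_PW"),
        "LDAP.1#CertValidationEnable": "Enabled",
        "LDAPRoleGroup.1#DN": "cn=idrac-admins,ou=Groups,dc=example,dc=internal",
        "LDAPRoleGroup.1#Privilege": 511,
    }
```

Running `lint_scp(build_ldap_scp(example_settings()))` with the environment variable unset reports `LDAP.1#BindPassword` as unset, which is the check that catches a silently empty bind credential before the import.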

beren41 commented 4 years ago

Thanks for the help