Configuring RADIUS or LDAP on Supermicro (ATEN) IPMI


Here are the magic numbers, which I have no idea of the meaning, that I got (a while ago) from Supermicro (via our vendor, Silicon Mechanics):

# vi /etc/raddb/users

Example (straight ASCII quotes; the curly quotes in the vendor's document will not parse in a FreeRADIUS users file):
    myuser          Auth-Type := Local, User-Password == "123456"
                    Vendor-Specific = "H=4, I=4"

    testuser        Auth-Type := Local, User-Password == "654321"
                    Vendor-Specific = "H=3, I=3"

So, obviously H= and I= mean something, and at least 3 and 4 are valid values (and I don't believe the syntax is even allowed by the RFCs, but whatever). I replied asking what those mean, and haven't heard back. I just sent a followup...

edit

Got a reply:

> Those settings match the user account type in the IPMI Web GUI.
>
> CallBack (H=1, I=1) = No Access
> Basically, this type of account will be rejected by IPMI. It can be used to temporarily disable an account.
>
> User (H=2, I=2) = User
> This type of account is only allowed to check the system status.
>
> Operator (H=3, I=3) = Operator
> This type of account is allowed to do the remote control & check the system status, but can't change the configuration.
>
> Administrator (H=4, I=4) = Administrator
> This type of account is allowed to do everything.
>
> There is no other privilege.

edit 2

Reply to the two different field meanings.

This is the info SuperMicro got from ATEN:

> "H" is for the user privilege. IPMI spec 2.0 defines the following channel privilege levels. We don't use the OEM Proprietary level for special privilege.
>
> Channel Privilege Level Limit:
>       0h = reserved
>       1h = CALLBACK level
>       2h = USER level
>       3h = OPERATOR level
>       4h = ADMINISTRATOR level
>       5h = OEM Proprietary level
>
> "I" is for debug purposes and it is a reserved option. Please ignore it.
>
> Below is the definition of the Channel Privilege Levels from IPMI spec 2.0:
>
> Callback
> This may be considered the lowest privilege level. Only commands necessary to support initiating a Callback are allowed.
>
> User
> Only 'benign' commands are allowed. These are primarily commands that read data structures and retrieve status. Commands that can be used to alter BMC configuration, write data to the BMC or other management controllers, or perform system actions such as resets, power on/off, and watchdog activation are disallowed.
>
> Operator
> All BMC commands are allowed, except for configuration commands that can change the behavior of the out-of-band interfaces. For example, Operator privilege does not allow the capability to disable individual channels, or change user access privileges.
>
> Administrator
> All BMC commands are allowed, including configuration commands. An Administrator can even execute configuration commands that would disable the channel that the Administrator is communicating over.
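As an added illustration (not part of the original answer or any Supermicro/ATEN material), here is a small Python helper that parses the vendor's "H=n, I=n" string, maps H onto the IPMI 2.0 privilege table quoted above, and renders users-file entries in the layout Supermicro supplied. Anything unparseable or outside the four grantable levels is treated as CALLBACK (no access), so a typo in the users file fails closed rather than open; the function names are my own.

```python
"""Map Supermicro/ATEN RADIUS Vendor-Specific strings ("H=n, I=n") to IPMI 2.0
channel privilege levels and generate FreeRADIUS users-file entries."""
import re

# IPMI 2.0 channel privilege levels, as listed in the ATEN reply.
IPMI_PRIVILEGE = {
    0: "reserved",
    1: "CALLBACK",
    2: "USER",
    3: "OPERATOR",
    4: "ADMINISTRATOR",
    5: "OEM Proprietary",
}
# Levels the BMC actually honours: 0 is reserved and ATEN does not use 5.
GRANTABLE = {1, 2, 3, 4}

# Tolerate optional whitespace around '=' and ','; require both H and I.
_VSA_RE = re.compile(r"^\s*H\s*=\s*(\d+)\s*,\s*I\s*=\s*(\d+)\s*$")


def parse_vsa(value):
    """Parse 'H=4, I=4' into (H, I); return None if the string is malformed."""
    m = _VSA_RE.match(value)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def effective_privilege(value):
    """Privilege name the BMC would apply for this Vendor-Specific string.
    Malformed input or a non-grantable level collapses to CALLBACK (no access),
    so a mistake in the users file can never escalate a user."""
    parsed = parse_vsa(value)
    if parsed is None or parsed[0] not in GRANTABLE:
        return IPMI_PRIVILEGE[1]
    return IPMI_PRIVILEGE[parsed[0]]   # 'I' is ignored, per ATEN


def users_entry(name, password, level):
    """Render one FreeRADIUS users-file entry in the layout Supermicro supplied.
    I is set equal to H because ATEN says the BMC ignores it."""
    if level not in GRANTABLE:
        raise ValueError(f"privilege level {level} is not grantable")
    return (f'{name:<16}Auth-Type := Local, User-Password == "{password}"\n'
            f'{"":16}Vendor-Specific = "H={level}, I={level}"')
```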


Author: derobert

Updated on September 17, 2022

Comments

  • derobert
    derobert over 1 year

    I'm trying to get our new server, an X8DTN+-F's IPMI configured to talk to our authentication servers. The two choices are LDAP and RADIUS.

    I'm debugging this by looking at packet captures, as it seems the IPMI stuff doesn't log anything.

    I first tried LDAP, but the IPMI stuff insisted on binding as a user other than the one logging in (wtf). Once I set it up its own user, it managed to find the user (though not by searching for the attribute I wanted, and there seemed no way to change it), but even upon getting a response... didn't allow the login. Maybe it expected a password attribute in the response, which of course it didn't get. It should just bind as the user who is logging in (and should use LDAP over SSL, but that's another story).

    So I tried RADIUS. Now, it sends the expected Access-Request packet (with expected username, an encrypted password, a NAS IP Address of 127.0.0.1 [wtf], and a port of 1). It then gets back an access-accept packet, with a service-type of Administrative-User… and then it rejects the login.

    (Note: by rejects the login, I mean redisplays the login page. It's not like this thing believes in error messages. Or logs.)

    So, is there some magic attribute I need to get the RADIUS server to reply with? Has anyone gotten RADIUS to work with Supermicro's IPMI?

    • Daniel Lawson
      Daniel Lawson almost 14 years
      Which IPMI Firmware version are you using? I've got v 1.32 on an X8DTH-6F, and it only has LDAP and AD options, no RADIUS.
    • derobert
      derobert almost 14 years
      @Daniel Lawson: 2.01 now. Turns out there are definitely some weird attributes that need to be set, they sent me a doc with some examples but no explanation. Still following up to find out what they mean...
    • JohannesM
      JohannesM over 9 years
      For me the IPMI LDAP Authentication with Supermicro (Aten) did work with greater than Version 3.10 but not with less than Version 2.14
  • Admin
    Admin over 13 years
    Could you please post the settings supplied by Supermicro here? I have a similar issue and cannot get hold of anyone knowledgeable from Supermicro. ]-[
  • derobert
    derobert over 13 years
    @Hunta: I now have an answer from SuperMicro. Edited in.
  • derobert
    derobert over 13 years
    @Hunta: updated. Not sure if you're watching this. I think I've now got a full answer.