# Managing iLO users NOTE It is possible that some properties or resources described in this section are not implemented in HPE iLO 4 and iLO 5. HPE iLO supports: - Local user authentication - Directory authentication - Role based local user administration via Redfish - Directory authentication configuration via Redfish User account modifications require Redfish clients to be authenticated with the "Administer User Accounts" privilege (`UserConfigPriv` in the Redfish `ManagerAccount` resource type TIP: Managing iLO users with iLOrest is described in this [documentation section](/docs/redfishclients/ilorest-userguide/ilocommands#iloaccounts-command). ## The Account service The iLO user management service is described in the `AccountService` subsystem . This subsystem contains the capabilities of the service (i.e. Active Directory, LDAP) as well the URIs of various resources like the entry point of the local account database. The following example retrieves the local user account and application accounts URIs from the `AccountService`. NOTE Application accounts have been introduced with [HPE iLO 7](/docs/redfishservices/ilos/supplementdocuments/securityservice/#transitioning-to-hpe-ilo-7). iLOrest ```shell ilorest login ilo-ip -u ilo-user -p password ilorest list Accounts Oem/Hpe/AppAccounts --select AccountService. --json { "Accounts": { "@odata.id": "/redfish/v1/AccountService/Accounts/" }, "Oem": { "Hpe": { "AppAccounts": { "@odata.id": "/redfish/v1/AccountService/Oem/Hpe/AppAccounts/" } } } } ilorest logout ``` cURL(1) ```shell curl --insecure --silent --location -u ilo-user:password \ https://ilo-ip/redfish/v1/AccountService | \ jq '.Accounts, .Oem.Hpe.AppAccounts' { "@odata.id": "/redfish/v1/AccountService/Accounts" } { "@odata.id": "/redfish/v1/AccountService/Oem/Hpe/AppAccounts" } ``` cURL(2) ```json curl --insecure --silent --location -u ilo-user:password \ 'https://ilo-ip/redfish/v1/AccountService/?%24select=Accounts%2C%20Oem/Hpe/AppAccounts' | \ jq '.' { "@odata.context": "/redfish/v1/$metadata#AccountService.AccountService", "@odata.etag": "W/\"985003737\"", "@odata.id": "/redfish/v1/AccountService/", "@odata.type": "#AccountService.v1_15_0.AccountService", "Accounts": { "@odata.id": "/redfish/v1/AccountService/Accounts/" }, "Oem": { "Hpe": { "AppAccounts": { "@odata.id": "/redfish/v1/AccountService/Oem/Hpe/AppAccounts/" } } } } ``` ## Local user administration HPE iLO holds a local user database enabling consistent user management for all interfaces including the Web interface (GUI) as well as the Redfish API. Refer to the example of the [previous paragraph](#the-account-service) to retrieve the URIs of the local user accounts. TIP: Refer to this [documentation section](/docs/redfishclients/ilorest-userguide/ilocommands#iloaccounts-command) of iLO user management with iLOrest. The following example lists the URIs of local iLO users and application accounts. Generic GET requests ```text GET /redfish/v1/AccountService/Accounts/ and GET /redfish/v1/AccountService/Oem/Hpe/AppAccounts ``` iLOrest ```shell ilorest login ilo-ip -u ilo-user -p password ilorest list Members --select ManagerAccountCollection --json [ { "Members": [ { "@odata.id": "/redfish/v1/AccountService/Accounts/65536/" }, { "@odata.id": "/redfish/v1/AccountService/Accounts/65544/" }, { "@odata.id": "/redfish/v1/AccountService/Accounts/65545/" }, { "@odata.id": "/redfish/v1/AccountService/Accounts/65546/" }, { "@odata.id": "/redfish/v1/AccountService/Accounts/65547/" } ] }, { "Members": [ { "@odata.id": "/redfish/v1/AccountService/Oem/Hpe/AppAccounts/65605/" }, { "@odata.id": "/redfish/v1/AccountService/Oem/Hpe/AppAccounts/65606/" } ] } ] ilorest logout ``` cURL ```shell curl --insecure --silent --location -u ilo-user:password \ https://ilo-ip/redfish/v1/AccountService/Accounts | \ jq '.' { "@odata.context": "/redfish/v1/$metadata#ManagerAccountCollection.ManagerAccountCollection", "@odata.etag": "W/\"144846794\"", "@odata.id": "/redfish/v1/AccountService/Accounts", "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection", "Description": "iLO User Accounts", "Name": "Accounts", "Members": [ { "@odata.id": "/redfish/v1/AccountService/Accounts/65536" }, { "@odata.id": "/redfish/v1/AccountService/Accounts/65544" }, { "@odata.id": "/redfish/v1/AccountService/Accounts/65545" }, { "@odata.id": "/redfish/v1/AccountService/Accounts/65546" }, { "@odata.id": "/redfish/v1/AccountService/Accounts/65547" } ], "Members@odata.count": 5 } curl --insecure --silent --location -u ilo-user:password \ https://ilo-ip/redfish/v1/AccountService/Oem/Hpe/AppAccounts | \ jq '.' { "@odata.context": "/redfish/v1/$metadata#ManagerAccountCollection.ManagerAccountCollection", "@odata.etag": "W/\"1459770610\"", "@odata.id": "/redfish/v1/AccountService/Oem/Hpe/AppAccounts", "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection", "Description": "iLO Application Accounts", "Name": "Application Accounts", "Members": [ { "@odata.id": "/redfish/v1/AccountService/Oem/Hpe/AppAccounts/65605" }, { "@odata.id": "/redfish/v1/AccountService/Oem/Hpe/AppAccounts/65606" } ], "Members@odata.count": 2 } ``` A local user account consists of a user name, password, and a set of privileges. The `RoleId` property describes one of three defined Redfish roles based upon assigned privileges. The `Oem/Hpe/LoginName` property is a description of the account. NOTE Due to a terminology mismatch between the Redfish standard and historical iLO products, the properties for `UserName` and `LoginName` are reversed in Redfish vs. the HPE iLO Web interface. The following table provides a detailed description of each property in the different contexts. | Redfish Property | GUI Term | Description | Example | | --- | --- | --- | --- | | `UserName` | Login Name | The user identity string used with a password to log into iLO | jsmith | | `Oem/Hpe/LoginName` | User Name | The descriptive name of the user | Jane Smith - Director of IT | The following example retrieves the properties of iLO user with `UserName` equal to `jsmith`. GET account properties ```text GET /redfish/v1/AccountService/Accounts/?$filter=UserName eq 'jsmith' ``` ilOrest ```shell ilorest login ilo-ip -u ilo-user -p password ilorest list --select ManagerAccount. --filter UserName=jsmith --json ilorest logout ``` cURL ```shell curl --insecure --silent --location -u ilo-user:password \ https://ilo-ip/redfish/v1/AccountService/Accounts/?%24filter=UserName%20eq%20'jsmith' | \ jq '.' ``` Response body ```json { "@odata.context": "/redfish/v1/$metadata#ManagerAccountCollection.ManagerAccountCollection", "@odata.etag": "W/\"2314145909\"", "@odata.id": "/redfish/v1/AccountService/Accounts/", "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection", "Description": "iLO User Accounts", "Name": "Accounts", "Members": [ { "@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount", "@odata.id": "/redfish/v1/AccountService/Accounts/65543/", "@odata.type": "#ManagerAccount.v1_12_1.ManagerAccount", "Id": "65543", "AccountTypes": [ "WebUI" ], "Description": "iLO User Account", "Enabled": true, "Keys": { "@odata.id": "/redfish/v1/AccountService/Accounts/65543/Keys/" }, "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/Operator/" } }, "Name": "User Account", "Oem": { "Hpe": { "@odata.context": "/redfish/v1/$metadata#HpeiLOAccount.HpeiLOAccount", "@odata.type": "#HpeiLOAccount.v2_2_0.HpeiLOAccount", "LoginName": "Jane Smith - Director of IT", "Privileges": { "HostBIOSConfigPriv": true, "HostNICConfigPriv": true, "HostStorageConfigPriv": true, "LoginPriv": true, "RemoteConsolePriv": true, "SystemRecoveryConfigPriv": false, "UserConfigPriv": false, "VirtualMediaPriv": true, "VirtualPowerAndResetPriv": true, "iLOConfigPriv": false }, "ServiceAccount": false } }, "Password": null, "PasswordChangeRequired": false, "RoleId": "Operator", "UserName": "jsmith" } ], "Members@odata.count": 1 } ``` NOTE `Password` is always shown as `null` even though it is a PATCHable property. ### Roles and privileges HPE iLO uses a set of `Privileges` assigned to each user account to grant and restrict access to features. HPE iLO privileges are: | Redfish | iLO Web Interface (GUI) | | --- | --- | | LoginPriv | Login | | RemoteConsolePriv | Remote Console | | VirtualPowerAndResetPriv | Virtual Power and Reset | | VirtualMediaPriv | Virtual Media | | HostBIOSConfigPriv | Host BIOS | | iLOConfigPriv | Configure iLO Settings | | UserConfigPriv | Administer User Accounts | | HostNICConfigPriv | Host NIC | | HostStorageConfigPriv | Host Storage | | SystemRecoveryConfigPriv | Recovery Set | #### Application accounts Application accounts have been introduced with HPE Gen12 servers including an iLO 7. These accounts and associated application token allow host based applications (i.e. AMS, iSUT, SUM, iLOrest) to get authenticated for in-band communication, by the iLO Redfish service without requiring any human being intervention for supplying iLO credentials. Refer to the [Transitioning to HPE iLO 7](/docs/redfishservices/ilos/supplementdocuments/securityservice/#transitioning-to-hpe-ilo-7) section for more detail on those specific accounts. #### Roles You can use `RoleId` property to create users with specific starting privileges. On a GET of the local user account, `RoleId` is synthesized based upon the enabled privileges. iLO does not store a separate `RoleId` value. For this reason, modifications to raw privileges may or may not result in a changed `RoleId` based upon iLO's mapping. If the PATCH includes both `RoleID` and individual privileges, the privileges corresponding to the RoleId are assigned to the local user account first, and then the explicit privileges are assigned. The following example sets all iLO privileges as long as the account performing the operation already has sufficient privileges to grant these privileges. Account role configuration ```text PATCH /redfish/v1/AccountService/Accounts/{accountId} ``` Body ```json { "RoleId": "Administrator", "Oem": { "Hpe": { "Privileges": { "SystemRecoveryConfigPriv": true } } } } ``` #### Privileges granted on local account creation by RoleId | RoleId | Privileges | | --- | --- | | Administrator | HostBIOSConfigPriv, HostNICConfigPriv, HostStorageConfigPriv, LoginPriv, RemoteConsolePriv, UserConfigPriv, VirtualMediaPriv, VirtualPowerAndResetPriv, iLOConfigPriv | | Operator | HostBIOSConfigPriv, HostNICConfigPriv, HostStorageConfigPriv, LoginPriv, RemoteConsolePriv, VirtualMediaPriv, VirtualPowerAndResetPriv | | ReadOnly | LoginPriv | #### RoleId shown on an existing local user account by privilege The `RoleId` reported is the smallest superset of assigned privileges. | Privileges | RoleId | | --- | --- | | LoginPriv only | ReadOnly | | iLOConfigPriv or UserConfigPriv or SystemRecoveryConfigPriv and anything else | Administrator | | any other combination | Operator | ### Creating a new local user account The simplest possible new local user account create operation is to `POST` to the Accounts collection, as shown in the example below. The following example creates a user account `jsmith` with the default `ReadOnly` RoleId and only the iLO Login privilege. Notice that `Oem/Hpe/LoginName` defaults to the provided `UserName` unless it is specifically specified. User creation ```text POST /redfish/v1/AccountService/Accounts/ ``` Body ```json { "UserName": "jsmith", "Password": "passwordexample" } ``` NOTE Each local user account must have a unique `UserName`. Get account properties ```text GET /redfish/v1/AccountService/Accounts/{accountId} ``` Response body ```json { "@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount", "@odata.etag": "W/\"B103601C\"", "@odata.id": "/redfish/v1/AccountService/Accounts/12/", "@odata.type": "#ManagerAccount.v1_1_3.ManagerAccount", "Id": "12", "Description": "iLO User Account", "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/ReadOnly/" } }, "Name": "User Account", "Oem": { "Hpe": { "@odata.context": "/redfish/v1/$metadata#HpeiLOAccount.HpeiLOAccount", "@odata.type": "#HpeiLOAccount.v2_2_0.HpeiLOAccount", "LoginName": "jsmith", "Privileges": { "HostBIOSConfigPriv": false, "HostNICConfigPriv": false, "HostStorageConfigPriv": false, "LoginPriv": true, "RemoteConsolePriv": false, "SystemRecoveryConfigPriv": false, "UserConfigPriv": false, "VirtualMediaPriv": false, "VirtualPowerAndResetPriv": false, "iLOConfigPriv": false }, "ServiceAccount": false } }, "Password": null, "RoleId": "ReadOnly", "UserName": "jsmith" } ``` ### Creating a new account using a RoleId You may specify a `RoleId` with a new user account, as shown in the following example. Account creation with RoleId ```text POST /redfish/v1/AccountService/Accounts/ ``` Body ```json { "UserName": "jsmith", "Password": "passwordexample", "RoleId": "Operator" } ``` To retrieve the just created account, perform a GET operation like in the following example. Retrieve account properties ```text GET /redfish/v1/AccountService/Accounts/{accountId} ``` Body ```json { "@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount", "@odata.etag": "W/\"6C16FDE3\"", "@odata.id": "/redfish/v1/AccountService/Accounts/14/", "@odata.type": "#ManagerAccount.v1_1_3.ManagerAccount", "Id": "14", "Description": "iLO User Account", "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/Operator/" } }, "Name": "User Account", "Oem": { "Hpe": { "@odata.context": "/redfish/v1/$metadata#HpeiLOAccount.HpeiLOAccount", "@odata.type": "#HpeiLOAccount.v2_2_0.HpeiLOAccount", "LoginName": "jsmith", "Privileges": { "HostBIOSConfigPriv": true, "HostNICConfigPriv": true, "HostStorageConfigPriv": true, "LoginPriv": true, "RemoteConsolePriv": true, "SystemRecoveryConfigPriv": false, "UserConfigPriv": false, "VirtualMediaPriv": true, "VirtualPowerAndResetPriv": true, "iLOConfigPriv": false }, "ServiceAccount": false } }, "Password": null, "RoleId": "Operator", "UserName": "jsmith" } ``` ### Creating a new account with specific privileges You may also create a local user with specific privileges. Create user with specific privileges ```text POST /redfish/v1/AccountService/Accounts/ Payload: { "UserName": "jsmith", "Password": "passwordexample", "Oem": { "Hpe": { "LoginName": "Director of IT", "Privileges": { "LoginPriv": true, "VirtualMediaPriv": true, "VirtualPowerAndResetPriv": true } } } } ``` iLOrest ```json ilorest login ilo-ip -u ilo-user -p password ilorest iloaccounts add jsmith "Jane Smit - Director of IT" passwordexample --addprivs 1,5,6 ilorest logout ``` This results in the following new local user account: Retrieve account properties ```text GET /redfish/v1/AccountService/Accounts/{accountId} ``` iLOrest ```shell ilorest login ilo-ip -u ilo-user -p password ilorest list --select ManagerAccount. --filter UserName=jsmith --json ilorest logout ``` Response body ```json { "@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount", "@odata.etag": "W/\"E8037663\"", "@odata.id": "/redfish/v1/AccountService/Accounts/15/", "@odata.type": "#ManagerAccount.v1_1_3.ManagerAccount", "Id": "15", "Description": "iLO User Account", "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/Operator/" } }, "Name": "User Account", "Oem": { "Hpe": { "@odata.context": "/redfish/v1/$metadata#HpeiLOAccount.HpeiLOAccount", "@odata.type": "#HpeiLOAccount.v2_2_0.HpeiLOAccount", "LoginName": "Jane Smith - Director of IT", "Privileges": { "HostBIOSConfigPriv": false, "HostNICConfigPriv": false, "HostStorageConfigPriv": false, "LoginPriv": true, "RemoteConsolePriv": false, "SystemRecoveryConfigPriv": false, "UserConfigPriv": false, "VirtualMediaPriv": true, "VirtualPowerAndResetPriv": true, "iLOConfigPriv": false }, "ServiceAccount": false } }, "Password": null, "RoleId": "Operator", "UserName": "jsmith" } ``` Info Several Python examples have been posted in the GitHub repository of the HPE Redfish library. - Add user account - Modify user account - Remove user account ### Modifying a local user account The following properties can be modified on an existing local user account: - `UserName` - `Password` - this is always returned as null, but you may PATCH it with a value to change the password - `RoleId` - PATCHing `RoleId` on an existing local user account will reset it’s existing privileges with those mapped to the RoleId. - `Oem/Hpe/LoginName` - `Oem/Hpe/Privileges/*` - any of the privileges may be modified with true or false ### Adding and removing privileges Local user account privileges may be modified with a PATCH to the URI of the desired `ManagerAccount` resource, as shown in the example below. PATCH user account ```text PATCH /redfish/v1/AccountService/Accounts/{accountId}/ ``` Body ```json { "Oem": { "Hpe": { "Privileges": { "VirtualMediaPriv": true, "VirtualPowerAndResetPriv": true } } } } ``` ### Changing roles PATCH roles ```text PATCH /redfish/v1/AccountService/Accounts/{accountId}/ ``` Body ```json { "RoleId": "Operator" } ``` Successful response body ```json { "error": { "code": "iLO.0.10.ExtendedInfo", "message": "See @Message.ExtendedInfo for more information.", "@Message.ExtendedInfo": [ { "MessageId": "Base.1.0.AccountModified" } ] } } ``` ### Changing password Local user account passwords may be modified with a PATCH to the URI of the desired `ManagerAccount` resource, as shown in the example below. User password modification ```text PATCH /redfish/v1/AccountService/Accounts/{accountId}/ ``` Body ```json { "Password": "newpassword" } ``` ### Enabling and disabling user accounts The `Enabled` Boolean account property allows an account to perform the actions and operations allowed by its [RoleId or privileges](#roles-and-privileges). If the `Enabled` property is set to `False`, the corresponding iLO account will not be able log into the iLO. Accounts with the `UserConfigPriv` [privilege](#roles-and-privileges) can modify the `Enabled` property of manager accounts (including itself). The following example retrieves the properties of a specific user with property `Enabled=true`. GET view enabled account ```text GET redfish/v1/AccountService/Accounts/{AccountId} ``` GET response ```json { "@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount", "@odata.etag": "W/\"9DE38055\"", "@odata.id": "/redfish/v1/AccountService/Accounts/14", "@odata.type": "#ManagerAccount.v1_3_0.ManagerAccount", "Id": "14", "Description": "iLO User Account", "Enabled": true, "Links": { "Role": { "@odata.id": "/redfish/v1/AccountService/Roles/Administrator" } }, "Name": "User Account", "Oem": { "Hpe": { "@odata.context": "/redfish/v1/$metadata#HpeiLOAccount.HpeiLOAccount", "@odata.type": "#HpeiLOAccount.v2_2_0.HpeiLOAccount", "LoginName": "admin", "Privileges": { "HostBIOSConfigPriv": true, "HostNICConfigPriv": true, "HostStorageConfigPriv": true, "LoginPriv": true, "RemoteConsolePriv": true, "SystemRecoveryConfigPriv": false, "UserConfigPriv": true, "VirtualMediaPriv": true, "VirtualPowerAndResetPriv": true, "iLOConfigPriv": true }, "ServiceAccount": false } }, "Password": null, "PasswordChangeRequired": false, "RoleId": "Administrator", "UserName": "admin" } ``` A local user account can be enabled or disabled with a PATCH to the URI of desired `ManagerAccount` resource, as shown in the example below. setting Enabled property ```text PATCH redfish/v1/AccountService/Accounts/{AccountId} ``` PATCH Payload ```json { "Enabled": true } ``` PATCH Response ```json { "error": { "code": "iLO.0.10.ExtendedInfo", "message": "See @Message.ExtendedInfo for more information.", "@Message.ExtendedInfo": [ { "MessageId": "Base.1.17.AccountModified" } ] } } ``` #### Enabling and disabling all local users at once The following example disables all local users by modifying the `LocalAccountAuth` property . Note Disabling all local users is not allowed when both Directory Authentication AND Kerberos Authentication are disabled. Generic request ```text PATCH /redfish/v1/AccountService/ Payload: { "LocalAccountAuth": "Disabled" } ``` iLOrest ```json ilorest login ilo-ip -u ilo-user -p password ilorest set LocalAccountAuth=Disabled --select AccountService. --commit ilorest logout ``` ### Default iLO factory account When HPE iLO is reset to factory defaults using iLOrest `factorydefaults` [command](/docs/redfishclients/ilorest-userguide/ilocommands#factorydefaults-command), the Redfish action or using the System Utilities/iLO Configuration Utility menu, all user setting data are erased. Default credentials are required to access HPE iLO after a factory reset. The following example sets default HPE iLO username and password after an iLO factory reset action . cURL ```shell curl --insecure --silent --user :password \ --header 'Content-Type: application/json' \ --request PATCH 'https:///redfish/v1/AccountService' \ --data '{ "Oem": { "Hpe": { "DefaultUserName": "administrator", "DefaultPassword": "DefaultFactoryPassword" }} }' ``` iLOrest ```shell ilorest login -u -p password ilorest select AccountService. ilorest set Oem/Hpe/DefaultUserName="administrator" ilorest set Oem/Hpe/DefaultPassword="DefaultFactoryPassword" ilorest commit ilorest logout ``` ### Removing a local user account A local user account can be removed by a user with the `UserConfigPriv` [privilege](#roles-and-privileges), with a DELETE request toward the URI of the desired resource, as shown in the example below. User removal ```text DELETE /redfish/v1/AccountService/Accounts/{accountId}/ ``` ## Directory administration This paragraph provides useful examples to manage LDAP, Microsoft Active Directory and Kerberos integration with HPE iLO. ### Configuring Active Directory Authentication The following example enables authentication by a Microsoft Active Directory service using default standard port `636`. Generic Request ```text PATCH /redfish/v1/AccountService/ ``` Active Directory authentication ```json { "LDAP": { "AccountProviderType": "ActiveDirectoryService", "ServiceEnabled": true, "ServiceAddresses": [ "" ] } } ``` The following example enables authentication by a Microsoft Active Directory using a custom TCP/UDP port. NOTE In order to use a custom port for directory authentication, you need first to send a PATCH request with the custom port mentioned in the `ServiceAddresses[]` array, as shown in step 1 of the below example. Then, you have to remove the custom port and send the PATCH request again as mentioned in step 2 below. The first step populates the `Oem.Hpe.DirectorySettings.LdapServerPort` read-only property, but keeps the port number in the `ServiceAddresses[]` array, which makes it redundant. The second step removes the redundant port number in the `ServiceAddresses[]` array. Generic Request ```text PATCH /redfish/v1/AccountService/ ``` Step 1 ```json { "LDAP": { "AccountProviderType": "ActiveDirectoryService", "ServiceEnabled": true, "ServiceAddresses": [ ":4646" ] } } ``` Step 2 ```json { "LDAP": { "AccountProviderType": "ActiveDirectoryService", "ServiceEnabled": true, "ServiceAddresses": [ "" ] } } ``` ### Configuring generic LDAP Authentication The following example enables authentication by a generic LDAP service using the default TCP/UDP port `636`. Generic LDAP configuration request ```text PATCH /redfish/v1/AccountService/ ``` Default LDAP server port 636 ```json { "LDAP": { "AccountProviderType": "LDAPService", "ServiceEnabled": true, "ServiceAddresses": [ "" ] } } ``` The following example enables authentication by a generic LDAP service using a custom TCP/UDP port. NOTE In order to use a custom port for directory authentication, you need first to send a PATCH request with the custom port mentioned in the `ServiceAddresses[]` array, as shown in step 1 of the below example. Then, you have to remove the custom port and send the request again as mentioned in step 2 below. The first step populates the `Oem.Hpe.DirectorySettings.LdapServerPort` read-only property, but keeps this port number in the `ServiceAddresses[]` array. The second step removes the redundant port number in the `ServiceAddresses[]` array. Generic LDAP configuration request ```text PATCH /redfish/v1/AccountService/ ``` Step 1 ```json { "LDAP": { "AccountProviderType": "LDAPService", "ServiceEnabled": true, "ServiceAddresses": [ ":4646" ] } } ``` Step 2 ```json { "LDAP": { "AccountProviderType": "LDAPService", "ServiceEnabled": true, "ServiceAddresses": [ "" ] } } ``` ### Disable Active Directory and generic LDAP Authentication Disabling Active Directory and LDAP ```text PATCH /redfish/v1/AccountService/ ``` Body 1 ```json { "LDAP": { "AccountProviderType": "ActiveDirectoryService", "ServiceEnabled": false, } } ``` Body 2 ```json { "LDAP": { "AccountProviderType": "LDAPService", "ServiceEnabled": false, } } ``` ### Enable and configure HPE Extended Schema Authentication (Active Directory only) HPE extended Schema authentication (AD only) ```text PATCH /redfish/v1/AccountService/ ``` Body ```json { "LDAP": { "ServiceEnabled": true, "ServiceAddresses": [ "" ], "Authentication": { "Username": "CN=testdevice,CN=Users,DC=ilotest2,DC=com" } }, "Oem": { "Hpe": { "DirectorySettings": { "LdapAuthenticationMode": "ExtendedSchema" } } } } ``` ### Add User Search Contexts The following example shows two possibilities to add user search contexts The first one (Body 1) adds two new User Search Contexts, with no already existing User Search Context present. The second one (Body 2) adds a new User Search Context, with two existing User Search Contexts present. Add User Search contexts ```text PATCH /redfish/v1/AccountService/ ``` Body 1 ```json { "LDAP": { "LDAPService": { "SearchSettings": { "BaseDistinguishedNames": [ "CN=Users,DC=domain,DC=com", "DC=domain,DC=com" ] } } } } ``` Body 2 ```json { "LDAP": { "LDAPService": { "SearchSettings": { "BaseDistinguishedNames": [ "CN=Users,DC=domain,DC=com", "DC=domain,DC=com", "DC=testdomain,DC=com" ] } } } } ``` ### Delete User Search Contexts The following example shows two possibilities to delete User Search Contexts. The first one (Body 1) deletes one/multiple User Search Contexts: Assume you have three existing User Search Contexts, e.g. "CN=Users,DC=domain,DC=com", "DC=domain,DC=com" and "DC=testdomain,DC=com". To delete one, exclude it from the payload and keep the ones to be retained. The second one (Body 2) deletes all User Search Contexts. Delate User Search Contexts ```text PATCH /redfish/v1/AccountService/ ``` Body 1 ```json { "LDAP": { "LDAPService": { "SearchSettings": { "BaseDistinguishedNames": [ "CN=Users,DC=domain,DC=com", "DC=domain,DC=com" ] } } } } ``` Body 2 ```json { "LDAP": { "LDAPService": { "SearchSettings": { "BaseDistinguishedNames": [ "" ] } } } } ``` ### LDAP server CA certificate management This paragraph provides examples for managing the LDAP server Certificate Authority (CA) certificate that can be used by HPE iLO. Tip Several other Redfish subsystems use also certificates to secure their use. Refer to the following documentation sections for their management: - [iLO TLS certificates](/docs/redfishservices/ilos/supplementdocuments/securityservice#ilo-tls-certificates) - [Server management identities](/docs/redfishservices/ilos/supplementdocuments/securityservice#server-management-identities) - [Secure boot databases](/docs/concepts/securebootdatabases#accessing-secure-boot-databases-from-redfish) - [UEFI/BIOS TLS subsystem](/docs/redfishservices/ilos/supplementdocuments/biostlsconf#installing-certificates-in-the-hpe-tls-boot-subsystem) #### Import LDAP server CA certificate Import LDAP Server CA certificate ```text POST /redfish/v1/AccountService/ExternalAccountProviders/LDAP/Certificates/ ``` Body ```json { "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIEHTCCAwWgAwIBAgIQe8LmWgF5edKw01/avJg69DANBgkqhkiG9w0BAQsFADCB ………………………………………………………………………………………………………………………………… ………………………………………………………………………………………………………………………………… Ow==\n-----END CERTIFICATE-----\n" } ``` #### View LDAP server CA certificate status LDAP server CA certificate status ```text GET /redfish/v1/AccountService/?$select=Oem/Hpe/DirectorySettings/LdapCaCertificateLoaded` ``` Response Body ```json { "@odata.context": "/redfish/v1/$metadata#AccountService.AccountService", "@odata.etag": "W/\"8F1B1B4B\"", "@odata.id": "/redfish/v1/AccountService/", "@odata.type": "#AccountService.v1_5_0.AccountService", "Oem": { "Hpe": { "DirectorySettings": { "LdapCaCertificateLoaded": false } } } } ``` #### View LDAP server CA certificate details NOTE The LDAP provider supports a single certificate LDAP server CA certificate details ```text GET /redfish/v1/AccountService/ExternalAccountProviders/LDAP/Certificates/{certId}/ ``` Response body ```json { "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.etag": "W/\"A1110A63\"", "@odata.id": "/redfish/v1/AccountService/ExternalAccountProviders/LDAP/Certificates/1/", "@odata.type": "#Certificate.v0_9_0.Certificate", "Id": "1", "Issuer": "/C=US/O=Hewlett Packard Enterprise Company/OU=Infrastructure Services/CN=Hewlett Packard Enterprise Private Root CA", "Name": "LDAP Certificate", "SerialNumber": "7BC2E65A017979D2B0D35FDABC983AF4", "Subject": "/C=US/O=Hewlett Packard Enterprise Company/OU=Infrastructure Services/CN=Hewlett Packard Enterprise Private Root CA", "ValidNotAfter": "2025-03-16T23:59:59Z", "ValidNotBefore": "2015-03-17T00:00:00Z" } ``` ### Add new Directory Groups (No Existing Groups) Note "Administrator" and "Operator" are predefined Redfish [RoleIds](#roles-and-privileges). "LDAP" can also be used instead of "ActiveDirectory". Add new directory Groups ```text PATCH /redfish/v1/AccountService/ ``` Body ```json { "ActiveDirectory": { "RemoteRoleMapping": [ { "LocalRole": "Administrator", "RemoteGroup": "TestGroup1" }, { "LocalRole": "Operator", "RemoteGroup": "TestGroup2" } ] } } ``` ### View Directory Groups View Directory Groups ```text GET /redfish/v1/AccountService/?$select=LDAP/RemoteRoleMapping, ActiveDirectory/RemoteRoleMapping` ``` Response body ```json { "@odata.context": "/redfish/v1/$metadata#AccountService.AccountService", "@odata.etag": "W/\"8F1B1B4B\"", "@odata.id": "/redfish/v1/AccountService/", "@odata.type": "#AccountService.v1_5_0.AccountService", "ActiveDirectory": { "RemoteRoleMapping": [ { "LocalRole": "dirgroupb3d8954f6ebbe735764e9f7c", "RemoteGroup": "Administrators" }, { "LocalRole": "dirgroup9d4546a03a03bb977c03086a", "RemoteGroup": "Authenticated Users:S-1-5-11" } ] }, "LDAP": { "RemoteRoleMapping": [ { "LocalRole": "dirgroupb3d8954f6ebbe735764e9f7c", "RemoteGroup": "Administrators" }, { "LocalRole": "dirgroup9d4546a03a03bb977c03086a", "RemoteGroup": "Authenticated Users:S-1-5-11" } ] } } ``` ### Add New Directory Groups to Existing Groups In the following example, assume that two directory groups are already present (TestGroup1 and TestGroup2). Use the `LocaleRole` and `RemoteGroup` values for the existing directory groups in the payload. Add an additional group "TestGroup3" with "ReadOnly" Redfish Role. "LDAP can also be used instead of "ActiveDirectory". Add New Directory groups to existing groups ```text PATCH /redfish/v1/AccountService/ ``` Body ```json { "ActiveDirectory": { "RemoteRoleMapping": [ { "LocalRole": "dirgroup4c6c827762dd20dc530c52ef", "RemoteGroup": "TestGroup1" }, { "LocalRole": "dirgroupeb9a3afc9cd9d126249c3aed", "RemoteGroup": "TestGroup2" }, { "LocalRole": "ReadOnly", "RemoteGroup": "TestGroup3" } ] } } ``` ### Delete Directory Groups In the following example, assume you have three existing directory groups, e.g. "TestGroup1", "TestGroup2" and "TestGroup3". To delete "TestGroup3", exclude it from the payload and keep the ones to be retained. "LDAP" can also be used instead of "ActiveDirectory". It shows how to delete one/multiple Directory Groups (Body 1) or all Directory Groups (Body 2). NOTE "LDAP" can also be used instead of "ActiveDirectory" Delete Directory Groups ```text PATCH /redfish/v1/AccountService/ ``` Body 1 ```json { "ActiveDirectory": { "RemoteRoleMapping": [ { "LocalRole": "dirgroup4c6c827762dd20dc530c52ef", "RemoteGroup": "TestGroup1" }, { "LocalRole": "dirgroupeb9a3afc9cd9d126249c3aed", "RemoteGroup": "TestGroup2" } ] } } ``` Body 2 ```json { "ActiveDirectory": { "RemoteRoleMapping": [ {} ] } } ``` ### View Directory Group Privileges Retrieve Roles collection ```text GET /redfish/v1/AccountService/Roles/ ``` Response body ```json { "@odata.context": "/redfish/v1/$metadata#RoleCollection.RoleCollection", "@odata.etag": "W/\"08A22FCA\"", "@odata.id": "/redfish/v1/AccountService/Roles/", "@odata.type": "#RoleCollection.RoleCollection", "Description": "iLO Roles Collection", "Name": "Roles", "Members": [ { "@odata.id": "/redfish/v1/AccountService/Roles/Administrator/" }, { "@odata.id": "/redfish/v1/AccountService/Roles/Operator/" }, { "@odata.id": "/redfish/v1/AccountService/Roles/ReadOnly/" }, { "@odata.id": "/redfish/v1/AccountService/Roles/dirgroup4c6c827762dd20dc530c52ef/" }, { "@odata.id": "/redfish/v1/AccountService/Roles/dirgroupeb9a3afc9cd9d126249c3aed/" } ], "Members@odata.count": 5 } ``` GET specific Directory Group privileges ```text GET /redfish/v1/AccountService/Roles/{directoryGroupId}/ ``` Response body ```json { "@odata.context": "/redfish/v1/$metadata#Role.Role", "@odata.etag": "W/\"D17157B3\"", "@odata.id": "/redfish/v1/AccountService/Roles/dirgroup4c6c827762dd20dc530c52ef/", "@odata.type": "#Role.v1_2_1.Role", "Id": "dirgroup4c6c827762dd20dc530c52ef", "AssignedPrivileges": [ "Login", "ConfigureSelf", "ConfigureManager", "ConfigureUsers" ], "Description": "iLO Directory Group Role", "IsPredefined": false, "Name": "Group Role", "Oem": { "Hpe": { "@odata.context": "/redfish/v1/$metadata#HpeDirectoryGroup.HpeDirectoryGroup", "@odata.type": "#HpeDirectoryGroup.v1_0_0.HpeDirectoryGroup", "GroupDn": "TestGroup1", "GroupSid": "" } }, "OemPrivileges": [ "RemoteConsolePriv", "VirtualMediaPriv", "VirtualPowerAndResetPriv", "HostBIOSConfigPriv", "HostNICConfigPriv", "HostStorageConfigPriv" ], "RoleId": "dirgroup4c6c827762dd20dc530c52ef" } ``` ### Modify Directory Group Privileges Sample Body 1 (Update AssignedPrivileges): Add/Remove the privileges in the AssignedPrivileges[] array. Sample Body 2 (Update OemPrivileges): Add/Remove the privileges in the OemPrivileges[] array. Add ```text PATCH /redfish/v1/AccountService/Roles/{directoryGroupId}/ ``` Body 1 ```json { "AssignedPrivileges": [ "Login", "ConfigureSelf", "ConfigureUsers" ] } ``` Body 2 ```json { "OemPrivileges": [ "RemoteConsolePriv", "VirtualPowerAndResetPriv", "HostNICConfigPriv", "HostStorageConfigPriv" ] } ``` ### Enable, Configure, Disable Kerberos Authentication Configure Kerberos ```text PATCH /redfish/v1/AccountService/ ``` Body for Disable ```json { "ActiveDirectory": { "ServiceEnabled": false } } ``` Body for Enable realm ```json { "ActiveDirectory": { "ServiceEnabled": true, "ServiceAddresses": [ "testkdc.hpe.com@TESTKDCREALM.COM" ] } } ``` Body with custom KDC server port ```json { "ActiveDirectory": { "ServiceEnabled": true, "ServiceAddresses": [ "testkdc.hpe.com:8888@TESTKDCREALM.COM" ] } } ``` ### Import Kerberos Keytab File Import Keytab file ```text POST /redfish/v1/AccountService/Actions/Oem/Hpe/HpeiLOAccountService.ImportKerberosKeytab/ ``` Body ```json { "ImportUri": "http://" } ``` ## Start directory test Directory test ```text POST on /redfish/v1/AccountService/DirectoryTest/Actions/HpeDirectoryTest.StartTest/ ``` Body 1 ```json { } ``` Body 2 ```json { "TestUserName": "TestUser1", "TestUserPassword": "TestPassword1" } ``` Body 3 ```json { "TestUserName": "TestUser1", "TestUserPassword": "TestPassword1", "DirectoryAdminDn": "CN=Administrator,CN=Users,DC=ilotest2,DC=com", "DirectoryAdminPassword": "AdminPassword" } ``` ### Stop Directory Test Stop tests ```text POST /redfish/v1/AccountService/DirectoryTest/Actions/HpeDirectoryTest.StopTest/ ``` Body ```json { } ``` ### View Directory Test Result View test results ```text GET /redfish/v1/AccountService/DirectoryTest/ ``` Response body ```json { "@odata.context": "/redfish/v1/$metadata#HpeDirectoryTest.HpeDirectoryTest", "@odata.etag": "W/\"6B3F28F1\"", "@odata.id": "/redfish/v1/AccountService/DirectoryTest/", "@odata.type": "#HpeDirectoryTest.v1_0_0.HpeDirectoryTest", "Id": "DirectoryTest", "Actions": { "#HpeDirectoryTest.StartTest": { "target": "/redfish/v1/AccountService/DirectoryTest/Actions/HpeDirectoryTest.StartTest/" }, "#HpeDirectoryTest.StopTest": { "target": "/redfish/v1/AccountService/DirectoryTest/Actions/HpeDirectoryTest.StopTest/" } }, "OverallStatus": "NotRun", "TestResults": [ { "Notes": "", "Status": "NotRun", "TestName": "Directory Server DNS Name" }, { "Notes": "", "Status": "NotRun", "TestName": "Ping Directory Server" }, { "Notes": "", "Status": "NotRun", "TestName": "Connect to Directory Server" }, { "Notes": "", "Status": "NotRun", "TestName": "Connect using SSL" }, { "Notes": "", "Status": "NotRun", "TestName": "Bind to Directory Server" }, { "Notes": "", "Status": "NotRun", "TestName": "Directory Administrator login" }, { "Notes": "", "Status": "NotRun", "TestName": "User Authentication" }, { "Notes": "", "Status": "NotRun", "TestName": "User Authorization" }, { "Notes": "", "Status": "NotRun", "TestName": "Directory User Contexts" }, { "Notes": "", "Status": "NotRun", "TestName": "LOM Object exists" } ] } ```