Supermicro IPMI has the capability to use Active Directory to authenticate users without having to add each individual user to the IPMI system on each server device. Instead of authenticating a user against the internal IPMI user database, the IPMI BMC can query Active Directory. Users with authorization to login are identified by a specific security group. Any user which is a member of the security group is granted access.
The login precedence is:
- Authenticate against the internal IPMI database
- Authenticate against other repositories, in this case Active Directory
Configuration steps to perform
- Create USER Account in Active Directory
- Create GROUP to give users access to Supermicro systems via IPMI
- Add the Active Directory group to IPMI
- Configure IPMI for your Active Directory Server
- Test access to your Supermicro system
Create USER Account in Active Directory
In this example we will create a typical user. There is nothing special about the user details as any user account will work.
Create the user account on Active Directory.
In this example we set Password Never Expires for simplicity. This is not typical and not required. Create the user account with your IT standard procedure.
Create Active Directory Group
Create a group to identify IPMI users with authorization to log into IPMI.
Active Directory Users and Groups >> Users >> New >> Group
In this example, we use the group name IPMILogin. Any group name will work.
Add the Group to Active Directory User Account
Active Directory Users and Computers >> <user> >> Properties (right click)
Select “Members Of” Tab
Click on OK
Click on Add
Enter your group and click Check Names then OK
And the user is now a member of the IPMI login group.
Add the Active Directory group to IPMI
Now we will configure the server by adding the Active Directory group to the IPMI system.
Log into the server via IPMI via the built-in IPMI account.
The default is:
Click on Configuration
Select the Active Directory configuration button.
On the Active Directory IPMI configuration screen, there are a set of rows available to configure.
Click on the first available row.
Then click on the Add Role Group button.
Fill in the form and press OK.
The resultant for row 1 should be something like this example.
Notice the Group Domain. This should be the fully qualified domain for your Active Directory system.
Configure IPMI for your Active Directory Server
The IPMI system will need to be configured with the details to find your Active Directory server.
Select Advance Settings
Enter the Details of your Active Directory, such as the AD fully qualified domain. This should match your user configuration.
Then click on Save.
The system should be configured.
Test access to your Supermicro IPMI BMC
Login to IPMI, this time use your Active Directory user credentials.
In this example
Password: <created in Active Directory>
If login is successful, you should see your AD username in the Identification at the top.