
1 Rookie, 9 Posts, September 29th, 2023 20:33

IDRAC9 LDAP (FreeIPA) MFA (password + OTP) authentication fails

There is another thread for this, but it's a few years old and under the PowerEdge forum; I think iDRAC-related posts go more under this one.

Has anyone used MFA on iDRAC? I have a vanilla setup of FreeIPA. I connect iDRAC to it and it works for user/password authentication. If I enable a user to use password + OTP, then that user cannot log into iDRAC. This works fine on HPE iLO and Cisco CIMC. Looking at logs, it seems like it does one BIND that works, and then a 2nd identical BIND which fails. Possible bug that it doesn't pass credentials right the 2nd time?

Access log on LDAP server

conn=1420 fd=233 slot=233 SSL connection from 10.10.10.60 to 10.10.10.13
conn=1420 op=-1 fd=233 Disconnect - Encountered end of file.
conn=1421 fd=233 slot=233 SSL connection from 10.10.10.60 to 10.10.10.13
conn=1421 TLS1.3 128-bit AES-GCM
conn=1421 op=0 BIND dn="uid=admin,cn=users,cn=accounts,DC=domain,DC=local" method=128 version=3
conn=1421 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.009837808 optime=0.020517794 etime=0.030353984 dn="uid=admin,cn=users,cn=accounts,DC=domain,DC=local"
conn=1421 op=1 SRCH base="cn=users,cn=accounts,DC=domain,DC=local" scope=2 filter="(uid=user123)" attrs="objectClass memberOf distinguishedName uid objectcategory defaultnamingcontext namingContexts ldapservicename supportedControl supportedExtension"
conn=1421 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000105536 optime=0.000465411 etime=0.000569243
conn=1421 op=2 UNBIND
conn=1421 op=2 fd=233 Disconnect - Cleanly Closed Connection - U1
conn=1422 fd=234 slot=234 SSL connection from 10.10.10.60 to 10.10.10.13
conn=1422 TLS1.3 128-bit AES-GCM
conn=1422 op=0 BIND dn="uid=user123,cn=users,cn=accounts,DC=domain,DC=local" method=128 version=3  <--- This BIND works with user123
conn=1422 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.010495809 optime=0.021563040 etime=0.032051833 dn="uid=user123,cn=users,cn=accounts,DC=domain,DC=local"
conn=1422 op=1 UNBIND
conn=1422 op=1 fd=234 Disconnect - Cleanly Closed Connection - U1
conn=1423 fd=233 slot=233 SSL connection from 10.10.10.60 to 10.10.10.13
conn=1423 TLS1.3 128-bit AES-GCM
conn=1423 op=0 BIND dn="uid=user123,cn=users,cn=accounts,DC=domain,DC=local" method=128 version=3  <--- This BIND fails with user123
conn=1423 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.009417751 optime=0.000500152 etime=0.009916215
conn=1423 op=1 UNBIND
conn=1423 op=1 fd=233 Disconnect - Cleanly Closed Connection - U1

Output from iDRAC test with MFA user
Initiating Directory Services Settings Diagnostics:
trying LDAP server ldapserver.domain.local:636
Server Address ldapserver.domain.local resolved to 10.10.10.13
connect to 10.10.10.13:636 passed
Connecting to ldaps://[ldapserver.domain.local]:636...
Test user authenticated user=uid=admin,cn=users,cn=accounts,DC=domain,DC=local host=ldapserver.domain.local
Search command:
   Bind DN: uid=admin,cn=users,cn=accounts,DC=domain,DC=local
   Scope: subtree
   Base DN: cn=users,cn=accounts,DC=domain,DC=local
   Search filter: (uid=user123)
   Attribute list:
   objectClass
   memberOf
   dn
   uid
   objectCategory
   defaultNamingContext
   namingContexts
   ldapServiceName
   supportedControl
   supportedExtension
Connecting to ldaps://[ldapserver.domain.local]:636...
Test user authenticated user=uid=user123,cn=users,cn=accounts,DC=domain,DC=local host=ldapserver.domain.local  <--- This BIND works with user123
Connecting to ldaps://[ldapserver.domain.local]:636...
ERROR: bind failed: Invalid credentials, (null): user=uid=user123,cn=users,cn=accounts,DC=domain,DC=local host=ldapserver.domain.local  <--- This BIND fails with user123

I'd appreciate it if anyone has any ideas. Thanks

1 Rookie, 9 Posts, December 20th, 2023 15:45

Looks like iDRAC 7.00.60.00 fixed this

Moderator, 3.4K Posts, October 2nd, 2023 09:09

Hi,

The only documentation that I can find is for iDRAC9 using RSA SecurID 2FA login. It may not be the same as what you're using with FreeIPA, but it can probably serve as a reference to help you identify the issue:

https://dell.to/46uAEjq

I'd say to leave it to the community members to provide feedback if they have a similar setup to yours.

1 Rookie, 9 Posts, October 2nd, 2023 17:55

Thanks Joey, I read through what you sent. The password + PIN is similar to RSA, but it doesn't look like the attached document will work outside of an RSA environment. I opened a support case, and the awesome folks in support were able to get me an answer that this functionality is coming. Here is what support provided:

So as of right now, the iDRAC won't currently work with 2FA solutions that use an OTP because of the way it handles binds.

When using LDAP authentication, the iDRAC makes three separate bind requests:

1. User info query (anonymous or bindDN)

2. Authentication (user credentials)

3. Authorization (user credentials)

The OTP is consumed in step 2, which causes the request in step 3 to fail.

***There's going to be an iDRAC firmware update later this year which will add an option to use anonymous/bindDN instead of user credentials for step 3.
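To show why the flow support describes breaks with an OTP, here is an added Python model (constructed for this thread; it is not iDRAC or FreeIPA code): a mock directory that accepts a password+OTP credential once and rejects a replay, driven through the three binds both in the current configuration (user credentials for step 3) and in the announced one (bindDN for step 3). The DNs mirror the log above; the passwords, token seed and replay-cache behaviour are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; a TOTP token is the same with counter = current time step."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class MockOtpDirectory:
    """Constructed stand-in for an LDAP server with password+OTP users (not FreeIPA)."""

    def __init__(self):
        self.users = {}        # dn -> (password, otp_secret or None)
        self.consumed = set()  # (dn, otp) pairs already accepted; a replay is rejected

    def add_user(self, dn, password, otp_secret=None):
        self.users[dn] = (password, otp_secret)

    def bind(self, dn, credential, step):
        """Simple bind; returns LDAP result code 0 (success) or 49 (invalidCredentials)."""
        if dn not in self.users:
            return 49
        password, secret = self.users[dn]
        if secret is None:  # plain password user (e.g. the service bind DN)
            return 0 if credential == password else 49
        # Password+OTP user: credential is the password immediately followed by the code.
        if len(credential) < 6 or credential[:-6] != password:
            return 49
        otp = credential[-6:]
        if otp != hotp(secret, step) or (dn, otp) in self.consumed:
            return 49
        self.consumed.add((dn, otp))  # the OTP is consumed here (assumed replay protection)
        return 0


def idrac_login(directory, bind_dn, bind_pw, user_dn, credential, step, authz_with_bind_dn):
    """The three binds support described: user lookup, authentication, authorization."""
    codes = [directory.bind(bind_dn, bind_pw, step),     # 1. user info query (bindDN)
             directory.bind(user_dn, credential, step)]  # 2. authentication (consumes OTP)
    if authz_with_bind_dn:                               # 3. authorization
        codes.append(directory.bind(bind_dn, bind_pw, step))
    else:
        codes.append(directory.bind(user_dn, credential, step))  # same OTP again -> err=49
    return codes
```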

1 Message, March 18th, 2024 06:36

Following up on this. Has the iDRAC firmware been updated to support this?

Moderator, 3.4K Posts, March 18th, 2024 08:45

Hi,

It seems that the post owner mentioned the fix is in the newer version for his issue.
