This guide assumes the following pre-requisites are currently configured:
- An active Domain Environment using Windows Server 2008 R2 or newer.
- A physical Syslog-ng Store Box (SSB) appliance.
Before starting, please review the permissions for the User, Operator, and Administrator access within the IPMI via the table directly below:
1.) Start by logging into Active Directory Users and Computers.
2.) Next, locate the Organizational Unit (OU) in which the 3 security groups will be created for access to the IPMI.
3.) Start by creating the User group.
3.a) Right-click and select New > Group
3.b) Enter a Group name for this group. It can be any name, but note that this group only applies "User" permissions to its members.
3.c) The Group scope should be "Global" and the Group type should be "Security".
3.d) Click OK.
4.) Next, create the Operator group.
4.a) Right-click and select New > Group
4.b) Enter a Group name for this group. It can be any name, but note that this group only applies "Operator" permissions to its members.
4.c) The Group scope should be "Global" and the Group type should be "Security".
4.d) Click OK.
5.) Next, create the Administrator group.
5.a) Right-click and select New > Group
5.b) Enter a Group name for this group. It can be any name, but note that this group will apply "Administrator" permissions to its members.
5.c) The Group scope should be "Global" and the Group type should be "Security".
5.d) Click OK.
6.) Now that the 3 groups have been created, members can be added to each group based on the permissions desired for those accounts.
7.) Navigate to the IPMI of the Syslog-ng Store Box (SSB) via a web browser.
8.) Log into the IPMI with the ADMIN account and navigate to Configuration > Active Directory.
9.) Left-click on Role Group ID number 1 to highlight this group and then left-click on the option "Modify Role Group".
10.) A new page will appear. Fill in the fields as follows:
10.a) Role Group Name: - This is the group name created for "User" privileges only.
10.b) Role Group Domain: - This will be the Fully Qualified Domain Name (FQDN) of the domain being authenticated against.
10.c) Role Group Privilege: - Left-click the drop-down and choose "User".
10.d) Left-click on the "Modify" option, which will apply the changes made. A small window at the top of the page may appear stating the changes were successful. If so, left-click "OK" when prompted.
11.) The page will redirect back to the Active Directory options page. Continue by left-clicking on Role Group ID number 2 to highlight this group and then left-click on the option "Modify Role Group".
12.) A new page will appear. Fill in the fields as follows:
12.a) Role Group Name: - This is the group name created for "Operator" privileges only.
12.b) Role Group Domain: - This will be the Fully Qualified Domain Name (FQDN) of the domain being authenticated against.
12.c) Role Group Privilege: - Left-click the drop-down and choose "Operator".
12.d) Left-click on the "Modify" option, which will apply the changes made. A small window at the top of the page may appear stating the changes were successful. If so, left-click "OK" when prompted.
13.) The page will redirect back to the Active Directory options page. Continue by left-clicking on Role Group ID number 3 to highlight this group and then left-click on the option "Modify Role Group".
14.) A new page will appear. Fill in the fields as follows:
14.a) Role Group Name: - This is the group name created for "Administrator" privileges.
14.b) Role Group Domain: - This will be the Fully Qualified Domain Name (FQDN) of the domain being authenticated against.
14.c) Role Group Privilege: - Left-click the drop-down and choose "Administrator".
14.d) Left-click on the "Modify" option, which will apply the changes made. A small window at the top of the page may appear stating the changes were successful. If so, left-click "OK" when prompted.
15.) Now that the groups have been defined, left-click on the linked text "here" at the top of the page where the following appears: "To enable or configure the Active Directory server, please click. here"
16.) Start by left-clicking the checkbox for "Enable Active Directory Authentication."
17.) If SSL is desired, the checkbox for "Active Directory Authentication over SSL." may be checked. Please ensure that the proper certificates have been uploaded to Configuration > SSL Certification.
18.) By default, AD authentication is done over TCP port 389. When using SSL, TCP port 636 is the default. Ensure that firewall rules and access controls allow a successful connection to Active Directory.
19.) For "User Domain Name", fill in the FQDN of the domain.
20.) For "Time Out", the default is 10 seconds. Feel free to adjust accordingly.
21.) For Domain Controller Server Address 1, 2 and 3, input the IP addresses of one, two, or three Domain Controllers within the domain specified in "User Domain Name".
*NOTE* Only IPv4 addresses can be used at this time, support for hostnames and/or IPv6 is not available currently.
*NOTE* Only a single domain can be used at this time. The IPMI cannot be configured for access across multiple domains.
22.) Left-click the "Save" option once done. A small window at the top of the page may appear stating "The requested configuration has been successfully set." If so, left-click "OK" when prompted.
23.) Active Directory authentication should now be set. Log out and try logging in using an Active Directory account in the following format:
Username - exampleaccount@example.domain.local
Password - Active Directory password for the above account.
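
The group creation in steps 3 through 6 and the port requirement in step 18 can also be scripted and checked from a domain-joined management host. The following PowerShell is an added example, not part of the original guide or vendor code; the OU path, group names and Domain Controller addresses are placeholders to replace with your own, and the port test only shows reachability from the host running the script, not from the IPMI interface itself.

```powershell
# Added example. All names and addresses below are assumed placeholders.
Import-Module ActiveDirectory

$OuPath = 'OU=IPMI Access,DC=example,DC=domain,DC=local'   # OU chosen in step 2
$Groups = [ordered]@{                                       # group name -> IPMI privilege
    'SSB-IPMI-User'          = 'User'
    'SSB-IPMI-Operator'      = 'Operator'
    'SSB-IPMI-Administrator' = 'Administrator'
}

# Steps 3-5: create each group as Global / Security, skipping any that already exist.
foreach ($name in $Groups.Keys) {
    $existing = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $OuPath
    if (-not $existing) {
        New-ADGroup -Name $name -SamAccountName $name -Path $OuPath `
            -GroupScope Global -GroupCategory Security `
            -Description "IPMI role group: $($Groups[$name]) privilege"
    }
}

# Step 6: add members as required, for example:
# Add-ADGroupMember -Identity 'SSB-IPMI-Operator' -Members 'exampleaccount'

# Review who ends up with each IPMI privilege, including members of nested groups.
foreach ($name in $Groups.Keys) {
    Get-ADGroupMember -Identity $name -Recursive |
        Select-Object @{n='Group';e={$name}},
                      @{n='Privilege';e={$Groups[$name]}},
                      SamAccountName, objectClass
}

# Steps 18 and 21: the IPMI accepts IPv4 addresses only, so validate each entry,
# then test TCP 389 (default) and 636 (SSL) against each Domain Controller.
$DomainControllers = '192.0.2.10', '192.0.2.11'             # placeholder addresses
foreach ($dc in $DomainControllers) {
    $ip = $null
    $isIPv4 = [System.Net.IPAddress]::TryParse($dc, [ref]$ip) -and
              $ip.AddressFamily -eq 'InterNetwork'
    if (-not $isIPv4) {
        Write-Warning "$dc is not an IPv4 address and cannot be used in the IPMI"
        continue
    }
    foreach ($port in 389, 636) {
        Test-NetConnection -ComputerName $dc -Port $port |
            Select-Object ComputerName, RemotePort, TcpTestSucceeded
    }
}
```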