|
| 1 | +# BMC Directory Service Configuration - Requirements Definition - Extracted from sap.baremetal - deve-_role - bmc_directory |
| 2 | + |
| 3 | +## Overview |
| 4 | +This document defines the functional requirements for BMC (Baseboard Management Controller) Active Directory/LDAP integration, based on existing automation for Dell iDRAC, HPE iLO, Lenovo XCC, and Lenovo IMM systems. |
| 5 | + |
| 6 | +## Functional Requirements |
| 7 | + |
| 8 | +### 1. Multi-Vendor BMC Support |
| 9 | +The solution must configure Active Directory integration for: |
| 10 | +- Dell iDRAC (versions < 10 and iDRAC 10) |
| 11 | +- HPE iLO |
| 12 | +- Lenovo XCC (XCC, XCC2, XCC3 variants) |
| 13 | +- Lenovo IMM (legacy systems) |
| 14 | + |
| 15 | +### 2. Active Directory/LDAP Integration |
| 16 | + |
| 17 | +#### 2.1 LDAP Server Configuration |
| 18 | +The solution must configure: |
| 19 | +- Domain controller hostname/IP address |
| 20 | +- LDAPS port (636) |
| 21 | +- Base Distinguished Name derived from domain (e.g., `DC=ad,DC=region,DC=cloud,DC=sap`) |
| 22 | +- Search username attribute: `sAMAccountName` |
| 23 | +- Authentication type: Username/Password |
| 24 | + |
| 25 | +**Current Implementation:** |
| 26 | +- **Dell iDRAC**: PATCH to `/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1` with attributes: |
| 27 | + - `ActiveDirectory.1.DomainController1`: `<dc-hostname>` |
| 28 | + - `UserDomain.1.Name`: `<domain-name>` |
| 29 | + - `ActiveDirectory.1.AuthTimeout`: `120` |
| 30 | +- **HPE iLO**: PATCH to `/redfish/v1/AccountService/` with body: |
| 31 | + ```json |
| 32 | + { |
| 33 | + "LDAP": { |
| 34 | + "ServiceAddresses": ["<dc-hostname>"], |
| 35 | + "Authentication": { |
| 36 | + "Username": "DC=<DN>" |
| 37 | + } |
| 38 | + } |
| 39 | + } |
| 40 | + ``` |
| 41 | +- **Lenovo XCC**: PATCH to `/redfish/v1/AccountService` with: |
| 42 | + ```json |
| 43 | + { |
| 44 | + "LDAP": { |
| 45 | + "ServiceAddresses": ["<dc-hostname>:636"], |
| 46 | + "LDAPService": { |
| 47 | + "SearchSettings": { |
| 48 | + "BaseDistinguishedNames": ["DC=<DN>"], |
| 49 | + "UsernameAttribute": "sAMAccountName" |
| 50 | + } |
| 51 | + } |
| 52 | + } |
| 53 | + } |
| 54 | + ``` |
| 55 | +- **Lenovo IMM**: Raw CLI command: `ldap -s1ip <dc-hostname> -s1pn 636 -r <DN> -u sAMAccountName` |
| 56 | + |
| 57 | +#### 2.2 Authentication Mode Configuration |
| 58 | +The solution must: |
| 59 | +- Enable local account authentication as fallback |
| 60 | +- Enable LDAP/Active Directory authentication |
| 61 | +- Configure hybrid authentication mode (LDAP + local) |
| 62 | + |
| 63 | +**Current Implementation:** |
| 64 | +- **Dell iDRAC**: Sets `ActiveDirectory.1.Enable: "Enabled"` via manager attributes |
| 65 | +- **HPE iLO**: Sets `LocalAccountAuth: "Enabled"` in AccountService |
| 66 | +- **Lenovo XCC**: Sets `LocalAccountAuth: Fallback` in AccountService |
| 67 | +- **Lenovo IMM**: Raw CLI: `accseccfg -am ldaplocal` |
| 68 | + |
| 69 | +#### 2.3 AD Group to Role Mapping |
| 70 | +The solution must: |
| 71 | +- Map multiple Active Directory groups to BMC administrator roles |
| 72 | +- Support region-specific group mappings (production vs QA/lab) |
| 73 | +- Clear existing group mappings before applying new configuration |
| 74 | +- Support vendor-specific slot/privilege models |
| 75 | + |
| 76 | +**Current Implementation:** |
| 77 | + |
| 78 | +**Dell iDRAC** (15 slots): |
| 79 | +- PATCH manager attributes with combined group data: |
| 80 | + ```json |
| 81 | + { |
| 82 | + "ADGroup.1.Name": "<group-name>", |
| 83 | + "ADGroup.1.Privilege": 511, // full admin |
| 84 | + "ADGroup.1.Domain": "<domain>", |
| 85 | + "ADGroup.2.Name": "", |
| 86 | + "ADGroup.2.Privilege": 000, // empty slot |
| 87 | + ... |
| 88 | + } |
| 89 | + ``` |
| 90 | +- iDRAC 10 uses `ADGroup.X.Role: "Administrator"` instead of Privilege |
| 91 | + |
| 92 | +**HPE iLO** (dynamic): |
| 93 | +- PATCH to `/redfish/v1/AccountService/`: |
| 94 | + ```json |
| 95 | + { |
| 96 | + "ActiveDirectory": { |
| 97 | + "RemoteRoleMapping": [ |
| 98 | + {"LocalRole": "Administrator", "RemoteGroup": "<group1>"}, |
| 99 | + {"LocalRole": "Administrator", "RemoteGroup": "<group2>"} |
| 100 | + ] |
| 101 | + } |
| 102 | + } |
| 103 | + ``` |
| 104 | + |
| 105 | +**Lenovo XCC2/XCC3** (dynamic): |
| 106 | +- PATCH to `/redfish/v1/AccountService`: |
| 107 | + ```json |
| 108 | + { |
| 109 | + "LDAP": { |
| 110 | + "RemoteRoleMapping": [ |
| 111 | + {"LocalRole": "Administrator", "RemoteGroup": "CP_CONV_BMAAS"} |
| 112 | + ] |
| 113 | + } |
| 114 | + } |
| 115 | + ``` |
| 116 | + |
| 117 | +**Lenovo XCC** (16 slots - legacy): |
| 118 | +- First, create empty mapping array, then update group profiles: |
| 119 | +- PATCH to `/redfish/v1/AccountService/Oem/Lenovo/GroupProfiles/Group<N>`: |
| 120 | + ```json |
| 121 | + { |
| 122 | + "Privilege": ["Supervisor"], |
| 123 | + "GroupName": "<ad-group>" |
| 124 | + } |
| 125 | + ``` |
| 126 | + |
| 127 | +**Lenovo IMM** (16 slots): |
| 128 | +- Get existing: `gprofile` |
| 129 | +- Delete all: `gprofile -<N> -clear` |
| 130 | +- Create new: `gprofile -<N> -n <group-name> -a super` |
| 131 | + |
| 132 | +#### 2.4 DNS Configuration (Dell only) |
| 133 | +The solution must configure DNS servers for name resolution. |
| 134 | + |
| 135 | +**Current Implementation:** |
| 136 | +- **Dell iDRAC < 10**: Manager attributes `IPv4Static.1.DNS1`, `IPv4Static.1.DNS2` |
| 137 | +- **Dell iDRAC 10**: Manager attributes `IPv4.1.StaticDNS1`, `IPv4.1.StaticDNS2` |
| 138 | + |
| 139 | +### 3. SSL/TLS Certificate Management |
| 140 | + |
| 141 | +#### 3.1 CA Certificate Installation |
| 142 | +The solution must: |
| 143 | +- Download CA certificate from specified URL |
| 144 | +- Install CA certificate on BMC for LDAPS validation |
| 145 | +- Enable certificate validation after installation |
| 146 | + |
| 147 | +**Current Implementation:** |
| 148 | + |
| 149 | +**Dell iDRAC**: |
| 150 | +- Download certificate via HTTP GET |
| 151 | +- POST to certificate endpoint with certificate content: |
| 152 | + - iDRAC < 10: `/redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate` |
| 153 | + - iDRAC 10: Different path (version-specific) |
| 154 | + - Body: `{"CertificateType": "CA", "SSLCertificateFile": "<pem-content>"}` |
| 155 | +- Sets `ActiveDirectory.1.CertValidationEnable: "Enabled"` |
| 156 | + |
| 157 | +**HPE iLO**: |
| 158 | +- Download certificate via HTTP GET |
| 159 | +- POST to `/redfish/v1/AccountService/ExternalAccountProviders/LDAP/Certificates/`: |
| 160 | + ```json |
| 161 | + { |
| 162 | + "CertificateType": "PEM", |
| 163 | + "CertificateString": "<pem-content>" |
| 164 | + } |
| 165 | + ``` |
| 166 | + |
| 167 | +**Lenovo XCC**: |
| 168 | +1. GET existing certificates: `/redfish/v1/AccountService/LDAP/Certificates` |
| 169 | +2. Disable LDAPS: PATCH `/redfish/v1/Managers/1/Oem/Lenovo/Security` with `{"SSLSettings": {"EnableLDAPS": false}}` |
| 170 | +3. Wait 5 seconds |
| 171 | +4. DELETE each existing certificate via returned `@odata.id` |
| 172 | +5. POST new certificate to `/redfish/v1/AccountService/LDAP/Certificates`: |
| 173 | + ```json |
| 174 | + { |
| 175 | + "CertificateType": "PEM", |
| 176 | + "CertificateString": "<pem-content>" |
| 177 | + } |
| 178 | + ``` |
| 179 | +6. Wait 5 seconds |
| 180 | +7. Enable LDAPS: PATCH Security endpoint with `{"SSLSettings": {"EnableLDAPS": true}}` |
| 181 | + |
| 182 | +**Lenovo IMM**: |
| 183 | +1. Disable SSL: `sslcfg -client disabled` |
| 184 | +2. Delete existing: `sslcfg -tc1 remove`, `sslcfg -tc2 remove`, etc. (4 slots) |
| 185 | +3. Import new: `sslcfg -tc1 import -i <tftp-server> -l <cert-path>` |
| 186 | +4. Check for self-signed cert: `sslcfg` |
| 187 | +5. Create if missing: `sslcfg -cert client -c DE -sp "BW" -cl "St. Leon Rot" -on "SAP SE" -hn <hostname>` |
| 188 | +6. Enable SSL: `sslcfg -client enabled` |
| 189 | + |
| 190 | +#### 3.2 Certificate Validation |
| 191 | +The solution must enable LDAPS certificate validation after certificate installation. |
| 192 | + |
| 193 | +**Current Implementation:** |
| 194 | +- **Dell**: Sets manager attribute `ActiveDirectory.1.CertValidationEnable: "Enabled"` |
| 195 | +- **HPE**: Automatic when certificate is installed |
| 196 | +- **Lenovo XCC**: Enables via `EnableLDAPS: true` in Security settings |
| 197 | +- **Lenovo IMM**: Enables via `sslcfg -client enabled` |
| 198 | + |
| 199 | +### 4. Session Management |
| 200 | + |
| 201 | +#### 4.1 Authentication Session Lifecycle |
| 202 | +The solution must: |
| 203 | +- Create authenticated session before configuration operations |
| 204 | +- Use session token for subsequent API calls |
| 205 | +- Delete session after operations complete |
| 206 | + |
| 207 | +**Current Implementation (Redfish BMCs):** |
| 208 | +- **Session Creation**: POST to `/redfish/v1/SessionService/Sessions` with credentials, returns token |
| 209 | +- **Token Usage**: Include `X-Auth-Token: <token>` in all request headers |
| 210 | +- **Session Deletion**: DELETE to session URI after completion |
| 211 | + |
| 212 | +**Lenovo IMM**: Uses SSH connection with username/password for raw CLI commands |
| 213 | + |
| 214 | +### 5. Region-Specific Configuration |
| 215 | + |
| 216 | +#### 5.1 Environment-Based Group Selection |
| 217 | +The solution must: |
| 218 | +- Identify deployment region (production, QA, lab) |
| 219 | +- Select appropriate AD groups based on region |
| 220 | +- Override production groups with QA-specific groups in test environments |
| 221 | + |
| 222 | +**Current Implementation:** |
| 223 | +- Checks if `region in qa_regions` or `region in lab_regions` |
| 224 | +- Overrides `ad_group` variable with `ad_group_qa` when condition is true |
| 225 | +- Applies overridden groups to role mapping configuration |
| 226 | + |
| 227 | +### 6. Vendor-Specific Requirements |
| 228 | + |
| 229 | +#### 6.1 Dell iDRAC Version Detection |
| 230 | +The solution must detect iDRAC version and adjust configuration accordingly. |
| 231 | + |
| 232 | +**Current Implementation:** |
| 233 | +- Checks if `model in idrac10_models` |
| 234 | +- Uses different manager attributes and API endpoints for iDRAC 10: |
| 235 | + - GC Root Domain setting: `ActiveDirectory.1.GCRootDomain: "<domain>"` |
| 236 | + - GC Lookup: `ActiveDirectory.1.GCLookupEnable: "Enabled"` |
| 237 | + - Different DNS attributes: `IPv4.1.StaticDNS1` vs `IPv4Static.1.DNS1` |
| 238 | + - Role-based privileges: `ADGroup.X.Role` vs `ADGroup.X.Privilege` |
| 239 | + |
| 240 | +#### 6.2 Lenovo XCC Variant Detection |
| 241 | +The solution must detect XCC variant (XCC, XCC2, XCC3) and use appropriate API structure. |
| 242 | + |
| 243 | +**Current Implementation:** |
| 244 | +- Checks `lenovo_xcc_type` variable |
| 245 | +- XCC2/XCC3: Use LDAP configuration in AccountService directly |
| 246 | +- XCC (legacy): Use separate GroupProfiles endpoint for privilege mapping |
| 247 | +- PATCH to `/redfish/v1/Managers/1/NetworkProtocol/Oem/Lenovo/LDAPClient` for initial LDAP client setup (all versions) |
| 248 | + |
| 249 | +#### 6.3 HPE-Specific Settings |
| 250 | +The solution must configure HPE OEM-specific directory settings. |
| 251 | + |
| 252 | +**Current Implementation:** |
| 253 | +- PATCH to `/redfish/v1/AccountService/` includes: |
| 254 | + ```json |
| 255 | + { |
| 256 | + "Oem": { |
| 257 | + "Hpe": { |
| 258 | + "DirectorySettings": { |
| 259 | + "LdapAuthenticationMode": "DefaultSchema" |
| 260 | + } |
| 261 | + } |
| 262 | + } |
| 263 | + } |
| 264 | + ``` |
| 265 | + |
| 266 | +### 7. Error Handling and Validation |
| 267 | + |
| 268 | +#### 7.1 Operation Verification |
| 269 | +The solution must: |
| 270 | +- Verify successful HTTP status codes (200, 201, 202, 204) |
| 271 | +- Validate command output for CLI-based operations (check for "ok" in stdout) |
| 272 | +- Detect and report errors (import failures, authentication errors) |
| 273 | + |
| 274 | +**Current Implementation:** |
| 275 | +- Ansible URI module: `status_code: [200, 201, 202, 204]` |
| 276 | +- Ansible raw CLI: `changed_when: '"ok" in stdout'` and `failed_when: '"Error" in stdout'` |
| 277 | + |
| 278 | +#### 7.2 Timeout Configuration |
| 279 | +The solution must handle long-running operations with appropriate timeouts. |
| 280 | + |
| 281 | +**Current Implementation:** |
| 282 | +- API timeouts range from 15 to 360 seconds depending on operation |
| 283 | +- Certificate operations: 120-300 seconds |
| 284 | +- Standard configuration: 120-360 seconds |
| 285 | + |
| 286 | +### 8. Operational Requirements |
| 287 | + |
| 288 | +#### 8.1 Wait Periods |
| 289 | +The solution must respect vendor timing requirements between operations. |
| 290 | + |
| 291 | +**Current Implementation:** |
| 292 | +- Lenovo XCC: 5-second pause after disabling LDAPS and after certificate import |
| 293 | +- Implemented via: `ansible.builtin.pause: seconds: 5` |
| 294 | + |
| 295 | +#### 8.2 Idempotency |
| 296 | +The solution must: |
| 297 | +- Clear existing configurations before applying new settings |
| 298 | +- Support re-running without creating duplicate entries |
| 299 | +- Only modify configurations that differ from desired state |
| 300 | + |
| 301 | +**Current Implementation:** |
| 302 | +- Dell: Overwrites all 15 slots (populated and empty) |
| 303 | +- Lenovo IMM: Deletes all existing gprofiles before creating new ones |
| 304 | +- Lenovo XCC: Deletes all existing LDAP certificates before importing new one |
| 305 | +- HPE: Replaces entire RemoteRoleMapping array |
| 306 | + |
| 307 | +#### 8.3 Certificate Validation Bypass |
| 308 | +The solution must disable SSL certificate validation when communicating with BMCs (self-signed certificates). |
| 309 | + |
| 310 | +**Current Implementation:** |
| 311 | +- All Redfish API calls: `validate_certs: false` |
| 312 | +- Allows connection to BMCs with self-signed certificates |
0 commit comments