Чем больше серверов у системного администратора, тем сложнее ими управлять вручную. Сегодня автоматизируем настройку Active Directory аутентификации в iLO 4 и iLO 5 с помощью PowerShell скриптов.
Для управления iLO с помощью PowerShell скриптов компания Hewlett Packard выпускает и поддерживает набор командлетов под названием Scripting Tools for Windows PowerShell: iLO cmdlets.
Текущая версия пакета 4.3.0.0 от 16 ноября 2023 года может быть использована для конфигурации управления iLO на серверах HPE ProLiant Gen8, Gen9, Gen10, Gen10 Plus, Gen11. iLO cmdlets поддерживает iLO 4, iLO 5 и iLO 6 ProLiant серверы. Для работы командлеты используют RIBCL, REST(Limited) и Redfish интерфейсы iLO. Для работы скриптов понадобится .NET Framework 4.5 - 4.7.1.
Но не стоит думать, что стоит написать скрипт для iLO 5 и он тут же заработает для iLO 4. Я уже убедился, что лучше сделать два разных скрипта для iLO 4 и iLO 5. Однако, сегодня будет именно такой скрипт, чтобы работал и для iLO 4 и для iLO 5.
Устанавливаем .NET и HPEiLOCmdlets. Работаю в ОС Windows 10.
Управление iLO через PowerShell
Примеры PowerShell скриптов можно найти в папке по умолчанию C:\HPEiLOCmdlets\Samples.
Примеры можно брать как основу для творчества, но в них тоже есть ошибки. Скрипты подписаны цифровой подписью, в процессе отладки вам она не понадобится. У меня в итоге получилось три файла:
- iLOInput.csv
- GetAD.ps1
- SetAD.ps1
В iLOInput.csv указывается список серверов в виде:
IP,Username,Password
192.168.1.2,admin,password
192.168.1.3,admin,password
Здесь нужно указать IP адрес или DNS имя iLO, логин, пароль.
GetAD.ps1 — выводит текущие настройки AD аутентификации.
####################################################################
#iLO Active Directory Information
####################################################################
<#
.Synopsis
This Script gets the AD settings for NTLM auth.
iLO 4 and iLO 5 supported.
.DESCRIPTION
This Script gets the Active Directory settings for NTLM auth authentication.
The cmdlets used from HPEiLOCmdlets module in the script are as stated below:
Enable-HPEiLOLog, Connect-HPEiLO, Disconnect-HPEiLO, Disable-HPEiLOLog,
Get-HPEiLODirectorySettins, Get-HPEiLODirectoryGroup.
.PARAMETER Key
Specifies the security dashboard settings to be updated in iLO.
.EXAMPLE
PS C:\HPEiLOCmdlets\Prod\> .\GetAD.ps1
This script display AD info from iLO.
.INPUTS
iLOInput.csv file in the script folder location having iLO IPv4 address, iLO Username and iLO Password.
.OUTPUTS
None (by default)
.NOTES
Always run the PowerShell in administrator mode to execute the script.
Company : Internet-lab.ru
Version : 1.0.0.0
Date : 2023-01-18
.LINK
http://internet-lab.ru
#>
#Command line parameters
Param(
[switch]$IgnoreSecureBoot,
[switch]$IgnoreSecurityOverrideSwitch,
[switch]$IgnorePasswordComplexity,
[switch]$IgnoreIPMIDCMIOverLAN,
[switch]$IgnoreMinimumPasswordLength,
[switch]$IgnoreRequireLoginforiLORBSU,
[switch]$IgnoreAuthenticationFailureLogging,
[switch]$IgnoreLastFirmwareScanResult,
[switch]$IgnoreRequireHostAuthentication
)
try
{
$path = Split-Path -Parent $PSCommandPath
$path = join-Path $path "\iLOInput.csv"
$inputcsv = Import-Csv $path
if($inputcsv.IP.count -eq $inputcsv.Username.count -eq $inputcsv.Password.count -eq 0)
{
Write-Host "Provide values for IP, Username and Password columns in the iLOInput.csv file and try again."
exit
}
$notNullIP = $inputcsv.IP | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)}
$notNullUsername = $inputcsv.Username | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)}
$notNullPassword = $inputcsv.Password | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)}
if(-Not($notNullIP.Count -eq $notNullUsername.Count -eq $notNullPassword.Count))
{
Write-Host "Provide equal number of values for IP, Username and Password columns in the iLOInput.csv file and try again."
exit
}
}
catch
{
Write-Host "iLOInput.csv file import failed. Please check the file path of the iLOInput.csv file and try again."
Write-Host "iLOInput.csv file path: $path"
exit
}
#Clear-Host
# script execution started
Write-Host "****** Script execution started ******`n" -ForegroundColor Yellow
#Decribe what script does to the user
Write-Host "This script sets the security dashboard settings to the given value and gets the same.`n"
#Load HPEiLOCmdlets module
$InstalledModule = Get-Module
$ModuleNames = $InstalledModule.Name
if(-not($ModuleNames -like "HPEiLOCmdlets"))
{
Write-Host "Loading module : HPEiLOCmdlets"
Import-Module HPEiLOCmdlets
if(($(Get-Module -Name "HPEiLOCmdlets") -eq $null))
{
Write-Host ""
Write-Host "HPEiLOCmdlets module cannot be loaded. Please fix the problem and try again"
Write-Host ""
Write-Host "Exit..."
exit
}
}
else
{
$InstallediLOModule = Get-Module -Name "HPEiLOCmdlets"
Write-Host "HPEiLOCmdlets Module Version : $($InstallediLOModule.Version) is installed on your machine."
Write-host ""
}
$Error.Clear()
#Enable logging feature
Write-Host "Enabling logging feature" -ForegroundColor Yellow
$log = Enable-HPEiLOLog
$log | fl
if($Error.Count -ne 0)
{
Write-Host "`nPlease launch the PowerShell in administrator mode and run the script again." -ForegroundColor Yellow
Write-Host "`n****** Script execution terminated ******" -ForegroundColor Red
exit
}
try
{
$ErrorActionPreference = "SilentlyContinue"
$WarningPreference ="SilentlyContinue"
[bool]$isParameterCountEQOne = $false;
foreach ($Key in $MyInvocation.BoundParameters.keys)
{
$count = $($MyInvocation.BoundParameters[$Key]).Count
}
Write-Host "`nConnecting using Connect-HPEiLO`n" -ForegroundColor Yellow
$connection = @(Connect-HPEiLO -IP $inputcsv.IP -Username $inputcsv.Username -Password $inputcsv.Password -DisableCertificateAuthentication)
$Error.Clear()
if($Connection -eq $null)
{
Write-Host "`nConnection could not be established to any target iLO.`n" -ForegroundColor Red
$inputcsv.IP | fl
exit;
}
if($Connection.count -ne $inputcsv.IP.count)
{
#List of IP's that could not be connected
Write-Host "`nConnection failed for below set of targets" -ForegroundColor Red
foreach($item in $inputcsv.IP)
{
if($Connection.IP -notcontains $item)
{
$item | fl
}
}
#Prompt for user input
$mismatchinput = Read-Host -Prompt 'Connection object count and parameter value count does not match. Do you want to continue? Enter Y to continue with script execution. Enter N to cancel.'
if($mismatchinput -ne 'Y')
{
Write-Host "`n****** Script execution stopped ******" -ForegroundColor Yellow
exit;
}
}
foreach($connect in $connection)
{
#Displaying Directory Settings
Write-Host "`nGetting HPE iLO Directory Settins for $($connect.IP)" -ForegroundColor Green
$output = Get-HPEiLODirectorySetting -Connection $connect
if($output.Status -ne "OK")
{
$message = $output.StatusInfo.Message;
Write-Host "`nFailed to get Get-HPEiLODirectorySetting for $($output.IP): "$message -ForegroundColor Red
}
else
{
$output[0]
}
Write-Host "`nGetting HPE iLO Directory Group for $($connect.IP)" -ForegroundColor Green
$output = Get-HPEiLODirectoryGroup -Connection $connect
#Displaying Directory Group
if($output.Status -ne "OK")
{
$message = $output.StatusInfo.Message;
Write-Host "`nFailed to get Get-HPEiLODirectoryGroup for $($output.IP): "$message -ForegroundColor Red
}
else
{
$output.GroupAccountInfo
}
}
}
catch
{
}
finally
{
if($connection -ne $null)
{
#Disconnect
Write-Host "Disconnect using Disconnect-HPEiLO `n" -ForegroundColor Yellow
$disconnect = Disconnect-HPEiLO -Connection $Connection
$disconnect | fl
Write-Host "All connections disconnected successfully.`n"
}
#Disable logging feature
Write-Host "Disabling logging feature`n" -ForegroundColor Yellow
$log = Disable-HPEiLOLog
$log | fl
if($Error.Count -ne 0 )
{
Write-Host "`nScript executed with few errors. Check the log files for more information.`n" -ForegroundColor Red
}
Write-Host "`n****** Script execution completed ******" -ForegroundColor Yellow
}
SetAD.ps1 — изменяет настройки AD аутентификации. Я в скрипте устанавливал только те параметры, которые мне были нужны, вам нужно внести изменения в конфигурационную часть:
<#
####################################################################
#CONFIGURATION
####################################################################
#>
$ConfLDAPDirectoryAuthentication = "DirectoryDefaultSchema"
$ConfGenericLDAPEnabled = "Yes"
$ConfDirectoryServerAddress = "ldap.domain.local"
$ConfDirectoryServerPort = "636"
$ConfUserContextIndex = ,@(1,2)
$ConfUserContextValue = ,@("@domain.local","DC=domain,DC=local")
$ConfGroupName = "smena"
$ConfGroupSID = "S-1-5-21-2606053222-2546427529-1258059324-16321"
$ConfLoginPrivilege = "Yes"
$ConfRemoteConsolePrivilege = "Yes"
$ConfVirtualPowerAndResetPrivilege = "Yes"
$ConfVirtualMediaPrivilege = "Yes"
$ConfHostBIOSConfigPrivilege = "No"
$ConfiLOConfigPrivilege = "No"
$ConfUserConfigPrivilege = "No"
$ConfHostNICConfigPrivilege = "No"
$ConfHostStorageConfigPrivilege = "No"
$ConfSystemRecoveryConfigPrivilege = "No"
<#
####################################################################
#END CONFIGURATION
####################################################################
#>
DirectoryAuthentication может принимать значения:
- Disabled
- ExtendedSchema
- DirectoryDefaultSchema
Долго не мог добиться одновременной работы iLO 4 и iLO 5 пока не обнаружил во встроенной документации этот чудесный текст:
Because of iLO5 issue, if you modify port number (change the default number 636) then Start-HPEiLODirectorySettingTest will fail as iLO updates the Directory server address with port number as in it.(like IP:PORT format). The workaround is if you want to modify port number of directory server LDAP then first input the required port number for set cmdlet then in second call try without port number just with directory server settings.
####################################################################
#iLO Configure Active Directory Information
####################################################################
<#
.Synopsis
This Script sets the AD settings for NTLM auth.
iLO 4 and iLO 5 supported.
.DESCRIPTION
This Script sets the Active Directory settings for NTLM auth authentication.
The cmdlets used from HPEiLOCmdlets module in the script are as stated below:
Enable-HPEiLOLog, Connect-HPEiLO, Disconnect-HPEiLO, Disable-HPEiLOLog,
Set-HPEiLODirectorySettins, Add-HPEiLODirectoryGroup, Set-HPEiLODirectoryGroup.
.PARAMETER Key
Specifies the security dashboard settings to be updated in iLO.
.EXAMPLE
PS C:\HPEiLOCmdlets\Prod\> .\SetAD.ps1
This script display AD info from iLO.
.INPUTS
iLOInput.csv file in the script folder location having iLO IPv4 address, iLO Username and iLO Password.
.OUTPUTS
None (by default)
.NOTES
Always run the PowerShell in administrator mode to execute the script.
Company : Internet-lab.ru
Version : 1.0.0.0
Date : 2023-01-18
.LINK
http://internet-lab.ru
#>
#Command line parameters
Param(
[switch]$IgnoreSecureBoot,
[switch]$IgnoreSecurityOverrideSwitch,
[switch]$IgnorePasswordComplexity,
[switch]$IgnoreIPMIDCMIOverLAN,
[switch]$IgnoreMinimumPasswordLength,
[switch]$IgnoreRequireLoginforiLORBSU,
[switch]$IgnoreAuthenticationFailureLogging,
[switch]$IgnoreLastFirmwareScanResult,
[switch]$IgnoreRequireHostAuthentication
)
<#
####################################################################
#CONFIGURATION
####################################################################
#>
$ConfLDAPDirectoryAuthentication = "DirectoryDefaultSchema"
$ConfGenericLDAPEnabled = "Yes"
$ConfDirectoryServerAddress = "ldap.domain.local"
$ConfDirectoryServerPort = "636"
$ConfUserContextIndex = ,@(1,2)
$ConfUserContextValue = ,@("@domain.local","DC=domain,DC=local")
$ConfGroupName = "smena"
$ConfGroupSID = "S-1-5-21-2606053222-2546427529-1258059324-16321"
$ConfLoginPrivilege = "Yes"
$ConfRemoteConsolePrivilege = "Yes"
$ConfVirtualPowerAndResetPrivilege = "Yes"
$ConfVirtualMediaPrivilege = "Yes"
$ConfHostBIOSConfigPrivilege = "No"
$ConfiLOConfigPrivilege = "No"
$ConfUserConfigPrivilege = "No"
$ConfHostNICConfigPrivilege = "No"
$ConfHostStorageConfigPrivilege = "No"
$ConfSystemRecoveryConfigPrivilege = "No"
<#
####################################################################
#END CONFIGURATION
####################################################################
#>
try
{
$path = Split-Path -Parent $PSCommandPath
$path = join-Path $path "\iLOInput.csv"
$inputcsv = Import-Csv $path
if($inputcsv.IP.count -eq $inputcsv.Username.count -eq $inputcsv.Password.count -eq 0)
{
Write-Host "Provide values for IP, Username and Password columns in the iLOInput.csv file and try again."
exit
}
$notNullIP = $inputcsv.IP | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)}
$notNullUsername = $inputcsv.Username | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)}
$notNullPassword = $inputcsv.Password | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)}
if(-Not($notNullIP.Count -eq $notNullUsername.Count -eq $notNullPassword.Count))
{
Write-Host "Provide equal number of values for IP, Username and Password columns in the iLOInput.csv file and try again."
exit
}
}
catch
{
Write-Host "iLOInput.csv file import failed. Please check the file path of the iLOInput.csv file and try again."
Write-Host "iLOInput.csv file path: $path"
exit
}
Clear-Host
# script execution started
Write-Host "****** Script execution started ******`n" -ForegroundColor Yellow
#Decribe what script does to the user
Write-Host "This script sets the security dashboard settings to the given value and gets the same.`n"
#Load HPEiLOCmdlets module
$InstalledModule = Get-Module
$ModuleNames = $InstalledModule.Name
if(-not($ModuleNames -like "HPEiLOCmdlets"))
{
Write-Host "Loading module : HPEiLOCmdlets"
Import-Module HPEiLOCmdlets
if(($(Get-Module -Name "HPEiLOCmdlets") -eq $null))
{
Write-Host ""
Write-Host "HPEiLOCmdlets module cannot be loaded. Please fix the problem and try again"
Write-Host ""
Write-Host "Exit..."
exit
}
}
else
{
$InstallediLOModule = Get-Module -Name "HPEiLOCmdlets"
Write-Host "HPEiLOCmdlets Module Version : $($InstallediLOModule.Version) is installed on your machine."
Write-host ""
}
$Error.Clear()
#Enable logging feature
Write-Host "Enabling logging feature" -ForegroundColor Yellow
$log = Enable-HPEiLOLog
$log | fl
if($Error.Count -ne 0)
{
Write-Host "`nPlease launch the PowerShell in administrator mode and run the script again." -ForegroundColor Yellow
Write-Host "`n****** Script execution terminated ******" -ForegroundColor Red
exit
}
try
{
$ErrorActionPreference = "SilentlyContinue"
$WarningPreference ="SilentlyContinue"
[bool]$isParameterCountEQOne = $false;
foreach ($Key in $MyInvocation.BoundParameters.keys)
{
$count = $($MyInvocation.BoundParameters[$Key]).Count
}
Write-Host "`nConnecting using Connect-HPEiLO`n" -ForegroundColor Yellow
$connection = @(Connect-HPEiLO -IP $inputcsv.IP -Username $inputcsv.Username -Password $inputcsv.Password -DisableCertificateAuthentication)
$Error.Clear()
if($Connection -eq $null)
{
Write-Host "`nConnection could not be established to any target iLO.`n" -ForegroundColor Red
$inputcsv.IP | fl
exit;
}
if($Connection.count -ne $inputcsv.IP.count)
{
#List of IP's that could not be connected
Write-Host "`nConnection failed for below set of targets - $($Connection.count)" -ForegroundColor Red
foreach($item in $inputcsv.IP)
{
if($Connection.IP -notcontains $item)
{
$item | fl
}
}
#Prompt for user input
$mismatchinput = Read-Host -Prompt 'Connection object count and parameter value count does not match. Do you want to continue? Enter Y to continue with script execution. Enter N to cancel.'
if($mismatchinput -ne 'Y')
{
Write-Host "`n****** Script execution stopped ******" -ForegroundColor Yellow
exit;
}
}
foreach($connect in $connection)
{
#Set Directory Settings
Write-Host "`nSetting HPE iLO Directory Settings for $($connect.IP)" -ForegroundColor Green
#Clear Context
$ClearUserContextIndex = ,@(1,2,3,4,5,6,7,8,9,10,11,12,13,14,15)
$ClearUserContextValue = ,@("","","","","","","","","","","","","","","")
$output = Set-HPEiLODirectorySetting -Connection $connect `
-UserContextIndex $ClearUserContextIndex `
-UserContext $ClearUserContextValue
$Error.Clear()
#$output.StatusInfo
#Set Settings with new context
$output = Set-HPEiLODirectorySetting -Connection $connect `
-DirectoryServerAddress $ConfDirectoryServerAddress `
-DirectoryServerPort $ConfDirectoryServerPort
$Error.Clear()
#$output.StatusInfo
#Because of iLO5 issue, if you modify port number (change the default number 636) then Start-HPEiLODirectorySettingTest
#will fail as iLO updates the Directory server address with port number as in it.(like IP:PORT format).
#The workaround is if you want to modify port number of directory server LDAP
#then first input the required port number for set cmdlet
#then in second call try without port number just with directory server settings.
$output = Set-HPEiLODirectorySetting -Connection $connect `
-LDAPDirectoryAuthentication $ConfLDAPDirectoryAuthentication `
-GenericLDAPEnabled $ConfGenericLDAPEnabled `
-DirectoryServerAddress $ConfDirectoryServerAddress `
-UserContextIndex $ConfUserContextIndex `
-UserContext $ConfUserContextValue
$Error.Clear()
#$output.StatusInfo
Write-Host "`nDirectory Settings OK" -ForegroundColor Cyan
#Add Directory Group
Write-Host "`nAdding HPE iLO Directory Group for $($connect.IP)" -ForegroundColor Green
#Add Empty Directory Group if not exist
$output = Add-HPEiLODirectoryGroup -Connection $connect `
-GroupName $ConfGroupName `
-GroupSID $ConfGroupSID
$Error.Clear()
#$output.StatusInfo
#Set role for iLO4 and iLO5
$output = Set-HPEiLODirectoryGroup -Connection $connect `
-GroupName $ConfGroupName `
-GroupSID $ConfGroupSID `
-LoginPrivilege $ConfLoginPrivilege `
-RemoteConsolePrivilege $ConfRemoteConsolePrivilege `
-VirtualMediaPrivilege $ConfVirtualMediaPrivilege `
-VirtualPowerAndResetPrivilege $ConfVirtualPowerAndResetPrivilege `
-iLOConfigPrivilege $ConfiLOConfigPrivilege `
-UserConfigPrivilege $ConfUserConfigPrivilege
$Error.Clear()
#$output.StatusInfo
#Set additional role for iLO5
$output = Set-HPEiLODirectoryGroup -Connection $connect `
-GroupName $ConfGroupName `
-HostBIOSConfigPrivilege $ConfHostBIOSConfigPrivilege `
-HostNICConfigPrivilege $ConfHostNICConfigPrivilege `
-HostStorageConfigPrivilege $ConfHostStorageConfigPrivilege `
-SystemRecoveryConfigPrivilege $ConfSystemRecoveryConfigPrivilege
$Error.Clear()
#$output.StatusInfo
Write-Host "`nDirectory Group OK" -ForegroundColor Cyan
}
}
catch
{
}
finally
{
if($connection -ne $null)
{
#Disconnect
Write-Host "Disconnect using Disconnect-HPEiLO `n" -ForegroundColor Yellow
$disconnect = Disconnect-HPEiLO -Connection $Connection
$disconnect | fl
Write-Host "All connections disconnected successfully.`n"
}
#Disable logging feature
Write-Host "Disabling logging feature`n" -ForegroundColor Yellow
$log = Disable-HPEiLOLog
$log | fl
if($Error.Count -ne 0 )
{
Write-Host "`nScript executed with few errors. Check the log files for more information.`n" -ForegroundColor Red
}
Write-Host "`n****** Script execution completed ******" -ForegroundColor Yellow
}
Ссылки
Разрешить запуск скриптов PowerShell
Управление iLO через PowerShell
Скрипты в виде архива добавил в Сборку для системного администратора.
