iLO: configuring Active Directory authentication with PowerShell

The more servers a system administrator has, the harder it is to manage them by hand. Today we automate the configuration of Active Directory authentication in iLO 4 and iLO 5 with PowerShell scripts.

To manage iLO from PowerShell scripts, Hewlett Packard publishes and maintains a set of cmdlets called Scripting Tools for Windows PowerShell: iLO cmdlets.

The current package version, 4.3.0.0 of 16 November 2023, can be used to configure iLO management on HPE ProLiant Gen8, Gen9, Gen10, Gen10 Plus and Gen11 servers. iLO cmdlets support iLO 4, iLO 5 and iLO 6 ProLiant servers. The cmdlets talk to iLO through its RIBCL, REST (limited) and Redfish interfaces. The scripts require .NET Framework 4.5 to 4.7.1.

Do not assume that a script written for iLO 5 will immediately work on iLO 4. I have already found that it is better to write two separate scripts, one for iLO 4 and one for iLO 5. Today, however, the script will be one that works for both iLO 4 and iLO 5.

Install .NET and HPEiLOCmdlets. I am working on Windows 10.

Managing iLO with PowerShell

Sample PowerShell scripts can be found in the default folder C:\HPEiLOCmdlets\Samples.


The samples can be used as a starting point for your own work, but they contain errors too. The sample scripts are digitally signed; you will not need the signature while debugging. In the end I ended up with three files:

  • iLOInput.csv
  • GetAD.ps1
  • SetAD.ps1


iLOInput.csv lists the servers in the form:

IP,Username,Password
192.168.1.2,admin,password
192.168.1.3,admin,password

Here you specify the iLO IP address or DNS name, the login and the password.

GetAD.ps1 prints the current AD authentication settings.

####################################################################
# iLO Active Directory Information
####################################################################

<#
.SYNOPSIS
    Gets the Active Directory (LDAP) authentication settings from iLO.
    iLO 4 and iLO 5 supported.

.DESCRIPTION
    Reads the directory settings and the directory groups from every iLO listed
    in iLOInput.csv and prints them.

    The cmdlets used from the HPEiLOCmdlets module are:
    Enable-HPEiLOLog, Connect-HPEiLO, Disconnect-HPEiLO, Disable-HPEiLOLog,
    Get-HPEiLODirectorySetting, Get-HPEiLODirectoryGroup.

.EXAMPLE
    PS C:\HPEiLOCmdlets\Prod\> .\GetAD.ps1

    Displays the AD settings of every iLO listed in iLOInput.csv.

.INPUTS
    iLOInput.csv in the script folder, with the columns IP (iLO IPv4 address or
    DNS name), Username and Password.

.OUTPUTS
    None (by default)

.NOTES
    Always run PowerShell in administrator mode to execute the script.

    Company : Internet-lab.ru
    Version : 1.0.0.0
    Date    : 2023-01-18

.LINK
    http://internet-lab.ru
#>

# Read the target list. The CSV stores the iLO passwords in cleartext, so restrict its ACL.
try
{
    $path = Split-Path -Parent $PSCommandPath
    $path = Join-Path $path "iLOInput.csv"
    $inputcsv = Import-Csv $path
    if(($inputcsv.IP.Count -eq 0) -or ($inputcsv.Username.Count -eq 0) -or ($inputcsv.Password.Count -eq 0))
    {
        Write-Host "Provide values for IP, Username and Password columns in the iLOInput.csv file and try again."
        exit
    }

    $notNullIP       = @($inputcsv.IP       | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)})
    $notNullUsername = @($inputcsv.Username | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)})
    $notNullPassword = @($inputcsv.Password | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)})
    if(($notNullIP.Count -ne $notNullUsername.Count) -or ($notNullIP.Count -ne $notNullPassword.Count))
    {
        Write-Host "Provide equal number of values for IP, Username and Password columns in the iLOInput.csv file and try again."
        exit
    }
}
catch
{
    Write-Host "iLOInput.csv file import failed. Please check the file path of the iLOInput.csv file and try again."
    Write-Host "iLOInput.csv file path: $path"
    exit
}

#Clear-Host

Write-Host "****** Script execution started ******`n" -ForegroundColor Yellow
Write-Host "This script reads the directory (AD) settings and directory groups from each iLO.`n"

# Load the HPEiLOCmdlets module
if($null -eq (Get-Module -Name "HPEiLOCmdlets"))
{
    Write-Host "Loading module :  HPEiLOCmdlets"
    Import-Module HPEiLOCmdlets
    if($null -eq (Get-Module -Name "HPEiLOCmdlets"))
    {
        Write-Host "`nHPEiLOCmdlets module cannot be loaded. Please fix the problem and try again`n"
        Write-Host "Exit..."
        exit
    }
}
$InstallediLOModule = Get-Module -Name "HPEiLOCmdlets"
Write-Host "HPEiLOCmdlets Module Version : $($InstallediLOModule.Version) is installed on your machine.`n"

$Error.Clear()

# Enable the HPEiLOCmdlets log (requires an elevated PowerShell)
Write-Host "Enabling logging feature" -ForegroundColor Yellow
$log = Enable-HPEiLOLog
$log | fl

if($Error.Count -ne 0)
{
    Write-Host "`nPlease launch the PowerShell in administrator mode and run the script again." -ForegroundColor Yellow
    Write-Host "`n****** Script execution terminated ******" -ForegroundColor Red
    exit
}

try
{
    # Failed cmdlet calls are reported through $output.Status below instead of terminating the script
    $ErrorActionPreference = "SilentlyContinue"
    $WarningPreference = "SilentlyContinue"

    Write-Host "`nConnecting using Connect-HPEiLO`n" -ForegroundColor Yellow

    # -DisableCertificateAuthentication skips validation of the iLO TLS certificate;
    # drop it once the iLOs carry certificates trusted by the management host.
    $connection = @(Connect-HPEiLO -IP $inputcsv.IP -Username $inputcsv.Username -Password $inputcsv.Password -DisableCertificateAuthentication)

    $Error.Clear()

    if(($null -eq $connection) -or ($connection.Count -eq 0))
    {
        Write-Host "`nConnection could not be established to any target iLO.`n" -ForegroundColor Red
        $inputcsv.IP | fl
        exit
    }

    if($connection.Count -ne $inputcsv.IP.Count)
    {
        # List the targets that could not be connected
        Write-Host "`nConnection failed for below set of targets" -ForegroundColor Red
        foreach($item in $inputcsv.IP)
        {
            if($connection.IP -notcontains $item)
            {
                $item | fl
            }
        }

        # Prompt for user input
        $mismatchinput = Read-Host -Prompt 'Connection object count and parameter value count does not match. Do you want to continue? Enter Y to continue with script execution. Enter N to cancel.'
        if($mismatchinput -ne 'Y')
        {
            Write-Host "`n****** Script execution stopped ******" -ForegroundColor Yellow
            exit
        }
    }

    foreach($connect in $connection)
    {
        # Directory settings
        Write-Host "`nGetting HPE iLO Directory Settings for $($connect.IP)" -ForegroundColor Green
        $output = Get-HPEiLODirectorySetting -Connection $connect

        if($output.Status -ne "OK")
        {
            $message = $output.StatusInfo.Message
            Write-Host "`nFailed to get Get-HPEiLODirectorySetting for $($connect.IP): $message" -ForegroundColor Red
        }
        else
        {
            $output[0]
        }

        # Directory groups
        Write-Host "`nGetting HPE iLO Directory Group for $($connect.IP)" -ForegroundColor Green
        $output = Get-HPEiLODirectoryGroup -Connection $connect

        if($output.Status -ne "OK")
        {
            $message = $output.StatusInfo.Message
            Write-Host "`nFailed to get Get-HPEiLODirectoryGroup for $($connect.IP): $message" -ForegroundColor Red
        }
        else
        {
            $output.GroupAccountInfo
        }
    }
}
catch
{
    # Do not swallow unexpected errors silently
    Write-Host "`nUnexpected error: $($_.Exception.Message)" -ForegroundColor Red
}
finally
{
    if($null -ne $connection)
    {
        # Disconnect
        Write-Host "Disconnect using Disconnect-HPEiLO `n" -ForegroundColor Yellow
        $disconnect = Disconnect-HPEiLO -Connection $connection
        $disconnect | fl
        Write-Host "All connections disconnected successfully.`n"
    }

    # Disable logging feature
    Write-Host "Disabling logging feature`n" -ForegroundColor Yellow
    $log = Disable-HPEiLOLog
    $log | fl

    if($Error.Count -ne 0)
    {
        Write-Host "`nScript executed with few errors. Check the log files for more information.`n" -ForegroundColor Red
    }

    Write-Host "`n****** Script execution completed ******" -ForegroundColor Yellow
}

SetAD.ps1 changes the AD authentication settings. In the script I set only the parameters I needed; you will need to edit the configuration section:

<#
####################################################################
#CONFIGURATION
####################################################################
#>

$ConfLDAPDirectoryAuthentication = "DirectoryDefaultSchema"
$ConfGenericLDAPEnabled = "Yes"
$ConfDirectoryServerAddress = "ldap.domain.local"
$ConfDirectoryServerPort = "636"
$ConfUserContextIndex = ,@(1,2)
$ConfUserContextValue = ,@("@domain.local","DC=domain,DC=local")

$ConfGroupName = "smena"
$ConfGroupSID = "S-1-5-21-2606053222-2546427529-1258059324-16321"
$ConfLoginPrivilege = "Yes"
$ConfRemoteConsolePrivilege = "Yes"
$ConfVirtualPowerAndResetPrivilege = "Yes"
$ConfVirtualMediaPrivilege = "Yes"
$ConfHostBIOSConfigPrivilege = "No"
$ConfiLOConfigPrivilege = "No"
$ConfUserConfigPrivilege = "No"
$ConfHostNICConfigPrivilege = "No"
$ConfHostStorageConfigPrivilege = "No"
$ConfSystemRecoveryConfigPrivilege = "No"

<#
####################################################################
#END CONFIGURATION
####################################################################
#>

LDAPDirectoryAuthentication can take the values:

  • Disabled
  • ExtendedSchema
  • DirectoryDefaultSchema

For a long time I could not get the script to work on iLO 4 and iLO 5 at the same time, until I found this wonderful passage in the built-in documentation:

Because of iLO5 issue, if you modify port number (change the default number 636) then Start-HPEiLODirectorySettingTest will fail as iLO updates the Directory server address with port number as in it.(like IP:PORT format). The workaround is if you want to modify port number of directory server LDAP then first input the required port number for set cmdlet then in second call try without port number just with directory server settings.

####################################################################
# iLO Configure Active Directory Information
####################################################################

<#
.SYNOPSIS
    Sets the Active Directory (LDAP) authentication settings in iLO.
    iLO 4 and iLO 5 supported.

.DESCRIPTION
    Writes the directory server settings, the user contexts and one directory
    group with its privileges to every iLO listed in iLOInput.csv.

    The cmdlets used from the HPEiLOCmdlets module are:
    Enable-HPEiLOLog, Connect-HPEiLO, Disconnect-HPEiLO, Disable-HPEiLOLog,
    Set-HPEiLODirectorySetting, Add-HPEiLODirectoryGroup, Set-HPEiLODirectoryGroup.

.EXAMPLE
    PS C:\HPEiLOCmdlets\Prod\> .\SetAD.ps1

    Applies the AD settings from the CONFIGURATION block to every iLO listed in iLOInput.csv.

.INPUTS
    iLOInput.csv in the script folder, with the columns IP (iLO IPv4 address or
    DNS name), Username and Password.

.OUTPUTS
    None (by default)

.NOTES
    Always run PowerShell in administrator mode to execute the script.

    Company : Internet-lab.ru
    Version : 1.0.0.0
    Date    : 2023-01-18

.LINK
    http://internet-lab.ru
#>

<#
####################################################################
#CONFIGURATION
####################################################################
#>

$ConfLDAPDirectoryAuthentication = "DirectoryDefaultSchema"
$ConfGenericLDAPEnabled = "Yes"
$ConfDirectoryServerAddress = "ldap.domain.local"
$ConfDirectoryServerPort = "636"
$ConfUserContextIndex = ,@(1,2)
$ConfUserContextValue = ,@("@domain.local","DC=domain,DC=local")

$ConfGroupName = "smena"
$ConfGroupSID = "S-1-5-21-2606053222-2546427529-1258059324-16321"
$ConfLoginPrivilege = "Yes"
$ConfRemoteConsolePrivilege = "Yes"
$ConfVirtualPowerAndResetPrivilege = "Yes"
$ConfVirtualMediaPrivilege = "Yes"
$ConfHostBIOSConfigPrivilege = "No"
$ConfiLOConfigPrivilege = "No"
$ConfUserConfigPrivilege = "No"
$ConfHostNICConfigPrivilege = "No"
$ConfHostStorageConfigPrivilege = "No"
$ConfSystemRecoveryConfigPrivilege = "No"

<#
####################################################################
#END CONFIGURATION
####################################################################
#>

# Read the target list. The CSV stores the iLO passwords in cleartext, so restrict its ACL.
try
{
    $path = Split-Path -Parent $PSCommandPath
    $path = Join-Path $path "iLOInput.csv"
    $inputcsv = Import-Csv $path
    if(($inputcsv.IP.Count -eq 0) -or ($inputcsv.Username.Count -eq 0) -or ($inputcsv.Password.Count -eq 0))
    {
        Write-Host "Provide values for IP, Username and Password columns in the iLOInput.csv file and try again."
        exit
    }

    $notNullIP       = @($inputcsv.IP       | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)})
    $notNullUsername = @($inputcsv.Username | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)})
    $notNullPassword = @($inputcsv.Password | Where-Object {-Not [string]::IsNullOrWhiteSpace($_)})
    if(($notNullIP.Count -ne $notNullUsername.Count) -or ($notNullIP.Count -ne $notNullPassword.Count))
    {
        Write-Host "Provide equal number of values for IP, Username and Password columns in the iLOInput.csv file and try again."
        exit
    }
}
catch
{
    Write-Host "iLOInput.csv file import failed. Please check the file path of the iLOInput.csv file and try again."
    Write-Host "iLOInput.csv file path: $path"
    exit
}

Clear-Host

Write-Host "****** Script execution started ******`n" -ForegroundColor Yellow
Write-Host "This script writes the directory (AD) settings and the directory group from the CONFIGURATION block to each iLO.`n"

# Load the HPEiLOCmdlets module
if($null -eq (Get-Module -Name "HPEiLOCmdlets"))
{
    Write-Host "Loading module :  HPEiLOCmdlets"
    Import-Module HPEiLOCmdlets
    if($null -eq (Get-Module -Name "HPEiLOCmdlets"))
    {
        Write-Host "`nHPEiLOCmdlets module cannot be loaded. Please fix the problem and try again`n"
        Write-Host "Exit..."
        exit
    }
}
$InstallediLOModule = Get-Module -Name "HPEiLOCmdlets"
Write-Host "HPEiLOCmdlets Module Version : $($InstallediLOModule.Version) is installed on your machine.`n"

$Error.Clear()

# Enable the HPEiLOCmdlets log (requires an elevated PowerShell)
Write-Host "Enabling logging feature" -ForegroundColor Yellow
$log = Enable-HPEiLOLog
$log | fl

if($Error.Count -ne 0)
{
    Write-Host "`nPlease launch the PowerShell in administrator mode and run the script again." -ForegroundColor Yellow
    Write-Host "`n****** Script execution terminated ******" -ForegroundColor Red
    exit
}

try
{
    # Failed cmdlet calls are reported through $output.Status below instead of terminating the script.
    # This also lets the iLO 5-only calls fail quietly on iLO 4.
    $ErrorActionPreference = "SilentlyContinue"
    $WarningPreference = "SilentlyContinue"

    Write-Host "`nConnecting using Connect-HPEiLO`n" -ForegroundColor Yellow

    # -DisableCertificateAuthentication skips validation of the iLO TLS certificate;
    # drop it once the iLOs carry certificates trusted by the management host.
    $connection = @(Connect-HPEiLO -IP $inputcsv.IP -Username $inputcsv.Username -Password $inputcsv.Password -DisableCertificateAuthentication)

    $Error.Clear()

    if(($null -eq $connection) -or ($connection.Count -eq 0))
    {
        Write-Host "`nConnection could not be established to any target iLO.`n" -ForegroundColor Red
        $inputcsv.IP | fl
        exit
    }

    if($connection.Count -ne $inputcsv.IP.Count)
    {
        # List the targets that could not be connected
        Write-Host "`nConnection failed for below set of targets - $($connection.Count)" -ForegroundColor Red
        foreach($item in $inputcsv.IP)
        {
            if($connection.IP -notcontains $item)
            {
                $item | fl
            }
        }

        # Prompt for user input
        $mismatchinput = Read-Host -Prompt 'Connection object count and parameter value count does not match. Do you want to continue? Enter Y to continue with script execution. Enter N to cancel.'
        if($mismatchinput -ne 'Y')
        {
            Write-Host "`n****** Script execution stopped ******" -ForegroundColor Yellow
            exit
        }
    }

    foreach($connect in $connection)
    {
        Write-Host "`nSetting HPE iLO Directory Settings for $($connect.IP)" -ForegroundColor Green

        # Step 1: clear all 15 user context slots so that no stale contexts remain
        $ClearUserContextIndex = ,@(1,2,3,4,5,6,7,8,9,10,11,12,13,14,15)
        $ClearUserContextValue = ,@("","","","","","","","","","","","","","","")
        $output = Set-HPEiLODirectorySetting -Connection $connect `
            -UserContextIndex $ClearUserContextIndex `
            -UserContext $ClearUserContextValue
        $Error.Clear()

        # Step 2: set the directory server address together with the port
        $output = Set-HPEiLODirectorySetting -Connection $connect `
            -DirectoryServerAddress $ConfDirectoryServerAddress `
            -DirectoryServerPort $ConfDirectoryServerPort
        $Error.Clear()

        # Step 3: iLO 5 workaround from the HPEiLOCmdlets help. If the port is set in the same call
        # as the address, iLO 5 stores the address as IP:PORT and Start-HPEiLODirectorySettingTest
        # fails. So the port goes in the first call (above) and the remaining settings, with the
        # address but without the port, go in a second call.
        $output = Set-HPEiLODirectorySetting -Connection $connect `
            -LDAPDirectoryAuthentication $ConfLDAPDirectoryAuthentication `
            -GenericLDAPEnabled $ConfGenericLDAPEnabled `
            -DirectoryServerAddress $ConfDirectoryServerAddress `
            -UserContextIndex $ConfUserContextIndex `
            -UserContext $ConfUserContextValue
        $Error.Clear()

        if($output.Status -ne "OK")
        {
            Write-Host "`nFailed to set directory settings for $($connect.IP): $($output.StatusInfo.Message)" -ForegroundColor Red
        }
        else
        {
            Write-Host "`nDirectory Settings OK" -ForegroundColor Cyan
        }

        # Directory group
        Write-Host "`nAdding HPE iLO Directory Group for $($connect.IP)" -ForegroundColor Green

        # Create the group if it does not exist yet; the call is expected to fail when the
        # group already exists, so its status is not checked
        $output = Add-HPEiLODirectoryGroup -Connection $connect `
            -GroupName $ConfGroupName `
            -GroupSID $ConfGroupSID
        $Error.Clear()

        # Privileges common to iLO 4 and iLO 5
        $output = Set-HPEiLODirectoryGroup -Connection $connect `
            -GroupName $ConfGroupName `
            -GroupSID $ConfGroupSID `
            -LoginPrivilege $ConfLoginPrivilege `
            -RemoteConsolePrivilege $ConfRemoteConsolePrivilege `
            -VirtualMediaPrivilege $ConfVirtualMediaPrivilege `
            -VirtualPowerAndResetPrivilege $ConfVirtualPowerAndResetPrivilege `
            -iLOConfigPrivilege $ConfiLOConfigPrivilege `
            -UserConfigPrivilege $ConfUserConfigPrivilege
        $Error.Clear()
        $groupStatus  = $output.Status
        $groupMessage = $output.StatusInfo.Message

        # Privileges that exist only on iLO 5; on iLO 4 this call fails and is ignored
        $output = Set-HPEiLODirectoryGroup -Connection $connect `
            -GroupName $ConfGroupName `
            -HostBIOSConfigPrivilege $ConfHostBIOSConfigPrivilege `
            -HostNICConfigPrivilege $ConfHostNICConfigPrivilege `
            -HostStorageConfigPrivilege $ConfHostStorageConfigPrivilege `
            -SystemRecoveryConfigPrivilege $ConfSystemRecoveryConfigPrivilege
        $Error.Clear()

        if($groupStatus -ne "OK")
        {
            Write-Host "`nFailed to set directory group for $($connect.IP): $groupMessage" -ForegroundColor Red
        }
        else
        {
            Write-Host "`nDirectory Group OK" -ForegroundColor Cyan
        }
    }
}
catch
{
    # Do not swallow unexpected errors silently
    Write-Host "`nUnexpected error: $($_.Exception.Message)" -ForegroundColor Red
}
finally
{
    if($null -ne $connection)
    {
        # Disconnect
        Write-Host "Disconnect using Disconnect-HPEiLO `n" -ForegroundColor Yellow
        $disconnect = Disconnect-HPEiLO -Connection $connection
        $disconnect | fl
        Write-Host "All connections disconnected successfully.`n"
    }

    # Disable logging feature
    Write-Host "Disabling logging feature`n" -ForegroundColor Yellow
    $log = Disable-HPEiLOLog
    $log | fl

    if($Error.Count -ne 0)
    {
        Write-Host "`nScript executed with few errors. Check the log files for more information.`n" -ForegroundColor Red
    }

    Write-Host "`n****** Script execution completed ******" -ForegroundColor Yellow
}
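As an added example (not part of the article's GetAD.ps1 or SetAD.ps1), a check to run after SetAD.ps1: it reads the settings back, reports drift from the Conf* values, flags the IP:PORT form of the server address that the iLO 5 note above describes, and flags admin-level privileges granted to the operator group. It assumes a $connect object from Connect-HPEiLO and the Conf* variables from the configuration block, and it assumes that the property names on the Get-* output objects mirror the Set-* parameter names.

```powershell
# Added verification helper; not part of the article's scripts. Assumes $connect from
# Connect-HPEiLO and the Conf* variables from SetAD.ps1. The Get-* output property names
# (DirectoryServerAddress, DirectoryServerPort, LDAPDirectoryAuthentication,
# GroupAccountInfo.GroupName/GroupSID/*Privilege) are assumed to mirror the Set-* parameters.
function Test-ILODirectoryConfig
{
    param(
        [Parameter(Mandatory = $true)] $Connection,
        [string]$ExpectedServer   = $ConfDirectoryServerAddress,
        [string]$ExpectedPort     = $ConfDirectoryServerPort,
        [string]$ExpectedAuthMode = $ConfLDAPDirectoryAuthentication,
        [string]$GroupName        = $ConfGroupName,
        [string]$GroupSID         = $ConfGroupSID,
        # Privileges an operator group should not hold: they allow changing iLO or
        # user configuration and host firmware, i.e. escalation beyond the console role
        [string[]]$AdminOnlyPrivileges = @("iLOConfigPrivilege", "UserConfigPrivilege",
            "HostBIOSConfigPrivilege", "HostNICConfigPrivilege",
            "HostStorageConfigPrivilege", "SystemRecoveryConfigPrivilege")
    )

    $ip = $Connection.IP
    $findings = @()

    $settings = Get-HPEiLODirectorySetting -Connection $Connection
    if($settings.Status -ne "OK")
    {
        return @("[$ip] cannot read directory settings: $($settings.StatusInfo.Message)")
    }

    # Effect of the iLO 5 issue described in the HPEiLOCmdlets help: the address ends up
    # stored as host:port, which breaks Start-HPEiLODirectorySettingTest
    if($settings.DirectoryServerAddress -match ':\d+$')
    {
        $findings += "[$ip] server address stored as host:port ($($settings.DirectoryServerAddress)); repeat Set-HPEiLODirectorySetting without -DirectoryServerPort"
    }
    elseif($settings.DirectoryServerAddress -ne $ExpectedServer)
    {
        $findings += "[$ip] server address is '$($settings.DirectoryServerAddress)', expected '$ExpectedServer'"
    }
    if("$($settings.DirectoryServerPort)" -ne $ExpectedPort)
    {
        $findings += "[$ip] server port is '$($settings.DirectoryServerPort)', expected '$ExpectedPort'"
    }
    if($settings.LDAPDirectoryAuthentication -ne $ExpectedAuthMode)
    {
        $findings += "[$ip] authentication mode is '$($settings.LDAPDirectoryAuthentication)', expected '$ExpectedAuthMode'"
    }

    $groups = Get-HPEiLODirectoryGroup -Connection $Connection
    $group = @($groups.GroupAccountInfo | Where-Object { $_.GroupName -eq $GroupName })
    if($group.Count -eq 0)
    {
        $findings += "[$ip] directory group '$GroupName' not found"
        return $findings
    }
    $group = $group[0]
    if($group.GroupSID -ne $GroupSID)
    {
        $findings += "[$ip] group '$GroupName' has SID '$($group.GroupSID)', expected '$GroupSID'"
    }
    foreach($priv in $AdminOnlyPrivileges)
    {
        # iLO 4 objects lack the iLO 5-only privileges, so only check properties that exist
        $prop = $group.PSObject.Properties[$priv]
        if(($null -ne $prop) -and ("$($prop.Value)" -in @("Yes", "True")))
        {
            $findings += "[$ip] group '$GroupName' holds $priv = Yes"
        }
    }
    return $findings
}
```

Call it inside the SetAD.ps1 foreach loop after the "Directory Group OK" line, for example `$drift = @(Test-ILODirectoryConfig -Connection $connect)`, and print each returned string in red; an empty result means the iLO matches the configuration block.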


Links

Allow PowerShell scripts to run

Managing iLO with PowerShell

I have added the scripts as an archive to the System Administrator Bundle.
