Skip to main content

Contents

  1. Preface
  2. Chapter 1 Understanding an Overview of the SPARC M12/M10
    1.  1.1 Basics of the SPARC M12/M10
    2. Click 1.2 Basics of the XSCF Firmware
    3. Click 1.3 Network Configuration
    4.  1.4 Basics of Hypervisor
    5.  1.5 Basics of Oracle VM Server for SPARC
    6.  1.6 Basics of OpenBoot PROM
  3. Chapter 2 Logging In/Out of the XSCF
    1. Click 2.1 Connecting the System Management Terminal
    2. Click 2.2 Logging In to the XSCF Shell
    3.  2.3 Logging Out from the XSCF Shell
    4. Click 2.4 Logging In to XSCF Web
    5.  2.5 Logging Out From XSCF Web
    6.  2.6 Number of Connectable Users
  4. Chapter 3 Configuring the System
    1. Click 3.1 Preliminary Work for XSCF Setup
    2. Click 3.2 Understanding the Contents of the XSCF Firmware Settings
    3.  3.3 Setting Up From the XSCF Shell
    4.  3.4 Setting Up From XSCF Web
    5. Click 3.5 Creating/Managing XSCF Users
    6. Click 3.6 Setting the XSCF Time/Date
    7. Click 3.7 Configuring the SSH/Telnet Service for Login to the XSCF
    8. Click 3.8 Configuring the HTTPS Service for Login to the XSCF
    9. Click 3.9 Configuring the XSCF Network
    10. Click 3.10 Configuring Auditing to Strengthen XSCF Security
  5. Chapter 4 Configuring the System to Suit the Usage Type
    1. Click 4.1 Setting/Checking the System Altitude
    2. Click 4.2 Controlling System Start
    3. Click 4.3 Enabling/Disabling Dual Power Feed
    4. Click 4.4 Reducing Power Consumption
    5. Click 4.5 Connecting a DVD Drive
    6. Click 4.6 Using Remote Storage
  6. Chapter 5 CPU Activation
    1.  5.1 Basic Concepts of CPU Activation
    2.  5.2 CPU Activation Key
    3. Click 5.3 Adding CPU Core Resources
    4. Click 5.4 Deleting CPU Core Resources
    5. Click 5.5 Moving CPU Core Resources
    6. Click 5.6 Displaying CPU Activation Information
    7. Click 5.7 Saving/Restoring CPU Activation Keys
    8. Click 5.8 Troubleshooting CPU Activation Errors
    9.  5.9 Important Notes about CPU Activation
  7. Chapter 6 Starting/Stopping the System
    1. Click 6.1 Starting the System
    2. Click 6.2 Stopping the System
    3.  6.3 Rebooting the System
    4.  6.4 Suppressing Starting Oracle Solaris at Power-on
  8. Chapter 7 Controlling Physical Partitions
    1.  7.1 Configuring a Physical Partition
    2. Click 7.2 Setting the Physical Partition Operation Mode
    3.  7.3 Powering On a Physical Partition
    4.  7.4 Powering Off a Physical Partition
    5.  7.5 Changing the Configuration of a Physical Partition
  9. Chapter 8 Controlling Logical Domains
    1.  8.1 Configuring a Logical Domain
    2. Click 8.2 Configuring the Oracle Solaris Kernel Zone
    3. Click 8.3 Switching to the Control Domain Console From the XSCF Shell
    4. Click 8.4 Returning to the XSCF Shell From the Control Domain Console
    5.  8.5 Starting a Logical Domain
    6.  8.6 Shutting Down a Logical Domain
    7. Click 8.7 Ordered Shutdown of Logical Domains
    8.  8.8 Checking CPU Activation Information
    9. Click 8.9 Setting the OpenBoot PROM Environment Variables of the Control Domain
    10. Click 8.10 Domain Console Logging Function
    11.  8.11 Changing the Configuration of a Logical Domain
    12.  8.12 Setting the Logical Domain Time
    13. Click 8.13 Collecting a Hypervisor Dump File
    14. Click 8.14 Managing Logical Domain Resources Associated with CPU Sockets
    15. Click 8.15 Setting the Physical Partition Dynamic Reconfiguration Policy
    16. Click 8.16 Setting the Maximum Page Size of a Logical Domain
  10. Chapter 9 Managing the Systems Daily
  11. Chapter 10 Preparing/Taking Action for Failures
    1.  10.1 Learning about Troubleshooting and Related Functions
    2. Click 10.2 Receiving Notification by E-mail When a Failure Occurs
    3. Click 10.3 Monitoring/Managing the System Status With the SNMP Agent
    4. Click 10.4 Monitoring the System
    5.  10.5 Understanding the Failure Degradation Mechanism
    6. Click 10.6 Checking Failed Hardware Resources
    7. Click 10.7 Setting Automatic Replacement of Failed CPU Cores
    8.  10.8 Setting Recovery Mode
    9.  10.9 Setting Up a Redundant Component Configuration
    10. Click 10.10 Saving/Restoring XSCF Settings Information
    11. Click 10.11 Saving/Restoring Logical Domain Configuration Information in the XSCF
    12. Click 10.12 Saving/Restoring Logical Domain Configuration Information in an XML File
    13. Click 10.13 Saving/Restoring the OpenBoot PROM Environment Variables
    14.  10.14 Saving/Restoring the Contents of a Hard Disk
    15.  10.15 Resetting a Logical Domain
    16. Click 10.16 Causing a Panic in a Logical Domain
    17.  10.17 Resetting a Physical Partition
    18. Click 10.18 Returning the Server to the State at Factory Shipment
    19.  10.19 Collecting a Crash Dump File Using Deferred Dump
  12. Chapter 11 Checking the System Status
    1. Click 11.1 Checking the System Configuration/Status
    2. Click 11.2 Checking a Physical Partition
  13. Chapter 12 Checking Logs and Messages
    1. Click 12.1 Checking a Log Saved by the XSCF
    2. Click 12.2 Checking Warning and Notification Messages
  14. Chapter 13 Switching to Locked Mode/Service Mode
    1.  13.1 Understanding the Differences Between Locked Mode and Service Mode
    2.  13.2 Switching the Operating Mode
  15. Chapter 14 Configuring a Highly Reliable System
    1. Click 14.1 Configuring Memory Mirroring
    2. Click 14.2 Configuring Hardware RAID
    3.  14.3 Using the LDAP Service
    4.  14.4 Using SAN Boot
    5.  14.5 Using iSCSI
    6. Click 14.6 Remote Power Management for the SPARC M12/M10 and I/O Devices
    7.  14.7 Using an Uninterruptible Power Supply
    8. Click 14.8 Using Verified Boot
  16. Chapter 15 Expanding the System Configuration
    1.  15.1 Changing the Virtual CPU Configuration
    2.  15.2 Changing the Memory Configuration
    3. Click 15.3 Dynamic Reconfiguration Function for PCIe Endpoint Devices
    4. Click 15.4 Using the PCI Expansion Unit
    5.  15.5 Expanding the SPARC M12-2S/M10-4S
  17. Chapter 16 Updating the XCP Firmware
    1. Click 16.1 Basics of Firmware Update
    2. Click 16.2 Before Updating Firmware
    3.  16.3 Update Flow
    4.  16.4 Preparing an XCP Image File
    5. Click 16.5 Updating Firmware
    6.  16.6 Updating Firmware From XSCF Web
    7. Click 16.7 Firmware Version Matching with Parts Addition/Replacement
    8.  16.8 Trouble During Firmware Update
    9.  16.9 FAQ Relating to Firmware Update
  18. Chapter 17 Updating Oracle Solaris and Oracle VM Server for SPARC
  19. Chapter 18 Troubleshooting
    1.  18.1 Troubleshooting for the XSCF
    2.  18.2 Precautions Concerning Using the RESET Switch
    3.  18.3 Frequently Asked Questions / FAQ
    4.  18.4 System Troubleshooting With the XSCF
  20. Appendix A Lists of SPARC M12/M10 System Device Paths
    1.  A.1 SPARC M12-1 Device Paths
    2. Click A.2 SPARC M12-2 Device Paths
    3. Click A.3 SPARC M12-2S Device Paths
    4.  A.4 SPARC M10-1 Device Paths
    5. Click A.5 SPARC M10-4 Device Paths
    6. Click A.6 SPARC M10-4S Device Paths
  21. Appendix B Identifying an SAS2 Device Based on a WWN
    1.  B.1 World Wide Name (WWN) Syntax
    2.  B.2 Overview of probe-scsi-all Command Output
    3. Click B.3 Identifying a Disk Slot by Using the probe-scsi-all Command
    4. Click B.4 Identifying Disk Slot
  22. Appendix C List of the XSCF Web Pages
    1.  C.1 Overview of the Pages
    2.  C.2 Understanding the Menu Configuration
    3. Click C.3 Available Pages
  23. Appendix D XSCF MIB Information
    1.  D.1 MIB Object Identification
    2.  D.2 Standard MIB
    3. Click D.3 Extended MIB
    4.  D.4 Traps
  24. Appendix E SPARC M12/M10 System-specific Functions of Oracle VM Server for SPARC
    1.  E.1 Ordered Shutdown of Logical Domains
    2.  E.2 CPU Activation Support
    3. Click E.3 Checking Failed Resources
    4.  E.4 Automatic Replacement of Failed CPUs
    5.  E.5 Hypervisor Dump
    6.  E.6 Domain Console Logging Function
    7.  E.7 CPU Socket Restrictions
  25. Appendix F SAS2IRCU Utility Command Examples
    1.  F.1 Displaying a List of SAS Controllers Recognized by sas2ircu
    2.  F.2 Displaying the Information of a Hardware RAID Volume
    3.  F.3 Adding a Hardware RAID Volume
    4.  F.4 Displaying the Configuration Status of a Hardware RAID Volume
    5.  F.5 Creating a Hot Spare of a Hardware RAID Volume
    6.  F.6 Deleting a Hot Spare of a Hardware RAID Volume
    7.  F.7 Deleting a Hardware RAID Volume
    8.  F.8 Identifying the Faulty Disk Drive of a Hardware RAID Volume
  26. Appendix G SPARC M12-1/M10-1 XSCF Startup Mode Function
    1. Click G.1 Function Overview
    2. Click G.2 Restrictions and Notes
    3.  G.3 Configuration Procedure
  27. Appendix H OpenBoot PROM Environment Variables and Commands
    1.  H.1 SCSI Device Display
    2.  H.2 Unsupported OpenBoot PROM Environment Variables
    3.  H.3 Unsupported OpenBoot PROM Commands
    4.  H.4 Behavior With the Security Mode Enabled
  28. Appendix I How to Specify the Boot Device
    1.  I.1 Device Path of the Internal Storage
    2.  I.2 Method of Specification With a PHY Number
    3.  I.3 Method of Specification With a Target ID
    4.  I.4 Method of Specification With an SAS Address
    5.  I.5 Method of Specification With a Volume Device Name
    6.  I.6 Notes About the Device Alias net of the SPARC M12 Without On-Board LAN
  29. Appendix J Lists of DVD Drive Aliases
    1. Click J.1 External DVD Drive Aliases
    2. Click J.2 Remote Storage DVD Drive Aliases
  30. Appendix K CPU Activation Interim Permit
    1.  K.1 What is the CPU Activation Interim Permit?
    2.  K.2 Terms of Use of the CPU Activation Interim Permit and Precautions
    3. Click K.3 Related Commands
    4. Click K.4 Flows and Procedures for Using a CPU Activation Interim Permit
    5. Click K.5 Event Notification of the CPU Activation Interim Permit
    6. Click K.6 Other Important Notes

3.5.12 Managing XSCF User Accounts Using LDAP


3.5.12 Managing XSCF User Accounts Using LDAP
Lightweight Directory Access Protocol (LDAP) is a protocol that is used to access a directory service on a network. Normally, user authentication and user privilege of an XSCF user account on SPARC M12/M10 systems are managed by the local master XSCF. However, by using LDAP, they can be managed by a directory service (LDAP server) on a network. In addition, if multiple SPARC M12/M10 systems are installed, the XSCF user account common to all systems can be used with LDAP.
To manage the XSCF user account settings, such as user authentication and user privileges, using LDAP, configure the XSCF as an LDAP client.
This section describes how to manage the XSCF user account settings through a directory service on a network using LDAP.
The available characters for a user account name for XSCF login are lowercase alphabetic characters, numbers, the hyphen (-), the underscore (_), and the period (.). The name is a combination of up to 31 characters. Uppercase alphabetic characters cannot be used. The first character of the name must be a lowercase alphabetic character.
Even though you can log in using a user account name not fitting the above description, your commands may not work normally. For this reason, use the above-described user account name.
Note - This section does not describe the configuration and management of the LDAP server. An administrator who is familiar with the LDAP server should design the LDAP server.
Note - For the XCP firmware version that supports LDAP, see the latest Product Notes for your server.
In the LDAP settings, items related to an LDAP client are set. The settings cover the LDAP Server, bind ID, password, search base, and so on. In the LDAP server, the XSCF user information is managed.

Table 3-11 lists terms related to the LDAP settings.
Table 3-11  Terms Related to LDAP
Term Description
LDAP Abbreviation for Lightweight Directory Access Protocol.
LDAP is a protocol used to access a directory service on a network.
baseDN Abbreviation for base Distinguished name.
Under LDAP, directory information is organized in a hierarchical structure. To perform a search, specify the subtree to be searched in the hierarchical structure. At this time, specify the distinguished name (DN) of the top of the target subtree. This DN is referred to as the search base (baseDN).
Certificate chain List of certificates, including a user certificate and certification authority certificate. OpenSSL and TLS certificates must be downloaded in advance.
TLS Abbreviation for Transport Layer Security.
This is a protocol for encrypting information for transmission/reception via the Internet.
LDAP setting flow
This section describes the flow to configure the XSCF as an LDAP client.
  1. Enable LDAP.
  2. Enter the configuration information of the LDAP server.
    - The IP address or the host name and port number of the primary LDAP directory

    - Option: Up to two IP addresses or the host name and port of alternate LDAP directories

    - The search base distinguished name (DN) for reference

    - Whether or not to use the Transport Layer Security (TLS)
  3. Check whether or not the LDAP operates normally.
Settings required on LDAP server
  1. Add descriptions related to user privileges to an LDAP schema file.
    To configure the XSCF as an LDAP client, create an LDAP schema related to the user privileges of the XSCF on an LDAP server. Add the following descriptions to the schema file.
attributetype ( 1.3.6.1.1.1.1.40 NAME 'spPrivileges'
DESC 'Service Processor privileges'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
objectclass ( 1.3.6.1.1.1.2.13 NAME 'serviceProcessorUser' SUP top
AUXILIARY
DESC 'Service Processor user'
MAY spPrivileges )
  1. Add attributes required for users to an LDIF file.
    Add the following attributes that are required for each user to an LDIF (LDAP Data Interchange Format) file on an LDAP server.
Table 3-12  Required Attributes for an LDIF File
Field Name Description
spPrivileges User privilege that is valid on the XSCF
uidNumber User ID number that is valid on the XSCF
uidNumber must be a numeric value larger than 100. Use the showuser command to display a UID.
  1. The following shows an input example of an LDAP schema file.
spPrivileges: platadm
uidNumber: 150
User authentication mechanism when configuring the XSCF as an LDAP client
If LDAP clients are configured on the XSCF and enabled, the user authentication is first performed locally and then on the LDAP server. If the setprivileges command is executed without specifying a privilege to the user, all local privilege data of the user is deleted. After that, if the privilege reference is enabled in LDAP, then the user privilege is referenced in LDAP. When none is specified for the user privilege, the user does not have user privilege even if there is privilege data on LDAP.
The following commands are used to manage LDAP on the XSCF.
- setlookup

- setldap

Unix crypt or MD5 encryption method is used for the passwords saved in the LDAP repository.
Once you have configured the XSCF to use LDAP, it requires no day-to-day management.
LDAP setting items and shell commands to be used
Table 3-13 lists the LDAP setting items and the corresponding shell commands.
Table 3-13  LDAP Setting Items and Commands to be Used
Setting Item Function Description Shell Command Remarks
LDAP usage display Displays the status regarding whether an LDAP server is used for authentication and user privilege lookup. showlookup  
LDAP usage enable/disable Enables or disables the use of an LDAP server for authentication and user privilege lookup. setlookup If this specifies that authentication data and user privilege data be placed on an LDAP server, the system first searches the local area. If the target data is not found locally, then it searches the LDAP server.
Client display Displays LDAP client setting information. showldap  
Bind ID Registers an ID for connecting to (bind: authenticate) an LDAP server. setldap The maximum length of a bind ID is 128 characters.
Password Sets a password used to connect to an LDAP server. A password can consist of 8 to 16 characters.
Search base Sets an LDAP tree search base (baseDN).
- If this item is omitted, the command searches the tree, beginning from the top.

- The maximum length allowed for the search base is 128 characters.
Certificate chain Imports the certificate chain of an LDAP server.
Imports the certificate chain from a remote file by using a secure copy (scp).
- The certificate chain must be in the PEM format. (*1)

- A password may need to be entered to import the certificate from a remote file by using scp.
LDAP server/port Specifies the IP addresses and port numbers of the primary and secondary LDAP servers.
Specifies IP addresses or host names for the addresses.
When specifying both the primary and secondary LDAP servers, specify them in either format without mixing ldaps and ldap.
(Example 1: ldap://10.8.31.14:389)
(Example 2: ldaps://foobar.east:636)
(Example 3: ldap://10.8.31.14:389, ldap://10.8.31.15:389)		 The default LDAP port number is 636 for ldaps:// and 389 for ldap:// when the port number is not specified.
Timeout Sets the maximum time (seconds) allowed for an LDAP search.  
LDAP test Tests the connection to an LDAP server.  
*1 PEM: Abbreviation for Privacy Enhanced Mail. Mail to be sent is encrypted for increased privacy.
Enabling or Disabling the use of an LDAP Server
  1. Execute the showlookup command to display the lookup method of authentication and user privileges.
    In the following example, lookup is executed only for the XSCF server for user authentication, and XSCF and LDAP servers for user privileges.
XSCF> showlookup
Privileges lookup: Local only
Authentication lookup: Local and LDAP
  1. Execute the setlookup command to enable/disable the use of an LDAP server.
    In the following example, an LDAP server is enabled for both user authentication and user privileges.
XSCF> setlookup -a ldap
XSCF> setlookup -p ldap
  1. Execute the showlookup command, and confirm the lookup method.
XSCF> showlookup
Privileges lookup: Local and LDAP
Authentication lookup: Local and LDAP
Setting LDAP server, port number, bind ID, bind password, search base (baseDN), and search time (timeout period)
  1. Execute the showldap command to display LDAP client settings.
XSCF> showldap
Bind Name: Not set
Base Distinguished Name: Not set
LDAP Search Timeout: 0
Bind Password: Not set
LDAP Servers: Not set
CERTS: None
  1. Execute the setldap command to configure LDAP client settings.
    In the following example, a bind ID and search base (baseDN) are specified.
XSCF> setldap -b "cn=Directory Manager" -B "ou=People,dc=users,dc=apl,dc=com,o=isp"
  1. In the following example, a bind password is specified.
XSCF> setldap -p
Password:xxxxxxxx
  1. In the following example, the primary and secondary LDAP servers and port numbers are specified.
XSCF> setldap -s ldaps://onibamboo:636,ldaps://company2.com:636
  1. In the following example, the timeout time for the LDAP search is specified.
XSCF> setldap -T 60
  1. Execute the showldap command, and confirm the setting.
XSCF> showldap
Bind Name: cn=Directory Manager
Base Distinguished Name: ou=People,dc=users,dc=apl,dc=com,o=isp
LDAP Search Timeout: 60
Bind Password: Set
LDAP Servers: ldaps://onibamboo:636 ldaps://company2.com:636
CERTS: None
Installing the certificate chain of an LDAP server
  1. Execute the showldap command to display the LDAP settings.
XSCF> showldap
Bind Name: cn=Directory Manager
Base Distinguished Name: ou=People,dc=users,dc=apl,dc=com,o=isp
LDAP Search Timeout: 60
Bind Password: Set
LDAP Servers: ldaps://onibamboo:636 ldaps://company2.com:636
CERTS: None
  1. Execute the setldap command to import the certificate chain.
XSCF> setldap -c hhhh@example.com:Cert.pem
  1. Execute the showldap command, and confirm that the certificate chain has been imported.
XSCF> showldap
Bind Name: cn=Directory Manager
Base Distinguished Name: ou=People,dc=users,dc=apl,dc=com,o=isp
LDAP Search Timeout: 60
Bind Password: Set
LDAP Servers: ldaps://onibamboo:636,ldaps://company2.com:636
CERTS: Exists
Testing a connection to an LDAP server
  1. Execute the setldap command to perform the test.
XSCF> setldap -t sysadmin
onibamboo:636 PASSED
  1. Log in as the user registered to the LDAP server. Confirm the authentication using the entered password.
login: sysadmin
Password:xxxxxxxx
  1. Execute the showuser command, and check whether the displayed user privilege is the same as the one created in the LDAP server.
XSCF> showuser
User Name: sysadmin (nonlocal)
UID: 110
Privileges: platadm

Top of Page