Configuring RADIUS or LDAP on Supermicro (ATEN) IPMI

authentication ldap ipmi supermicro radius

Solution 1:

Here are the magic numbers, which I have no idea of the meaning, that I got (a while ago) from Supermicro (via our vendor, Silicon Mechanics):

#vi /etc/raddb/users

Example:
    myuser          Auth-Type   :=Local, User-Password == “123456”
                    Vendor-Specific = “H=4, I=4”

    testuser        Auth-Type   :=Local, User-Password == “654321”
                    Vendor-Specific = “H=3, I=3”

So, obviously H= and I= mean something, and at least 3 and 4 are valid values (and I don't believe the syntax is even allowed by the RFCs, but whatever). I replied asking what those mean, and haven't heard back. I just sent a followup...

edit

Got a reply: >

Those setting match the user account type in IPMI Web GUI.

CallBack (H=1, I=1) = No Access
Basically, this type of account will be rejected by IPMI. It can be used to temporarily disable an account.

User (H=2, I=2) = User
This type of the account is only allowed to check the system status.

Operator (H=3, I=3) = Operator
This type of the account is allowed to do the remote control & check the system statsus, but can't change the configuration.

Administrator (H=4, I=4) = Administrator
The type of accout is allowed to do everything.

There is no other privilege.

edit 2

Reply to the two different field meanings.

This is the info SuperMicro got from ATEN:

"H" means if for the user privilege. IPMI spec 2.0 defines the following channel privilege levels. We don't use the OEM Proprietary level for special privilege.

Channel Privilege Level Limit:
      0h = reserved
      1h = CALLBACK level
      2h = USER level
      3h = OPERATOR level
      4h = ADMINISTRATOR level
      5h = OEM Proprietary level

"I" is for debug purpose and it is reserved option. Please ignore it.

Below is the definition of the Channel Privilege Levels from IPMI spec 2.0:

Callback
This may be considered the lowest privilege level. Only commands necessary to support initiating a Callback are allowed.

User
Only 'benign' commands are allowed. These are primarily commands that read data structures and retrieve status. Commands that can be used to alter BMC configuration, write data to the BMC or other management controllers, or perform system actions such as resets, power on/off, and watchdog activation are disallowed.

Operator
All BMC commands are allowed, except for configuration commands that can change the behavior of the out-of band interfaces. For example, Operator privilege does not allow the capability to disable individual channels, or change user access privileges.

Administrator
All BMC commands are allowed, including configuration commands. An Adminstrator can even execute configuration commands that would disable the channel that the Administrator is communicating over.

Related

What is preventing me from piping from a '600' file into mail within launchd?
Access control to 100's of LAMP box via LDAP
lastb: /var/log/btmp empty
Cannot get IIS7 to send cookies to IE
One Wordpress install (multisite) or multiple installs?
limit bandwidth and space usage of each Virtual Host?
Why is my MPIO connection to the SAN capped at 1 Gbps when using Linux?
Best choice for a Linux temporary files server?
Windows server administration resources for Linux administrators?
Weird access log on my server
What is Memory Operating Mode?
Setting up array of SSDs for Oracle Database, recommendations?