Users Guide
• The Group Name and Group Domain Name matches the Active Directory conguration if you are using standard schema.
• If the user and the iDRAC object is in dierent domain, then do not select the User Domain from Login option. Instead select
Specify a Domain option and enter the domain name where the iDRAC object resides.
• Check the domain controller SSL certicates to make sure that the iDRAC time is within the valid period of the certicate.
Active Directory login fails even if certicate validation is enabled. The test results display the following error message. Why does this
occur and how to resolve this?
ERROR: Can't contact LDAP server, error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed: Please check the correct
Certificate Authority (CA) certificate has been uploaded to iDRAC. Please also check if the
iDRAC date is within the valid period of the certificates and if the Domain Controller Address
configured in iDRAC matches the subject of the Directory Server Certificate.
If certicate validation is enabled, when iDRAC establishes the SSL connection with the directory server, iDRAC uses the uploaded CA
certicate to verify the directory server certicate. The most common reasons for failing certication validation are:
• iDRAC date is not within the validity period of the server certicate or CA certicate. Check the iDRAC time and the validity period of
your certicate.
• The domain controller addresses congured in iDRAC does not match the Subject or Subject Alternative Name of the directory server
certicate. If you are using an IP address, read the next question. If you are using FQDN, make sure you are using the FQDN of the
domain controller and not the domain. For example, servername.example.com instead of example.com.
Certicate validation fails even if IP address is used as the domain controller address. How to resolve this?
Check the Subject or Subject Alternative Name eld of your domain controller certicate. Normally, Active Directory uses the host name
and not the IP address of the domain controller in the Subject or Subject Alternative Name eld of the domain controller certicate. To
resolve this, do any of the following:
• Congure the host name (FQDN) of the domain controller as the domain controller address(es) on iDRAC to match the Subject or
Subject Alternative Name of the server certicate.
• Reissue the server certicate to use an IP address in the Subject or Subject Alternative Name eld, so that it matches the IP address
congured in iDRAC.
• Disable certicate validation if you choose to trust this domain controller without certicate validation during the SSL handshake.
How to congure the domain controller address(es) when using extended schema in a multiple domain environment?
This must be the host name (FQDN) or the IP address of the domain controller(s) that serves the domain in which the iDRAC object
resides.
When to congure Global Catalog Address(es)?
If you are using standard schema and the users and role groups are from dierent domains, Global Catalog Address(es) are required. In this
case, you can use only Universal Group.
If you are using standard schema and all the users and role groups are in the same domain, Global Catalog Address(es) are not required.
If you are using extended schema, the Global Catalog Address is not used.
How does standard schema query work?
iDRAC connects to the congured domain controller address(es) rst. If the user and role groups are in that domain, the privileges are
saved.
If Global Controller Address(es) is congured, iDRAC continues to query the Global Catalog. If additional privileges are retrieved from the
Global Catalog, these privileges are accumulated.
Does iDRAC always use LDAP over SSL?
Frequently asked questions
317