iLO Login check script

We recently changed the iLO local account logins in favor of LDAP authentication against our AD, which is cool but raised the issue that sometimes logins seemed to work with my AD account and sometimes not, because not every system was configured for LDAP authentication properly.

Instead of checking logins on dozens of servers manually (with the nice iLO failed login delay), I took a stab at analyzing the login procedures and scripting the logins myself.
So I came up with this horrible piece of bash script doing exactly that. I checked this script with all known iLO versions 1, 2, 3 and 4, and it worked with all of them (the login procedure is identical within each pair, versions 1/2 and versions 3/4). Running it requires an argument pointing to a file containing the iLO hostnames or IPs to connect to.
Here’s the script on pastebin with formatting: http://pastebin.com/i2Y0xSTQ:

Update: I have moved my scripts to GitHub and updated some of them a bit. You can find the current version of this particular script here.

#!/bin/bash
# Checks whether one account (local or AD) can log in to every iLO listed in a file.
# Usage: ./ilocheck.sh /tmp/ilo-list   (one hostname or IP per line)

if [ $# -eq 0 ]
then
        echo "No arguments supplied. Expecting a file with a list of ILO-IPs/DNS names to connect to. E.g. run ./ilocheck.sh /tmp/ilo-list"
        exit 1
fi

echo "Enter FULL AD-Account DN (required for ILO1/2) or local account name: (EX: CN=adminuser,OU=departmen1,OU=top,DC=domain,DC=local)"
read -e -r userdn
# iLO1/2 expect user name and password base64-encoded inside the login cookie
userdn64=$( echo -n "$userdn" | base64 -w 0 )
echo "Enter password:"
read -e -r -s pw
echo
pw64=$( echo -n "$pw" | base64 -w 0 )

# Temporary file for the session values scraped from login.htm (iLO1/2 only);
# mktemp instead of a fixed /tmp name so nobody can pre-create the file
ilotemp=$( mktemp )
trap 'rm -f "$ilotemp"' EXIT

cat "$@" | sort | while read -r ilo
do
        ilourl="https://$ilo"
        echo -e "\nChecking ILO Interface on $ilourl..."
        # The front page title tells the generations apart; the login procedure differs between 1/2 and 3/4
        if curl -ks "$ilourl" | grep -Pq "HP Integrated Lights-Out( 2)? Login"
        then
                echo "$ilourl is an ILO2 or ILO1 System"
                # login.htm carries the sessionkey and sessionindex that the login cookie must echo back
                curl -ks "$ilourl/login.htm" | grep -A1 "sessionkey=" | grep -Po '\w[^\"]+' > "$ilotemp"
                sessionkey=$( awk 'FNR == 2 {print}' "$ilotemp" )
                sessionindex=$( awk 'FNR == 4 {print}' "$ilotemp" )
                # The login itself is a GET to index.htm with the cookie; the Referer header is mandatory
                if curl -ks "$ilourl/index.htm" --header "Cookie: hp-iLO-Login=$sessionindex:$userdn64:$pw64:$sessionkey" --header "Referer: $ilourl/login.htm" | grep -q "has detected a failed login attempt"
                then
                        echo "Login on $ilourl NOT successful."
                else
                        echo "Login on $ilourl successful."
                fi
        elif curl -ks "$ilourl" | grep -Pq "iLO [34]"
        then
                echo "$ilourl is an ILO3 or ILO4 System"
                # iLO3/4 take a JSON POST. Quotes or backslashes in the credentials are not escaped here,
                # and the password is visible in the curl argument list (ps) on the machine running the script.
                if curl -ks "$ilourl/json/login_session" -X POST --data "{\"method\":\"login\",\"user_login\":\"$userdn\",\"password\":\"$pw\"}" | grep -q "JS_ERR_NO_PRIV"
                then
                        echo "Login on $ilourl NOT successful."
                else
                        echo "Login on $ilourl successful."
                fi
        else
                echo "ILO Interface of $ilourl unreachable or not found"
        fi
done

Example script run:

$ ./ilo.sh ilos.txt
Enter FULL AD-Account DN (required for ILO1/2) or local account name: (EX: CN=adminuser,OU=departmen1,OU=top,DC=domain,DC=local)
CN=myusername,OU=departmen1,OU=top,DC=domain,DC=local
Enter password:

Checking ILO Interface on https://10.88.1.13...
https://10.88.1.13 is an ILO2 or ILO1 System
Login on https://10.88.1.13 successful.

Checking ILO Interface on https://10.89.4.46...
https://10.89.4.46 is an ILO3 or ILO4 System
Login on https://10.89.4.46 successful.

Checking ILO Interface on https://ilo-server74.ilo.local...
https://server74.ilo.local is an ILO3 or ILO4 System
Login on https://server74.ilo.local NOT successful

Checking ILO Interface on https://ilo-server94.ilo.local...
https://ilo-server94.ilo.local is an ILO2 or ILO1 System
Login on https://ilo-server94.ilo.local NOT successful.

Whether you want to check local iLO or LDAP/AD accounts actually doesn’t matter, it works with both. But be aware that LDAP authentication on iLO 1 and 2 requires you to specify the full Distinguished Name of your account on the iLO login page or in this script, e.g. something like “CN=adminuser,OU=departmen1,OU=top,DC=domain,DC=local”.
You also need to enter the DN if you want to connect to iLO1/2 with Firefox, for example, but not with IE, where an ActiveX plugin takes care of transforming your short user name into the DN.

Here are a few interesting points I dug up during this:
The iLO1 and iLO2 login mechanism seems a bit dumb and clumsy. It wants you to connect to /login.htm, where a JavaScript routine generates a cookie with a sessionkey and a sessionindex attribute. The actual login form then sends this cookie, including your base64’d username and password, to /index.htm via an HTTP GET. This GET also MUST contain a Referer header pointing at the login URL (e.g. “Referer: https://ilo.host/login.htm”) or the iLO won’t accept your login.

iLO3 and iLO4 use proper HTTP POSTs here, but seem to lack proper dynamic attributes on the login form to prevent XSRF.
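The two login flows described above, modelled in Python as an added example (not code from the original post): generation detection with the same banner patterns the bash script greps for, the iLO1/2 cookie-plus-Referer GET, the iLO3/4 JSON POST (with json.dumps escaping quotes and backslashes that the bash string interpolation leaves alone), and result classification by the page's two failure markers. The sessionindex/sessionkey values for iLO1/2 are assumed to have been scraped from /login.htm already; no request is sent here.

```python
import base64
import json
import re

# Banner patterns and failure markers exactly as the bash script on this page uses them
ILO12_BANNER = re.compile(r"HP Integrated Lights-Out( 2)? Login")
ILO34_BANNER = re.compile(r"iLO [34]")
ILO12_FAIL = "has detected a failed login attempt"
ILO34_FAIL = "JS_ERR_NO_PRIV"


def detect_generation(index_html):
    """Classify the iLO from its front page: 'ilo12', 'ilo34' or None (unreachable/unknown)."""
    if ILO12_BANNER.search(index_html):
        return "ilo12"
    if ILO34_BANNER.search(index_html):
        return "ilo34"
    return None


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def login_request(generation, ilourl, user, password, sessionindex=None, sessionkey=None):
    """Assemble the login request for one iLO generation as a dict of method/url/headers/body.

    ilo12: GET /index.htm carrying the hp-iLO-Login cookie
           (sessionindex : base64 user DN : base64 password : sessionkey)
           and a Referer of /login.htm, which the iLO insists on.
    ilo34: POST /json/login_session with a JSON body (no extra headers, as in the script).
    """
    if generation == "ilo12":
        cookie = f"hp-iLO-Login={sessionindex}:{_b64(user)}:{_b64(password)}:{sessionkey}"
        return {"method": "GET", "url": f"{ilourl}/index.htm",
                "headers": {"Cookie": cookie, "Referer": f"{ilourl}/login.htm"}, "body": None}
    if generation == "ilo34":
        body = json.dumps({"method": "login", "user_login": user, "password": password})
        return {"method": "POST", "url": f"{ilourl}/json/login_session",
                "headers": {}, "body": body}
    raise ValueError(f"unknown iLO generation: {generation}")


def login_result(generation, response_body):
    """Map the response body to 'success' or 'failed' via the generation's failure marker."""
    marker = ILO12_FAIL if generation == "ilo12" else ILO34_FAIL
    return "failed" if marker in response_body else "success"
```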

During testing I stumbled upon a few “Directory connection limit reached” errors, caused by the script not ending its sessions properly again (I could include that in the script as well, maybe another time). If you open too many sessions to one iLO, you need to wait a while for them to time out.


One thought on “iLO Login check script”

  1. It was very helpful. Thank you very much. For people thinking they would like to try it in the future, the opinions of those who have already used it are the most useful reference of all.

    Nobody wants the experience of “I wasted my money buying it, I should not have bought it.” I found a site that thoroughly collects and summarizes plenty of such reviews, so I would like to introduce it.

    Here it is. On this site, opinions about Kumo no Yasuragi are compiled as statistical data.

    Does it help with back pain? Where should you buy it so you do not lose out? It investigates such things in detail and was very useful.

    Even in spare moments, you can finish reading it in about 10 minutes, so I recommend it.
