iLO Login check script

We recently switched the iLO logins from local accounts to LDAP authentication against our Active Directory. That is nice, but it raised a problem: logins with my AD account worked on some systems and failed on others, because not every iLO had been configured for LDAP authentication correctly.

Instead of checking logins on dozens of servers by hand (complete with the iLO delay after a failed login), I took a stab at analyzing the login procedure and scripting the logins myself.
So I came up with this horrible piece of bash script, which does exactly that. I checked it against all iLO versions known to me, 1, 2, 3 and 4, and it worked with all of them (the login procedure is the same for iLO 1 and 2, and again for iLO 3 and 4). Running it requires one argument: a file containing the iLO hostnames or IPs to connect to.
Here’s the script on pastebin with formatting:

Update: I have moved my scripts to GitHub and updated some of them a bit. You can find the current version of this particular script here.


#!/bin/bash
if [ $# -eq 0 ]; then
        echo "No arguments supplied. Expecting a file with a list of ILO-IPs/DNS names to connect to. E.g. run ./ /tmp/ilo-list"
        exit 1
fi

echo "Enter FULL AD-Account DN (required for ILO1/2) or local account name: (EX: CN=adminuser,OU=departmen1,OU=top,DC=domain,DC=local)"
read -er userdn
userdn64=$( echo -n "$userdn" | base64 -w 0 )
echo "Enter password:"
read -ers pw
pw64=$( echo -n "$pw" | base64 -w 0 )

# The list file holds bare hostnames or IPs; every request goes over HTTPS.
cat "$@" | sort | while read -r ilo; do
        ilourl="https://$ilo"
        echo -e "\nChecking ILO Interface on $ilourl..."
        if curl -ks "$ilourl" | grep -Pq "HP Integrated Lights-Out( 2)? Login"; then
                echo "$ilourl is an ILO2 or ILO1 System"
                # login.htm carries sessionkey="..." and sessionindex="..." on consecutive lines;
                # the second and fourth tokens of the grep output are their values.
                vals=$( curl -ks "$ilourl/login.htm" | grep -A1 "sessionkey=" | grep -Po '\w[^\"]+' )
                sessionkey=$( awk 'FNR == 2 {print}' <<<"$vals" )
                sessionindex=$( awk 'FNR == 4 {print}' <<<"$vals" )
                # iLO 1/2 log in via a GET with the credentials in a cookie; the Referer header is mandatory.
                if curl -ks "$ilourl/index.htm" --header "Cookie: hp-iLO-Login=$sessionindex:$userdn64:$pw64:$sessionkey" --header "Referer: $ilourl/login.htm" | grep -q "has detected a failed login attempt"; then
                        echo "Login on $ilourl NOT successful."
                else
                        echo "Login on $ilourl successful."
                fi
        elif curl -ks "$ilourl" | grep -Pq "iLO [34]"; then
                echo "$ilourl is an ILO3 or ILO4 System"
                # iLO 3/4 use a JSON POST; JS_ERR_NO_PRIV in the reply means the login was rejected.
                if curl -ks "$ilourl/json/login_session" -X POST --data "{\"method\":\"login\",\"user_login\":\"$userdn\",\"password\":\"$pw\"}" | grep -q "JS_ERR_NO_PRIV"; then
                        echo "Login on $ilourl NOT successful."
                else
                        echo "Login on $ilourl successful."
                fi
        else
                echo "ILO Interface of $ilourl unreachable or not found"
        fi
done

Example script run:

$ ./ ilos.txt
Enter FULL AD-Account DN (required for ILO1/2) or local account name: (EX: CN=adminuser,OU=departmen1,OU=top,DC=domain,DC=local)
Enter password:

Checking ILO Interface on is an ILO2 or ILO1 System
Login on successful.

Checking ILO Interface on is an ILO3 or ILO4 System
Login on successful.

Checking ILO Interface on https://ilo-server74.ilo.local...
https://ilo-server74.ilo.local is an ILO3 or ILO4 System
Login on https://ilo-server74.ilo.local NOT successful.

Checking ILO Interface on https://ilo-server94.ilo.local...
https://ilo-server94.ilo.local is an ILO2 or ILO1 System
Login on https://ilo-server94.ilo.local NOT successful.

Whether you want to check local iLO accounts or LDAP/AD accounts doesn’t matter; the script works with both. But be aware that LDAP authentication on iLO 1 and 2 requires the full Distinguished Name of your account, both on the iLO login page and in this script, e.g. “CN=adminuser,OU=departmen1,OU=top,DC=domain,DC=local”.
The same applies when you log in to iLO 1/2 with Firefox, for example, but not with Internet Explorer, where an ActiveX plugin takes care of translating your short user name into the DN.

Here are a few interesting points I dug up during this:
The iLO 1 and iLO 2 login mechanism seems a bit dumb and clumsy. It wants you to connect to /login.htm, where a piece of JavaScript generates a cookie with a sessionkey and a sessionindex attribute. The actual login form then sends this cookie, including your base64’d username and password, to /index.htm via an HTTP GET. This GET also MUST carry a Referer header pointing at the login page (the script sends “Referer: $ilourl/login.htm”), or the login is refused. Keep in mind that base64 is encoding, not encryption: the credentials are readable by anyone who can see the request, and the script’s curl -k additionally skips certificate verification, so run it only on a network you trust.

iLO 3 and iLO 4 use a proper HTTP POST here, but the login form seems to lack any per-session dynamic attribute that would protect it against XSRF.

During testing I ran into a few “Directory connection limit reached” errors, caused by the script never ending its sessions properly (I could add that to the script as well, maybe another time). If you open too many sessions to one iLO you have to wait a while for them to time out.
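The iLO 1/2 cookie login and the iLO 3/4 detection described above, pulled apart into small bash functions that work on page text and so can be exercised offline, as an added example that is not part of the original script. The sample pages in the block are constructed to match what the script’s grep/awk pipeline expects (a login.htm with sessionkey="…" and sessionindex="…" on consecutive lines); a real iLO page may lay these out differently, and the value extraction here goes by attribute name rather than by line position so that it tolerates extra lines in between.

```bash
#!/usr/bin/env bash
# Added example, not the original script: the iLO 1/2 cookie login and the
# iLO 3/4 detection as functions that take page text as a string, so the
# parsing can be checked offline. The sample pages below are constructed.

# Detect the iLO generation from the landing page the same way the script does.
# Prints "ilo12", "ilo34" or "unknown".
ilo_generation() {   # $1 = HTML of https://<ilo>/
    if printf '%s\n' "$1" | grep -Pq 'HP Integrated Lights-Out( 2)? Login'; then
        echo ilo12
    elif printf '%s\n' "$1" | grep -Pq 'iLO [34]'; then
        echo ilo34
    else
        echo unknown
    fi
}

# Pull one value (sessionkey or sessionindex) out of login.htm by name.
# The script takes lines 2 and 4 of a grep -A1 pipeline, which breaks if an
# extra line ever sits between the two attributes; matching by name does not.
ilo2_session_value() {   # $1 = HTML of login.htm, $2 = attribute name
    printf '%s\n' "$1" | grep -Po "${2}=\"\K[^\"]+" | head -n 1
}

# Build the hp-iLO-Login cookie the script sends with its GET to /index.htm:
#   index:base64(DN):base64(password):key
# base64 is encoding only; whoever can read the request can read the password.
ilo2_login_cookie() {   # $1 = HTML of login.htm, $2 = user DN, $3 = password
    local key index dn64 pw64
    key=$(ilo2_session_value "$1" sessionkey)
    index=$(ilo2_session_value "$1" sessionindex)
    [ -n "$key" ] && [ -n "$index" ] || return 1   # page did not carry both attributes
    dn64=$(printf '%s' "$2" | base64 | tr -d '\n')
    pw64=$(printf '%s' "$3" | base64 | tr -d '\n')
    printf 'hp-iLO-Login=%s:%s:%s:%s' "$index" "$dn64" "$pw64" "$key"
}

# The JSON body the script POSTs to /json/login_session on iLO 3/4.
# No JSON escaping, exactly as in the script: a DN or password containing
# a double quote would need escaping before it is sent.
ilo34_login_body() {   # $1 = user name or DN, $2 = password
    printf '{"method":"login","user_login":"%s","password":"%s"}' "$1" "$2"
}

# Classify a login reply by the error markers the script greps for.
ilo2_login_result()  { printf '%s\n' "$1" | grep -q 'has detected a failed login attempt' && echo fail || echo ok; }
ilo34_login_result() { printf '%s\n' "$1" | grep -q 'JS_ERR_NO_PRIV' && echo fail || echo ok; }

# Constructed sample pages (assumed layout, not captures from a real iLO).
SAMPLE_INDEX_ILO2='<html><head><title>HP Integrated Lights-Out 2 Login</title></head></html>'
SAMPLE_INDEX_ILO4='<html><head><title>iLO 4</title></head></html>'
SAMPLE_LOGIN_HTM='<script type="text/javascript">
var sessionkey="0123456789abcdef";
var sessionindex="7";
</script>'

# Demo run: prints the detected generation, then the cookie for a sample DN and password.
ilo_generation "$SAMPLE_INDEX_ILO2"
ilo2_login_cookie "$SAMPLE_LOGIN_HTM" 'CN=adminuser,OU=departmen1,OU=top,DC=domain,DC=local' 'secret'
echo
```

Nothing in the block talks to the network, so it can be run against a login.htm saved with curl to check that the parsing holds on your firmware before pointing the script at dozens of iLOs; the cookie it prints is exactly what the script puts into its Cookie header.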


2 thoughts on “iLO Login check script”

  1. This was very helpful, thank you. For anyone thinking of trying it out in the future, the opinion of someone who has already used it is the most valuable reference of all.
