iDRAC-Redfish-Scripting icon indicating copy to clipboard operation
iDRAC-Redfish-Scripting copied to clipboard
verified publisher icon dell

Redfish in iDRAC 9 is ignoring Lan_Privilege_Limit=Administrator for users

Open r00ta opened this issue 5 months ago • 4 comments

Hi there,

We are creating new users with

ipmi-config --commit --key-pair=User3:Username=maas
ipmi-config --commit --key-pair=User3:Password=REDACTED
ipmi-config --commit --key-pair=User3:Enable_User=Yes
ipmi-config --commit --key pair=User3:Lan_Privilege_Limit=Administrator
ipmi-config --commit --key-pair=User3:Lan_Enable_IPMI_Msgs=Yes
ipmi-config --commit --key-pair=User3:Lan_Enable_Link_Auth=Yes
ipmi-config --commit --key-pair=User3:SOL_Payload_Access=Yes
ipmi-config --commit --key-pair=User3:Serial_Enable_Link_Auth=Yes

And in the UI it looks like

Image

This works fine until we use IPMI. However, when we use redfish we get 401. After changing the UserRole to Administrator using the UI it works fine.

Apparently iDRAC 9 redfish relies on the User Role instead of Lan_Privilege_Limit.

r00ta avatar Jul 31 '25 12:07 r00ta

I am also having this same issue. It was reported by the community users here as well: https://bugs.launchpad.net/maas/+bug/2114942 affecting iDRAC9 users.

alanbach avatar Jul 31 '25 14:07 alanbach

Hi @r00ta @alanbach

Currently not supported by iDRAC to configure user privilege role using IPMI but will escalate this concern to iDRAC internal teams at Dell to see if support can be implemented in a future release.

Note there are extended IPMI commands, which are very difficult (awkward) to use that support configuring the RAC privilege by using the “raw” option in ipmitool but not recommended to use and we don't document.

Thanks Tex

texroemer avatar Aug 01 '25 21:08 texroemer

Where would one find or discover what raw options are available - is there even a way to extract a list of options, is the idrac code public/private to use as a reference? I could see many customers would be willing to attempt a scripted solution even if it only works some of the time ; large enterprises are unlikely to apply the latest idrac release and it's common customers will stick on a "known good" BIOS or iDRAC version for a while. This would enable folks using earlier idrac versions to use Redfish with MAAS and similar tech.

lurkingsystemsdude avatar Aug 12 '25 02:08 lurkingsystemsdude

Sorry about the late reply, missed responding here after discussing with internal teams. Dell does not document raw IPMI commands and we recommend to instead use tools RACADM or Redfish to create iDRAC users in-band.

Thanks Tex

texroemer avatar Sep 17 '25 14:09 texroemer