GET – Account Service
Request
This resource represents the management account service of a Redfish implementation. It allows users to create multiple accounts with different roles and privileges.
A maximum of 14 accounts is supported.
GET https://{{ip}}/redfish/v1/AccountService
Content-Type: application/json
Response
The response to the request will be in JSON format. The properties are mentioned in the following table.
Name | Type | Read-only | Description
(OData attributes) | | | Refer to OData Support.
Id (M) | String | True | Refer to Resource Type Definitions.
Name (M) | String | True |
Description | String | True |
Oem | Object | | Specifies the AMI OEM properties (see Oem properties below). Note: this property is part of the JSON response only if an OEM property is implemented.
ServiceEnabled | Boolean | False | Indicates whether this service is enabled. The default value is True. If False, the service is disabled: Redfish users cannot be created, deleted or modified, and new sessions cannot be created; established sessions may still continue to run. This does not affect any authentication connections.
AuthFailureLoggingThreshold | Number | False | The number of authorization failures that must occur before a failed attempt is logged to the manager log. This is a modulo value: the failure is logged on every (n+1)th occurrence, where n is the value of this property. Minimum value: 0. Note
MinPasswordLength (C) | Number | True | The minimum password length the implementation allows a password to be set to. Minimum value: 0.
MaxPasswordLength (C) | Number | True | The maximum password length the implementation allows a password to be set to. Minimum value: 0.
AccountLockoutThreshold (C) | Number | False | The number of failed login attempts before a user account is locked for the specified duration (0 = never locked). Minimum value: 0. Default value: 5. Note: the maximum allowed value is 100.
AccountLockoutDuration (C) | Number | False | The period, in seconds, for which an account is locked after the number of failed login attempts reaches AccountLockoutThreshold within the window given by AccountLockoutCounterResetAfter. The value shall be greater than or equal to AccountLockoutCounterResetAfter. If set to 0, no lockout occurs. Minimum value: 0. Note: the maximum allowed value is 10000. The account lockout feature applies only to Redfish-defined (local) accounts, not to remote accounts such as LDAP, AD or RADIUS.
AccountLockoutCounterResetAfter (C) | Number | False | The time, in seconds, after the last failed login attempt at which the AccountLockoutThreshold counter (the count of failed login attempts) is reset to zero, so that AccountLockoutThreshold further failures are again required before the account is locked. This value shall be less than or equal to AccountLockoutDuration. The counter also resets to zero after each successful login. Minimum value: 0. Note: the maximum allowed value is 10000. The account lockout feature applies only to Redfish-defined (local) accounts, not to remote accounts such as LDAP, AD or RADIUS.
Accounts | Object | True | Link to a collection of type ManagerAccountCollection.
Roles | Object | True | Link to a collection of type RoleCollection.
PrivilegeMap | Object | True | Link to the PrivilegeRegistry resource.
Actions | Object | True | Contains the actions for this resource under the Oem property, if any.
LocalAccountAuth | String | False | Governs how the service uses the Accounts collection within this AccountService as part of authentication. The allowable values and the behaviour of each are listed under LocalAccountAuth values below.
AccountLockoutCounterResetEnabled | Boolean | False | Indicates whether the threshold counter is reset after AccountLockoutCounterResetAfter has expired. False means that only a successful login resets the threshold counter; in that case, once the user reaches AccountLockoutThreshold, the account is locked out indefinitely and only a reset by the administrator clears the counter. If this property is absent, its value is assumed to be true. Note: there are two conditions used to restrict account lockout.
LDAP | Object | False | Refer to LDAP Properties.
ActiveDirectory | Object | False | Refer to Active Directory Properties.
AdditionalExternalAccountProviders | Object | True | The additional external account providers that this Account Service uses.

Oem properties
Name | Type | Read-only | Description
@odata.type | String | True | Refer to OData Support.
Configuration | Object | True | Refer to AccountService Configuration.
H5ViewerToken | String | True | Lenovo OEM: obtains the H5 Viewer token used to open the KVM.
Status | Object | True | Refer to Resource Properties.

LocalAccountAuth values
Name | Description
Enabled | The service authenticates users based on the Account Service-defined Accounts collection.
Disabled | The service never authenticates users based on the Account Service-defined Accounts collection.
Fallback | The service authenticates users based on the Account Service-defined Accounts collection only if any external account providers are currently unreachable.
LocalFirst | The service first authenticates users based on the Account Service-defined Accounts collection. If that authentication fails, the service authenticates by using the external account providers.
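The lockout and logging properties above interact (AccountLockoutDuration must be at least AccountLockoutCounterResetAfter, a threshold or duration of 0 disables lockout entirely, and AccountLockoutCounterResetEnabled defaults to true when absent), so the practical check is to read the resource, flag weak settings, and build a PATCH that only touches the writable properties. The script below is an added example and is not code from this page or from the BMC vendor; the sample response, the baseline values in POLICY, and the host and token in the usage section are constructed assumptions.

```python
"""Audit a GET /redfish/v1/AccountService response against the lockout and
password constraints stated in the table above, and build the PATCH body that
brings the writable settings up to a chosen baseline.

Added example; not code from this page or from the BMC vendor. The sample
response, the baseline values in POLICY and the host/token used at the bottom
are constructed assumptions."""
import json
import urllib.request

# Constructed sample of an AccountService response (trimmed to the fields used).
SAMPLE_RESPONSE = json.loads("""{
  "@odata.id": "/redfish/v1/AccountService",
  "Id": "AccountService",
  "Name": "Account Service",
  "ServiceEnabled": true,
  "AuthFailureLoggingThreshold": 0,
  "MinPasswordLength": 8,
  "MaxPasswordLength": 20,
  "AccountLockoutThreshold": 0,
  "AccountLockoutDuration": 30,
  "AccountLockoutCounterResetAfter": 60,
  "LocalAccountAuth": "Enabled"
}""")

# Baseline chosen for this example (an assumption, not a value the page mandates).
POLICY = {
    "AccountLockoutThreshold": 5,            # page default; maximum 100
    "AccountLockoutDuration": 900,           # seconds; must be >= CounterResetAfter, max 10000
    "AccountLockoutCounterResetAfter": 600,  # seconds; maximum 10000
    "AccountLockoutCounterResetEnabled": True,
    "AuthFailureLoggingThreshold": 0,        # logged every (n+1)th failure: n=0 logs every one
    "MinPasswordLength": 12,                 # read-only on this implementation; audited only
}

# Properties the table marks writable (Read-only = False) among those in POLICY.
WRITABLE = ("AccountLockoutThreshold", "AccountLockoutDuration",
            "AccountLockoutCounterResetAfter", "AccountLockoutCounterResetEnabled",
            "AuthFailureLoggingThreshold")


def check_ranges(cfg):
    """Raise ValueError if cfg breaks a limit or the ordering rule from the table."""
    thr = cfg.get("AccountLockoutThreshold", 0)
    dur = cfg.get("AccountLockoutDuration", 0)
    rst = cfg.get("AccountLockoutCounterResetAfter", 0)
    if not 0 <= thr <= 100:
        raise ValueError("AccountLockoutThreshold must be within 0..100")
    for name, val in (("AccountLockoutDuration", dur),
                      ("AccountLockoutCounterResetAfter", rst)):
        if not 0 <= val <= 10000:
            raise ValueError(f"{name} must be within 0..10000")
    # Duration 0 disables lockout outright, so the ordering rule only applies when it is set.
    if dur and dur < rst:
        raise ValueError("AccountLockoutDuration must be >= AccountLockoutCounterResetAfter")


def audit(svc):
    """Return human-readable findings for weak or surprising settings."""
    findings = []
    if not svc.get("ServiceEnabled", True):
        findings.append("ServiceEnabled is false: accounts cannot be managed and no new sessions can be created")
    thr = svc.get("AccountLockoutThreshold", 0)
    dur = svc.get("AccountLockoutDuration", 0)
    rst = svc.get("AccountLockoutCounterResetAfter", 0)
    if thr == 0 or dur == 0:
        findings.append("lockout disabled: local accounts are never locked, so password guessing is unthrottled")
    elif dur < rst:
        findings.append("AccountLockoutDuration is shorter than AccountLockoutCounterResetAfter, violating the documented ordering")
    if "AccountLockoutCounterResetEnabled" not in svc:
        findings.append("AccountLockoutCounterResetEnabled absent: assumed true, so lockouts expire on their own")
    if svc.get("MinPasswordLength", 0) < POLICY["MinPasswordLength"]:
        findings.append("MinPasswordLength is below baseline and read-only here; it cannot be raised by PATCH")
    return findings


def build_patch(svc, policy):
    """Return the minimal PATCH body: writable keys whose current value differs from policy.
    Raises ValueError before anything is sent if the combined result would be invalid."""
    desired = {k: v for k, v in policy.items() if k in WRITABLE}
    merged = {k: svc[k] for k in WRITABLE if k in svc}
    merged.update(desired)
    check_ranges(merged)
    return {k: v for k, v in desired.items() if svc.get(k) != v}


def patch_request(base_url, token, body):
    """Build (but do not send) the PATCH; open it with urllib.request.urlopen to apply it."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/redfish/v1/AccountService",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Content-Type": "application/json", "X-Auth-Token": token})


if __name__ == "__main__":
    for line in audit(SAMPLE_RESPONSE):
        print("finding:", line)
    body = build_patch(SAMPLE_RESPONSE, POLICY)
    req = patch_request("https://bmc.example.test", "<session token>", body)  # assumed host and token
    print(req.get_method(), req.full_url, json.dumps(body))
```

Because MinPasswordLength and MaxPasswordLength are read-only on this implementation, a short minimum can only be reported, not fixed through this resource; the lockout properties are the controls that are actually writable, and the range check runs before the request is built so an out-of-order pair is never sent to the BMC.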
LDAP Properties
Name | Type | Read-only | Description
Authentication | Object | False | LDAP properties containing authentication details (see LDAP Authentication below).
LDAPService | Object | False | See LDAPService below.
RemoteRoleMapping | Array | False | The mapping rules that convert external account provider account information to a local Redfish Role (see RemoteRoleMapping entries below).
ServiceAddresses | Array | False | The addresses of the user account providers to which this external account provider links. The format of this field depends on the type of external account provider. Note: if multiple values are given in the PATCH request, only the first element of the array is set in the BMC, since the BMC currently supports a single ServiceAddress. If an IPv6 ServiceAddress is given, the port number must be appended at the end.
ServiceEnabled | Boolean | True | Indicates whether this service is enabled.

LDAP Authentication
Name | Type | Read-only | Description
AuthenticationType | String | True | The type of authentication used to connect to the external account provider. Note: the value is "UsernameAndPassword" for LDAP only.
Oem | Object | True | OEM extension object.
Username | String | False | The user name for the service.
Password | String | False | The password for this service. A PATCH request writes the password. This property is `null` in responses.

LDAPService
Name | Type | Read-only | Description
SearchSettings | Object | False | The settings required to search an external LDAP service (see SearchSettings below).
Oem | Object | False | See LDAPService Oem below.

SearchSettings
Name | Type | Read-only | Description
BaseDistinguishedNames | Array | False | The collection of base distinguished names to use when searching the LDAP service. Note: if multiple values are given in the PATCH request, only the first element of the array is set in the BMC, since the BMC currently supports a single BaseDistinguishedName.
GroupNameAttribute | String | False | The attribute name that contains the name of the group.
GroupsAttribute | String | False | The attribute name that contains the groups for a user.
UsernameAttribute | String | False | The attribute name that contains the username.

LDAPService Oem
Name | Type | Read-only | Description
@odata.type | String | True | Refer to OData Support.
EncryptionType | String | False | The encryption type used to protect the username and password exchange with the LDAP server. Allowable values: "NoEncryption", "SSL" and "StartTLS". Note: a root CA certificate must be uploaded before "SSL" or "StartTLS" can be selected.
CommonNameType | String | False | Represents the form of the server name. Allowable values: "IPAddress" and "FQDN". Note: "FQDN" can be patched only when EncryptionType is "StartTLS".

RemoteRoleMapping entries
Name | Type | Read-only | Description
LocalRole | String | False | The name of the local Redfish Role to which the remote user or group is mapped.
RemoteGroup | String | False | The name of the remote group (or the remote role, in the case of a Redfish service) that maps to the linked local Redfish Role. At most 64 characters; alphanumerics, hyphen (-) and underscore (_) are allowed.
RemoteUser | String | False | The name of the remote user that maps to the linked local Redfish Role. At most 64 characters; alphanumerics, hyphen (-), dot (.) and underscore (_) are allowed.
Active Directory Properties
Name | Type | Read-only | Description
Authentication | Object | False | Active Directory properties containing authentication details (see Active Directory Authentication below).

Active Directory Authentication
Name | Type | Read-only | Description
Username | String | False | The username for the service: 1 to 64 alphanumeric characters, starting with an alphabetic character. Note: whitespace and special characters are not allowed.
Password | String | False | The password for this service: at least 6 characters, with no whitespace. A PATCH or PUT request writes the password. This property is `null` in responses. Note: at most 127 characters are allowed.
Oem | Object | False | OEM extension object (see Active Directory Oem below).

Active Directory Oem
Name | Type | Read-only | Description
@odata.type | String | True | Refer to OData Support.
DomainName | String | False | The domain name for the user.
DomainControllerServerAddr1 | String | False | IP address of an Active Directory server. At least one domain controller server address must be configured. IPv4 and IPv6 address formats are supported.
DomainControllerServerAddr2 | String | False |
DomainControllerServerAddr3 | String | False |
GroupID | String | False | GroupID of the five available roles in RoleMapping.
KVMAccess | String | False | Status of KVM access for the particular role in RoleMapping.
VMediaAccess | String | False | Status of virtual media (VMedia) access for the particular role in RoleMapping.
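The LDAP and Active Directory tables above carry several rules that the BMC either enforces silently (only the first ServiceAddress and BaseDistinguishedName are applied) or rejects at PATCH time (IPv6 addresses without a port, FQDN without StartTLS, RemoteGroup and RemoteUser character sets, AD username and password limits). The following builder, covering both the LDAP section and the Active Directory section, is an added example and is not code from this page or from the BMC vendor. The object nesting mirrors the tables as printed (the page shows no vendor-named wrapper inside Oem, so none is emitted), and the search attribute names, addresses, roles and credentials in the sample call are constructed assumptions.

```python
"""Build PATCH bodies for the LDAP and ActiveDirectory objects documented in
the tables above, enforcing the stated input rules before anything is sent.

Added example; not code from this page or from the BMC vendor. Nesting follows
the tables as printed; attribute names, addresses, roles and credentials used
below are constructed assumptions."""
import ipaddress
import re

REMOTE_GROUP = re.compile(r"^[A-Za-z0-9_-]{1,64}$")        # alnum, '-' and '_'
REMOTE_USER = re.compile(r"^[A-Za-z0-9._-]{1,64}$")        # alnum, '-', '.' and '_'
AD_BIND_USER = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,63}$")  # letter first, no whitespace/specials
ENCRYPTION_TYPES = ("NoEncryption", "SSL", "StartTLS")


def check_service_address(addr):
    """An IPv6 ServiceAddress must end with a port. This check assumes the
    bracketed '[addr]:port' form: a string that parses as a bare IPv6 literal
    carries no port and is rejected; hostnames and IPv4 pass through."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    if ip.version == 6:
        raise ValueError(f"{addr}: an IPv6 ServiceAddress needs a trailing port number")
    return addr


def first_only(name, values, warnings):
    """The BMC applies only the first element of ServiceAddresses and
    BaseDistinguishedNames; keep that element and record the silent drop."""
    if not values:
        raise ValueError(f"{name} needs at least one entry")
    if len(values) > 1:
        warnings.append(f"{name}: only {values[0]!r} will be applied, the rest are ignored")
    return [values[0]]


def check_role_mapping(entry):
    """Validate one RemoteRoleMapping entry against the length/character rules."""
    if not entry.get("LocalRole"):
        raise ValueError("RemoteRoleMapping entry needs a LocalRole")
    if "RemoteGroup" in entry and not REMOTE_GROUP.match(entry["RemoteGroup"]):
        raise ValueError(f"RemoteGroup {entry['RemoteGroup']!r}: max 64 alphanumerics, '-' and '_'")
    if "RemoteUser" in entry and not REMOTE_USER.match(entry["RemoteUser"]):
        raise ValueError(f"RemoteUser {entry['RemoteUser']!r}: max 64 alphanumerics, '-', '.' and '_'")
    return dict(entry)


def build_ldap_patch(addresses, base_dns, bind_user, bind_password, role_map,
                     encryption="StartTLS", common_name_type="FQDN",
                     ca_cert_uploaded=False, username_attr="uid",
                     groups_attr="memberOf", group_name_attr="cn"):
    """Return (body, warnings) for PATCH /redfish/v1/AccountService."""
    if encryption not in ENCRYPTION_TYPES:
        raise ValueError(f"EncryptionType must be one of {ENCRYPTION_TYPES}")
    if encryption != "NoEncryption" and not ca_cert_uploaded:
        raise ValueError(f"{encryption} requires the root CA certificate to be uploaded first")
    if common_name_type not in ("IPAddress", "FQDN"):
        raise ValueError("CommonNameType must be IPAddress or FQDN")
    if common_name_type == "FQDN" and encryption != "StartTLS":
        raise ValueError("CommonNameType FQDN can be patched only with StartTLS")
    warnings = []
    body = {"LDAP": {
        "ServiceAddresses": [check_service_address(a)
                             for a in first_only("ServiceAddresses", addresses, warnings)],
        "Authentication": {"Username": bind_user, "Password": bind_password},
        "LDAPService": {
            "SearchSettings": {
                "BaseDistinguishedNames": first_only("BaseDistinguishedNames", base_dns, warnings),
                "UsernameAttribute": username_attr,
                "GroupsAttribute": groups_attr,
                "GroupNameAttribute": group_name_attr},
            "Oem": {"EncryptionType": encryption, "CommonNameType": common_name_type}},
        "RemoteRoleMapping": [check_role_mapping(e) for e in role_map]}}
    return body, warnings


def build_ad_patch(domain, dc_addresses, username, password):
    """Return the ActiveDirectory PATCH body; DC addresses must be IPv4/IPv6 literals."""
    if not AD_BIND_USER.match(username):
        raise ValueError("AD Username: 1-64 alphanumerics starting with a letter, no whitespace or specials")
    if not 6 <= len(password) <= 127 or any(c.isspace() for c in password):
        raise ValueError("AD Password: 6-127 characters, no whitespace")
    if not 1 <= len(dc_addresses) <= 3:
        raise ValueError("configure one to three DomainControllerServerAddr values")
    oem = {"DomainName": domain}
    for i, addr in enumerate(dc_addresses, start=1):
        ipaddress.ip_address(addr)                 # raises ValueError on a non-literal
        oem[f"DomainControllerServerAddr{i}"] = addr
    return {"ActiveDirectory": {"Authentication": {
        "Username": username, "Password": password, "Oem": oem}}}


if __name__ == "__main__":
    import json
    body, warnings = build_ldap_patch(
        ["[fd00::10]:636", "ldap-backup.example.test"], ["dc=example,dc=test"],
        "svc-bmc-bind", "correct-horse-battery",
        [{"RemoteGroup": "bmc-admins", "LocalRole": "Administrator"}],
        ca_cert_uploaded=True)
    print(json.dumps(body, indent=1), warnings)
    print(json.dumps(build_ad_patch("example.test", ["10.0.0.5"], "bmcbind", "Passw0rd")))
```

After the PATCH, re-read the resource to confirm the non-secret fields; both Password properties come back as `null`, so a read cannot tell you whether the bind credential was accepted, only a test login through the provider can. Note also that ServiceEnabled under LDAP is read-only on this implementation and AuthenticationType is fixed, so neither is included in the body.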