Dell Drac 5 User Guide
Using the DRAC 5 With Microsoft Active Directory

Configuring the DRAC 5 With Standard Schema Active Directory and RACADM

Use the following commands to configure the DRAC 5 Active Directory feature with Standard Schema using the RACADM CLI instead of the Web-based interface.

1 Open a command prompt and type the following racadm commands:

    racadm config -g cfgActiveDirectory -o cfgADEnable 1
    racadm config -g cfgActiveDirectory -o cfgADType 2
    racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>
    racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupName <common name of the role group>
    racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupDomain <fully qualified domain name>
    racadm config -g cfgStandardSchema -i <index> -o cfgSSADRoleGroupPrivilege <bit mask number>
    racadm sslcertupload -t 0x2 -f <ADS root CA certificate>
    racadm sslcertdownload -t 0x1 -f <RAC SSL certificate>

NOTE: For bit mask number values, see Table B-4. cfgADType 2 selects Standard Schema. The root CA certificate uploaded with sslcertupload -t 0x2 is what the DRAC 5 uses to validate the domain controller's SSL certificate during Active Directory login, so do not skip that step.

2 If DHCP is enabled on the DRAC 5 and you want to use the DNS provided by the DHCP server, type the following racadm command:

    racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

3 If DHCP is disabled on the DRAC 5 or you want to enter your DNS IP addresses manually, type the following racadm commands:

    racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0
    racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>
    racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>
Instead of having the DRAC 5 search for Active Directory servers, you can specify the servers the DRAC 5 connects to in order to authenticate the user. See Specify Server for Active Directory Configuration on page 131 for the RACADM commands to specify servers.

Extended Schema Active Directory Overview

There are two ways to enable Extended Schema Active Directory:
• With the DRAC 5 web-based user interface. See Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface on page 126.
• With the RACADM CLI tool. See Configuring the DRAC 5 With Extended Schema Active Directory and RACADM on page 128.

Active Directory Schema Extensions

The Active Directory data is a distributed database of Attributes and Classes. The Active Directory schema includes the rules that determine the type of data that can be added to or included in the database. The user class is one example of a Class that is stored in the database. Example user class attributes include the user's first name, last name, phone number, and so on. Companies can extend the Active Directory database by adding their own unique Attributes and Classes to solve environment-specific needs. Dell has extended the schema to include the changes necessary to support remote management Authentication and Authorization.

Each Attribute or Class that is added to an existing Active Directory Schema must be defined with a unique ID. To maintain unique IDs across the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs) so that when companies add extensions to the schema, they are guaranteed to be unique and not to conflict with each other. To extend the schema in Microsoft's Active Directory, Dell received unique OIDs, unique name extensions, and uniquely linked attribute IDs for the attributes and classes that are added into the directory service.
Dell extension is: dell
Dell base OID is: 1.2.840.113556.1.8000.1280
RAC LinkID range is: 12070 to 12079
The Active Directory OID database maintained by Microsoft can be viewed at http://msdn.microsoft.com/certification/ADAcctInfo.asp by entering the extension name Dell.

Overview of the RAC Schema Extensions

To provide the greatest flexibility across the multitude of customer environments, Dell provides a group of properties that can be configured by the user depending on the desired results. Dell has extended the schema to include Association, Device, and Privilege properties. The Association property links users or groups, together with a specific set of privileges, to one or more RAC devices. This model gives an Administrator maximum flexibility over the different combinations of users, RAC privileges, and RAC devices on the network without adding too much complexity.

Active Directory Object Overview

For each of the physical RACs on the network that you want to integrate with Active Directory for Authentication and Authorization, create at least one Association Object and one RAC Device Object. You can create multiple Association Objects, and each Association Object can be linked to as many users, groups of users, or RAC Device Objects as required. The users and RAC Device Objects can be members of any domain in the enterprise. However, each Association Object can be linked to only one Privilege Object. This model allows an Administrator to control each user's privileges on specific RACs.

The RAC Device Object is the link to the RAC firmware for querying Active Directory for authentication and authorization. When a RAC is added to the network, the Administrator must configure the RAC and its device object with its Active Directory name so users can perform authentication and authorization with Active Directory. Additionally, the Administrator must add the RAC to at least one Association Object in order for users to authenticate.
Figure 6-2 illustrates that the Association Object provides the connection that is needed for all of the Authentication and Authorization.
Figure 6-2. Typical Setup for Active Directory Objects
[Figure: an Association Object linking User(s) and Group(s), one Privilege Object (RAC4 Privilege Object), and one or more RAC Device Object(s)]

NOTE: The RAC privilege object applies to both DRAC 4 and DRAC 5.

You can create as many or as few Association Objects as required. However, you must create at least one Association Object, and you must have one RAC Device Object for each RAC (DRAC 5) on the network that you want to integrate with Active Directory for Authentication and Authorization. An Association Object can include as many or as few users and/or groups and RAC Device Objects as required, but only one Privilege Object per Association Object. The Association Object connects the users to the privileges they hold on the RACs (DRAC 5s). Additionally, you can configure Active Directory objects in a single domain or in multiple domains.

For example, you have two DRAC 5 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). You want to give user1 and user2 administrator privileges on both DRAC 5 cards and give user3 login privilege on the RAC2 card. Figure 6-3 shows how to set up the Active Directory objects in this scenario.
When adding Universal Groups from separate domains, create an Association Object with Universal scope. The default Association Objects created by the Dell Schema Extender utility are Domain Local Groups and will not work with Universal Groups from other domains.

Figure 6-3. Setting Up Active Directory Objects in a Single Domain
[Figure: AO1 links Group1 (User1, User2) and Priv1 to RAC1 and RAC2; AO2 links User3 and Priv2 to RAC2]

To configure the objects for the single domain scenario, perform the following tasks:
1 Create two Association Objects.
2 Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 5 cards.
3 Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and Priv2 has login privileges.
4 Group user1 and user2 into Group1.
5 Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1 and RAC2 as RAC Devices in AO1.
6 Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.
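To make the object model concrete, here is an added Python model of the authorization resolution described above. It is not Dell firmware code and not the LDAP queries the DRAC 5 actually issues; it encodes the rules the manual states: every RAC needs a dellRacDevice object and must sit in at least one Association Object or nobody can authenticate to it, an Association Object is a Group that carries exactly one Privilege Object, and nested group membership is followed. The object graph is the one in Figure 6-3 (the multi-domain variant in Figure 6-4 resolves identically, since domain placement does not change membership edges). It assumes that a user reachable through several Association Objects for the same RAC receives the union of their Privilege Objects; the page does not say how the firmware combines them. The names Directory, Association, effective_privileges and the extra device RAC3 belong to this example.

```python
"""Model of the DRAC 5 Extended Schema authorization objects: dellRacDevice,
dellAssociationObject (one Privilege Object each) and dellPrivileges.
Added example, not Dell firmware code. Assumption: privileges from several
Association Objects that reach the same user and RAC are combined by union."""
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Set

# Attributes of the dellRAC4Privileges auxiliary class (Table 6-5).
RAC_PRIVILEGES = (
    "dellIsLoginUser", "dellIsCardConfigAdmin", "dellIsUserConfigAdmin",
    "dellIsLogClearAdmin", "dellIsServerResetUser", "dellIsConsoleRedirectUser",
    "dellIsVirtualMediaUser", "dellIsTestAlertUser", "dellIsDebugCommandAdmin",
)
ALL_PRIVILEGES: FrozenSet[str] = frozenset(RAC_PRIVILEGES)   # Priv1: administrator
LOGIN_ONLY: FrozenSet[str] = frozenset({"dellIsLoginUser"})  # Priv2: login only


@dataclass(frozen=True)
class Association:
    """dellAssociationObject. It derives from Group, so 'members' is the group
    member list; dellPrivilegeMember holds exactly one Privilege Object;
    dellProductMembers lists the RAC Device Objects."""
    members: FrozenSet[str]
    privilege: str
    devices: FrozenSet[str]


@dataclass(frozen=True)
class Directory:
    groups: Mapping[str, FrozenSet[str]]      # AD group -> members (users or groups)
    privileges: Mapping[str, FrozenSet[str]]  # dellPrivileges object -> attributes set TRUE
    associations: Mapping[str, Association]   # dellAssociationObject name -> object
    devices: FrozenSet[str]                   # names that have a dellRacDevice object

    def __post_init__(self) -> None:
        """Reject the misconfigurations the manual warns about."""
        for name, ao in self.associations.items():
            if ao.privilege not in self.privileges:
                raise ValueError(f"{name}: unknown Privilege Object {ao.privilege!r}")
            missing = ao.devices - self.devices
            if missing:
                raise ValueError(f"{name}: no dellRacDevice object for {sorted(missing)}")


def expand_members(directory: Directory, members: FrozenSet[str]) -> Set[str]:
    """Transitively expand nested groups into user names; safe on group cycles."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = list(members)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        nested = directory.groups.get(name)
        if nested is None:
            users.add(name)  # not a known group, so it is a user
        else:
            stack.extend(nested)
    return users


def effective_privileges(directory: Directory, user: str, rac: str) -> FrozenSet[str]:
    """Privileges 'user' holds on 'rac' through every Association Object listing that RAC.
    A RAC with a device object but no Association Object yields nothing: nobody can log in."""
    if rac not in directory.devices:
        return frozenset()
    granted: Set[str] = set()
    for ao in directory.associations.values():
        if rac in ao.devices and user in expand_members(directory, ao.members):
            granted |= directory.privileges[ao.privilege]
    return frozenset(granted)


def can_login(directory: Directory, user: str, rac: str) -> bool:
    return "dellIsLoginUser" in effective_privileges(directory, user, rac)


# Constructed sample: the object graph of Figure 6-3. RAC3 is an extra device
# that exists but was never added to an Association Object.
FIGURE_6_3 = Directory(
    groups={"Group1": frozenset({"user1", "user2"})},
    privileges={"Priv1": ALL_PRIVILEGES, "Priv2": LOGIN_ONLY},
    associations={
        "AO1": Association(frozenset({"Group1"}), "Priv1", frozenset({"RAC1", "RAC2"})),
        "AO2": Association(frozenset({"user3"}), "Priv2", frozenset({"RAC2"})),
    },
    devices=frozenset({"RAC1", "RAC2", "RAC3"}),
)

if __name__ == "__main__":
    for user in ("user1", "user2", "user3"):
        for rac in ("RAC1", "RAC2", "RAC3"):
            print(f"{user} on {rac}: {sorted(effective_privileges(FIGURE_6_3, user, rac))}")
```

The model is useful as a review aid: feed it the groups, privilege objects and association objects exported from the directory and check that every DRAC resolves to the intended set of administrators, and that no RAC device object is left outside every Association Object.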
See Adding DRAC 5 Users and Privileges to Active Directory on page 124 for detailed instructions.

Figure 6-4 provides an example of Active Directory objects in multiple domains. In this scenario, you have two DRAC 5 cards (RAC1 and RAC2) and three existing Active Directory users (user1, user2, and user3). User1 is in Domain1, and user2 and user3 are in Domain2. In this scenario, configure user1 and user2 with administrator privileges to both DRAC 5 cards and configure user3 with login privileges to the RAC2 card.

Figure 6-4. Setting Up Active Directory Objects in Multiple Domains
[Figure: User1 in Domain1; Group1, User2, User3, AO1, AO2, Priv1, Priv2, RAC1 and RAC2 in Domain2; AO1 links Group1 and Priv1 to RAC1 and RAC2, AO2 links User3 and Priv2 to RAC2]

To configure the objects for the multiple domain scenario, perform the following tasks:
1 Ensure that the domain forest function is in Native or Windows 2003 mode.
2 Create two Association Objects, AO1 (of Universal scope) and AO2, in any domain. Figure 6-4 shows the objects in Domain2.
3 Create two RAC Device Objects, RAC1 and RAC2, to represent the two DRAC 5 cards.
4 Create two Privilege Objects, Priv1 and Priv2, in which Priv1 has all privileges (administrator) and Priv2 has login privileges.
5 Group user1 and user2 into Group1. The group scope of Group1 must be Universal.
6 Add Group1 as Members in Association Object 1 (AO1), Priv1 as Privilege Objects in AO1, and RAC1 and RAC2 as RAC Devices in AO1.
7 Add User3 as Members in Association Object 2 (AO2), Priv2 as Privilege Objects in AO2, and RAC2 as RAC Devices in AO2.

Configuring Extended Schema Active Directory to Access Your DRAC 5

Before using Active Directory to access your DRAC 5, configure the Active Directory software and the DRAC 5 by performing the following steps in order:
1 Extend the Active Directory schema (see Extending the Active Directory Schema on page 117).
2 Extend the Active Directory Users and Computers Snap-in (see Installing the Dell Extension to the Active Directory Users and Computers Snap-In on page 123).
3 Add DRAC 5 users and their privileges to Active Directory (see Adding DRAC 5 Users and Privileges to Active Directory on page 124).
4 Enable SSL on each of your domain controllers (see Enabling SSL on a Domain Controller on page 138).
5 Configure the DRAC 5 Active Directory properties using either the DRAC 5 Web-based interface or RACADM (see Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface on page 126 or Configuring the DRAC 5 With Extended Schema Active Directory and RACADM on page 128).

Extending the Active Directory Schema

Extending your Active Directory schema adds a Dell organizational unit, schema classes and attributes, and example privilege and association objects to the Active Directory schema. Before you extend the schema, ensure that you have Schema Admin privileges on the Schema Master Flexible Single Master Operation (FSMO) Role Owner of the domain forest. Schema changes are forest-wide and cannot be rolled back once replicated (classes and attributes can only be deactivated, not removed), so test the extension in a lab forest first.
You can extend your schema using one of the following methods:
• Dell Schema Extender utility
• LDIF script file

If you use the LDIF script file, the Dell organizational unit will not be added to the schema. The LDIF files and Dell Schema Extender are located on your Dell Systems Management Tools and Documentation DVD in the following respective directories:
• DVD drive:\support\OMActiveDirectory Tools\RAC4-5\LDIF_Files
• DVD drive:\support\OMActiveDirectory Tools\RAC4-5\Schema_Extender

To use the LDIF files, see the instructions in the readme included in the LDIF_Files directory. To use the Dell Schema Extender to extend the Active Directory schema, see Using the Dell Schema Extender on page 118. You can copy and run the Schema Extender or LDIF files from any location.

Using the Dell Schema Extender

CAUTION: The Dell Schema Extender uses the SchemaExtenderOem.ini file. To ensure that the Dell Schema Extender utility functions properly, do not modify the name of this file.

1 In the Welcome screen, click Next.
2 Read and understand the warning and click Next.
3 Select Use Current Log In Credentials or enter a user name and password with schema administrator rights.
4 Click Next to run the Dell Schema Extender.
5 Click Finish. The schema is extended.

To verify the schema extension, use the Microsoft Management Console (MMC) and the Active Directory Schema snap-in to verify that the following exist:
• Classes (see Table 6-2 through Table 6-7)
• Attributes (Table 6-8)

See your Microsoft documentation for more information on how to enable and use the Active Directory Schema snap-in in the MMC.
Table 6-2. Class Definitions for Classes Added to the Active Directory Schema

    Class Name              Assigned Object Identification Number (OID)
    dellRacDevice           1.2.840.113556.1.8000.1280.1.1.1.1
    dellAssociationObject   1.2.840.113556.1.8000.1280.1.1.1.2
    dellRAC4Privileges      1.2.840.113556.1.8000.1280.1.1.1.3
    dellPrivileges          1.2.840.113556.1.8000.1280.1.1.1.4
    dellProduct             1.2.840.113556.1.8000.1280.1.1.1.5

All five class OIDs sit under the Dell base OID 1.2.840.113556.1.8000.1280 listed above.

Table 6-3. dellRacDevice Class

    OID            1.2.840.113556.1.8000.1280.1.1.1.1
    Description    Represents the Dell RAC device. The RAC device must be configured as dellRacDevice in Active Directory. This configuration enables the DRAC 5 to send Lightweight Directory Access Protocol (LDAP) queries to Active Directory.
    Class Type     Structural Class
    SuperClasses   dellProduct
    Attributes     dellSchemaVersion, dellRacType

Table 6-4. dellAssociationObject Class

    OID            1.2.840.113556.1.8000.1280.1.1.1.2
    Description    Represents the Dell Association Object. The Association Object provides the connection between the users and the devices.
    Class Type     Structural Class
    SuperClasses   Group
    Attributes     dellProductMembers, dellPrivilegeMember

Because dellAssociationObject derives from Group, the users and groups it links are ordinary group members, and its group scope decides whether Universal Groups from other domains can be added (see the note preceding Figure 6-3).
Table 6-5. dellRAC4Privileges Class

    OID            1.2.840.113556.1.8000.1280.1.1.1.3
    Description    Used to define the privileges (Authorization Rights) for the DRAC 5 device.
    Class Type     Auxiliary Class
    SuperClasses   None
    Attributes     dellIsLoginUser
                   dellIsCardConfigAdmin
                   dellIsUserConfigAdmin
                   dellIsLogClearAdmin
                   dellIsServerResetUser
                   dellIsConsoleRedirectUser
                   dellIsVirtualMediaUser
                   dellIsTestAlertUser
                   dellIsDebugCommandAdmin

Table 6-6. dellPrivileges Class

    OID            1.2.840.113556.1.8000.1280.1.1.1.4
    Description    Used as a container Class for the Dell Privileges (Authorization Rights).
    Class Type     Structural Class
    SuperClasses   User
    Attributes     dellRAC4Privileges

Table 6-7. dellProduct Class

    OID            1.2.840.113556.1.8000.1280.1.1.1.5
    Description    The main class from which all Dell products are derived.
    Class Type     Structural Class
    SuperClasses   Computer
    Attributes     dellAssociationMembers