HP Ilo 2 User Guide

Advantages and disadvantages of schema-free directories and HP schema directory

Directories enhance security, enabling you to manage access and rights from a centralized location. Directories also enable flexible configuration. Some directory configuration practices work better with iLO 2 than others. Before configuring iLO 2 for directories, you must decide whether to use the schema-free directory or the HP schema directory integration methods. Answer the following questions to help evaluate your directory integration requirements:

1. Can you apply schema extensions to your directory?
   • No – Are you using Microsoft Active Directory?
     • No – Directory integration might not fit your environment. Consider deploying an evaluation directory server to assess the benefits of directory integration.
     • Yes – Use group-based schema-free directory integration.
   • Yes – Proceed to question 2.
2. Is your configuration scalable?
   • No – Deploy an instance of the schema-free directory integration to evaluate whether or not this directory integration method meets your policy and procedural requirements. If necessary, you can deploy HP schema directory integration later.
   • Yes – Use HP schema directory integration.

The following questions can help you determine if your configuration is scalable:
• Are you likely to change the rights or privileges for a group of directory users?
• Will you regularly script iLO 2 changes?
• Do you use more than five groups to control iLO 2 privileges?

Schema-free directory integration

Using the schema-free directory integration method, users and group memberships reside in the directory, but group privileges reside in the individual iLO 2. iLO 2 uses login credentials to read the user object in the directory and retrieve the user group memberships, which are compared to those stored in iLO 2. If there is a match, authorization is granted.

Advantages of using schema-free directory integration:
• There is no need to extend the directory schema.
• When ActiveX controls are enabled in the browser, the NetBIOS and e-mail login formats are supported.
• Little or no setup is required for users in the directory. If there is no setup, the directory uses existing users and group memberships to access iLO 2. For example, if you have a domain admin named User1, you can copy the distinguished name of the domain admin security group over to iLO 2 and give it full privileges. User1 would then have access to iLO 2.

Disadvantages of using schema-free directory integration:
• Supports only Microsoft Active Directory.
• Group privileges are administered on each iLO 2. However, this disadvantage is minimized by group privileges rarely changing, and the task of changing group membership is administered in the directory and not on each separate iLO 2. HP provides tools that enable changes to a large number of iLO 2 to be made at the same time.

Setting up Schema-free directory integration

Before setting up the Schema-free option, your system must meet all the prerequisites outlined in “Active Directory preparation” (page 132).

You can set up iLO 2 for directories in three ways:
• Manually using a browser, see “Schema-free browser-based setup” (page 133).
• Using a script, see “Schema-free scripted setup” (page 133).
• Using HPLOMIG, see “Schema-free HPLOMIG-based setup” (page 134).

Active Directory preparation

The schema-free option is supported on the following operating systems:
• Microsoft Active Directory
• Microsoft Windows Server 2003 Active Directory

SSL must be enabled at the directory. To enable SSL, install a certificate for the domain in Active Directory. iLO 2 only communicates with the directory over a secure SSL connection. For more information, refer to the Microsoft Knowledge Base, article number 247078: Enabling SSL Communication over LDAP for Windows 2000 Domain Controllers on the Microsoft website at http://support.microsoft.com/.

To validate the setup, you must have the directory distinguished name for at least one user and the distinguished name of a security group the user is a member of.

Introduction to certificate services

Certificate Services are used to issue signed digital certificates to network hosts. The certificates are used to establish SSL connections with the host and verify the authenticity of the host.

Installing Certificate Services allows Active Directory to receive a certificate that allows Lights-Out processors to connect to the directory service. Without a certificate, iLO 2 cannot connect to the directory server.
Each directory server that you want iLO 2 to connect to must be issued a certificate. If you install an Enterprise Certificate Service, Active Directory can automatically request and install certificates for all of the Active Directory controllers on the network.

Installing certificate services

1. Select Start>Settings>Control Panel.
2. Double-click Add/Remove Programs.
3. Click Add/Remove Windows Components to start the Windows Components wizard.
4. Select the Certificate Services check box. Click Next.
5. Click OK at the warning that the server cannot be renamed. The Enterprise root CA option is selected because there is no CA registered in the active directory.
6. Enter the information appropriate for your site and organization. Accept the default time period of two years for the Valid for field. Click Next.
7. Accept the default locations of the certificate database and the database log. Click Next.
8. Browse to the c:\I386 folder when prompted for the Windows 2000 Advanced Server CD.
9. Click Finish to close the wizard.

Verifying certificate services

Because management processors communicate with Active Directory using SSL, you must create a certificate or install Certificate Services. You must install an enterprise CA because you are issuing certificates to objects within your organizational domain.

To verify that certificate services is installed, select Start>Programs>Administrative Tools>Certification Authority. If Certificate Services is not installed, an error message appears.

Configuring Automatic Certificate Request

To specify that a certificate be issued to the server:
1. Select Start>Run, and enter MMC.
2. Click Add.
3. Select Group Policy, and click Add to add the snap-in to the MMC.
4. Click Browse, and select the Default Domain Policy object. Click OK.
5. Select Finish>Close>OK.
6. Expand Computer Configuration>Windows Settings>Security Settings>Public Key Policies.
7. Right-click Automatic Certificate Requests Settings, and select New>Automatic Certificate Request.
8. Click Next when the Automatic Certificate Request Setup wizard starts.
9. Select the Domain Controller template, and click Next.
10. Select the certificate authority listed. (It is the same CA defined during the Certificate Services installation.) Click Next.
11. Click Finish to close the wizard.

Schema-free browser-based setup

Schema-free can be set up using the iLO 2 browser-based interface.
1. Log on to iLO 2 using an account that has the Configure iLO 2 Settings privilege. Click Administration.
   NOTE: Only users with the Configure iLO 2 Settings privilege can change these settings. Users that do not have the Configure iLO 2 Settings privilege can only view the assigned settings.
2. Click Directory Settings.
3. Select Use Directory Default Schema in the Authentication Settings section. For more information, see “Schema-free setup options” (page 134).
4. Click Apply Settings.
5. Click Test Settings.

Schema-free scripted setup

To set up the schema-free directories option using RIBCL XML scripting:

1. Download and review the scripting and command line resource guide at http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManual&lang=en&cc=us&docIndexId=64179&taskId=135&prodTypeId=18964&prodSeriesId=1146658.
2. Write a script that configures iLO 2 for schema-free directories support and run it. The following script can be used as a template.

Schema-free HPLOMIG-based setup

HPLOMIG is the easiest way to set up a large number of LOM processors for directories. To use HPLOMIG, download the HPQLOMIG utility and additional documentation from the HP website at http://www.hp.com/servers/lights-out. HP recommends using HPLOMIG when configuring many LOM processors for directories. For more information on using HPLOMIG, see “HPQLOMIG directory migration utility” (page 162).

Schema-free setup options

Setup options are the same regardless of which method (browser, HPQLOMIG, or script) you use to configure the directory.

After enabling directories and selecting the Schema-free option, you have the following options.

Minimum Login Flexibility
• Enter the directory server's DNS name or IP address and LDAP port. Typically, the LDAP port for an SSL connection is 636.
• Enter the distinguished name for at least one group. This group can be a security group (for example: CN=Administrators,CN=Builtin,DC=HP,DC=com) or any other group as long as the intended iLO 2 users are members of the group.

With a minimum configuration, you can log in to iLO 2 using your full distinguished name and password. You must be a member of a group that iLO 2 recognizes.

Better Login Flexibility
• In addition to the minimum settings, enter at least one directory user context.

At login time, the login name and user context are combined to make the user's distinguished name. For instance, if the user logs in as JOHN.SMITH and a user context is set up as CN=USERS,DC=HP,DC=COM, then the distinguished name that iLO 2 tries is CN=JOHN.SMITH,CN=USERS,DC=HP,DC=COM.

Maximum Login Flexibility
• Configure iLO 2 as described.
• Configure iLO 2 with a DNS name, not an IP address for the directory server's network address. The DNS name must be resolvable to an IP address from both iLO 2 and the client system.
• Enable ActiveX controls in your browser. The iLO 2 login script will attempt to call a Windows control to convert the login name to a distinguished name.

Configuring iLO 2 with maximum login flexibility enables you to log in using your full distinguished name and password, your name as it appears in the directory, NetBIOS format (domain/login_name), or the e-mail format (login_name@domain).

NOTE: Your system security settings or installed software might prevent the login script from calling the Windows ActiveX control. If this happens, your browser displays a warning message in the status bar, message box, or might stop responding. To help identify what software or setting is causing the issue, create another profile and log in to the system.

In some cases, it might not be possible to get the maximum login flexibility option to work. For instance, if the client and iLO 2 are in different DNS domains, one of the two might not be able to resolve the directory server name to an IP address.

Schema-free nested groups

Many organizations have users and administrators arranged into groups. Having this arrangement of existing groups is convenient because you can associate them with one or more Integrated Lights-Out Management role objects. When the devices are associated with the role objects, you can use the administrator controls to access the Lights-Out devices associated with the role by adding or deleting members from the groups.
When using Microsoft Active Directory, you can place one group within another group, creating a nested group. Role objects are considered groups and can include other groups directly. You can add the existing nested group directly to the role and assign the appropriate rights and restrictions. New users can be added to either the existing group or the role.

In previous implementations, only a schema-less user who was a direct member of the primary group was allowed to log in to iLO 2. Using schema-free integration, users who are indirect members (a member of a group which is a nested group of the primary group) are allowed to log in to iLO 2.

Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is considered a member of that role. When adding an existing group, organizational unit or organization to a role, add the object as a read trustee of the role. All the members of the object are considered members of the role. New users can be added to either the existing object or the role.

When using trustee or directory rights assignments to extend role membership, users must be able to read the LOM object representing the LOM device. Some environments require the same trustees of a role to also be read trustees of the LOM object to successfully authenticate users.
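The login-name-plus-user-context step from "Better Login Flexibility" and the direct versus indirect membership rule from "Schema-free nested groups" can be modelled in a few lines. This is an added Python example, not HP code and not part of the guide: it skips the password bind, the function names, the LOM-Operators and LOM-Admins groups and all directory data are constructed for illustration, and the escaping and DN normalization are assumptions of the model rather than documented iLO 2 behaviour.

```python
import re

def normalize_dn(dn):
    """Case-fold a DN and drop spaces around unescaped commas for comparison."""
    return re.sub(r"\s*(?<!\\),\s*", ",", dn.strip()).casefold()

def escape_rdn_value(value):
    """Escape RFC 4514 special characters so the name stays a single RDN value."""
    value = re.sub(r'([\\,+"<>;])', r"\\\1", value.strip())
    return "\\" + value if value.startswith("#") else value

def candidate_dns(login, user_contexts):
    """A full DN is tried as given; a short name is joined to each user context."""
    if re.match(r"(?i)cn=", login):  # assumption: how the model spots a full DN
        return [login]
    return [f"CN={escape_rdn_value(login)},{ctx}" for ctx in user_contexts]

def effective_groups(user_dn, member_of, nested=True):
    """Direct groups of user_dn, plus every enclosing group when nested=True."""
    index = {normalize_dn(k): v for k, v in member_of.items()}
    seen = set()
    queue = [normalize_dn(g) for g in index.get(normalize_dn(user_dn), [])]
    while queue:
        group = queue.pop()
        if group in seen:  # groups can contain each other; visit each once
            continue
        seen.add(group)
        if nested:
            queue.extend(normalize_dn(g) for g in index.get(group, []))
    return seen

def authorize(login, user_contexts, member_of, ilo_groups, nested=True):
    """Return (dn, privileges) for the first candidate DN in a configured group."""
    configured = {normalize_dn(g): set(p) for g, p in ilo_groups.items()}
    known = {normalize_dn(k) for k in member_of}
    for dn in candidate_dns(login, user_contexts):
        if normalize_dn(dn) not in known:
            continue  # no such object in the directory
        privileges = set()
        for group in effective_groups(dn, member_of, nested):
            privileges |= configured.get(group, set())
        if privileges:
            return dn, privileges
    return None, set()

# Constructed sample data (not from a real directory).
CONTEXTS = ["CN=USERS,DC=HP,DC=COM"]
MEMBER_OF = {  # object DN -> groups it is a direct member of
    "CN=John.Smith,CN=Users,DC=HP,DC=com": ["CN=LOM-Operators,CN=Users,DC=HP,DC=com"],
    "CN=LOM-Operators,CN=Users,DC=HP,DC=com": ["CN=LOM-Admins,CN=Users,DC=HP,DC=com"],
    "CN=LOM-Admins,CN=Users,DC=HP,DC=com": ["CN=LOM-Operators,CN=Users,DC=HP,DC=com"],
}
# Group DNs and privileges as they would be stored on one iLO 2 (sample values).
ILO_GROUPS = {"CN=LOM-Admins,CN=Users,DC=HP,DC=com": {"Configure iLO 2 Settings"}}

if __name__ == "__main__":
    print(authorize("JOHN.SMITH", CONTEXTS, MEMBER_OF, ILO_GROUPS))
    print(authorize("JOHN.SMITH", CONTEXTS, MEMBER_OF, ILO_GROUPS, nested=False))
```

With nested=False the model behaves like the earlier direct-member-only rule, which makes it easy to see which accounts gain access only through nesting when auditing the group DNs stored on an iLO 2.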

Setting up HP schema directory integration

When using the HP schema directory integration, iLO 2 supports both Active Directory and eDirectory. However, these directory services require the schema being extended.

Features supported by HP schema directory integration

iLO 2 Directory Services functionality enables you to:
• Authenticate users from a shared, consolidated, scalable user database.
• Control user privileges (authorization) using the directory service.
• Use roles in the directory service for group-level administration of iLO 2 management processors and iLO 2 users.

Extending the schema must be completed by a Schema Administrator. The local user database is retained. You can decide not to use directories, to use a combination of directories and local accounts, or to use directories exclusively for authentication.

NOTE: When connected through the Diagnostics Port, the directory server is not available. You can log in using a local account only.

Setting up directory services

To successfully enable directory-enabled management on any Lights-Out management processor:

1. Plan
   Review the following sections:
   • “Directory services” (page 130)
   • “Directory services schema” (page 171)
   • “Directory-enabled remote management” (page 156)
2. Install
   a. Download the HP Lights-Out Directory Package containing the schema installer, the management snap-in installer, and the migrations utilities from the HP website (http://www.hp.com/servers/lights-out).
   b. Run the schema installer once to extend the schema. For more information, see “Schema installer” (page 138).
   c. Run the management snap-in installer, and install the appropriate snap-in for your directory service on one or more management workstations. For more information, see “Management snap-in installer” (page 140).
3. Update
   a. Flash the ROM on the Lights-Out management processor with the directory-enabled firmware.
   b. Set directory server settings and the distinguished name of the management processor objects on the Directory Settings page in the iLO 2 GUI. For more information, see “Directory settings” (page 50).
4. Manage
   a. Create a management device object and a role object using the snap-in. For more information, see “Directory services objects” (page 145).
   b. Assign rights to the role object, as necessary, and associate the role with the management device object.
   c. Add users to the role object.
   For more information on managing the directory service, see “Directory-enabled remote management” (page 156). Examples are available in “Directory services for Active Directory” (page 140) and “Directory services for eDirectory” (page 149).
5. Handle exceptions
   • Lights-Out migration utilities are easier to use with a single Lights-Out role. If you plan to create multiple roles in the directory, you might need to use directory scripting utilities, like LDIFDE or VBscript, to create complex role associations. For more information, see “Using bulk import tools” (page 162).
   • If you have iLO 2 or RILOE processors with old firmware, you might need to manually update the firmware using a browser. Minimum firmware requirements for remote firmware update using RIBCL and directory migration utility are:

     LOM product    Minimum supported firmware
     RILOE          2.41
     RILOE II       All versions
     iLO            1.4x
     iLO 2          1.1x

After the schema has been extended, you can complete the directory services setup by using HP Lights-Out Directories Migration Utilities. For more information, see “HPQLOMIG directory migration utility” (page 162). The migration utilities are included in the HP Lights-Out Directory Package. Version 1.13 of the Directories Migration Utility allows Lights-Out import and export and supports different user credentials for each Lights-Out processor.

Schema documentation

To assist with the planning and approval process, HP provides documentation on the changes made to the schema during the schema setup process. To review the changes made to your existing schema, see “Directory services schema” (page 171).
Directory services support

Using HP schema directory integration, iLO 2 supports the following directory services:
• Microsoft Active Directory
• Microsoft Windows Server 2003 Active Directory
• Microsoft Windows Server 2008 Active Directory
• Novell eDirectory 8.7.3
• Novell eDirectory 8.7.1

iLO 2 software is designed to run within the Microsoft Active Directory Users and Computers and Novell ConsoleOne management tools, enabling you to manage user accounts on Microsoft Active Directory or Novell eDirectory. This solution makes no distinction between eDirectory running on NetWare, Linux, or Windows. Spawning an eDirectory schema extension requires Java 1.4.0 or later for SSL authentication.

iLO 2 supports Microsoft Active Directory running on one of the following operating systems:
• Windows Server 2008
• Windows Server 2003

iLO 2 supports eDirectory running on Novell.

Schema required software

iLO 2 requires specific software, which will extend the schema and provide snap-ins to manage the iLO 2 network. An HP Smart Component is available for download that contains the schema installer and the management snap-in installer. The HP Smart Component can be downloaded from the HP website at http://www.hp.com/servers/lights-out.

You cannot run the schema installer on a domain controller that hosts Windows Server 2008 Core. Windows Server 2008 Core does not use a GUI (for security and performance reasons). To use the schema installer, you must install a GUI on the domain controller or use a domain controller that hosts an earlier version of Windows.

Schema installer

Bundled with the schema installer are one or more .xml files. These files contain the schema that will be added to the directory. Typically, one of these files will contain core schema that is common to all the supported directory services. Additional files contain only product-specific schemas. The schema installer requires the use of the .NET framework.

The installer includes three important screens:
• Schema Preview
• Setup
• Results

Schema Preview

The Schema Preview screen enables the user to view the proposed extensions to the schema. This screen reads the selected schema files, parses the XML, and displays it as a tree view. It lists all of the details of the attributes and classes that will be installed.

Setup

The Setup screen is used to enter the appropriate information before extending the schema.

The Directory Server section of the Setup screen enables you to select whether you will be using Active Directory or eDirectory, and to set the computer name and the port to be used for LDAP communications.

NOTE: Extending the schema on Active Directory requires that the user be an authenticated Schema Administrator, the schema is not write protected, and the directory is the FSMO role owner in the tree. The installer will attempt to make the target directory server the FSMO Schema Master of the forest.

To get write access to the schema on Windows 2000 requires a change to the registry safety interlock. If the user selects the Active Directory option, the schema extender will attempt to make the registry change. It will only succeed if the user has rights to do this. Write access to the schema is automatically enabled on Windows Server 2003.

The Directory Login section of the Setup screen enables you to enter your login name and password. These might be required to complete the schema extension. The Use SSL during authentication option sets the form of secure authentication to be used. If selected, directory authentication using SSL is used. If not selected and Active Directory is selected, Windows NT authentication is used. If not selected and eDirectory is selected, the administrator authentication and the schema extension will proceed using an unencrypted (clear text) connection.

Results

The Results screen displays the results of the installation, including whether the schema could be extended and what attributes were changed.

Management snap-in installer

The management snap-in installer installs the snap-ins required to manage iLO 2 objects in a Microsoft Active Directory Users and Computers directory or Novell ConsoleOne directory.

iLO 2 snap-ins are used to perform the following tasks in creating an iLO 2 directory:
• Creating and managing the iLO 2 and role objects (policy objects will be supported at a later date).
• Making the associations between iLO 2 objects and the role (or policy) objects.

Directory services for Active Directory

The following sections provide installation prerequisites, preparation, and a working example of Directory Services for Active Directory. HP provides a utility to automate much of the directory setup process. You can download the HP Directories Support for Management Processors on the HP website at http://www.hp.com/servers/lights-out.

Active Directory installation prerequisites

• The Active Directory must have a digital certificate installed to allow iLO 2 to connect securely over the network.
• The Active Directory must have the schema extended to describe Lights-Out object classes and properties.
• The firmware version must be iLO v1.40 or later, or iLO v1.00 or later.
• iLO 2 advanced features must be licensed.

You can evaluate iLO Advanced with an evaluation license key that you can download from the HP website at http://h10018.www1.hp.com/wwsolutions/ilo/iloeval.html.

Directory Services for iLO 2 uses LDAP over SSL to communicate with the directory servers. Before installing snap-ins and schema for Active Directory, read and have available the following documentation: