HP iLO 2 User Guide

3. Create HP Role objects in the roles organizational unit using the HP provided ConsoleOne snap-in tool.
a. Right-click the roles organizational unit found in the region2 organizational unit, and select New > Object.
b. Select hpqRole from the list of classes, and click OK.
c. Enter an appropriate name on the New hpqRole page. In this example, the role will contain users trusted for remote server administration and will be named remoteAdmins. Click OK. The Select Object Subtype page appears.
d. Because this role manages the rights to Lights-Out Management devices, select Lights Out Management Devices from the list, and click OK.
e. Repeat the process, creating a role for remote server monitors, named remoteMonitors, in roles in region1, and a remoteAdmins and a remoteMonitors role in roles in region2.
4. Assign rights to the role and associate the roles with users and devices using the HP provided ConsoleOne snap-in tool.
a. Right-click the remoteAdmins role in the roles organizational unit in the region1 organizational unit, and select Properties.
b. Select the Role Managed Devices tab of the HP Management option and click Add.
c. Using the Select Objects page, browse to the hp devices organizational unit in the region1 organizational unit. Select the three LOM objects created in step 2. Click OK > Apply.
d. Click the Members tab, and add users to the role by clicking Add on the Select Object page. Devices and users are now associated.
e. Set the rights for the role using the Lights Out Management Device Rights option on the HP Management tab. All users within the role have the rights assigned to the role on all of the iLO 2 devices managed by the role. In this example, the users in the remoteAdmins role are given full access to the iLO 2 functionality. Select the check boxes next to each right, and click Apply. To close the property sheet, click Close.
Setting up HP schema directory integration 151

5. Using the same procedure as in step 4, edit the properties of the remoteMonitors role:
a. Add the three iLO 2 devices within hp devices under region1 to the Managed Devices list on the Role Managed Devices option of the HP Management tab.
b. Add users to the remoteMonitors role using the Members tab.
c. Select the Login check box, and click Apply > Close. Using the Lights Out Management Device Rights option of the HP Management tab, members of the remoteMonitors role can authenticate and view the server status.

User rights to any LOM device are calculated as the sum of all the rights assigned by all the roles in which the user is a member, and in which the LOM device is a managed device. Following the preceding examples, if a user is in both the remoteAdmins and remoteMonitors roles, they will have all the rights, because the remoteAdmins role has those rights.

To configure a LOM device and associate it with a LOM object used in this example, use settings similar to the following on the Directory Settings page.

NOTE: Commas, not periods, are used in LDAP distinguished names to separate each component.

RIB Object DN = cn=rib-email-server,ou=hp devices,ou=region1,o=samplecorp
Directory User Context 1 = ou=users,o=samplecorp

For example, user CSmith, located in the users organizational unit within the samplecorp organization, who is also a member of one of the remoteAdmins or remoteMonitors roles, would be allowed to log in to the iLO 2. The user enters csmith (case insensitive) in the Login Name field of the iLO 2 login screen and uses the eDirectory password in the Password field of that screen to gain access.

Directory Services objects for eDirectory

Directory Services objects enable virtualization of the managed devices and the relationships between the managed device and user or groups already contained within the directory service.

Role managed devices

The Role Managed Devices subtab under the HP Management tab is used to add the HP devices to be managed within a role. Clicking Add enables you to browse to the specific HP device and add it as a managed device.
152 Directory services

Members

After user objects are created, the Members tab allows you to manage the users within the role. Clicking Add enables you to browse to the specific user you want to add. Highlighting an existing user and clicking Delete removes the user from the list of valid members.

eDirectory Role Restrictions

The Role Restrictions subtab enables you to set login restrictions for the role. These restrictions include:
• Time restrictions
• IP network address restrictions
— IP/mask
— IP range
• DNS name

Time restrictions

You can manage the hours available for logon by members of the role by using the time grid displayed in the Role Restrictions subtab. You can select the times available for logon for each day of the week in half-hour increments. You can change a single square by clicking it, or a section of squares by clicking and holding the mouse button, dragging the cursor across the squares to be changed, and releasing the mouse button. The default setting is to allow access at all times.

Enforced client IP address or DNS name access

Access can be granted or denied to an IP address, IP address range, or DNS names.
1. In the By Default dropdown menu, select whether to Allow or Deny access from all addresses, except the specified IP addresses, IP address ranges, and DNS names.
2. Select the addresses to be added, select the type of restriction, and click Add.
3. In the Add New Restriction pop-up window, enter the information and click OK. The Add New Restriction pop-up for the IP/Mask option is shown.
The DNS Name option allows you to restrict access based on a single DNS name or a subdomain, entered in the form of host.company.com or *.domain.company.com.
4. Click Apply to save the changes.
To remove any of the entries, highlight the entry in the display field and click Delete.

eDirectory Lights-Out Management

After a role is created, rights for the role can be selected. Users and group objects can now be made members of the role, giving the users or group of users the rights granted by the role. Rights are managed on the Lights Out Management Device Rights subtab of the HP Management tab. The available rights are:
• Login – This option controls whether users can log in to the associated devices.
Login access can be used to create a user who is a service provider and who receives alerts from iLO 2 but does not have login access to iLO 2.
• Remote Console – This option allows the user access to the Remote Console.
• Virtual Media – This option allows the user access to the iLO 2 Virtual Floppy and Virtual Media functionality.

• Server Reset and Power – This option allows the user to remotely reset the server or power it down.
• Administer Local User Accounts – This option allows the user to administer accounts. The user can modify their account settings, modify other user account settings, add users, and delete users.
• Administer Local Device Settings – This option allows the user to configure iLO 2 settings. These settings include the options available on the Global Settings, Network Settings, SNMP Settings, and Directory Settings screens of the iLO 2 browser.

User login using directory services

The iLO 2 login page Login Name field accepts all of the following:
• Directory users
• LDAP Fully Distinguished Names
Example: CN=John Smith,CN=Users,DC=HP,DC=COM, or @HP.com
NOTE: The short form of the login name by itself does not tell the directory which domain you are trying to access. You must provide the domain name or use the LDAP distinguished name of your account.
• DOMAIN\user name form (Active Directory Only)
Example: HP\jsmith
• username@domain form (Active Directory Only)
Example: [email protected]
NOTE: Directory users specified using the @ searchable form can be located in one of three searchable contexts, which are configured within Directory Settings.
• User name form
Example: John Smith
NOTE: Directory users specified using the user name form can be located in one of three searchable contexts, which are configured within Directory Settings.
• Local users – Login-ID
NOTE: On the iLO 2 login page, the maximum length of the login name is 39 characters for local users. For Directory Services users, the maximum length of the login name is 256 characters.

Directory-enabled remote management

Introduction

This section is for administrators who are familiar with directory services and the iLO 2 product and want to use the HP schema directory integration option for iLO 2. You must be familiar with “Directory services” (page 130) and comfortable with setting up and understanding the examples.
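Returning to the login-name forms listed under User login using directory services, and to the earlier note that distinguished-name components are separated by commas, here is an added Python example that is not code from the HP guide or from iLO 2 itself. It classifies a Login Name value into one of the accepted forms and applies the 39/256 character limits; the DN syntax check (attr=value components, no "=" or "," inside a value) is a simplification assumed for the example.

```python
import re

# One attr=value component, e.g. "ou=hp devices". Rejecting "=" inside the
# value is an assumption for this example: it catches components joined with
# periods instead of commas ("ou=users.o=samplecorp" is then not a DN).
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")

LOCAL_MAX_LEN = 39        # local users
DIRECTORY_MAX_LEN = 256   # Directory Services users


def is_distinguished_name(text):
    """True for a comma-separated list of attr=value components."""
    parts = [p.strip() for p in text.split(",")]
    return all(RDN.match(p) for p in parts)


def login_name_form(name):
    """Classify a Login Name field value into one of the accepted forms."""
    if is_distinguished_name(name):
        return "LDAP distinguished name"
    if "\\" in name:
        return "DOMAIN\\user name"        # Active Directory only
    if "@" in name:
        return "user name@domain"         # Active Directory only
    return "user name"                    # located via the searchable contexts


def login_name_accepted(name, local_user=False):
    """Apply the login page's length limit for the kind of user."""
    limit = LOCAL_MAX_LEN if local_user else DIRECTORY_MAX_LEN
    return 0 < len(name) <= limit
```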
Directory-enabled remote management enables you to:
• Create Lights-Out Management Objects
You must create one LOM device object to represent each device that will use the directory service to authenticate and authorize users. For additional information on creating LOM device objects for Active Directory, see “Directory services” (page 130), “Directory services for Active Directory” (page 140), and “Directory services for eDirectory” (page 149). In general, you can use the HP provided snap-ins to create objects. It is useful to give the LOM device objects meaningful names, such as the device network address, DNS name, host server name, or serial number.
• Configure the Lights-Out management devices
Every LOM device that uses the directory service to authenticate and authorize users must be configured with the appropriate directory settings. For details on the specific directory settings, see “Configuring directory settings” (page 51). In general, you can configure each device with the appropriate directory server address, LOM object distinguished name, and any user contexts. The server address is either the IP address or DNS name of a local directory server or, for more redundancy, a multi-host DNS name.

Creating roles to follow organizational structure

Often, the administrators within an organization are placed into a hierarchy in which subordinate administrators must assign rights independently of ranking administrators. In this case, it is useful to have one role that represents the rights assigned by higher-level administrators and to allow the subordinate administrators to create and manage their own roles.

Using existing groups

Many organizations have users and administrators arranged into groups. In many cases, the organizations can use the existing groups and associate the groups with one or more Lights-Out Management role objects. When the devices are associated with the role objects, the administrator controls access to the Lights-Out devices associated with the role by adding or deleting members from the groups.

When using Microsoft Active Directory, it is possible to place one group within another or nested groups. Role objects are considered groups and can include other groups directly. Add the existing nested group directly to the role, and assign the appropriate rights and restrictions. New users can be added to either the existing group or the role.
Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is considered a member of that role. When adding an existing group, organizational unit or organization to a role, add the object as a read trustee of the role. All the members of the object are considered members of the role. New users can be added to either the existing object or the role.

When using trustee or directory rights assignments to extend role membership, users must be able to read the LOM object representing the LOM device. Some environments require the same trustees of a role to also be read trustees of the LOM object to successfully authenticate users.

Using multiple roles

Most deployments do not require the same user to be in multiple roles managing the same device. However, these configurations are useful for building complex rights relationships. When building multiple-role relationships, users receive all the rights assigned by every applicable role. Roles can only grant rights, never revoke them. If one role grants a user a right, then the user has the right, even if the user is in another role that does not grant that right.

Typically, a directory administrator creates a base role with the minimum number of rights assigned and then creates additional roles to add additional rights. These additional rights are added under specific circumstances or to a specific subset of the base role users.

For example, an organization can have two types of users, administrators of the LOM device or host server and users of the LOM device. In this situation, it makes sense to create two roles, one for the administrators and one for the users. Both roles include some of the same devices but grant different rights. Sometimes, it is useful to assign generic rights to the lesser role and include the LOM administrators in that role, as well as the administrative role.
Directory-enabled remote management 157

An admin user gains the login right from the regular user group. More advanced rights are assigned through the Admin role, which assigns additional rights – Server Reset and Remote Console.

The Admin role assigns all admin rights: Server Reset, Remote Console, and Login.

How directory login restrictions are enforced

Two sets of restrictions potentially limit a directory user's access to LOM devices. User access restrictions limit a user's access to authenticate to the directory. Role access restrictions limit an authenticated user's ability to receive LOM privileges based on rights specified in one or more Roles.

Restricting roles

Restrictions allow administrators to limit the scope of a role. A role only grants rights to those users that satisfy the role's restrictions. Using restricted roles results in users with dynamic rights that can change based on the time of day or network address of the client.
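The sum-of-rights rule stated with the remoteAdmins/remoteMonitors example (a user's rights on a device are the union of the rights of every role that contains the user and manages the device) and the Admin/Users example above, as an added Python model that is not part of the HP guide or the iLO 2 firmware. Role, user and device names are constructed; the time grid is the 7-day by half-hour table described under eDirectory Role Restrictions, and a `now` of None stands for a LOM device whose clock is not set.

```python
from datetime import datetime

# The six Lights-Out Management device rights listed in this chapter.
LOGIN, REMOTE_CONSOLE, VIRTUAL_MEDIA = "Login", "Remote Console", "Virtual Media"
SERVER_RESET = "Server Reset and Power"
ADMIN_USERS = "Administer Local User Accounts"
ADMIN_DEVICE = "Administer Local Device Settings"


class Role:
    """One role: members, managed devices, rights and an optional time grid.
    time_grid is None when no time restriction is set; otherwise a 7 x 48
    table of booleans (Monday = day 0, slot 0 = 00:00-00:30)."""

    def __init__(self, name, members, devices, rights, time_grid=None):
        self.name, self.members, self.devices = name, set(members), set(devices)
        self.rights, self.time_grid = set(rights), time_grid

    def time_ok(self, now):
        if self.time_grid is None:        # no restriction: always satisfied
            return True
        if now is None:                   # LOM clock not set: restriction fails
            return False
        slot = now.hour * 2 + (1 if now.minute >= 30 else 0)
        return self.time_grid[now.weekday()][slot]


def weekday_hours(start_hour, end_hour):
    """Grid permitting logon Monday to Friday from start_hour to end_hour."""
    grid = [[False] * 48 for _ in range(7)]
    for day in range(5):
        for slot in range(start_hour * 2, end_hour * 2):
            grid[day][slot] = True
    return grid


def effective_rights(user, device, roles, now):
    """Union of the rights of every role that contains the user, manages the
    device and whose time restriction is met. Roles only grant, never revoke."""
    granted = set()
    for role in roles:
        if user in role.members and device in role.devices and role.time_ok(now):
            granted |= role.rights
    return granted


# Constructed roles following the chapter's Users / Admin scenario: the
# Admin role is additionally restricted to weekday office hours.
ROLES = [
    Role("Users", {"jsmith", "csmith"}, {"ilo-web01"}, {LOGIN}),
    Role("Admin", {"csmith"}, {"ilo-web01"}, {SERVER_RESET, REMOTE_CONSOLE, LOGIN},
         time_grid=weekday_hours(8, 18)),
]
MONDAY_10AM = datetime(2024, 1, 8, 10, 0)     # constructed sample times
SATURDAY_10AM = datetime(2024, 1, 13, 10, 0)
```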

NOTE: When directories are enabled, access to a particular iLO 2 is based on whether the user has read access to a Role object that contains the corresponding iLO 2 object. This includes but is not limited to the members listed in the role object. If the Role is set up to allow inheritable permissions to propagate from a parent, then members of the parent which have read access privileges will also have access to iLO 2. To view the access control list, navigate to Users and Computers, open the properties screen for the Role object and select the Security tab.

For step-by-step instructions on how to create network and time restrictions on a role, see “Active Directory role restrictions” (page 147) or “eDirectory Role Restrictions” (page 154).

Role time restrictions

Administrators can place time restrictions on LOM roles. Users are granted the rights specified for the LOM devices listed in the role, only if they are members of the role and meet the time restrictions for that role.

LOM devices use local host time to enforce time restrictions. If the LOM device clock is not set, the role time restriction fails unless no time restrictions are specified on the role.

Role-based time restrictions can only be satisfied if the time is set on the LOM device. The time is normally set when the host is booted, and it is maintained by running the agents in the host operating system, which allows the LOM device to compensate for leap year and minimize clock drift with respect to the host. Events, such as unexpected power loss or flashing LOM firmware, can cause the LOM device clock to not be set. Also, the host time must be correct for the LOM device to preserve time across firmware flashes.

Role address restrictions

Role address restrictions are enforced by the LOM firmware, based on the client's IP network address. When the address restrictions are met for a role, the rights granted by the role apply.

Address restrictions can be difficult to manage if access is attempted across firewalls or through network proxies. Either of these mechanisms can change the apparent network address of the client, causing the address restrictions to be enforced in an unexpected manner.

User restrictions

You can restrict access using address or time restrictions.
User address restrictions

Administrators can place network address restrictions on a directory user account, and these restrictions are enforced by the directory server. Refer to the directory service documentation for details on the enforcement of address restrictions on LDAP clients, such as a user logging in to a LOM device.

Network address restrictions placed on the user in the directory might not be enforced in the expected manner if the directory user logs in through a proxy server. When a user logs in to a LOM device as a directory user, the LOM device attempts authentication to the directory as that user, which means that address restrictions placed on the user account apply when accessing the LOM device. However, because the user is proxied at the LOM device, the network address of the authentication attempt is that of the LOM device, not that of the client workstation.

IP address range restrictions

IP address range restrictions enable the administrator to specify network addresses that are granted or denied access by the restriction. The address range is typically specified in a low-to-high range format. An address range can be specified to grant or deny access to a single address. Addresses that fall within the low to high IP address range meet the IP address restriction.

IP address and subnet mask restrictions

IP address and subnet mask restrictions enable the administrator to specify a range of addresses that are granted or denied access by the restriction. This format has similar capabilities as an IP address range but might be more native to your networking environment. An IP address and subnet mask range is typically specified using a subnet address and address bit mask that identifies addresses that are on the same logical network.

In binary math, if the bits of a client machine address, combined (bitwise AND) with the bits of the subnet mask, match the restriction subnet address, then the client machine meets the restriction.

DNS-based restrictions

DNS-based restrictions use the network naming service to examine the logical name of the client machine by looking up machine names assigned to the client IP addresses. DNS restrictions require a functional name server. If the name service goes down or cannot be reached, DNS restrictions cannot be matched and will fail.

DNS-based restrictions can limit access to a single, specific machine name or to machines sharing a common domain suffix. For example, the DNS restriction, www.hp.com, matches hosts that are assigned the domain name www.hp.com. However, the DNS restriction, *.hp.com, matches any machine originating from HP.

DNS restrictions can cause some ambiguity because a host can be multi-homed. DNS restrictions do not necessarily match one-to-one with a single system.

Using DNS-based restrictions can create some security complications. Name service protocols are insecure. Any individual with malicious intent and access to the network can place a rogue DNS service on the network creating fake address restriction criteria. Organizational security policies must be taken into consideration when implementing DNS-based address restrictions.

How user time restrictions are enforced

Administrators can place a time restriction on directory user accounts. Time restrictions limit the ability of the user to log in (authenticate) to the directory. Typically, time restrictions are enforced using the time at the directory server, but if the directory server is located in a different time zone or a replica in a different time zone is accessed, then time zone information from the managed object can be used to adjust for relative time.
The directory server evaluates user time restrictions, but the determination can be complicated by time zone changes or authentication mechanism.
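The three address restriction types described above (IP address range, IP address and subnet mask, DNS name) together with the By Default Allow/Deny rule from the Role Restrictions subtab, as an added Python example that is not code from the HP guide or the iLO 2 firmware. The restriction entries, client addresses and the reverse-lookup table are constructed for the example; the table stands in for the name service, and an address with no entry models a lookup that cannot be completed.

```python
import ipaddress


def matches(restriction, client_ip, reverse_dns):
    """True if one configured restriction entry matches the client.
    restriction is (kind, value) with kind "ip/mask", "ip range" or "dns"."""
    kind, value = restriction
    ip = int(ipaddress.ip_address(client_ip))
    if kind == "ip/mask":
        # subnet address and bit mask: the client is on the same logical
        # network when (client AND mask) == (subnet AND mask)
        subnet, mask = (int(ipaddress.ip_address(v)) for v in value)
        return (ip & mask) == (subnet & mask)
    if kind == "ip range":
        # low-to-high range; low == high restricts a single address
        low, high = (int(ipaddress.ip_address(v)) for v in value)
        return low <= ip <= high
    if kind == "dns":
        name = reverse_dns.get(client_ip)
        if name is None:                  # name lookup failed: cannot match
            return False
        name, pattern = name.lower(), value.lower()
        if pattern.startswith("*."):      # subdomain form *.domain.company.com
            return name.endswith(pattern[1:])
        return name == pattern            # single host form host.company.com
    raise ValueError(f"unknown restriction kind: {kind}")


def access_allowed(by_default, restrictions, client_ip, reverse_dns):
    """By Default Allow or Deny applies to all addresses except the listed
    entries, which are the exceptions to the default."""
    matched = any(matches(r, client_ip, reverse_dns) for r in restrictions)
    return matched if by_default == "Deny" else not matched


# Constructed role restriction: deny everything except the ops subnet, one
# jump host given as a single-address range, and hosts under ops.example.test.
RESTRICTIONS = [
    ("ip/mask", ("10.1.2.0", "255.255.255.0")),
    ("ip range", ("192.0.2.10", "192.0.2.10")),
    ("dns", "*.ops.example.test"),
]
# Constructed reverse-lookup table standing in for the name service.
REVERSE_DNS = {
    "192.0.2.50": "bastion.ops.example.test",
    "192.0.2.51": "kiosk.guest.example.test",
}


def ops_policy(client_ip):
    return access_allowed("Deny", RESTRICTIONS, client_ip, REVERSE_DNS)
```

The address evaluated is the source address the LOM device sees, so a client reaching it through a proxy or NAT is judged by the proxy's address, as the guide warns.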