HP iLO 3 User Guide

    2. Is your configuration scalable?
    • No—Deploy an instance of the schema-free directory integration to evaluate whether this
    method meets your policy and procedural requirements. If necessary, you can deploy HP
    schema directory integration later. For more information, see “Schema-free directory
    integration” (page 166).
    • Yes—Use HP schema directory integration. For more information, see “Setting up HP
    extended schema directory integration” (page 170).
    The following questions can help you determine whether your configuration is scalable:
    • Are you likely to change the rights or privileges for a group of directory users?
    • Will you regularly script iLO changes?
    • Do you use more than five groups to control iLO privileges?
    For more information, see the comprehensive list of benefits in “Directory integration benefits”
    (page 160). “Directory-enabled remote management” (page 190) explains how roles, groups, and
    security are enabled and enforced through directories.

    Kerberos support
    Kerberos support enables a user to log in to iLO without supplying a user name and password if
    the client workstation is logged in to the domain and the user is a member of a directory group
    for which iLO is configured. If the workstation is not logged in to the domain, the user can also
    log in to iLO by using the Kerberos user name and domain password. Kerberos support can be
    configured through the web interface, XML (RIBCL), or SSH (partial support for CLI).
    Because a trust relationship between iLO and the domain is established by a system administrator
    before user sign-on, any form of authentication (including two-factor authentication) is supported.
    For instructions on configuring a user to support two-factor authentication, see the server operating
    system documentation.

    Domain controller preparation
    In a Windows Server environment, Kerberos support is part of the domain controller.

    Realm names
    The Kerberos realm name for a DNS domain is usually the domain name converted to uppercase.
    For example:
    • Parent domain name: example.net
    • Kerberos realm name: EXAMPLE.NET

    Computer accounts
    A computer account must be present and enabled in the domain directory for each iLO account.
    In Windows, create the user account in the Active Directory Users and Computers snap-in. For
    example:
    • iLO host name: iloname
    • Parent domain name: example.net
    • iLO domain name (fully qualified): iloname.example.net

    User accounts
    A user account must be present and enabled in the domain directory for each user who is allowed
    to log in to iLO.
    						
    Generating a keytab
    This section describes how to generate a keytab file for iLO in a Windows environment.
    The iLO host name that you use for keytab generation must be identical to the configured iLO host
    name. iLO host names are case sensitive.
    1. Use the ktpass command to generate a keytab and set the shared secret.
    The command is case sensitive and has special characters.
    ktpass -out iloname.keytab +rndPass -ptype KRB5_NT_SRV_HST -mapuser [email protected] -princ HTTP/[email protected]
    The output should be similar to the following:
    Targeting domain controller: domaincontroller.example.net
    Using legacy password setting method
    Successfully mapped HTTP/iloname.example.net to iloname.
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to iloname.keytab:
    Keytab version: 0x502
    keysize 69 HTTP/[email protected] ptype 3 (KRB5_NT_SRV_HST) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x5a5c7c18ae23559acc29d95e0524bf23)
    NOTE: The ktpass command might display a message about not being able to set the
    UPN. This is acceptable because iLO is a service, not a user. You might be prompted to
    confirm the password change on the computer object. Click OK to close the window and
    continue creating the keytab file. Do not use the -kvno option of the ktpass command. This
    option causes the kvno in the keytab file to be out of sync with the kvno in Active Directory.
    2. Use the SetSPN command to assign the Kerberos SPN to the computer object. For example:
    SetSPN -A HTTP/iloname.example.net iloname
    If the SetSPN command displays an error message, do the following:
    a. Use MMC with the ADSIEdit snap-in and find the computer object for iLO.
    b. Set the DNSHostName property to the iLO DNS name. For example:
    cn=iloname,ou=us,ou=clients,dc=example,dc=net
    3. Use the SetSPN -L iloname command to display the SPNs and DN for the iLO.
    Verify that the HTTP/iloname.example.net service is displayed.
    NOTE: The SetSPN command might display a message about not being able to set the
    UPN. This is acceptable because iLO is a service, not a user. You might be prompted to
    confirm the password change on the computer object. Click OK to close the window and
    continue creating the keytab file.

    Key version number
    If a domain controller OS is reinstalled, the key version number sequence resets. You must regenerate
    and reinstall the keytab files that iLO uses for devices associated with that domain controller.

    Windows Vista
    To generate keytab files on Windows Vista, use Microsoft hotfix KB960830 and ktpass.exe
    version 6.0.6001.22331 or later.
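
The conditions this section places on a keytab (host name case identical to the configured iLO host name, realm equal to the uppercase domain name, kvno in sync with Active Directory) can be checked on the generated file before it is loaded into iLO. The following Python code is an added example, not part of the HP guide: it parses a version 0x502 keytab and reports mismatches. The function names and the two sample keytabs are constructed for illustration, and the directory kvno is assumed to be supplied by the caller.

```python
import struct


def read_counted(buf, off):
    """Read a 16-bit big-endian length and that many bytes; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("counted field runs past the end of the entry")
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per key in a version 0x502 keytab (the version ktpass reports)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # a negative size marks a deleted slot
            pos += -size
            continue
        rec = data[pos:pos + size]
        if len(rec) < size:
            raise ValueError("truncated keytab entry")
        pos += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = read_counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = read_counted(rec, off)
            comps.append(comp.decode())
        _ntype, _time, kvno, etype = struct.unpack_from(">IIBH", rec, off)
        _key, off = read_counted(rec, off + 11)
        if len(rec) - off >= 4:             # optional 32-bit kvno replaces the 8-bit one
            (kvno32,) = struct.unpack_from(">I", rec, off)
            kvno = kvno32 or kvno
        entries.append({"spn": "/".join(comps), "realm": realm.decode(),
                        "kvno": kvno, "etype": etype})
    return entries


def audit_ilo_keytab(data, ilo_hostname, dns_domain, ad_kvno):
    """Check a keytab against the configured iLO host name, the realm and the AD kvno."""
    # ad_kvno: the caller's reading of the directory kvno (assumed: msDS-KeyVersionNumber).
    want_spn = "HTTP/%s.%s" % (ilo_hostname, dns_domain)
    entries = parse_keytab(data)
    findings = [] if entries else ["keytab contains no keys"]
    for e in entries:
        if e["spn"] != want_spn:
            kind = "case mismatch" if e["spn"].lower() == want_spn.lower() else "wrong SPN"
            findings.append("%s: keytab has %s, iLO uses %s" % (kind, e["spn"], want_spn))
        if e["realm"] != dns_domain.upper():
            findings.append("realm %s is not the uppercase domain name" % e["realm"])
        if e["kvno"] != ad_kvno:
            findings.append("kvno out of sync: keytab %d, directory %d" % (e["kvno"], ad_kvno))
    return findings


def sample_keytab(host, kvno):
    """Build a constructed one-key keytab for the demonstration (all-zero key)."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    rec = struct.pack(">H", 2) + counted(b"EXAMPLE.NET") + counted(b"HTTP")
    rec += counted(host.encode()) + struct.pack(">IIBH", 3, 0, kvno & 0xFF, 0x17)
    rec += counted(bytes(16)) + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec


GOOD = sample_keytab("iloname.example.net", 3)   # constructed sample
BAD = sample_keytab("ILOname.example.net", 5)    # constructed: wrong case, kvno mismatch

if __name__ == "__main__":
    print([audit_ilo_keytab(k, "iloname", "example.net", 3) for k in (GOOD, BAD)])
```

An empty list from `audit_ilo_keytab` means the keytab matches the configured host name, realm and directory kvno.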
    						
    Universal and global user groups (for authorization)
    To set permissions in iLO, you must create a group in the domain directory. Users who log in to
    iLO are granted the sum of the permissions for all groups of which they are a member. Only
    universal and global user groups can be used to set permissions. Domain local groups are not
    supported.

    Configuring iLO for Kerberos login
    This section describes the iLO requirements for Kerberos login. You can configure iLO for Kerberos
    login using the iLO web interface, XML configuration and control scripts, or the CLI, CLP, or SSH
    interface.

    Using the iLO web interface
    To configure the iLO parameters by using the web interface:
    1. Navigate to the Network → iLO Dedicated Network Port or Shared Network Port → General
    page to configure the iLO Hostname parameter in the iLO Subsystem Name (Host Name) box.
    The case of the iLO host name used for keytab generation must be identical to the case of the
    configured iLO host name.
    For more information, see “Configuring general network settings” (page 72).
    2. Navigate to the Administration → Security → Directory page to configure the following
    Kerberos-specific parameters:
    • Kerberos Authentication
    • Kerberos Realm
    • Kerberos KDC Server Address
    • Kerberos KDC Server Port
    • Kerberos Keytab
    For more information about the Kerberos-specific parameters, see “Configuring directory
    settings” (page 51).
    3. Navigate to the Administration → User Administration page to configure directory groups.
    Each Directory Group includes a DN, SID, and permissions. For Kerberos login, the SIDs of
    groups of which the user is a member are compared to the SIDs for directory groups for which
    iLO is configured. The user is granted the sum of the permissions for all groups of which the
    user is a member.
    You can only use global and universal groups to set permissions. Domain local groups are
    not supported.
    For more information, see “Managing iLO users by using the iLO web interface” (page 32).
    4. Navigate to the Information → Overview page to check the Current iLO Date/Time.
    For more information, see “Viewing iLO overview information” (page 94).
    5. Navigate to the Administration → Network → SNTP Settings page if you want to change the
    date and time.
    For Kerberos authentication to function properly, the date and time must be synchronized
    between the iLO processor, the KDC, and the client workstation. Set the date and time in iLO
    with the server, or obtain the date and time from the network by enabling the SNTP Settings
    feature in iLO.
    For more information, see “Configuring SNTP settings” (page 79).
    						
    Using XML configuration and control scripts
    The following sample scripts show how to set the iLO parameters for directories:
    • Set_Server_Name.xml shows how to set the iLO host name.
    • Mod_Schemaless_Directory.xml shows how to configure directory groups.
    • Mod_Network_Settings.xml shows how to configure SNTP settings.
    • Mod_Kerberos_Config.xml shows how to configure Kerberos-specific parameters.
    NOTE: You can download sample XML scripts from http://www.hp.com/support/ilo3. For more
    information, see the HP iLO 3 Scripting and Command Line Guide.

    Using the CLI, CLP, or SSH interface
    To configure the iLO parameters by using the CLI, CLP, or SSH interface:
    • iLO Hostname—You can change the iLO host name in the Hostname property of the
    /map1/dnsendpt1 target.
    • Directory groups—You can configure directory group names and permissions in the properties
    of the /map1/oemhp_dircfg1 target. The group SIDs cannot be configured through this
    interface.
    • iLO Date/Time, SNTP Settings—The current date and time and the SNTP settings cannot be
    displayed through this interface.
    • Kerberos-specific configuration parameters—You can configure Kerberos parameters in the
    properties of the oemhp_dircfg1 target.
    NOTE: For more information about configuring the iLO parameters by using the CLI, CLP, or
    SSH, see the HP iLO 3 Scripting and Command Line Guide.

    Time requirement
    To log in to Kerberos successfully, ensure that the date and time of the following are set to within
    5 minutes of one another:
    • The iLO server
    • The client running the web browser
    • The servers performing the authentication

    Configuring single sign-on
    Users who are allowed to log in to iLO must be members of the groups for which permissions are
    assigned. For Windows clients, locking and unlocking the workstation refreshes the credentials
    that are used to log in to iLO. Home versions of the Windows operating system do not support
    Kerberos login.

    Internet Explorer
    This section describes the procedure for enabling single sign-on with Internet Explorer. The following
    steps enable login if Active Directory is configured correctly for iLO, and iLO is configured correctly
    for Kerberos login.
    NOTE: This procedure is based on Internet Explorer 7. Newer browser versions might have
    different steps.
    1. Enable authentication in Internet Explorer:
    a. Select Tools → Internet Options.
    b. Click the Advanced tab.
    c. Scroll to the Security section.
    d. Verify that the Enable Integrated Windows Authentication option is selected.
    e. Click OK.
    2. Add the iLO domain to the Intranet zone:
    a. Select Tools → Internet Options.
    b. Click the Security tab.
    c. Click the Local intranet icon.
    d. Click the Sites button.
    e. Click the Advanced button.
    f. Enter the site to add in the Add this website to the zone box.
    On a corporate network, *.example.net is sufficient.
    g. Click Add.
    h. Click Close.
    i. Click OK to close the Local intranet dialog box.
    j. Click OK to close the Internet Options dialog box.
    3. Enable Automatic logon only in Intranet zone:
    a. Select Tools → Internet Options.
    b. Click the Security tab.
    c. Click the Local intranet icon.
    d. Click Custom level.
    e. Scroll to the User Authentication section.
    f. Verify that the Automatic logon only in Intranet zone option is selected.
    g. Click OK to close the Security Settings—Local Intranet Zone window.
    h. Click OK to close the Internet Options dialog box.
    4. If any options were changed, close and restart Internet Explorer.
    5. Use the FQDN to browse to iLO (for example, iloname.example.net).
    6. Click the HP Zero Sign In button.

    Firefox
    This section describes the procedure for enabling single sign-on with Firefox. The following steps
    enable login if Active Directory is configured correctly for iLO, and iLO is configured correctly for
    Kerberos login:
    1. Enter about:config in the browser location bar to open the browser configuration page.
    If the message This might void your warranty! appears, click the I'll be careful, I
    promise! button.
    2. Enter network.negotiate in the Filter box.
    3. Double-click network.negotiate-auth.trusted-uris.
    4. Enter the iLO DNS domain name (for example, example.net), and then click OK.
    5. Use the FQDN to browse to iLO (for example, iloname.example.net).
    6. Click the HP Zero Sign In button.

    Chrome
    No special settings are required for the Chrome browser.
    						
    Verifying single sign-on (HP Zero Sign In) configuration
    To verify that HP Zero Sign In is configured correctly:
    1. Browse to the iLO login page (for example, http://iloname.example.net).
    2. Click the HP Zero Sign In button.
    If a prompt for credentials appears, Kerberos authentication has failed and the system has
    reverted to NTLM authentication. Click Cancel, and then repeat the procedures in “Configuring
    single sign-on” (page 164).

    Login by name
    To verify that login by name is working properly:
    1. Browse to the iLO login page (for example, http://iloname.example.net).
    2. Enter the user name in the Kerberos SPN format (for example, [email protected]).
    3. Enter the associated domain password.
    If a prompt for credentials appears, Kerberos authentication has failed. Click Cancel to close
    the dialog box.
    Login by name might not work correctly if the computer account for iLO is part of a child
    domain, but the Kerberos configuration parameters (Kerberos Realm, Kerberos KDC Server
    Address, and Kerberos KDC Server Port) reference the parent domain.

    Schema-free directory integration
    With schema-free directory integration, users and group memberships reside in the directory, but
    group privileges reside in the iLO settings. iLO uses login credentials to read the user object in the
    directory and retrieve the user group memberships, which are compared to those stored in iLO. If
    the credentials and membership match, authorization is granted, as shown in Figure 84 (page 166).
    Figure 84 Schema-free directory integration
    Advantages of using schema-free directory integration include the following:
    • You do not have to extend the directory schema.
    • Minimal setup is required for users in the directory. If no setup exists, the directory uses existing
    users and group memberships to access iLO. For example, if you have a domain administrator
    named User1, you can copy the DN of the domain administrator security group to iLO and
    give it full privileges. User1 would then have access to iLO.
    [Figure 84 labels: User enters user name and password; iLO interface; Credentials translated to a DN; Login script validates user credentials; User found in the directory and verified in the iLO groups; Directory; iLO interface]
    						
    Using schema-free directory integration has the following disadvantage:
    • Group privileges are administered on each iLO. However, this disadvantage has minimal
    impact because group privileges rarely change, and the task of changing group membership
    is administered in the directory and not on each iLO. HP provides tools that enable you to
    make changes to a large number of iLOs at the same time.

    Setting up schema-free directory integration
    If you want to use the schema-free directory integration method, your system must meet the
    prerequisites described in “Active Directory prerequisites” (page 167).

    Active Directory prerequisites
    SSL must be enabled at the directory level. To enable SSL, install a certificate for the domain in
    Active Directory. iLO communicates with the directory only over a secure SSL connection.
    To validate the setup, you must have the directory DN of at least one user and the DN of a security
    group that the user is a member of.

    Introduction to Certificate Services
    Certificate Services is used to issue signed digital certificates to network hosts. The certificates are
    used to establish SSL connections with the host and verify the authenticity of the host.
    Installing Certificate Services enables Active Directory to receive a certificate that allows iLO
    processors to connect to the directory service. Without a certificate, iLO cannot connect to the
    directory service.
    Each directory service that you want iLO to connect to must be issued a certificate. If you install
    an Enterprise Certificate Service, Active Directory can automatically request and install certificates
    for all Active Directory controllers on the network.

    Installing Certificate Services
    Use the following procedure for Windows Server 2008:
    1. Navigate to Server Manager.
    2. Click Roles in the left pane.
    3. Click Add Roles.
    4. Select Active Directory Certificate Services.
    5. Follow the onscreen instructions. If you are not sure what values to use, accept the default
    values.

    Verifying Certificate Services
    Because management processors communicate with Active Directory by using SSL, you must create
    a certificate or install Certificate Services. You must install an enterprise CA because you will issue
    certificates to objects in your organizational domain.
    To verify that Certificate Services is installed, select Start → Programs → Administrative
    Tools → Certification Authority. An error message appears if Certificate Services is not installed.
    For information about the OIDs supported by iLO certificates, see “OID support for certificates”
    (page 245).

    Configuring Automatic Certificate Request
    To specify that a certificate be issued to the server:
    1. Select Start → Run, and then enter mmc.
    2. Select File → Add/Remove Snap-in.
    3. To add the snap-in to MMC, select Group Policy Object, and then click Add.
    4. Click Browse, and then select the Default Domain Policy object. Click OK.
    5. Click Finish, and then click Close and OK to close the remaining dialog boxes.
    6. Expand Computer Configuration → Windows Settings → Security Settings → Public Key.
    7. Right-click Automatic Certificate Requests Settings, and select New → Automatic Certificate
    Request.
    The Automatic Certificate Request Setup wizard starts.
    8. Click Next.
    9. Select the Domain Controller template, and click Next.
    10. Select the listed certificate authority (it is the same CA that was defined during the Certificate
    Services installation). Click Next.
    11. Click Finish to close the wizard.

    Schema-free setup using the iLO web interface
    You can set up a schema-free configuration by using the iLO web interface. Only users who have
    the Configure iLO Settings privilege can change these settings. Users who do not have the Configure
    iLO Settings privilege can only view the assigned settings.
    1. Navigate to the Administration → Security → Directory page.
    2. Select Use Directory Default Schema in the Authentication and Directory Server Settings section.
    For more information, see “Schema-free setup options” (page 169).
    3. Click Apply Settings.
    4. To test the communication between the directory server and iLO, click Test Settings.

    Schema-free setup using scripts
    To set up a schema-free directory configuration by using XML configuration and control scripts:
    1. Review the HP iLO 3 Scripting and Command Line Guide.
    2. Write and execute a script that configures iLO for schema-free directory support.
    Use the following script as a template:
    
     
      
       
        
        
        
        
        
        
        
    
    
    
    
    
    
       
      
     
    
    Schema-free setup with HP Directories Support for ProLiant Management Processors
    HP recommends using HP Directories Support for ProLiant Management Processors (HPLOMIG.exe)
    when you are configuring multiple iLO processors for directories.
    For more information, see “HP Directories Support for ProLiant Management Processors utility”
    (page 196).

    Schema-free setup options
    The schema-free setup options are the same, regardless of the method you use to configure the
    directory.
    To review the available methods, see “Schema-free setup using the iLO web interface” (page 168),
    “Schema-free setup using scripts” (page 168), and “Schema-free setup with HP Directories Support
    for ProLiant Management Processors” (page 168).
    After you enable directories and select the schema-free option, you have the following options:

    Minimum login flexibility
    • Enter the directory server DNS name or IP address and LDAP port. Typically, the LDAP port
    for an SSL connection is 636.
    • Enter the DN for at least one group. This group can be a security group (for example,
    CN=Administrators,CN=Builtin,DC=HP,DC=com) or any other group as long as the
    intended iLO users are members of the group.
    With a minimum configuration, you can log in to iLO by using your full DN and password.
    You must be a member of a group that iLO recognizes.

    Better login flexibility
    In addition to the minimum settings, enter at least one directory user context.
    At login time, the login name and user context are combined to make the user DN. For example,
    if the user logs in as JOHN.SMITH, and a user context is set up as CN=USERS,DC=HP,DC=COM,
    the DN that iLO tries is CN=JOHN.SMITH,CN=USERS,DC=HP,DC=COM.

    Maximum login flexibility
    Configure iLO with a DNS name, and not an IP address, for the directory server network address.
    The DNS name must be resolvable to an IP address from both iLO and the client system.
    Configuring iLO with maximum login flexibility enables you to log in using your full DN and
    password, your name as it appears in the directory, NetBIOS format (domain/login_name), or
    email format (login_name@domain).
    In some cases, the maximum login flexibility option might not work. For example, if the client and
    iLO are in different DNS domains, one of the two might not be able to resolve the directory server
    name to an IP address.

    Schema-free nested groups
    Many organizations have users and administrators arranged in groups. This arrangement of existing
    groups is convenient because you can associate them with one or more iLO management role
    objects. When iLO devices are associated with the role objects, you can use the administrator
    controls to access the devices associated with the role by adding or deleting members from the
    groups.
    When using Microsoft Active Directory, you can place one group in another group to create a
    nested group. Role objects are considered groups and can include other groups directly. You can
    add the existing nested group directly to the role and assign the appropriate rights and restrictions.
    You can add new users to either the existing group or the role.
    In previous implementations, only a schema-free user who was a direct member of the primary
    group was allowed to log in to iLO. In schema-free integration, users who are indirect members
    (a member of a group that is a nested group of the primary group) are allowed to log in to iLO.
    When you are using trustee or directory rights assignments to extend role membership, users must
    be able to read the object that represents the iLO device. Some environments require that the
    trustees of a role also be read trustees of the object to successfully authenticate users.

    Setting up HP extended schema directory integration
    When you are using HP schema directory integration, iLO supports both Active Directory and
    eDirectory. However, these directory services require that the schema be extended.

    Features supported by HP schema directory integration
    Using the HP schema enables you to do the following:
    • Authenticate users from a shared, consolidated, scalable user database.
    • Control user privileges (authorization) by using the directory service.
    • Use roles in the directory service for group-level administration of iLO management processors
    and iLO users.
    A schema administrator must complete the task of extending the schema. The local user database
    is retained. You can decide not to use directories, to use a combination of directories and local
    accounts, or to use directories exclusively for authentication.
    NOTE: When you are connected through the Diagnostics Port, the directory server is not available.
    You log in using a local account.
    Advantages of using the HP extended schema include the following:
    • There is more flexibility in controlling access. For example, access can be limited to a time of
    day or a certain range of IP addresses.
    • Groups are maintained in the directory, not on each iLO.

    Setting up directory services
    To successfully implement directory-enabled management on any iLO management processor:
    1. Plan
    Review the following sections:
    • Directory services. For more information, see “Directory services” (page 160).
    • Directory-enabled remote management. For more information, see “Directory-enabled
    remote management” (page 190).
    • Directory services schema. For more information, see “Directory services schema”
    (page 239).
    2. Install
    a. Download the HP Directories Support for ProLiant Management Processors package that
    contains the schema installer, the management snap-in installer, and the migration utilities
    from http://www.hp.com/support/ilo3.
    b. Run the schema installer once to extend the schema.
    c. Run the management snap-in installer and install the appropriate snap-in for your directory
    service on one or more management workstations.
    3. Update
    a. Set directory server settings and the DN of the management processor objects on the
    Directory Settings page in the iLO web interface. For more information, see “Configuring
    directory settings” (page 51).
    b. If you are using the schema-free integration or Kerberos Zero Sign In, configure directory
    groups. For more information, see “Managing iLO users by using the iLO web interface”
    (page 32).