HP Ilo 3 User Guide
4. Manage
   a. Create a management device object and a role object by using the snap-in.
   b. Assign rights to the role object, as necessary, and associate the role with the management device object.
   c. Add users to the role object.
   For more information about managing the directory service, see “Directory-enabled remote management” (page 190). Examples are available in “Directory services for Active Directory” (page 174) and “Directory services for eDirectory” (page 182).
5. Handle exceptions
   iLO migration utilities are easier to use with a single role. If you plan to create multiple roles in the directory, you might need to use directory scripting utilities, like LDIFDE or VBScript utilities. These utilities create complex role associations. For more information, see “Using bulk import tools” (page 196).

After the schema has been extended, you can complete the directory services setup by using HP migration utilities, which are included in the HP Directories Support for ProLiant Management Processors package.

Schema documentation
To assist with the planning and approval process, HP provides documentation about the changes made to the schema during the schema setup process. To review the changes made to your existing schema, see “Directory services schema” (page 239).

Directory services support
iLO software is designed to run with the Microsoft Active Directory Users and Computers snap-in or the Novell ConsoleOne management tools, enabling you to manage user accounts through the directory.
iLO supports the following directory services for HP schema directory integration:
• Microsoft Active Directory
• Microsoft Windows Server 2003 Active Directory
• Microsoft Windows Server 2008 Active Directory
• Novell eDirectory
  This solution makes no distinction between eDirectory running on Linux or eDirectory running on Windows. eDirectory schema extension requires Java 1.4.0 or later for SSL authentication.

Schema required software
iLO requires specific software that extends the schema and provides snap-ins to manage the iLO network. The HP Directories Support for ProLiant Management Processors package contains the schema installer and the management snap-in installer, as shown in Figure 85 (page 172). You can download the software from http://www.hp.com/support/ilo3.
Setting up HP extended schema directory integration 171
Figure 85 Installer for Schema Extender and snap-ins

You cannot run the schema installer on a domain controller that hosts Windows Server 2008 Core. For security and performance reasons, Windows Server 2008 Core does not use a GUI. To use the schema installer, you must install a GUI on the domain controller or use a domain controller that hosts an earlier version of Windows.

Schema Extender
Several .xml files are bundled with the Schema Extender. These files contain the schemas that are added to the directory. Typically, one of these files contains a core schema that is common to all of the supported directory services. Additional files contain product-specific schemas. The schema installer requires the .NET Framework.
The Schema Extender installer includes three important windows:
• Schema Preview
• Setup
• Results

Schema Preview window
The Schema Preview window (Figure 86) enables the user to view the proposed extensions to the schema. The installer reads the selected schema files, parses the XML, and displays it as a tree view. It lists all details of the installed attributes and classes.

Figure 86 Schema Preview window

172 Directory services
Setup window
You use the Setup window (Figure 87) to enter the appropriate information before extending the schema.
The Directory Server section of the Setup window enables you to specify whether you will use Active Directory or eDirectory, and to set the computer name and the port to be used for LDAP communications.

NOTE: When you are running the Schema Extender tool, you must use the Administrator login along with the domain name, for example, [email protected]\ Administrator.

Extending the schema for Active Directory requires that the user is an authenticated schema administrator, that the schema is not write protected, and that the directory is the FSMO role owner in the tree. The installer attempts to make the target directory server the FSMO schema master of the forest.
The Directory Login section of the Setup window enables you to enter your login name and password. These might be required to complete the schema extension. The Use SSL for this Session option sets the form of secure authentication to be used. If this option is selected, directory authentication through SSL is used. If this option is not selected and Active Directory is selected, Windows NT authentication is used. If this option is not selected and eDirectory is selected, the administrator authentication and the schema extension proceed by using an unencrypted (clear text) connection.

Figure 87 Setup window

Results window
The Results window (Figure 88) displays the results of the installation, including whether the schema could be extended and what attributes were changed.
Figure 88 Results window

Management snap-in installer
The management snap-in installer installs the snap-ins required to manage iLO objects in a Microsoft Active Directory Users and Computers directory or Novell ConsoleOne directory.
iLO snap-ins are used to perform the following tasks in creating an iLO directory:
• Creating and managing the iLO objects and role objects
• Making the associations between the iLO objects and the role objects

Directory services for Active Directory
The following sections provide installation prerequisites, preparation instructions, and a working example of directory services for Active Directory. HP provides a utility to automate much of the directory setup process. You can download HP Directories Support for ProLiant Management Processors from http://www.hp.com/support/ilo3.

Active Directory installation prerequisites
• Active Directory must have a digital certificate installed to enable iLO to connect securely over the network.
• Active Directory must have the schema extended to describe iLO object classes and properties.
• An iLO license must be installed.
  For more information about iLO licensing go to http://www.hp.com/go/ilo/licensing.
• Installing directory services for iLO requires extending the Active Directory schema. An Active Directory schema administrator must extend the schema.
• Directory services for iLO uses LDAP over SSL to communicate with the directory servers. Before you install snap-ins and schema for Active Directory, read and have available the following documentation:
   ◦ Microsoft Knowledge Base Articles
     These articles are available at http://support.microsoft.com/.
     – 321051 Enabling LDAP over SSL with a Third-Party Certificate Authority
     – 299687 MS01-036: Function Exposed By Using LDAP over SSL Could Enable Passwords to Be Changed
   ◦ iLO requires a secure connection to communicate with the directory service. This connection requires the installation of the Microsoft CA. For more information, see the Microsoft Knowledge Base Article 321051: How to Enable LDAP over SSL with a Third-Party Certification Authority.

Installing Active Directory
For the schema-free configuration
1. Disable IPv6, and then install Active Directory, DNS, and the root CA to Windows Server 2008.
2. Log in to iLO and enter the directory settings and directory user contexts on the Administration→Security→Directory page.
   For more information, see “Configuring directory settings” (page 51).
3. Click Apply Settings to save the changes.
4. Click the Administer Groups button, and then create directory groups for the iLO users.
   For more information, see “Managing iLO users by using the iLO web interface” (page 32).
5. Navigate to the iLO Dedicated Network Port or Shared Network Port General Settings page, and then enter the environment settings in the Domain Name and Primary DNS server boxes.
   For more information, see “Configuring IPv4 settings” (page 74).

For HP extended schema
1. Disable IPv6, and then install Active Directory, DNS, and the root CA to Windows Server 2008.
2. Verify that version 2.0 or later of the .NET Framework is installed. This software is required by the iLO LDAP component.
3. Install the latest HP Directories Support for ProLiant Management Processors software from http://www.hp.com/support/ilo3.
4. Extend the schema by using the Schema Extender.
   For more information, see “Schema required software” (page 171).
5. Install the HP LDAP component snap-ins.
   For more information, see “Schema required software” (page 171).
6. Create the HP device and HP role.
7. Log in to iLO and enter the directory settings and directory user contexts on the Administration→Security→Directory page.
   For more information, see “Configuring directory settings” (page 51).
8. Navigate to the iLO Dedicated Network Port or Shared Network Port General Settings page, and then enter the environment settings in the Domain Name and Primary DNS server boxes.
   For more information, see “Configuring iLO network settings” (page 69).

NOTE: The LDAP component does not work with a Windows Server 2008 Core installation.

Snap-in installation and initialization for Active Directory
1. Run the snap-in installation application to install the snap-ins.
2. Configure the directory service to have the appropriate objects and relationships for iLO management.
   a. Use the management snap-ins from HP to create iLO, policy, admin, and user role objects.
   b. Use the management snap-ins from HP to build associations between the iLO object, the policy object, and the role object.
   c. Point the iLO object to the admin and user role objects. (Admin and user roles automatically point back to the iLO object.)
   For more information about iLO objects, see “Directory services objects” (page 177).
At a minimum, you must create the following:
• One role object that contains one or more users and one or more iLO objects
• One iLO object that corresponds to each iLO management processor that uses the directory

Creating and configuring directory objects for use with iLO in Active Directory
The following example describes how to set up roles and HP devices in an enterprise directory with the domain testdomain.local. This domain consists of two organizational units, Roles and iLOs.

TIP: For more information about using the Active Directory snap-ins, see “Active Directory snap-ins” (page 178).

Create an organizational unit that contains the iLO devices managed by the domain.
1. Use the HP-provided Active Directory Users and Computers snap-ins to create Lights-Out Management objects in the iLOs organizational unit for several iLO devices.
   a. Right-click the iLOs organizational unit in the testdomain.local domain, and then select New HP Object.
      The Create New HP Management Object dialog box opens.
   b. Select Device.
   c. Enter an appropriate name in the Name box.
      In this example, the DNS host name of the iLO device, rib-email-server, is used as the name of the Lights-Out Management object.
   d. Click OK.
2. Use the HP-provided Active Directory Users and Computers snap-ins to create HP role objects in the Roles organizational unit.
   a. Right-click the Roles organizational unit, and then select New HP Object.
      The Create New HP Management Object dialog box opens.
   b. Select Role.
   c. Enter an appropriate name in the Name box.
      In this example, the role contains users trusted for remote server administration and is called remoteAdmins.
   d. Click OK.
   e. Repeat the process, creating a role for remote server monitors called remoteMonitors.
3. Use the HP-provided Active Directory Users and Computers snap-ins to assign rights to the roles and associate the roles with users and devices.
   a. Right-click the remoteAdmins role in the Roles organizational unit in the testdomain.local domain, and then select Properties.
      The remoteAdmins Properties dialog box opens.
   b. Click the HP Devices tab, and then click Add.
      The Select Users dialog box opens.
   c. Enter the Lights-Out Management object created in step 2, rib-email-server in folder testdomain.local/iLOs.
   d. Click OK to close the dialog box, and then click Apply to save the list.
   e. Click the Members tab (Figure 90), and add users by using the Add button.
   f. Click OK to close the dialog box, and then click Apply to save the list.
      The devices and users are now associated.
   g. Click the Lights Out Management tab (Figure 94) to set the rights for the role.
      All users and groups within a role will have the rights assigned to the role on all of the iLO devices that the role manages. In this example, the users in the remoteAdmins role will receive full access to the iLO functionality.
   h. Select the check box next to each right, and then click Apply. Click OK to close the dialog box.
4. By using the procedure in step 3, edit the properties of the remoteMonitors role as follows:
   a. Add the rib-email-server device to the list on the HP Devices tab.
   b. Add users to the remoteMonitors role on the Members tab.
   c. Select the Login right on the Lights Out Management tab.
      With this right, members of the remoteMonitors role will be able to authenticate and view the server status.
5. To configure iLO and associate it with a Lights-Out Management object, use settings similar to the following on the Administration→Security→Directory page.
   LOM Object Distinguished Name = cn=rib-email-server,ou=ILOs,dc=testdomain,dc=local
   Directory User Context 1 = cn=Users,dc=testdomain,dc=local

Directory services objects
One of the keys to directory-based management is proper virtualization of the managed devices in the directory service. This virtualization allows the administrator to build relationships between the managed device and users or groups within the directory service. User management of iLO requires the following basic objects in the directory service:
• Lights-Out Management object
• Role object
• User objects
Each object represents a device, user, or relationship that is required for directory-based management.
After the snap-ins are installed, iLO objects and iLO roles can be created in the directory. By using the Active Directory Users and Computers tool, the user completes the following tasks:
• Creates iLO and role objects
• Adds users to the role objects
• Sets the rights and restrictions of the role objects

NOTE: After the snap-ins are installed, ConsoleOne and MMC must be restarted to show the new entries.

Active Directory snap-ins
The following sections discuss the additional management options available in Active Directory Users and Computers after the HP snap-ins have been installed.

HP Devices tab
The HP Devices tab (Figure 89) enables you to add the HP devices to be managed within a role. Clicking Add enables you to navigate to an HP device and add it to the list of member devices. Clicking Remove enables you to navigate to an HP device and remove it from the list of member devices.

Figure 89 HP Devices tab

Members tab
After user objects are created, the Members tab (Figure 90) enables you to manage the users within the role. Clicking Add enables you to navigate to the user you want to add. Highlighting an existing user and clicking Remove removes the user from the list of valid members.
Figure 90 Members tab

Role Restrictions tab
The Role Restrictions tab (Figure 91) enables you to set the following restrictions for the role:
• Time restrictions
• IP network address restrictions:
   ◦ IP/mask
   ◦ IP range
   ◦ DNS name

Figure 91 Role Restrictions tab

Time restrictions
You can manage the hours available for logon by members of the role by clicking Effective Hours on the Role Restrictions tab. In the Logon Hours dialog box (Figure 92), you can select the times available for logon for each day of the week, in half-hour increments. You can change a single square by clicking it, or you can change a section of squares by clicking and holding the mouse button, dragging the cursor across the squares to be changed, and releasing the mouse button. The default setting is to allow access at all times.

Figure 92 Logon Hours dialog box

Enforced client IP address or DNS name access
Access can be granted or denied to an IP address, IP address range, or DNS name.
1. From the By Default list, select whether to Grant or Deny access from all addresses except the specified IP addresses, IP address ranges, and DNS names.
2. Select the type of restriction, and then click Add.
   • DNS Name—Allows you to restrict access based on a single DNS name or a subdomain, entered in the form of host.company.com or *.domain.company.com.
   • IP/MASK—Allows you to enter an IP address or network mask.
   • IP Range—Allows you to enter an IP address range.
3. In the New IP/Mask Restriction window (Figure 93), enter the required information, and then click OK.
4. Click OK to save the changes and close the Properties dialog box.
To remove any of the entries, highlight the entry in the display list and click Remove.
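
A small model of the role restrictions described above, added here as an example; it is not HP's code and not part of the original guide. It treats the listed entries as exceptions to the By Default choice and logon hours as 48 half-hour slots per day, which makes it usable for checking a planned restriction list before entering it in the snap-in. The role values, the function names, and the rule that both the address and the time check must pass are assumptions.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample role, loosely modelled on remoteMonitors (all values are assumptions).
ROLE = {
    "by_default": "deny",  # deny every client except the entries listed below
    "entries": [
        ("ip_mask", "10.20.0.0/255.255.255.0"),
        ("ip_range", ("192.168.5.10", "192.168.5.20")),
        ("dns", "*.mgmt.testdomain.local"),
    ],
    # Logon hours: weekday (0 = Monday) -> allowed half-hour slots 0..47.
    # Leaving "hours" out models the default of access at all times.
    "hours": {day: set(range(16, 36)) for day in range(5)},  # Mon-Fri 08:00-18:00
}

def entry_matches(kind, value, client_ip, client_dns):
    """True if one restriction entry covers the connecting client."""
    ip = ipaddress.ip_address(client_ip)
    if kind == "ip_mask":
        return ip in ipaddress.ip_network(value, strict=False)
    if kind == "ip_range":
        low, high = (ipaddress.ip_address(v) for v in value)
        return ip.version == low.version and low <= ip <= high
    if kind == "dns":
        return client_dns is not None and fnmatch(client_dns.lower(), value.lower())
    raise ValueError(f"unknown restriction type: {kind}")

def address_allowed(role, client_ip, client_dns=None):
    """Listed entries are the exceptions to the By Default choice."""
    listed = any(entry_matches(k, v, client_ip, client_dns) for k, v in role["entries"])
    return listed if role["by_default"] == "deny" else not listed

def time_allowed(role, weekday, hour, minute):
    """Map the clock time to its half-hour square and look it up."""
    hours = role.get("hours")
    if hours is None:
        return True
    slot = hour * 2 + (1 if minute >= 30 else 0)
    return slot in hours.get(weekday, set())

def logon_allowed(role, client_ip, client_dns, weekday, hour, minute):
    """Assumption: both the address and the time restriction must pass."""
    return address_allowed(role, client_ip, client_dns) and time_allowed(
        role, weekday, hour, minute)
```

Switching `by_default` to `"grant"` inverts the address result for the same entries, which is the quickest way to see what a Grant-by-default role would leave open.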