HP Ilo 4 User Guide
Here you can view all the pages of manual HP Ilo 4 User Guide. The HP manuals for Server are available online for free. You can easily download all the documents as PDF.
Page 281
Ataminimum,youmustcreatethefollowing: •OneroleobjectthatcontainsoneormoreusersandoneormoreiLOobjects •OneiLOobjectthatcorrespondstoeachiLOmanagementprocessorthatusesthedirectory CreatingandconfiguringdirectoryobjectsforusewithiLOinActiveDirectory ThefollowingexampledescribeshowtosetuprolesandHPdevicesinanenterprisedirectory withthedomaintestdomain.local.Thisdomainconsistsoftwoorganizationalunits,Roles andiLOs. TIP:FormoreinformationaboutusingtheActiveDirectorysnap-ins,see“ActiveDirectorysnap-ins”...
Page 282
g.ClicktheLightsOutManagementtabtosettherightsfortherole. Allusersandgroupswithinarolewillhavetherightsassignedtotheroleonallofthe iLOdevicesthattherolemanages.Inthisexample,theusersintheremoteAdminsrole willreceivefullaccesstotheiLOfunctionality. h.Selectthecheckboxnexttoeachright,andthenclickApply.ClickOKtoclosethedialog box. 4.Byusingtheprocedureinstep3,editthepropertiesoftheremoteMonitorsroleasfollows: a.Addtherib-email-serverdevicetothelistontheHPDevicestab....
Page 283
Memberstab Afteruserobjectsarecreated,theMemberstabenablesyoutomanagetheuserswithintherole. ClickingAddenablesyoutonavigatetotheuseryouwanttoadd.Highlightinganexistinguser andclickingRemoveremovestheuserfromthelistofvalidmembers. RoleRestrictionstab TheRoleRestrictionstabenablesyoutosetrestrictionsforarole. SettingupHPextendedschemadirectoryintegration283
Page 284
Thefollowingrestrictionscanbeconfigured: •Timerestrictions •IPnetworkaddressrestrictions: IP/mask◦ ◦IPrange ◦DNSname Timerestrictions YoucanmanagethehoursavailableforlogonbymembersoftherolebyclickingEffectiveHours ontheRoleRestrictionstab. IntheLogonHoursdialogbox,youcanselectthetimesavailableforlogonforeachdayofthe week,inhalf-hourincrements.Youcanchangeasinglesquarebyclickingit,oryoucanchange asectionofsquaresbyclickingandholdingthemousebutton,draggingthecursoracrossthe 284Directoryservices
Page 285
squarestobechanged,andreleasingthemousebutton.Thedefaultsettingistoallowaccessat alltimes. EnforcedclientIPaddressorDNSnameaccess AccesscanbegrantedordeniedtoanIPaddress,IPaddressrange,orDNSname. 1.FromtheByDefaultlist,selectwhethertoGrantorDenyaccessfromalladdressesexceptthe specifiedIPaddresses,IPaddressranges,andDNSnames. 2.Selectthetypeofrestriction,andthenclickAdd. •DNSName—AllowsyoutorestrictaccessbasedonasingleDNSnameorasubdomain, enteredintheformofhost.company.comor*.domain.company.com....
Page 286
UserrightstoanyiLOarecalculatedasthesumofallrightsassignedbyallrolesinwhichtheuser isamember,andinwhichtheiLOisamanageddevice.Usingtheexamplein“Creatingand configuringdirectoryobjectsforusewithiLOinActiveDirectory”(page281),ifauserisinboth theremoteAdminsandremoteMonitorsroles,theywillhaveallavailablerights,becausethe remoteAdminsrolehasallrights. Theavailablerightsareasfollows: •Login—Controlswhetheruserscanlogintotheassociateddevices. •RemoteConsole—EnablestheusertoaccesstheRemoteConsole....
Page 287
Directoryusersspecifiedusingthe@searchableformmightbelocatedinoneofthree searchablecontexts,whichareconfiguredontheSecurity→Directorypage. ◦Usernameformat Example:JohnSmith Directoryusersspecifiedusingtheusernameformatmightbelocatedinoneofthree searchablecontexts,whichareconfiguredontheSecurity→Directorypage. •Localusers—EntertheLoginNameofyouriLOlocaluseraccount. Directory-enabledremotemanagement ThissectionisforadministratorswhoarefamiliarwithdirectoryservicesandtheiLOproductand...
Page 288
Usingmultipleroles Mostdeploymentsdonotrequirethatthesameuserbeinmultiplerolesmanagingthesamedevice. However,theseconfigurationsareusefulforbuildingcomplexrightsrelationships.Whenusers buildmultiple-rolerelationships,theyreceiveallrightsassignedbyeveryapplicablerole.Roles canonlygrantrights,neverrevokethem.Ifonerolegrantsauseraright,thentheuserhasthe right,eveniftheuserisinanotherrolethatdoesnotgrantthatright. Typically,adirectoryadministratorcreatesabaserolewiththeminimumnumberofrightsassigned,...
Page 289
Figure9Directoryloginrestrictions Restrictingroles Restrictionsallowadministratorstolimitthescopeofarole.Arolegrantsrightsonlytouserswho satisfytherolerestrictions.Usingrestrictedrolesresultsinuserswhohavedynamicrightsthatcan changebasedonthetimeofdayornetworkaddressoftheclient. NOTE:Whendirectoriesareenabled,accesstoaparticulariLOisbasedonwhethertheuser hasreadaccesstoaroleobjectthatcontainsthecorrespondingiLOobject.Thisincludes,butis...
Page 290
Userrestrictions Youcanrestrictaccessusingaddressortimerestrictions. Useraddressrestrictions Administratorscanplacenetworkaddressrestrictionsonadirectoryuseraccount,whichare enforcedbythedirectoryserver.Forinformationabouttheenforcementofaddressrestrictionson LDAPclients,suchasauserloggingintoaLOMdevice,seethedocumentationforthedirectory service. Networkaddressrestrictionsplacedontheuserinthedirectorymightnotbeenforcedinthe expectedmannerifthedirectoryuserlogsinthroughaproxyserver.Whenauserlogsintoa...