HP iLO 4 User Guide
At a minimum, you must create the following:
• One role object that contains one or more users and one or more iLO objects
• One iLO object that corresponds to each iLO management processor that uses the directory

Creating and configuring directory objects for use with iLO in Active Directory

The following example describes how to set up roles and HP devices in an enterprise directory with the domain testdomain.local. This domain consists of two organizational units, Roles and iLOs.

TIP: For more information about using the Active Directory snap-ins, see "Active Directory snap-ins" (page 282).

Create an organizational unit that contains the iLO devices managed by the domain.

1. Use the HP-provided Active Directory Users and Computers snap-ins to create Lights-Out Management objects in the iLOs organizational unit for several iLO devices.
   a. Right-click the iLOs organizational unit in the testdomain.local domain, and then select New HP Object.
      The Create New HP Management Object dialog box opens.
   b. Select Device.
   c. Enter an appropriate name in the Name box.
      In this example, the DNS host name of the iLO device, rib-email-server, is used as the name of the Lights-Out Management object.
   d. Click OK.
2. Use the HP-provided Active Directory Users and Computers snap-ins to create HP role objects in the Roles organizational unit.
   a. Right-click the Roles organizational unit, and then select New HP Object.
      The Create New HP Management Object dialog box opens.
   b. Select Role.
   c. Enter an appropriate name in the Name box.
      In this example, the role contains users trusted for remote server administration and is called remoteAdmins.
   d. Click OK.
   e. Repeat the process, creating a role for remote server monitors called remoteMonitors.
3. Use the HP-provided Active Directory Users and Computers snap-ins to assign rights to the roles and associate the roles with users and devices.
   a. Right-click the remoteAdmins role in the Roles organizational unit in the testdomain.local domain, and then select Properties.
      The remoteAdmins Properties dialog box opens.
   b. Click the HP Devices tab, and then click Add.
      The Select Users dialog box opens.
   c. Enter the Lights-Out Management object created in step 2, rib-email-server in folder testdomain.local/iLOs.
   d. Click OK to close the dialog box, and then click Apply to save the list.
   e. Click the Members tab, and add users by using the Add button.
   f. Click OK to close the dialog box, and then click Apply to save the list.
      The devices and users are now associated.

Setting up HP extended schema directory integration 281
   g. Click the Lights Out Management tab to set the rights for the role.
      All users and groups within a role will have the rights assigned to the role on all of the iLO devices that the role manages. In this example, the users in the remoteAdmins role will receive full access to the iLO functionality.
   h. Select the check box next to each right, and then click Apply. Click OK to close the dialog box.
4. By using the procedure in step 3, edit the properties of the remoteMonitors role as follows:
   a. Add the rib-email-server device to the list on the HP Devices tab.
   b. Add users to the remoteMonitors role on the Members tab.
   c. Select the Login right on the Lights Out Management tab.
      With this right, members of the remoteMonitors role will be able to authenticate and view the server status.
5. To configure iLO and associate it with a Lights-Out Management object, use settings similar to the following on the Administration→Security→Directory page.
   LOM Object Distinguished Name = cn=rib-email-server,ou=ILOs,dc=testdomain,dc=local
   Directory User Context 1 = cn=Users,dc=testdomain,dc=local

Directory services objects

One of the keys to directory-based management is proper virtualization of the managed devices in the directory service. This virtualization allows the administrator to build relationships between the managed device and users or groups within the directory service. User management of iLO requires the following basic objects in the directory service:
• Lights-Out Management object
• Role object
• User objects

Each object represents a device, user, or relationship that is required for directory-based management.

After the snap-ins are installed, iLO objects and iLO roles can be created in the directory. By using the Active Directory Users and Computers tool, the user completes the following tasks:
• Creates iLO and role objects
• Adds users to the role objects
• Sets the rights and restrictions of the role objects

NOTE: After the snap-ins are installed, ConsoleOne and MMC must be restarted to show the new entries.

Active Directory snap-ins

The following sections discuss the additional management options available in Active Directory Users and Computers after the HP snap-ins have been installed.
HP Devices tab

The HP Devices tab enables you to add the HP devices to be managed within a role. Clicking Add enables you to navigate to an HP device and add it to the list of member devices. Clicking Remove enables you to navigate to an HP device and remove it from the list of member devices.
Members tab

After user objects are created, the Members tab enables you to manage the users within the role. Clicking Add enables you to navigate to the user you want to add. Highlighting an existing user and clicking Remove removes the user from the list of valid members.

Role Restrictions tab

The Role Restrictions tab enables you to set restrictions for a role.
The following restrictions can be configured:
• Time restrictions
• IP network address restrictions:
  ◦ IP/mask
  ◦ IP range
  ◦ DNS name

Time restrictions

You can manage the hours available for logon by members of the role by clicking Effective Hours on the Role Restrictions tab.

In the Logon Hours dialog box, you can select the times available for logon for each day of the week, in half-hour increments. You can change a single square by clicking it, or you can change a section of squares by clicking and holding the mouse button, dragging the cursor across the squares to be changed, and releasing the mouse button. The default setting is to allow access at all times.

Enforced client IP address or DNS name access

Access can be granted or denied to an IP address, IP address range, or DNS name.
1. From the By Default list, select whether to Grant or Deny access from all addresses except the specified IP addresses, IP address ranges, and DNS names.
2. Select the type of restriction, and then click Add.
   • DNS Name—Allows you to restrict access based on a single DNS name or a subdomain, entered in the form of host.company.com or *.domain.company.com.
   • IP/MASK—Allows you to enter an IP address or network mask.
   • IP Range—Allows you to enter an IP address range.
3. In the New IP/Mask Restriction window, enter the required information, and then click OK.
4. Click OK to save the changes and close the Properties dialog box.

To remove any of the entries, highlight the entry in the display list and click Remove.

Lights Out Management tab

After you create a role, you can select rights for the role. You can make users and group objects members of the role, giving the users or group of users the rights granted by the role. Rights are managed on the Lights Out Management tab.
User rights to any iLO are calculated as the sum of all rights assigned by all roles in which the user is a member, and in which the iLO is a managed device. Using the example in "Creating and configuring directory objects for use with iLO in Active Directory" (page 281), if a user is in both the remoteAdmins and remoteMonitors roles, they will have all available rights, because the remoteAdmins role has all rights.

The available rights are as follows:
• Login—Controls whether users can log in to the associated devices.
• Remote Console—Enables the user to access the Remote Console.
• Virtual Media—Enables the user to access the iLO Virtual Media functionality.
• Server Reset and Power—Enables the user to access the iLO Virtual Power button to remotely reset the server or power it down.
• Administer Local User Accounts—Enables the user to administer accounts. Users can modify their account settings, modify other user account settings, add users, and delete users.
• Administer Local Device Settings—Enables the user to configure the iLO management processor settings.

User login using directory services

The Login Name box on the iLO login page accepts directory users and local users.

The maximum length of the login name is 39 characters for local users and 256 characters for directory users.

• Directory users—The following formats are supported:
  ◦ LDAP fully distinguished names
    Example: CN=John Smith,CN=Users,DC=HP,DC=COM, [email protected]
    The short form of the login name does not notify the directory which domain you are trying to access. You must provide the domain name or use the LDAP DN of your account.
  ◦ DOMAIN\user name form
    Example: HP\jsmith
  ◦ username@domain form
    Example: [email protected]
    Directory users specified using the @ searchable form might be located in one of three searchable contexts, which are configured on the Security→Directory page.
  ◦ Username format
    Example: John Smith
    Directory users specified using the username format might be located in one of three searchable contexts, which are configured on the Security→Directory page.
• Local users—Enter the Login Name of your iLO local user account.

Directory-enabled remote management

This section is for administrators who are familiar with directory services and the iLO product and want to use the HP schema directory integration option for iLO. You must be familiar with directory services.

Directory-enabled remote management enables you to do the following:
• Create Lights-Out Management objects
  You must create one LOM device object to represent each device that will use the directory service to authenticate and authorize users. For information about creating LOM device objects, see "Directory services" (page 265). In general, you can use the snap-ins that HP has provided to create objects. It is useful to give the LOM device objects meaningful names, such as the device network address, DNS name, host server name, or serial number.
• Configure Lights-Out management devices
  Every LOM device that uses the directory service to authenticate and authorize users must be configured with the appropriate directory settings. For information on the specific directory settings, see "Configuring authentication and directory server settings" (page 73). In general, you can configure each device with the appropriate directory server address, LOM object DN, and any user contexts. The server address is the IP address or DNS name of a local directory server or, for more redundancy, a multihost DNS name.

Creating roles to follow organizational structure

Often, administrators in an organization are placed in a hierarchy in which subordinate administrators must assign rights independently of ranking administrators. In this case, it is useful to have one role that represents the rights assigned by higher-level administrators, and to allow subordinate administrators to create and manage their own roles.
Using existing groups

Many organizations have users and administrators arranged in groups. In many cases, it is convenient to use the existing groups and associate them with one or more Lights-Out Management role objects. When the devices are associated with the role objects, the administrator controls access to the Lights-Out devices associated with the role by adding or deleting members from the groups.

When using Microsoft Active Directory, you can place one group within another (that is, use nested groups). Role objects are considered groups and can include other groups directly. Add the existing nested group directly to the role, and assign the appropriate rights and restrictions. You can add new users to either the existing group or the role.

When you are using trustee or directory rights assignments to extend role membership, users must be able to read the LOM object that represents the LOM device. Some environments require that the trustees of a role also be read trustees of the object to successfully authenticate users.
Using multiple roles

Most deployments do not require that the same user be in multiple roles managing the same device. However, these configurations are useful for building complex rights relationships. When users build multiple-role relationships, they receive all rights assigned by every applicable role. Roles can only grant rights, never revoke them. If one role grants a user a right, then the user has the right, even if the user is in another role that does not grant that right.

Typically, a directory administrator creates a base role with the minimum number of rights assigned, and then creates additional roles to add more rights. These additional rights are added under specific circumstances or to a specific subset of the base role users.

For example, an organization can have two types of users: administrators of the LOM device or host server, and users of the LOM device. In this situation, it makes sense to create two roles, one for the administrators and one for the users. Both roles include some of the same devices but grant different rights. Sometimes, it is useful to assign generic rights to the lesser role and include the LOM administrators in that role, as well as the administrative role.

An Admin user gains the login right from the regular user role. Advanced rights are assigned through the Admin role, which assigns the advanced rights Server Reset and Remote Console (Figure 7).

Figure 7 Admin user

The Admin role assigns all Admin rights: Server Reset, Remote Console, and Login (Figure 8).

Figure 8 Admin role

How directory login restrictions are enforced

Two sets of restrictions can limit a directory user's access to LOM devices (Figure 9).
• User access restrictions limit a user's access to authenticate to the directory.
• Role access restrictions limit an authenticated user's ability to receive LOM privileges based on rights specified in one or more roles.
Figure 9 Directory login restrictions

Restricting roles

Restrictions allow administrators to limit the scope of a role. A role grants rights only to users who satisfy the role restrictions. Using restricted roles results in users who have dynamic rights that can change based on the time of day or network address of the client.

NOTE: When directories are enabled, access to a particular iLO is based on whether the user has read access to a role object that contains the corresponding iLO object. This includes, but is not limited to, the members listed in the role object. If the role is configured to allow inheritable permissions to propagate from a parent, members of the parent that have read access privileges will also have access to iLO. To view the access control list, navigate to Active Directory Users and Computers, open the Properties page for the role object, and then click the Security tab. The Advanced View must be enabled in MMC in order to view the Security tab.

For instructions on how to create network and time restrictions for a role, see "Role Restrictions tab" (page 283).

Role time restrictions

Administrators can place time restrictions on LOM roles. Users are granted the rights specified for the LOM devices listed in the role only if they are members of the role and meet the time restrictions for the role. LOM devices use local host time to enforce time restrictions. If the LOM device clock is not set, the role time restriction fails unless no time restrictions are specified for the role.

Role-based time restrictions can be met only if the time is set on the LOM device. The time is normally set when the host is booted. The time setting can be maintained by configuring SNTP, which allows the LOM device to compensate for leap years and minimize clock drift with respect to the host. Events, such as unexpected power loss or flashing LOM firmware, can cause the LOM device clock to not be set. Also, the host time must be correct for the LOM device to preserve time across firmware flashes.

Role address restrictions

Role address restrictions are enforced by the LOM firmware, based on the client IP network address. When the address restrictions are met for a role, the rights granted by the role apply.
Address restrictions can be difficult to manage if access is attempted across firewalls or through network proxies. Either of these mechanisms can change the apparent network address of the client, causing the address restrictions to be enforced in an unexpected manner.

Figure 9 (diagram labels): client workstation, LOM, and directory server. User restrictions must be met to authenticate to the directory; enforced by the directory server. Role restrictions must be met to receive rights granted by one or more roles; enforced by LOM.
User restrictions

You can restrict access using address or time restrictions.

User address restrictions

Administrators can place network address restrictions on a directory user account, which are enforced by the directory server. For information about the enforcement of address restrictions on LDAP clients, such as a user logging in to a LOM device, see the documentation for the directory service.

Network address restrictions placed on the user in the directory might not be enforced in the expected manner if the directory user logs in through a proxy server. When a user logs in to a LOM device as a directory user, the LOM device attempts authentication to the directory as that user, which means that address restrictions placed on the user account apply when the user is accessing the LOM device. However, because the user is proxied at the LOM device, the network address of the authentication attempt is that of the LOM device, not that of the client workstation.

IP address range restrictions

IP address range restrictions enable the administrator to specify network addresses that are granted or denied access. The address range is typically specified in a low-to-high range format. An address range can be specified to grant or deny access to a single address. Addresses that fall within the low-to-high IP address range meet the IP address restriction.

IP address and subnet mask restrictions

IP address and subnet mask restrictions enable the administrator to specify a range of addresses that are granted or denied access. This format has similar capabilities to an IP address range, but might be more native to your networking environment. An IP address and subnet mask range is typically specified through a subnet address and address bit mask that identifies addresses on the same logical network.

In binary math, if the bits of a client machine address, combined with the bits of the subnet mask, match the subnet address in the restriction, the client machine meets the restriction.
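The restriction logic described under "Enforced client IP address or DNS name access" and the IP range and subnet mask math above, as an added Python example that is not part of the HP guide: it models the By Default Grant/Deny setting with listed exceptions, the three restriction kinds, and the rule that a user's rights on an iLO are the sum over every applicable role. The role members, device names, addresses and helper function names are constructed assumptions, not values from the guide.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of iLO role evaluation; helper names are hypothetical.
ALL_RIGHTS = {"Login", "Remote Console", "Virtual Media", "Server Reset and Power",
              "Administer Local User Accounts", "Administer Local Device Settings"}
_ip = lambda addr: int(ipaddress.IPv4Address(addr))   # dotted quad -> 32-bit int

def ip_mask_match(client_ip, subnet, mask):
    """IP/MASK: (client AND mask) must equal (subnet address AND mask)."""
    return (_ip(client_ip) & _ip(mask)) == (_ip(subnet) & _ip(mask))

def ip_range_match(client_ip, low, high):
    """IP Range: low-to-high inclusive; low == high restricts a single address."""
    return _ip(low) <= _ip(client_ip) <= _ip(high)

def dns_match(client_name, pattern):
    """DNS Name: exact host, or *.suffix for any host under it; no name, no match."""
    if client_name is None:
        return False
    name, pattern = client_name.lower().rstrip("."), pattern.lower().rstrip(".")
    return name.endswith(pattern[1:]) if pattern.startswith("*.") else name == pattern

@dataclass
class Role:
    rights: set
    devices: set
    members: set
    default_grant: bool = True                      # the "By Default" Grant/Deny setting
    exceptions: list = field(default_factory=list)  # (kind, *values) entries added via Add

    def restrictions_met(self, client_ip, client_name=None):
        # Listed entries are exceptions to the default: the first match flips it.
        for kind, *args in self.exceptions:
            hit = {"IP/MASK": lambda: ip_mask_match(client_ip, *args),
                   "IP Range": lambda: ip_range_match(client_ip, *args),
                   "DNS Name": lambda: dns_match(client_name, *args)}[kind]()
            if hit:
                return not self.default_grant
        return self.default_grant

def effective_rights(user, device, roles, client_ip, client_name=None):
    """Union of rights over roles holding the user and device whose restrictions are met."""
    granted = set()
    for role in roles:
        if user in role.members and device in role.devices and \
                role.restrictions_met(client_ip, client_name):
            granted |= role.rights
    return granted

ROLES = [  # constructed roles modelled on the guide's remoteAdmins / remoteMonitors example
    Role(ALL_RIGHTS, {"rib-email-server"}, {"jsmith"}, default_grant=False,  # Deny unless...
         exceptions=[("IP/MASK", "10.0.0.0", "255.255.255.0"),            # ...admin LAN or
                     ("DNS Name", "*.ops.testdomain.local")]),             # ...ops hosts
    Role({"Login"}, {"rib-email-server"}, {"jsmith", "monitor1"}),         # unrestricted
]
```

Because roles never revoke rights, the same user logging in from outside the admin LAN still keeps the Login right from the unrestricted monitors role while losing everything the restricted admin role grants.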
DNS-based restrictions

DNS-based restrictions use the network name service to examine the logical name of the client machine by looking up machine names assigned to the client IP addresses. DNS restrictions require a functional name server. If the name service goes down or cannot be reached, DNS restrictions cannot be matched and the client machine fails to meet the restriction.

DNS-based restrictions can limit access to a specific machine name or to machines that share a common domain suffix. For example, the DNS restriction www.example.com matches hosts that are assigned the domain name www.example.com. However, the DNS restriction *.example.com matches any machine that originates from the example company.

DNS restrictions can cause ambiguity because a host can be multi-homed. DNS restrictions do not necessarily match one to one with a single system.

Using DNS-based restrictions can create security complications. Name service protocols are not secure. Any individual who has malicious intent and access to the network can place a rogue DNS service on the network and create a fake address restriction criterion. When implementing DNS-based address restrictions, be sure to take organizational security policies into consideration.

User time restrictions

Administrators can place a time restriction on directory user accounts (Figure 10). Time restrictions limit the ability of the user to log in (authenticate) to the directory. Typically, time restrictions are enforced using the time at the directory server. If the directory server is located in a different time zone, or if a replica in a different time zone is accessed, time-zone information from the managed object can be used to adjust for relative time.