Setting up HP schema directory integration, Setting up directory services – HP Integrated Lights-Out User Manual

Page 142


Management role objects. When the devices are associated with the role objects, you can use the administrator controls to access the Lights-Out devices associated with the role by adding or deleting members from the groups.
When using Microsoft® Active Directory, you can place one group within another group, creating a nested group. Role objects are considered groups and can include other groups directly. You can add the existing nested group directly to the role and assign the appropriate rights and restrictions. New users can be added to either the existing group or the role.
In previous implementations, only a schema-less user who was a direct member of the primary group was allowed to log in to iLO 2. Using schema-free integration, users who are indirect members (a member of a group which is a nested group of the primary group) are allowed to log in to iLO 2.
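
To see which accounts the nested-group behaviour described above admits, the following added example (not from the HP manual) walks a constructed group-membership snapshot and reports users who reach the primary group only through nesting, tolerating circular nesting. The group names, user names and the `MEMBERS` table are assumptions made for illustration.

```python
# Added example: audit effective (direct + nested) membership of a primary group.
# The snapshot below is constructed; in practice it would come from a directory export.
from collections import deque

# group -> direct members. Any member that is itself a key is a nested group.
MEMBERS = {
    "ilo-admins-grp": ["alice", "server-ops-grp"],
    "server-ops-grp": ["bob", "contractors-grp"],
    "contractors-grp": ["carol", "server-ops-grp"],  # circular nesting
    "helpdesk-grp": ["dave"],                        # unrelated group
}

def direct_users(group, members=MEMBERS):
    """Users who are direct members of `group` (the only ones admitted
    by the earlier behaviour the manual describes)."""
    return {m for m in members.get(group, []) if m not in members}

def effective_users(group, members=MEMBERS):
    """Map every user who reaches `group` directly or through nested groups
    to the shortest chain of groups that grants the membership."""
    paths = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in members.get(current, []):
            if member in members:          # nested group
                if member not in seen:     # guard against circular nesting
                    seen.add(member)
                    queue.append((member, chain + [member]))
            else:                          # user account
                paths.setdefault(member, chain)
    return paths

def indirect_only(group, members=MEMBERS):
    """Users who can log in only because nested groups are honoured."""
    return set(effective_users(group, members)) - direct_users(group, members)

if __name__ == "__main__":
    for user, chain in sorted(effective_users("ilo-admins-grp").items()):
        print(f"{user}: {' -> '.join(chain)}")
    print("indirect only:", sorted(indirect_only("ilo-admins-grp")))
```

Reviewing the `indirect_only` set before enabling nested membership shows which accounts gain iLO 2 login as a side effect of existing group nesting.
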
Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is considered a member of that role. When adding an existing group, organizational unit or organization to a role, add the object as a read trustee of the role. All the members of the object are considered members of the role. New users can be added to either the existing object or the role.
When using trustee or directory rights assignments to extend role membership, users must be able to read the LOM object representing the LOM device. Some environments require the same trustees of a role to also be read trustees of the LOM object to successfully authenticate users.

Setting up HP schema directory integration

When using the HP schema directory integration, iLO 2 supports both Active Directory and eDirectory. However, these directory services require the schema to be extended.

Features supported by HP schema directory integration

iLO 2 Directory Services functionality enables you to:

• Authenticate users from a shared, consolidated, scalable user database.
• Control user privileges (authorization) using the directory service.
• Use roles in the directory service for group-level administration of iLO 2 management processors and iLO 2 users.

Extending the schema must be completed by a Schema Administrator. The local user database is retained. You can decide not to use directories, to use a combination of directories and local accounts, or to use directories exclusively for authentication.

NOTE: When connected through the Diagnostics Port, the directory server is not available. You can log in using a local account only.

Setting up directory services

To successfully enable directory-enabled management on any Lights-Out management processor:

1. Plan
   Review the following sections:
   o "Directory services (on page 135)"
   o "Directory services schema (on page 214)"
