Role address restrictions, User restrictions, User address restrictions – HP Integrated Lights-Out User Manual

Directory-enabled remote management 169

host. Events, such as unexpected power loss or flashing LOM firmware, can cause the LOM device clock

to not be set. Also, the host time must be correct for the LOM device to preserve time across firmware
flashes.

Role address restrictions

Role address restrictions are enforced by the LOM firmware, based on the client's IP network address.

When the address restrictions are met for a role, the rights granted by the role apply.
Address restrictions can be difficult to manage if access is attempted across firewalls or through network

proxies. Either of these mechanisms can change the apparent network address of the client, causing the
address restrictions to be enforced in an unexpected manner.

User restrictions

You can restrict access using address or time restrictions.

User address restrictions

Administrators can place network address restrictions on a directory user account, and these restrictions

are enforced by the directory server. Refer to the directory service documentation for details on the

enforcement of address restrictions on LDAP clients, such as a user logging in to a LOM device.
Network address restrictions placed on the user in the directory might not be enforced in the expected
manner if the directory user logs in through a proxy server. When a user logs in to a LOM device as a

directory user, the LOM device attempts authentication to the directory as that user, which means that

address restrictions placed on the user account apply when accessing the LOM device. However,

because the user is proxied at the LOM device, the network address of the authentication attempt is that

of the LOM device, not that of the client workstation.

IP address range restrictions

IP address range restrictions enable the administrator to specify network addresses that are granted or

denied access by the restriction. The address range is typically specified in a low-to-high range format. An

address range can be specified to grant or deny access to a single address. Addresses that fall within the

low to high IP address range meet the IP address restriction.

IP address and subnet mask restrictions

IP address and subnet mask restrictions enable the administrator to specify a range of addresses that are

granted or denied access by the restriction. This format has similar capabilities as an IP address range but

might be more native to your networking environment. An IP address and subnet mask range is typically

specified using a subnet address and address bit mask that identifies addresses that are on the same
logical network.
In binary math, if the bits of a client machine address, added with the bits of the subnet mask, match the

restriction subnet address, then the client machine meets the restriction.

DNS-based restrictions

DNS-based restrictions use the network naming service to examine the logical name of the client machine
by looking up machine names assigned to the client IP addresses. DNS restrictions require a functional