Role time restrictions, Role address restrictions, User restrictions – HP Integrated Lights-Out 2 User Manual

For step-by-step instructions on how to create network and time restrictions on a role, see

“Active

Directory role restrictions” (page 147)

or

“eDirectory Role Restrictions” (page 154)

.

Role time restrictions

Administrators can place time restrictions on LOM roles. Users are granted the rights specified for
the LOM devices listed in the role, only if they are members of the role and meet the time restrictions
for that role.

LOM devices use local host time to enforce time restrictions. If the LOM device clock is not set, the
role time restriction fails unless no time restrictions are specified on the role.

Role-based time restrictions can only be satisfied if the time is set on the LOM device. The time is
normally set when the host is booted, and it is maintained by running the agents in the host operating
system, which allows the LOM device to compensate for leap year and minimize clock drift with
respect to the host. Events, such as unexpected power loss or flashing LOM firmware, can cause
the LOM device clock to not be set. Also, the host time must be correct for the LOM device to
preserve time across firmware flashes.

Role address restrictions

Role address restrictions are enforced by the LOM firmware, based on the client's IP network
address. When the address restrictions are met for a role, the rights granted by the role apply.

Address restrictions can be difficult to manage if access is attempted across firewalls or through
network proxies. Either of these mechanisms can change the apparent network address of the
client, causing the address restrictions to be enforced in an unexpected manner.

User restrictions

You can restrict access using address or time restrictions.

User address restrictions

Administrators can place network address restrictions on a directory user account, and these
restrictions are enforced by the directory server. Refer to the directory service documentation for
details on the enforcement of address restrictions on LDAP clients, such as a user logging in to a
LOM device.

Network address restrictions placed on the user in the directory might not be enforced in the
expected manner if the directory user logs in through a proxy server. When a user logs in to a
LOM device as a directory user, the LOM device attempts authentication to the directory as that
user, which means that address restrictions placed on the user account apply when accessing the
LOM device. However, because the user is proxied at the LOM device, the network address of
the authentication attempt is that of the LOM device, not that of the client workstation.

IP address range restrictions

IP address range restrictions enable the administrator to specify network addresses that are granted
or denied access by the restriction. The address range is typically specified in a low-to-high range
format. An address range can be specified to grant or deny access to a single address. Addresses
that fall within the low to high IP address range meet the IP address restriction.

IP address and subnet mask restrictions

IP address and subnet mask restrictions enable the administrator to specify a range of addresses
that are granted or denied access by the restriction. This format has similar capabilities as an IP
address range but might be more native to your networking environment. An IP address and subnet
mask range is typically specified using a subnet address and address bit mask that identifies
addresses that are on the same logical network.

In binary math, if the bits of a client machine address, added with the bits of the subnet mask,
match the restriction subnet address, then the client machine meets the restriction.

Directory-enabled remote management

159