Schema-free nested groups – HP Integrated Lights-Out 2 User Manual

Better Login Flexibility

•

In addition to the minimum settings, enter at least one directory user context.

At login time, the login name and user context are combined to make the user's distinguished
name. For instance, if the user logs in as JOHN.SMITH and a user context is set up as
CN=USERS,DC=HP,DC=COM

, then the distinguished name that iLO 2 tries is

CN=JOHN.SMITH,CN=USERS,DC=HP,DC=COM

.

Maximum Login Flexibility

•

Configure iLO 2 as described.

•

Configure iLO 2 with a DNS name, not an IP address for the directory server's network address.
The DNS name must be resolvable to an IP address from both iLO 2 and the client system.

•

Enable ActiveX controls in your browser. The iLO 2 login script will attempt to call a Windows
control to convert the login name to a distinguished name.

Configuring iLO 2 with maximum login flexibility enables you to login using your full
distinguished name and password, your name as it appears in the directory, NetBIOS format
(domain/login_name), or the e-mail format (login_name@domain).

NOTE:

Your system security settings or installed software might prevent the login script from

calling the Windows ActiveX control. If this happens, your browser displays a warning message
in the status bar, message box, or might stop responding. To help identify what software or
setting is causing the issue, create another profile and log in to the system.

In some cases, it might not be possible to get the maximum login flexibility option to work. For
instance, if the client and iLO 2 are in different DNS domains, one of the two might not be able
to resolve the directory server name to an IP address.

Schema-free nested groups

Many organizations have users and administrators arranged into groups. Having this arrangement
of existing groups is convenient because you can associate them with one or more Integrated
Lights-Out Management role objects. When the devices are associated with the role objects, you
can use the administrator controls to access the Lights-Out devices associated with the role by
adding or deleting members from the groups.

When using Microsoft Active Directory, you can place one group within another group, creating
a nested group. Role objects are considered groups and can include other groups directly. You
can add the existing nested group directly to the role and assign the appropriate rights and
restrictions. New users can be added to either the existing group or the role.

In previous implementations, only a schema-less user who was a direct member of the primary
group was allowed to log in to iLO 2. Using schema-free integration, users who are indirect
members (a member of a group which is a nested group of the primary group) are allowed to log
in to iLO 2.

Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is
considered a member of that role. When adding an existing group, organizational unit or
organization to a role, add the object as a read trustee of the role. All the members of the object
are considered members of the role. New users can be added to either the existing object or the
role.

When using trustee or directory rights assignments to extend role membership, users must be able
to read the LOM object representing the LOM device. Some environments require the same trustees
of a role to also be read trustees of the LOM object to successfully authenticate users.

Setting up Schema-free directory integration

135