Schema-free setup options, Minimum login flexibility, Better login flexibility – HP Integrated Lights-Out 3 User Manual

Page 169: Maximum login flexibility, Schema-free nested groups


For more information, see “HP Directories Support for ProLiant Management Processors utility” (page 196).

Schema-free setup options

The schema-free setup options are the same, regardless of the method you use to configure the
directory.

To review the available methods, see “Schema-free setup using the iLO web interface” (page 168), “Schema-free setup using scripts” (page 168), and “Schema-free setup with HP Directories Support for ProLiant Management Processors” (page 168).

After you enable directories and select the schema-free option, you have the following options:

Minimum login flexibility

Enter the directory server DNS name or IP address and LDAP port. Typically, the LDAP port
for an SSL connection is 636.

Enter the DN for at least one group. This group can be a security group (for example,
CN=Administrators,CN=Builtin,DC=HP,DC=com) or any other group as long as the
intended iLO users are members of the group.

With a minimum configuration, you can log in to iLO by using your full DN and password.
You must be a member of a group that iLO recognizes.

Better login flexibility

In addition to the minimum settings, enter at least one directory user context.

At login time, the login name and user context are combined to make the user DN. For example,
if the user logs in as JOHN.SMITH, and a user context is set up as CN=USERS,DC=HP,DC=COM,
the DN that iLO tries is CN=JOHN.SMITH,CN=USERS,DC=HP,DC=COM.

Maximum login flexibility

Configure iLO with a DNS name, and not an IP address, for the directory server network address.
The DNS name must be resolvable to an IP address from both iLO and the client system.

Configuring iLO with maximum login flexibility enables you to log in using your full DN and
password, your name as it appears in the directory, NetBIOS format (domain/login_name), or
email format (login_name@domain).

In some cases, the maximum login flexibility option might not work. For example, if the client and
iLO are in different DNS domains, one of the two might not be able to resolve the directory server
name to an IP address.

Schema-free nested groups

Many organizations have users and administrators arranged in groups. This arrangement of existing
groups is convenient because you can associate them with one or more iLO management role
objects. When iLO devices are associated with the role objects, you can use the administrator
controls to access the devices associated with the role by adding or deleting members from the
groups.

When using Microsoft Active Directory, you can place one group in another group to create a
nested group. Role objects are considered groups and can include other groups directly. You can
add the existing nested group directly to the role and assign the appropriate rights and restrictions.
You can add new users to either the existing group or the role.

In previous implementations, only a schema-free user who was a direct member of the primary
group was allowed to log in to iLO. In schema-free integration, users who are indirect members
(a member of a group that is a nested group of the primary group) are allowed to log in to iLO.
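Because indirect members can log in, an access review of the iLO group has to follow nested groups rather than read only its direct member list. The following is an added example, not code from the manual or from iLO: it builds the user DN from a login name and user context as described under "Better login flexibility" and then resolves direct and nested membership over a constructed in-memory directory. The group names (iLOAdmins, DatacenterOps, Contractors), the users other than JOHN.SMITH, and all function names are hypothetical, and DN handling is simplified (no escaped commas).

```python
# Added example: constructed directory data, not taken from a real domain.
# Each key is a group DN; the value is the list of DNs in its member attribute.
DIRECTORY = {
    "CN=iLOAdmins,CN=Users,DC=HP,DC=COM": [
        "CN=JANE.DOE,CN=USERS,DC=HP,DC=COM",
        "CN=DatacenterOps,CN=Users,DC=HP,DC=COM",
    ],
    "CN=DatacenterOps,CN=Users,DC=HP,DC=COM": [
        "CN=JOHN.SMITH,CN=USERS,DC=HP,DC=COM",
        "CN=Contractors,CN=Users,DC=HP,DC=COM",
    ],
    "CN=Contractors,CN=Users,DC=HP,DC=COM": [
        "CN=TEMP.USER,CN=USERS,DC=HP,DC=COM",
        "CN=DatacenterOps,CN=Users,DC=HP,DC=COM",  # circular nesting
    ],
}

def norm(dn):
    """Simplified DN normalization: case-fold and trim each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def candidate_dn(login_name, user_context):
    """Combine login name and user context into the DN that is tried."""
    return f"CN={login_name},{user_context}"

def effective_members(group_dn, directory):
    """Map each direct or nested user DN to the group path that grants it."""
    groups = {norm(g): [norm(m) for m in ms] for g, ms in directory.items()}
    start = norm(group_dn)
    found, seen, stack = {}, set(), [(start, [start])]
    while stack:
        dn, path = stack.pop()
        if dn in seen:          # already expanded: stops circular nesting
            continue
        seen.add(dn)
        for member in groups.get(dn, []):
            if member in groups:                 # member is itself a group
                stack.append((member, path + [member]))
            else:                                # member is a user
                found.setdefault(member, path)
    return found

def login_path(login_name, user_context, group_dn, directory=DIRECTORY):
    """Group path that admits this login, or None if not a member."""
    user = norm(candidate_dn(login_name, user_context))
    return effective_members(group_dn, directory).get(user)
```

A path of length 1 is a direct member; longer paths are the indirect members that a direct-only check would have missed, so every group on the path needs the same change control as the primary group.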
