HP Integrated Lights-Out 3 User Manual

Page 53


extended with the HP Extended Schema. User accounts and group memberships are
used to authenticate and authorize users. After you enter and save the directory
network information, click Administer Groups, and then enter one or more valid
directory DNs and privileges to grant users access to iLO.

Kerberos Authentication—Enables Kerberos login. If Kerberos login is enabled and
configured correctly, the HP Zero Sign In button appears on the login page.

Local User Accounts—Enables or disables local user account access.

Enabled—A user can log in by using locally stored user credentials. HP recommends
enabling this option and configuring a user account with administrator privileges.
This account can be used if iLO cannot communicate with the directory server.

Disabled—User access is limited to valid directory credentials.

Access through local user accounts is enabled when directory support is disabled or an
iLO license is revoked. You cannot disable local user access when you are logged in
through a local user account.

Kerberos Realm—The name of the Kerberos realm in which the iLO processor is operating.
This string can be up to 128 characters. A realm name is usually the DNS name converted
to uppercase. Realm names are case sensitive.

Kerberos KDC Server Address—The IP address or DNS name of the KDC server. This
string can be up to 128 characters. Each realm must have at least one KDC that contains
an authentication server and a ticket grant server. These servers can be combined.

Kerberos KDC Server Port—The TCP or UDP port number on which the KDC is listening.
The default KDC port is 88.

Kerberos Keytab—A binary file that contains pairs of service principal names and
encrypted passwords. In the Windows environment, the keytab file is generated by the
ktpass utility. Click Browse (Internet Explorer or Firefox) or Choose File (Chrome), and
then follow the onscreen instructions to select a file.

IMPORTANT: The components of the service principal name stored in the Kerberos
keytab file are case sensitive. The primary (service type) must be in uppercase letters, for
example, (HTTP). The instance (iLO host name) must be in lowercase letters, for example,
iloexample.example.net. The realm name must be in uppercase, for example, EXAMPLE.NET.
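The case rules in the note above can be checked against a keytab file before it is uploaded to iLO. The following is an added example, not part of the HP manual: it assumes the keytab uses the MIT layout version 0x0502, and the function names and the sample bytes (with a dummy all-zero key) are constructed for illustration.

```python
import struct

def _counted(buf, off):
    """Read a big-endian uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """Return (components, realm) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size > 0:  # a negative size marks a deleted entry (hole) to skip
            (ncomp,) = struct.unpack_from(">H", data, off)
            realm, p = _counted(data, off + 2)
            comps = []
            for _ in range(ncomp):
                c, p = _counted(data, p)
                comps.append(c.decode())
            out.append((comps, realm.decode()))
        off += abs(size)
    return out

def spn_case_problems(comps, realm):
    """Apply the case rules from the IMPORTANT note to one principal."""
    if len(comps) != 2:
        return ["expected primary/instance, got %r" % "/".join(comps)]
    primary, instance = comps
    problems = []
    if primary != primary.upper():
        problems.append("primary %r is not uppercase" % primary)
    if instance != instance.lower():
        problems.append("instance %r is not lowercase" % instance)
    if realm != realm.upper():
        problems.append("realm %r is not uppercase" % realm)
    return problems

def build_entry(primary, instance, realm):
    """Constructed sample entry with a dummy 16-byte key (not a real keytab)."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", 2) + s(realm.encode()) + s(primary.encode()) + s(instance.encode())
    body += struct.pack(">IIBH", 1, 0, 1, 23) + s(b"\x00" * 16)  # name type, time, kvno, enctype
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02" + build_entry("HTTP", "iloexample.example.net", "EXAMPLE.NET")
          + build_entry("http", "ILOEXAMPLE.example.net", "example.net"))
```

Calling `spn_case_problems(*entry)` for each entry returned by `keytab_principals` yields an empty list for a principal that follows the rules and one message per violated rule otherwise.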

3. Enter the directory server settings.

iLO directory server settings enable you to identify the directory server address and LDAP port.

Directory Server Address—Specifies the network DNS name or IP address of the directory
server. The directory server address can be up to 127 characters.

IMPORTANT: HP recommends using DNS round-robin when you are defining the
directory server.

Directory Server LDAP Port—Specifies the port number for the secure LDAP service on the
server. The default value is 636. You can specify a different value if your directory service
is configured to use a different port.

Configuring iLO security
