Directory groups – HP Onboard Administrator User Manual

Configuring the HP BladeSystem c7000 enclosure and enclosure devices 279
If a directory server SSL certificate has been loaded onto Onboard Administrator, this test verifies that the
certificate presented by the directory server matches the certificate currently stored on Onboard
Administrator. If no directory server SSL certificate has been loaded, this test does not run.
• A successful test reports that Onboard Administrator was able to validate the directory server certificate
against the certificates stored on Onboard Administrator for the specified directory server.
• A failed test reports that the directory server certificate stored on Onboard Administrator does not match
the certificate presented on the SSL connection.
User Authentication
This test attempts to log in to the directory with the user name and password provided. Authentication is
first attempted with the user name exactly as entered. If that fails, each configured search context is tried in
turn. If a search context begins with the character @, the login name is the user name entered with the
search context appended. Otherwise the login DN is constructed as follows: cn=<username>,<search context>.
The result of this test identifies the search context that successfully authenticated the user.
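The following is an added example, not HP's code, that re-implements the candidate-building rules stated above and runs them against a constructed in-memory stand-in for the directory server. The RFC 4514 escaping of the user name inside the cn= form is an assumption of this example (the manual does not say whether Onboard Administrator escapes it); it is included because an unescaped comma or equals sign in a user name would otherwise change the structure of the DN being bound.

```python
# Added example: how the User Authentication test builds the login names it
# tries. Not HP's code; a re-implementation of the rules stated in the manual.
# Assumptions (not from the manual): RFC 4514 escaping of the CN value, and a
# fake in-memory "directory" standing in for the real LDAP server.

# RFC 4514 characters that must be escaped inside a DN attribute value.
_DN_SPECIALS = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514).

    Assumed behaviour, not documented for Onboard Administrator: a user name
    such as 'smith, j' must not introduce extra DN components.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def bind_candidates(username: str, search_contexts):
    """Return (label, login_name) pairs in the order the test tries them.

    1. the user name exactly as entered;
    2. for a search context beginning with '@', the user name with the
       context appended (jdoe + @lab.example -> jdoe@lab.example);
    3. otherwise cn=<username>,<search context>.
    """
    candidates = [("as entered", username)]
    for ctx in search_contexts:
        if ctx.startswith("@"):
            candidates.append((ctx, username + ctx))
        else:
            candidates.append((ctx, f"cn={escape_dn_value(username)},{ctx}"))
    return candidates


def run_authentication_test(username, password, search_contexts, bind):
    """Mimic the User Authentication test: try each candidate until one binds.

    `bind(login_name, password)` returns True on a successful LDAP bind.
    Returns the label of the candidate that succeeded, or None if none did.
    """
    for label, login_name in bind_candidates(username, search_contexts):
        if bind(login_name, password):
            return label
    return None


# Constructed stand-in for the directory server: login name -> password.
FAKE_DIRECTORY = {
    "cn=jdoe,ou=BladeAdmins,dc=corp,dc=example": "s3cret",
    "ops@lab.example": "hunter2",
}

# Constructed search contexts in the two forms the manual describes.
SEARCH_CONTEXTS = ["@lab.example", "ou=BladeAdmins,dc=corp,dc=example"]


def fake_bind(login_name: str, password: str) -> bool:
    """Simulated simple bind against the constructed directory."""
    return FAKE_DIRECTORY.get(login_name) == password


if __name__ == "__main__":
    for user, pw in (("jdoe", "s3cret"), ("ops", "hunter2"), ("jdoe", "wrong")):
        print(user, "->", run_authentication_test(user, pw, SEARCH_CONTEXTS, fake_bind))
```

Note that the test reports the search context that worked, so a directory in which the same user name resolves under more than one context will report only the first one in configured order.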
User Authorization
After a user has successfully authenticated to Onboard Administrator, the configured directory groups to which
the user belongs are identified. A user might belong to more than one configured directory group, in which
case the group that grants the user the most privileges is selected.
• A successful test reports the directory group with the highest privilege level for the authenticated user.
• A failed test reports that the authenticated user has no authorization on Onboard Administrator because
the user does not belong to any of the configured directory groups.
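The following added example, not HP's code, models the authorization step above together with the group-name matching rules from the Directory Groups table on this page (a configured group name matches the name, distinguished name, common name, Display Name or SAM Account Name of a directory group; the distinguished name is recommended because a shorter name can match groups in more than one domain). The privilege names Administrator, Operator and User and their ordering, the case-insensitive comparison, and the two-domain sample data are assumptions of this example; nested-group matching by objectSid is not modelled.

```python
# Added example: resolving a user's Onboard Administrator privilege from the
# directory groups it belongs to. Not HP's code; it follows the rules stated
# in the User Authorization test and the Directory Groups table.
# Assumptions (not from the manual): the privilege names and ordering,
# case-insensitive comparison, and the constructed two-domain sample data.

PRIVILEGE_RANK = {"Administrator": 3, "Operator": 2, "User": 1}  # assumed

# The five directory-group properties a configured group name may match.
MATCH_ATTRIBUTES = ("name", "distinguishedName", "cn", "displayName", "sAMAccountName")


def group_matches(configured_name: str, group: dict) -> bool:
    """True if the configured name equals any of the five group properties."""
    wanted = configured_name.casefold()
    return any(group.get(attr, "").casefold() == wanted for attr in MATCH_ATTRIBUTES)


def matching_groups(configured_name: str, directory_groups):
    """DNs of every directory group the configured name would match.

    More than one hit means the configured name is ambiguous, which is the
    multi-domain mismatch the table warns about when searching the GC port
    with anything other than a distinguished name.
    """
    return [g["distinguishedName"] for g in directory_groups if group_matches(configured_name, g)]


def resolve_authorization(user_groups, configured_groups):
    """Mimic the User Authorization test.

    user_groups:       directory groups the authenticated user belongs to.
    configured_groups: (group name, privilege) pairs configured on OA.
    Returns the (configured name, privilege) pair with the highest privilege
    the user is a member of, or None when no configured group matches.
    """
    best = None
    for cfg_name, privilege in configured_groups:
        if any(group_matches(cfg_name, g) for g in user_groups):
            if best is None or PRIVILEGE_RANK[privilege] > PRIVILEGE_RANK[best[1]]:
                best = (cfg_name, privilege)
    return best


def _group(dn: str, cn: str, sam: str) -> dict:
    """Build a constructed directory-group entry with the five matched properties."""
    return {"name": cn, "distinguishedName": dn, "cn": cn, "displayName": cn, "sAMAccountName": sam}


# Constructed sample: two domains in one forest, each with an "Admins" group.
CORP_ADMINS = _group("CN=Admins,OU=Groups,DC=corp,DC=example", "Admins", "corp-admins")
LAB_ADMINS = _group("CN=Admins,OU=Groups,DC=lab,DC=example", "Admins", "lab-admins")
BLADE_OPS = _group("CN=Blade Operators,OU=Groups,DC=corp,DC=example", "Blade Operators", "blade-ops")
FOREST_GROUPS = [CORP_ADMINS, LAB_ADMINS, BLADE_OPS]

# The user is an operator in corp and an administrator only in the lab domain.
USER_GROUPS = [BLADE_OPS, LAB_ADMINS]

# Recommended: configure the OA directory groups by distinguished name.
DN_CONFIG = [
    ("CN=Admins,OU=Groups,DC=corp,DC=example", "Administrator"),
    ("CN=Blade Operators,OU=Groups,DC=corp,DC=example", "Operator"),
]
# Risky: the same groups configured by common name only.
CN_CONFIG = [("Admins", "Administrator"), ("Blade Operators", "Operator")]

if __name__ == "__main__":
    print("by DN:", resolve_authorization(USER_GROUPS, DN_CONFIG))
    print("by CN:", resolve_authorization(USER_GROUPS, CN_CONFIG))
    print("groups matching 'Admins':", matching_groups("Admins", FOREST_GROUPS))
```

With the groups configured by distinguished name the user is resolved as an Operator, which is the intended outcome; with the same groups configured by common name the lab domain's Admins group satisfies the "Admins" entry and the user is granted Administrator on the enclosure.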
Test Log
This is a running log of the details associated with the tests that have run and the results of those tests.
Directory Test Controls
The user name and password are sent to the LDAP server for authentication before the User Authentication
and User Authorization tests are performed.
Directory Groups
Access to the enclosure can be granted through LDAP. To use an LDAP server, you must create directory
accounts.
The Directory Groups screen displays current directory groups that have been added to the Primary
Connection enclosure. You may add user groups to all enclosures. You may edit and delete user groups from
the Primary Connection enclosure only. To use LDAP services, you must add at least one directory group.
Column        Description
Check box     Used to select a directory group for editing or deleting.
Group Name    1 to 255 characters, drawn from the same character set as search contexts. The group name
              is used to determine an LDAP user's group membership. It must match one of the following
              five properties of the directory group: name, distinguished name, common name, Display
              Name, or SAM Account Name. For nested groups, matching is based on objectSid (the attribute
              holding the group's security ID). The distinguished name is recommended because it uniquely
              identifies the LDAP group. If Onboard Administrator is configured to search the Global
              Catalog (GC) port and a distinguished name is not used, an incorrect match across multiple
              domains may occur, which could result