In general, you can use the HP-provided snap-ins to create objects. It is useful to give the iLO 2 MP device objects meaningful names, such as the device's network address, DNS name, host server name, or serial number.
Directory-enabled remote management enables you to:
• Create iLO 2 MP objects: Each device object created represents one device that will use the directory service to authenticate and authorize users. For more information, see the following sections: “Directory Services for Active Directory” (page 152) and “Directory Services for eDirectory” (page 163).
• Configure iLO 2 MP devices: Every iLO 2 MP device that uses the directory service to authenticate and authorize users must be configured with the appropriate directory settings. For details about the specific directory settings, see “Using the LDAP Command to Configure Directory Settings in the iLO 2 MP” (page 171). In general, each device is configured with the appropriate directory server address, iLO 2 MP object distinguished name, and any user contexts. The server address is either the IP address or DNS name of a local directory server, or, for more redundancy, a multihost DNS name.
Using Existing Groups
Many organizations arrange users and administrators into groups. In many cases, it is convenient
to use existing groups and associate these groups with one or more iLO 2 MP role objects. When
the devices are associated with role objects, you can control access to the iLO 2 MP devices
associated with the role by adding or deleting members from the groups.
When using Microsoft Active Directory, you can place one group within another, or create nested
groups. Role objects are considered groups and can include other groups directly. To include
other groups directly, add the existing nested group directly to the role and assign the appropriate
rights and restrictions. Add new users to either the existing group or to the role.
Novell™ eDirectory does not allow nested groups. In eDirectory, any user who can read a role
is considered a member of that role. When adding an existing group, organizational unit, or
organization to a role, add the object as a read trustee of the role. All the members of the object
are considered members of the role. Add new users to either the existing object or to the role.
When you use trustee or directory rights assignments to extend role membership, users must be
able to read the iLO 2 MP object representing the iLO 2 MP device. Some environments require
the trustees of a role to also be read trustees of the iLO 2 MP object to successfully authenticate
users.
Using Multiple Roles
Most deployments do not require that the same user be in multiple roles managing the same
device. However, these configurations are useful for building complex rights relationships. When
building multiple-role relationships, users receive all the rights assigned by every applicable
role. Roles only grant rights; they never revoke them. If one role grants a user a right, the user has that
right, even if the user is also in another role that does not grant it.
Typically, a directory administrator creates a base role with the minimum number of rights
assigned and then creates additional roles to add additional rights. These additional rights are
added under specific circumstances or to a specific subset of the base role users.
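The additive rule above (a user's effective rights are the union of the rights of every applicable role, with nested groups resolved as in the Active Directory case) is easy to get wrong when auditing who can do what to a device. The following Python model is an added example, not code from the HP guide or from iLO 2 MP itself; all group, role, device and right names in it are constructed sample data, and the directory is modelled as plain dictionaries rather than a live LDAP query. It resolves nested group membership, computes a user's effective rights on a device, and answers the reverse audit question of which users end up with a given right.

```python
"""Model of the iLO 2 MP role-rights rule: roles only grant rights, so a
user's effective rights on a device are the union over every role that
applies. Added example with constructed data; not HP's code."""
from typing import Dict, FrozenSet, Set

# Constructed sample directory (hypothetical names, not real objects).
# Group -> direct members. A member starting with "cn=" is a nested group.
GROUPS: Dict[str, Set[str]] = {
    "cn=ilo-admins": {"alice", "cn=helpdesk"},   # helpdesk nested in ilo-admins
    "cn=helpdesk":   {"bob"},
    "cn=ilo-users":  {"carol", "bob"},           # bob is also a plain user
}

# Constructed roles: members (users or groups), rights granted, and the
# iLO 2 MP device objects the role is associated with.
ROLES: Dict[str, dict] = {
    "cn=role-admins": {
        "members": {"cn=ilo-admins"},
        "rights": {"login", "remote_console", "virtual_power", "configure"},
        "devices": {"cn=ilo2-mp-rack1"},
    },
    "cn=role-users": {
        "members": {"cn=ilo-users"},
        "rights": {"login", "remote_console"},
        "devices": {"cn=ilo2-mp-rack1"},
    },
    # Base role with the minimum right, granted to a user directly.
    "cn=role-base": {
        "members": {"dave"},
        "rights": {"login"},
        "devices": {"cn=ilo2-mp-rack1"},
    },
}


def expand_members(name: str, groups: Dict[str, Set[str]],
                   seen: Set[str] = None) -> Set[str]:
    """Resolve a group, nested groups included, to the users inside it.
    A bare user name resolves to itself; `seen` guards against group cycles."""
    if seen is None:
        seen = set()
    if name not in groups:
        return {name}
    if name in seen:
        return set()
    seen.add(name)
    users: Set[str] = set()
    for member in groups[name]:
        users |= expand_members(member, groups, seen)
    return users


def applicable_roles(user: str, device: str, roles: Dict[str, dict],
                     groups: Dict[str, Set[str]]) -> Set[str]:
    """Roles associated with `device` in which `user` is a (possibly nested) member."""
    return {
        role for role, spec in roles.items()
        if device in spec["devices"]
        and any(user in expand_members(m, groups) for m in spec["members"])
    }


def effective_rights(user: str, device: str, roles: Dict[str, dict],
                     groups: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Union of rights over every applicable role: roles never subtract rights."""
    rights: Set[str] = set()
    for role in applicable_roles(user, device, roles, groups):
        rights |= roles[role]["rights"]
    return frozenset(rights)


def users_with_right(right: str, device: str, roles: Dict[str, dict],
                     groups: Dict[str, Set[str]]) -> Set[str]:
    """Audit view: every user who ends up holding `right` on `device`."""
    users: Set[str] = set()
    for spec in roles.values():
        if device in spec["devices"] and right in spec["rights"]:
            for member in spec["members"]:
                users |= expand_members(member, groups)
    return users


if __name__ == "__main__":
    dev = "cn=ilo2-mp-rack1"
    for user in ("alice", "bob", "carol", "dave", "eve"):
        print(user, sorted(effective_rights(user, dev, ROLES, GROUPS)))
    print("configure:", sorted(users_with_right("configure", dev, ROLES, GROUPS)))
```

Note that bob appears only in the restricted user group directly, yet inherits the full administrator rights through the helpdesk group nested in the admin group; the user role does not remove any of them. Running the reverse query for a sensitive right such as `configure` is the check to perform whenever an existing group is attached to a role, because the group's nested membership, not its name, decides who gains the right.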
For example, an organization might have two types of users: administrators of the iLO 2 MP
device or host server, and users of the iLO 2 MP device. In this situation, it makes sense to create
two roles, one for the administrators and one for the users. Both roles include some of the same
174
Installing and Configuring Directory Services
HP Integrity iLO 2 MP Operations Guide, HP Part Number 5991 5992, published November 2007.