Directory services
Overview of directory integration
iLO 2 can be configured to use a directory to authenticate and authorize its users. Before configuring iLO
2 for directories, you must decide whether or not you want to use the HP Extended schema option.
The advantages of using the HP Extended schema option are:
• There is much more flexibility in controlling access. For example, access can be limited to a time of day or from a certain range of IP addresses.
• Groups are maintained in the directory, not on each iLO 2.
• RILOE and RILOE II only work with HP Extended schema. (Schema-free will be added to RILOE II at a later date.)
iLO 2, RILOE, and RILOE II will only work with eDirectory with HP Extended schema.
See the comprehensive list of benefits in the "Benefits of directory integration (on page 134)" section. The "Directory-enabled remote management (on page 166)" section details how roles, groups, and security are enabled and enforced using directories. White papers with more information on directory integration are also available on the HP website (http://www.hp.com/servers/lights-out).
Benefits of directory integration
• Scalability—The directory can be leveraged to support thousands of users on thousands of iLO 2s.
• Security—Robust user password policies are inherited from the directory. User password complexity, rotation frequency, and expiration are policy examples.
• Anonymity (lack thereof)—In some environments, users share Lights-Out accounts, so you know only which account (or role) was used, not who performed an operation.
• Role-based administration—You can create roles (for instance, clerical, remote control of the host, complete control) and associate users or user groups with those roles. A change at a single role applies to all users and Lights-Out devices associated with that role.
• Single point of administration—You can use native administrative tools like MMC and ConsoleOne to administer Lights-Out users.
• Immediacy—A single change in the directory rolls out immediately to associated Lights-Out processors. This eliminates the need to script this process.
• Elimination of another username and password—You can use existing user accounts and passwords in the directory without having to record or remember a new set of credentials for Lights-Out.
• Flexibility—You can create a single role for a single user on a single iLO 2, or you can create a single role for multiple users on multiple iLOs, or you can use a combination of roles as is suitable for your enterprise.