Configuring iLO 2 51
with CN=John Doe,OU=IT,DC=MyCompany,DC=com, which is the user's actual distinguished name. If
the correct password is entered, the user is authenticated.
Authentication using Default Directory Schema, part 2:
The distinguished name for a user in the directory is [email protected],OU=IT,DC=MyCompany,DC=com, and the following are the attributes of John Doe's certificate:
• Subject: DC=com/DC=MyCompany/OU=Employees/CN=John Doe/[email protected]
• SAN/UPN: [email protected]
• Search context on the Directory Settings page is set to: OU=IT,DC=MyCompany,DC=com
In this example, if SAN is selected on the Two-Factor Authentication Settings page, the Directory User field on the login page is populated with [email protected]. After the correct password is entered, the user is authenticated, even though [email protected] is not the distinguished name for the user. Authentication succeeds because iLO 2 also attempts to authenticate using the login value combined with the search context fields ([email protected], OU=IT, DC=MyCompany, DC=com) configured on the Directory Settings page. Because this is the correct distinguished name for the user, iLO 2 successfully finds the user in the directory.
NOTE: Selecting Subject on the Two-Factor Authentication Settings page causes authentication to fail, because the subject of the certificate is not the distinguished name for the user in the directory.
When authenticating using the HP Extended Schema method, HP recommends selecting the SAN option on the Two-Factor Authentication Settings page.
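The two login cases above, as an added Python model that is not iLO 2 firmware code: it shows why the SAN value combined with the search context resolves to the user's distinguished name while the certificate Subject does not. The directory entries, passwords and the UPN jdoe@MyCompany.com are constructed, and the CN=<name> prefix applied to a bare login name is an assumption the page does not state.

```python
"""Model of the iLO 2 default-schema certificate login described above.

Constructed example: the directory, DNs, UPN and certificate values are
illustrative and are not taken from iLO firmware or a real environment.
"""

# Constructed directory: DN -> password (a real bind would go over LDAPS, port 636).
DIRECTORY = {
    "CN=John Doe,OU=IT,DC=MyCompany,DC=com": "pw-part1",
    "CN=jdoe@MyCompany.com,OU=IT,DC=MyCompany,DC=com": "pw-part2",
}


def normalize_dn(dn):
    """Compare DNs loosely: trim whitespace around RDNs and ignore case (AD-style)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def subject_to_dn(subject):
    """OpenSSL-style '/'-separated subject (root first) -> LDAP DN (leaf first)."""
    if "/" not in subject:
        return subject  # already written as an LDAP DN
    return ",".join(reversed([p for p in subject.split("/") if p]))


def directory_user_field(cert, selected):
    """Value the login page's Directory User field is populated with."""
    return subject_to_dn(cert["subject"]) if selected == "Subject" else cert["san_upn"]


def candidates(user_field, search_contexts):
    """DNs tried in order: the field as given, then the field under each search context.
    Assumption (not stated on the page): a bare name such as a UPN becomes CN=<name>."""
    rdn = user_field if "=" in user_field else f"CN={user_field}"
    return [user_field] + [f"{rdn},{ctx}" for ctx in search_contexts]


def authenticate(cert, selected, search_contexts, password, directory=DIRECTORY):
    """Return the normalized DN iLO 2 would bind as on success, or None on failure."""
    known = {normalize_dn(dn): pw for dn, pw in directory.items()}
    for dn in candidates(directory_user_field(cert, selected), search_contexts):
        if known.get(normalize_dn(dn)) == password:
            return normalize_dn(dn)
    return None


# Part 2 of the example: the Subject is not the user's DN; the SAN plus search context is.
CERT_PART2 = {
    "subject": "DC=com/DC=MyCompany/OU=Employees/CN=John Doe/Email=jdoe@MyCompany.com",
    "san_upn": "jdoe@MyCompany.com",
}
SEARCH_CONTEXTS = ["OU=IT,DC=MyCompany,DC=com"]
```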
Directory settings
iLO 2 connects to Microsoft® Active Directory, Novell eDirectory, and other LDAP 3.0-compliant directory services for user authentication and authorization. You can configure iLO 2 to authenticate and authorize users using the HP schema directory integration or the schema-free directory integration. iLO 2 only connects to directory services using SSL-secured connections to the directory server LDAP port. The default secure LDAP port is 636. Directory services support is a licensed feature available with the purchase of optional licenses. For more information, see "Licensing (on page 26)". For additional information about directories, see "Directory services (on page 134)."
Locally stored user accounts (found on the User Administration page) can remain active while iLO 2 directory support is enabled. This allows both local and directory-based user access at the same time. Typically, an administrator can delete local user accounts (except, possibly, an emergency access account) after iLO 2 is successfully configured to access the directory service. You can also disable access to these accounts if directory support is enabled.