Dell Drac 5 User Guide
Using the DRAC 5 With Microsoft Active Directory

Table 6-8. List of Attributes Added to the Active Directory Schema

| Attribute Name | Description | Assigned OID | Syntax Object Identifier | Single Valued |
|---|---|---|---|---|
| dellPrivilegeMember | List of dellPrivilege Objects that belong to this Attribute. | 1.2.840.113556.1.8000.1280.1.1.2.1 | Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12) | FALSE |
| dellProductMembers | List of dellRacDevices Objects that belong to this role. This attribute is the forward link to the dellAssociationMembers backward link. Link ID: 12070 | 1.2.840.113556.1.8000.1280.1.1.2.2 | Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12) | FALSE |
| dellIsLoginUser | TRUE if the user has Login rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.3 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE |
| dellIsCardConfigAdmin | TRUE if the user has Card Configuration rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.4 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE |
| dellIsUserConfigAdmin | TRUE if the user has User Configuration rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.5 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE |
| dellIsLogClearAdmin | TRUE if the user has Log Clearing rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.6 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE |
| dellIsServerResetUser | TRUE if the user has Server Reset rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.7 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE |
| dellIsConsoleRedirectUser | TRUE if the user has Console Redirection rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.8 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE |
| dellIsVirtualMediaUser | TRUE if the user has Virtual Media rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.9 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE |
| dellIsTestAlertUser | TRUE if the user has Test Alert User rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.10 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE |
| dellIsDebugCommandAdmin | TRUE if the user has Debug Command Admin rights on the device. | 1.2.840.113556.1.8000.1280.1.1.2.11 | Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) | TRUE |
| dellSchemaVersion | The Current Schema Version is used to update the schema. | 1.2.840.113556.1.8000.1280.1.1.2.12 | Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905) | TRUE |
| dellRacType | This attribute is the Current Rac Type for the dellRacDevice object and the backward link to the dellAssociationObjectMembers forward link. | 1.2.840.113556.1.8000.1280.1.1.2.13 | Case Ignore String (LDAPTYPE_CASEIGNORESTRING 1.2.840.113556.1.4.905) | TRUE |
| dellAssociationMembers | List of dellAssociationObjectMembers that belong to this Product. This attribute is the backward link to the dellProductMembers Linked attribute. Link ID: 12071 | 1.2.840.113556.1.8000.1280.1.1.2.14 | Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12) | FALSE |

Installing the Dell Extension to the Active Directory Users and Computers Snap-In

When you extend the schema in Active Directory, you must also extend the Active Directory Users and Computers snap-in so the administrator can manage RAC (DRAC 5) devices, Users and User Groups, RAC Associations, and RAC Privileges.

When you install your systems management software using the Dell Systems Management Tools and Documentation DVD, you can extend the snap-in by selecting the Dell Extension to the Active Directory Users and Computers Snap-In option during the installation procedure. See the Dell OpenManage Software Quick Installation Guide for additional instructions about installing systems management software.

For more information about the Active Directory Users and Computers snap-in, see your Microsoft documentation.

Installing the Administrator Pack

You must install the Administrator Pack on each system that is managing the Active Directory DRAC 5 Objects. If you do not install the Administrator Pack, you cannot view the Dell RAC Object in the container.

See Opening the Active Directory Users and Computers Snap-In on page 123 for more information.

Opening the Active Directory Users and Computers Snap-In

To open the Active Directory Users and Computers snap-in:

1. If you are logged into the domain controller, click Start → Admin Tools → Active Directory Users and Computers.
   If you are not logged into the domain controller, you must have the appropriate Microsoft Administrator Pack installed on your local system. To install this Administrator Pack, click Start → Run, type MMC, and press Enter.
   The Microsoft Management Console (MMC) appears.
2. In the Console 1 window, click File (or Console on systems running Windows 2000).
3. Click Add/Remove Snap-in.
4. Select the Active Directory Users and Computers snap-in and click Add.
5. Click Close and click OK.

Adding DRAC 5 Users and Privileges to Active Directory

Using the Dell-extended Active Directory Users and Computers snap-in, you can add DRAC 5 users and privileges by creating RAC, Association, and Privilege objects. To add each object type, perform the following procedures:

• Create a RAC device Object
• Create a Privilege Object
• Create an Association Object
• Add objects to an Association Object

Creating a RAC Device Object

1. In the MMC Console Root window, right-click a container.
2. Select New → Dell RAC Object.
   The New Object window appears.
3. Type a name for the new object. The name must be identical to the DRAC 5 Name that you will type in step a of Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface on page 126.
4. Select RAC Device Object.
5. Click OK.

Creating a Privilege Object

NOTE: A Privilege Object must be created in the same domain as the related Association Object.

1. In the Console Root (MMC) window, right-click a container.
2. Select New → Dell RAC Object.
   The New Object window appears.
3. Type a name for the new object.
4. Select Privilege Object.
5. Click OK.
6. Right-click the privilege object that you created, and select Properties.
7. Click the RAC Privileges tab and select the privileges that you want the user to have (for more information, see Table 5-4).

Creating an Association Object

The Association Object is derived from a Group and must contain a Group Type. The Association Scope specifies the Security Group Type for the Association Object. When you create an Association Object, choose the Association Scope that applies to the type of objects you intend to add.

For example, if you select Universal, the association objects are only available when the Active Directory Domain is functioning in Native Mode or above.

1. In the Console Root (MMC) window, right-click a container.
2. Select New → Dell RAC Object.
   This opens the New Object window.
3. Type a name for the new object.
4. Select Association Object.
5. Select the scope for the Association Object.
6. Click OK.

Adding Objects to an Association Object

Using the Association Object Properties window, you can associate users or user groups, privilege objects, and RAC devices or RAC device groups. If your system is running Windows 2000 mode or higher, use Universal Groups to span domains with your user or RAC objects.

You can add groups of Users and RAC devices. The procedure for creating Dell-related groups and non-Dell-related groups is identical.

Adding Users or User Groups

1. Right-click the Association Object and select Properties.
2. Select the Users tab and click Add.
3. Type the user or User Group name and click OK.

Click the Privilege Object tab to add the privilege object to the association that defines the user's or user group's privileges when authenticating to a RAC device. Only one privilege object can be added to an Association Object.

Adding Privileges

1. Select the Privileges Object tab and click Add.
2. Type the Privilege Object name and click OK.

Click the Products tab to add one or more RAC devices to the association. The associated devices specify the RAC devices connected to the network that are available for the defined users or user groups. Multiple RAC devices can be added to an Association Object.

Adding RAC Devices or RAC Device Groups

To add RAC devices or RAC device groups:

1. Select the Products tab and click Add.
2. Type the RAC device or RAC device group name and click OK.
3. In the Properties window, click Apply and click OK.

Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface

1. Open a supported Web browser window.
2. Log in to the DRAC 5 Web-based interface.
3. Expand the System tree and click Remote Access.
4. Click the Configuration tab and select Active Directory.
5. On the Active Directory Main Menu page, select Configure Active Directory and click Next.
6. In the Common Settings section:
   a. Select the Enable Active Directory check box.
   b. Type the Root Domain Name. The Root Domain Name is the fully qualified root domain name for the forest.
   c. Type the Timeout time in seconds.
7. Click Use Extended Schema in the Active Directory Schema Selection section.
8. In the Extended Schema Settings section:
   a. Type the DRAC Name. This name must be the same as the common name of the new RAC object you created in your Domain Controller (see step 3 of Creating a RAC Device Object on page 124).
   b. Type the DRAC Domain Name (for example, drac5.com). Do not use the NetBIOS name. The DRAC Domain Name is the fully qualified domain name of the sub-domain where the RAC Device Object is located.
9. Click Apply to save the Active Directory settings.
10. Click Go Back To Active Directory Main Menu.
11. Upload your domain forest Root CA certificate into the DRAC 5.
   a. Select the Upload Active Directory CA Certificate check-box and then click Next.
   b. In the Certificate Upload page, type the file path of the certificate or browse to the certificate file.

      NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.

      The domain controllers' SSL certificates should have been signed by the root CA. Have the root CA certificate available on your management station accessing the DRAC 5 (see Exporting the Domain Controller Root CA Certificate to the DRAC 5 on page 138).
   c. Click Apply.
      The DRAC 5 Web server automatically restarts after you click Apply.
12. Log out and then log in to the DRAC 5 to complete the DRAC 5 Active Directory feature configuration.
13. In the System tree, click Remote Access.
14. Click the Configuration tab and then click Network.
    The Network Configuration page appears.
15. If Use DHCP (for NIC IP Address) is selected under Network Settings, then select Use DHCP to obtain DNS server address.
    To manually input a DNS server IP address, deselect Use DHCP to obtain DNS server addresses and type your primary and alternate DNS server IP addresses.
16. Click Apply Changes.

The DRAC 5 Extended Schema Active Directory feature configuration is complete.

Configuring the DRAC 5 With Extended Schema Active Directory and RACADM

Use the following commands to configure the DRAC 5 Active Directory feature with Extended Schema using the RACADM CLI tool instead of the Web-based interface.

1. Open a command prompt and type the following racadm commands:

    racadm config -g cfgActiveDirectory -o cfgADEnable 1
    racadm config -g cfgActiveDirectory -o cfgADType 1
    racadm config -g cfgActiveDirectory -o cfgADRacDomain <DRAC domain name>
    racadm config -g cfgActiveDirectory -o cfgADRootDomain <root domain name>
    racadm config -g cfgActiveDirectory -o cfgADRacName <DRAC name>
    racadm sslcertupload -t 0x2 -f <certificate file>
    racadm sslcertdownload -t 0x1 -f <certificate file>

2. If DHCP is enabled on the DRAC 5 and you want to use the DNS provided by the DHCP server, type the following racadm command:

    racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

3. If DHCP is disabled on the DRAC 5 or you want to input your DNS IP address, type the following racadm commands:

    racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0
    racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS server IP address>
    racadm config -g cfgLanNetworking -o cfgDNSServer2 <alternate DNS server IP address>

Press Enter to complete the DRAC 5 Active Directory feature configuration.

Instead of DRAC 5 searching for Active Directory servers, you can specify the servers DRAC 5 needs to connect to, to authenticate the user. See Specify Server for Active Directory Configuration on page 131 for information on RACADM commands to specify servers.

Accumulating Privileges Using Extended Schema

The Extended Schema Authentication mechanism supports Privilege Accumulation from different privilege objects associated with the same user through different Association Objects. In other words, Extended Schema Authentication accumulates privileges to allow the user the super set of all assigned privileges corresponding to the different privilege objects associated with the same user.

Figure 6-5 provides an example of accumulating privileges using Extended Schema.

Figure 6-5. Privilege Accumulation for a User

The figure shows two Association Objects, A01 and A02. These Association Objects may be part of the same or different domains. User1 is associated to RAC1 and RAC2 through both association objects. Therefore, User1 has accumulated privileges that result from combining the privileges set for objects Priv1 and Priv2.

For example, Priv1 had the privileges Login, Virtual Media, and Clear Logs, and Priv2 had the privileges Login, Configure DRAC, and Test Alerts. User1 will now have the privilege set Login, Virtual Media, Clear Logs, Configure DRAC, and Test Alerts, which is the combined privilege set of Priv1 and Priv2.

Extended Schema Authentication thus accumulates privileges to allow the user the maximum set of privileges possible considering the assigned privileges of the different privilege objects associated to the same user.
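
The accumulation rule above, worked through as an added example that is not part of the Dell guide: it computes each user's effective privilege set per RAC device and reports users who hold more than any single Privilege Object grants, which is the case to check in a least-privilege review. The sample data is constructed from the Figure 6-5 description; which members and devices belong to each Association Object, and all function names, are assumptions.

```python
from collections import defaultdict

# Constructed sample data modelled on the Figure 6-5 description. Which
# members and devices sit in which Association Object is an assumption.
# Each Association Object carries exactly one Privilege Object.
GROUPS = {"Group1": {"User1"}}
PRIVILEGE_OBJECTS = {
    "Priv1": {"Login", "Virtual Media", "Clear Logs"},
    "Priv2": {"Login", "Configure DRAC", "Test Alerts"},
}
ASSOCIATIONS = {
    "A01": {"members": {"User1", "User2"}, "privilege": "Priv1",
            "products": {"RAC1", "RAC2"}},
    "A02": {"members": {"Group1"}, "privilege": "Priv2",
            "products": {"RAC1", "RAC2"}},
}

def expand(names, groups, seen=None):
    """Flatten users/devices and (nested) groups into leaf names."""
    seen = set() if seen is None else seen
    leaves = set()
    for name in names:
        if name not in groups:
            leaves.add(name)
        elif name not in seen:      # guard against circular nesting
            seen.add(name)
            leaves |= expand(groups[name], groups, seen)
    return leaves

def effective_privileges(associations, privilege_objects, groups):
    """Map (user, rac) -> accumulated privileges and contributing associations."""
    eff = defaultdict(lambda: {"privileges": set(), "sources": set()})
    for assoc_name, assoc in associations.items():
        granted = privilege_objects[assoc["privilege"]]
        for user in expand(assoc["members"], groups):
            for rac in expand(assoc["products"], groups):
                eff[(user, rac)]["privileges"] |= granted
                eff[(user, rac)]["sources"].add(assoc_name)
    return dict(eff)

def accumulation_findings(associations, privilege_objects, groups):
    """Report (user, rac) pairs holding more than any one Privilege Object grants."""
    findings = []
    eff = effective_privileges(associations, privilege_objects, groups)
    for (user, rac), entry in sorted(eff.items()):
        single = [privilege_objects[associations[a]["privilege"]] for a in entry["sources"]]
        if all(entry["privileges"] > p for p in single):  # strict superset of each
            findings.append((user, rac, sorted(entry["sources"])))
    return findings
```

Calling accumulation_findings(ASSOCIATIONS, PRIVILEGE_OBJECTS, GROUPS) lists User1 on both RAC devices, because the Group1 membership in A02 adds Configure DRAC and Test Alerts to what A01 already grants.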