HP iLO 2 User Guide

3. Create HP Role objects in the roles organizational unit using the HP provided ConsoleOne snap-in tool.
a. Right-click the roles organizational unit found in the region2 organizational unit, and select New > Object.
b. Select hpqRole from the list of classes, and click OK.
c. Enter an appropriate name on the New hpqRole page. In this example, the role will contain users trusted for remote server administration and will be named remoteAdmins. Click OK. The Select Object Subtype page appears.
d. Because this role manages the rights to Lights-Out Management devices, select Lights Out Management Devices from the list, and click OK.
e. Repeat the process, creating a role for remote server monitors, named remoteMonitors, in roles in region1, and a remoteAdmins and a remoteMonitors role in roles in region2.
4. Assign rights to the role and associate the roles with users and devices using the HP provided ConsoleOne snap-in tool.
a. Right-click the remoteAdmins role in the roles organizational unit in the region1 organizational unit, and select Properties.
b. Select the Role Managed Devices tab of the HP Management option and click Add.
c. Using the Select Objects page, browse to the hp devices organizational unit in the region1 organizational unit. Select the three LOM objects created in step 2. Click OK > Apply.
d. Click the Members tab, and add users to the role by clicking Add on the Select Object page. Devices and users are now associated.
e. Set the rights for the role using the Lights Out Management Device Rights option on the HP Management tab. All users within the role have the rights assigned to the role on all of the iLO 2 devices managed by the role. In this example, the users in the remoteAdmins role are given full access to the iLO 2 functionality. Select the check boxes next to each right, and click Apply. To close the property sheet, click Close.
    SettingupHPschemadirectoryintegration151 
    						
5. Using the same procedure as in step 4, edit the properties of the remoteMonitors role:
a. Add the three iLO 2 devices within hp devices under region1 to the Managed Devices list on the Role Managed Devices option of the HP Management tab.
b. Add users to the remoteMonitors role using the Members tab.
c. Select the Login check box, and click Apply > Close. Using the Lights Out Management Device Rights option of the HP Management tab, members of the remoteMonitors role can authenticate and view the server status.
User rights to any LOM device are calculated as the sum of all the rights assigned by all the roles in which the user is a member, and in which the LOM device is a managed device. Following the preceding examples, if a user is in both the remoteAdmins and remoteMonitors roles, they will have all the rights, because the remoteAdmins role has those rights.
To configure a LOM device and associate it with a LOM object used in this example, use settings similar to the following on the Directory Settings page.
NOTE: Commas, not periods, are used in LDAP distinguished names to separate each component.
RIB Object DN = cn=rib-email-server,ou=hp devices,ou=region1,o=samplecorp
Directory User Context 1 = ou=users,o=samplecorp
For example, user CSmith, located in the users organizational unit within the samplecorp organization, who is also a member of one of the remoteAdmins or remoteMonitors roles, would be allowed to log in to the iLO 2. The user enters csmith (case insensitive) in the Login Name field of the iLO 2 login screen and uses the eDirectory password in the Password field of that screen to gain access.
Directory Services objects for eDirectory
Directory Services objects enable virtualization of the managed devices and the relationships between the managed device and user or groups already contained within the directory service.
Role managed devices
The Role Managed Devices subtab under the HP Management tab is used to add the HP devices to be managed within a role. Clicking Add enables you to browse to the specific HP device and add it as a managed device.
Members
After user objects are created, the Members tab allows you to manage the users within the role. Clicking Add enables you to browse to the specific user you want to add. Highlighting an existing user and clicking Delete removes the user from the list of valid members.
eDirectory Role Restrictions
The Role Restrictions subtab enables you to set login restrictions for the role. These restrictions include:
• Time restrictions
• IP network address restrictions
  — IP/mask
  — IP range
• DNS name
Time restrictions
You can manage the hours available for logon by members of the role by using the time grid displayed in the Role Restrictions subtab. You can select the times available for logon for each day of the week in half-hour increments. You can change a single square by clicking it, or a section of squares by clicking and holding the mouse button, dragging the cursor across the squares to be changed, and releasing the mouse button. The default setting is to allow access at all times.
Enforced client IP address or DNS name access
Access can be granted or denied to an IP address, IP address range, or DNS names.
1. In the By Default dropdown menu, select whether to Allow or Deny access from all addresses, except the specified IP addresses, IP address ranges, and DNS names.
2. Select the addresses to be added, select the type of restriction, and click Add.
3. In the Add New Restriction pop-up window, enter the information and click OK. The Add New Restriction pop-up for the IP/Mask option is shown.
The DNS Name option allows you to restrict access based on a single DNS name or a subdomain, entered in the form of host.company.com or *.domain.company.com.
4. Click Apply to save the changes.
To remove any of the entries, highlight the entry in the display field and click Delete.
eDirectory Lights-Out Management
After a role is created, rights for the role can be selected. Users and group objects can now be made members of the role, giving the users or group of users the rights granted by the role. Rights are managed on the Lights Out Management Device Rights subtab of the HP Management tab.
The available rights are:
• Login – This option controls whether users can log in to the associated devices.
Login access can be used to create a user who is a service provider and who receives alerts from iLO 2 but does not have login access to iLO 2.
• Remote Console – This option allows the user access to the Remote Console.
• Virtual Media – This option allows the user access to the iLO 2 Virtual Floppy and Virtual Media functionality.
• Server Reset and Power – This option allows the user to remotely reset the server or power it down.
• Administer Local User Accounts – This option allows the user to administer accounts. The user can modify their account settings, modify other user account settings, add users, and delete users.
• Administer Local Device Settings – This option allows the user to configure iLO 2 settings. These settings include the options available on the Global Settings, Network Settings, SNMP Settings, and Directory Settings screens of the iLO 2 browser.
User login using directory services
The iLO 2 login page Login Name field accepts all of the following:
• Directory users
• LDAP Fully Distinguished Names
Example: CN=John Smith,CN=Users,DC=HP,DC=COM, or @HP.com
NOTE: The short form of the login name by itself does not tell the directory which domain you are trying to access. You must provide the domain name or use the LDAP distinguished name of your account.
• DOMAIN\user name form (Active Directory Only)
Example: HP\jsmith
• username@domain form (Active Directory Only)
Example: jsmith@HP.com
NOTE: Directory users specified using the @ searchable form can be located in one of three searchable contexts, which are configured within Directory Settings.
• User name form
Example: John Smith
NOTE: Directory users specified using the user name form can be located in one of three searchable contexts, which are configured within Directory Settings.
• Local users – Login-ID
NOTE: On the iLO 2 login page, the maximum length of the login name is 39 characters for local users. For Directory Services users, the maximum length of the login name is 256 characters.
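The following Python is an added example, not code from the guide or from HP firmware. It classifies a login name into the forms listed above (LDAP distinguished name, DOMAIN\user, username@domain, short user name) and applies the guide's length limits of 39 characters for local users and 256 for directory users. The form names and the helper signatures are this example's own; whether a short name is a local or a directory user cannot be told from syntax alone, so the caller supplies that.

```python
"""Classify the login-name forms the iLO 2 Login Name field accepts (added example).

Not HP code: an illustration of the forms the guide lists, of the kind used
when validating input or normalising names found in login logs. The length
limits are the figures from the guide; form names are this example's own.
"""
from typing import NamedTuple, Optional

MAX_LOCAL_LOGIN = 39        # local users
MAX_DIRECTORY_LOGIN = 256   # Directory Services users


class LoginName(NamedTuple):
    form: str              # "dn", "domain_backslash", "upn" or "short"
    user: Optional[str]    # user part, if one can be identified
    domain: Optional[str]  # domain, lower-cased; None for the short form


def classify_login_name(raw: str) -> LoginName:
    name = raw.strip()
    if not name:
        raise ValueError("empty login name")
    # LDAP distinguished name: every comma-separated component is attr=value
    # (commas, not periods, separate the components).
    parts = [p.strip() for p in name.split(",")]
    if len(parts) > 1 and all("=" in p for p in parts):
        attrs = [(k.strip().upper(), v.strip())
                 for k, v in (p.split("=", 1) for p in parts)]
        cn = next((v for k, v in attrs if k == "CN"), None)
        dcs = [v for k, v in attrs if k == "DC"]
        return LoginName("dn", cn, ".".join(dcs).lower() or None)
    # DOMAIN\user name form (Active Directory only)
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return LoginName("domain_backslash", user, domain.lower())
    # username@domain form (Active Directory only); "@HP.com" alone has no user part
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        return LoginName("upn", user or None, domain.lower())
    # Short user name: the directory needs the configured user contexts to find it.
    return LoginName("short", name, None)


def login_name_within_limit(raw: str, is_local_user: bool) -> bool:
    """Apply the guide's caps: 39 characters for local users, 256 for directory users."""
    limit = MAX_LOCAL_LOGIN if is_local_user else MAX_DIRECTORY_LOGIN
    return len(raw) <= limit


if __name__ == "__main__":
    for sample in ("CN=John Smith,CN=Users,DC=HP,DC=COM", "HP\\jsmith",
                   "jsmith@HP.com", "John Smith"):
        print(sample, "->", classify_login_name(sample))
```

The distinguished-name branch is tried first because a DN can legitimately contain "@" or "\" inside an attribute value; the short form is the fall-through, which is why the guide's note about supplying a domain or a DN matters when the directory has more than one searchable context.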
Directory-enabled remote management
Introduction
This section is for administrators who are familiar with directory services and the iLO 2 product and want to use the HP schema directory integration option for iLO 2. You must be familiar with "Directory services" (page 130) and comfortable with setting up and understanding the examples.
Directory-enabled remote management enables you to:
• Create Lights-Out Management Objects
You must create one LOM device object to represent each device that will use the directory service to authenticate and authorize users. For additional information on creating LOM device objects for Active Directory, see "Directory services" (page 130), "Directory services for Active Directory" (page 140), and "Directory services for eDirectory" (page 149). In general, you can use the HP provided snap-ins to create objects. It is useful to give the LOM device objects meaningful names, such as the device network address, DNS name, host server name, or serial number.
• Configure the Lights-Out management devices
Every LOM device that uses the directory service to authenticate and authorize users must be configured with the appropriate directory settings. For details on the specific directory settings, see "Configuring directory settings" (page 51). In general, you can configure each device with the appropriate directory server address, LOM object distinguished name, and any user contexts. The server address is either the IP address or DNS name of a local directory server or, for more redundancy, a multi-host DNS name.
Creating roles to follow organizational structure
Often, the administrators within an organization are placed into a hierarchy in which subordinate administrators must assign rights independently of ranking administrators. In this case, it is useful to have one role that represents the rights assigned by higher-level administrators and to allow the subordinate administrators to create and manage their own roles.
Using existing groups
Many organizations have users and administrators arranged into groups. In many cases, the organizations can use the existing groups and associate the groups with one or more Lights-Out Management role objects. When the devices are associated with the role objects, the administrator controls access to the Lights-Out devices associated with the role by adding or deleting members from the groups.
When using Microsoft Active Directory, it is possible to place one group within another, that is, to use nested groups. Role objects are considered groups and can include other groups directly. Add the existing nested group directly to the role, and assign the appropriate rights and restrictions. New users can be added to either the existing group or the role.
Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is considered a member of that role. When adding an existing group, organizational unit or organization to a role, add the object as a read trustee of the role. All the members of the object are considered members of the role. New users can be added to either the existing object or the role.
When using trustee or directory rights assignments to extend role membership, users must be able to read the LOM object representing the LOM device. Some environments require the same trustees of a role to also be read trustees of the LOM object to successfully authenticate users.
Using multiple roles
Most deployments do not require the same user to be in multiple roles managing the same device. However, these configurations are useful for building complex rights relationships. When building multiple-role relationships, users receive all the rights assigned by every applicable role. Roles can only grant rights, never revoke them. If one role grants a user a right, then the user has the right, even if the user is in another role that does not grant that right.
Typically, a directory administrator creates a base role with the minimum number of rights assigned and then creates additional roles to add additional rights. These additional rights are added under specific circumstances or to a specific subset of the base role users.
For example, an organization can have two types of users, administrators of the LOM device or host server and users of the LOM device. In this situation, it makes sense to create two roles, one for the administrators and one for the users. Both roles include some of the same devices but grant different rights. Sometimes, it is useful to assign generic rights to the lesser role and include the LOM administrators in that role, as well as the administrative role.
An admin user gains the login right from the regular user group. More advanced rights are assigned through the Admin role, which assigns additional rights – Server Reset and Remote Console. The Admin role therefore assigns all admin rights: Server Reset, Remote Console, and Login.
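The rights arithmetic described in the eDirectory walkthrough (remoteAdmins and remoteMonitors over the three region1 LOM objects) and again under "Using multiple roles" (roles only grant, never revoke) is shown below as an added Python example. It is not HP code and does not use the hpqRole schema; the Role data class, the constructed object DNs beyond cn=rib-email-server, and the case-insensitive DN comparison are this example's own assumptions. Effective rights for a user on a device are the union of the rights of every role that both lists the user as a member and manages that device.

```python
"""Effective iLO 2 directory rights as the union of role grants (added example).

Not HP code: a model of the Role objects from the eDirectory walkthrough
(remoteAdmins, remoteMonitors) and of the "sum of all the rights" rule.
DNs follow the guide's tree; extra devices and users are constructed.
"""
from dataclasses import dataclass

# The six device rights on the Lights Out Management Device Rights subtab.
ALL_RIGHTS = frozenset({
    "Login",
    "Remote Console",
    "Virtual Media",
    "Server Reset and Power",
    "Administer Local User Accounts",
    "Administer Local Device Settings",
})


@dataclass(frozen=True)
class Role:
    dn: str
    members: frozenset          # user DNs listed on the Members tab
    managed_devices: frozenset  # LOM object DNs on the Role Managed Devices tab
    rights: frozenset           # rights ticked for the role


def _norm(dn: str) -> str:
    # Assumption: DNs compare case-insensitively, with whitespace around
    # components ignored (the guide notes the login name is case insensitive).
    return ",".join(part.strip() for part in dn.split(",")).lower()


def effective_rights(user_dn: str, device_dn: str, roles) -> frozenset:
    """Union of rights from every role that lists the user AND manages the device.

    Roles only grant. A role with fewer rights never removes a right that
    another applicable role grants, and a role that does not manage the
    device contributes nothing.
    """
    user, device = _norm(user_dn), _norm(device_dn)
    granted = set()
    for role in roles:
        if user in map(_norm, role.members) and device in map(_norm, role.managed_devices):
            granted |= role.rights
    return frozenset(granted)


# Constructed sample directory following the guide's tree:
#   ou=hp devices,ou=region1,o=samplecorp   the three LOM objects from step 2
#   ou=roles,ou=region1,o=samplecorp        remoteAdmins / remoteMonitors
#   ou=users,o=samplecorp                   user objects
EMAIL_SERVER = "cn=rib-email-server,ou=hp devices,ou=region1,o=samplecorp"
REGION1_DEVICES = frozenset({
    EMAIL_SERVER,
    "cn=rib-web-server,ou=hp devices,ou=region1,o=samplecorp",   # constructed
    "cn=rib-file-server,ou=hp devices,ou=region1,o=samplecorp",  # constructed
})
CSMITH = "cn=csmith,ou=users,o=samplecorp"   # in both roles
JDOE = "cn=jdoe,ou=users,o=samplecorp"       # constructed: monitor only

REMOTE_ADMINS = Role(
    dn="cn=remoteAdmins,ou=roles,ou=region1,o=samplecorp",
    members=frozenset({CSMITH}),
    managed_devices=REGION1_DEVICES,
    rights=ALL_RIGHTS,                 # step 4e: full access
)
REMOTE_MONITORS = Role(
    dn="cn=remoteMonitors,ou=roles,ou=region1,o=samplecorp",
    members=frozenset({CSMITH, JDOE}),
    managed_devices=REGION1_DEVICES,
    rights=frozenset({"Login"}),       # step 5c: Login only
)
ROLES = (REMOTE_ADMINS, REMOTE_MONITORS)


if __name__ == "__main__":
    for who in (CSMITH, JDOE):
        print(who, "->", sorted(effective_rights(who, EMAIL_SERVER, ROLES)))
```

Because the result is a set union, a reviewer auditing who can reset a given server has to enumerate every role that manages it, not just the role the user was "meant" to be in; the monitor-only role cannot be used to narrow an administrator's rights.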
How directory login restrictions are enforced
Two sets of restrictions potentially limit a directory user's access to LOM devices. User access restrictions limit a user's access to authenticate to the directory. Role access restrictions limit an authenticated user's ability to receive LOM privileges based on rights specified in one or more Roles.
Restricting roles
Restrictions allow administrators to limit the scope of a role. A role only grants rights to those users that satisfy the role's restrictions. Using restricted roles results in users with dynamic rights that can change based on the time of day or network address of the client.
NOTE: When directories are enabled, access to a particular iLO 2 is based on whether the user has read access to a Role object that contains the corresponding iLO 2 object. This includes but is not limited to the members listed in the role object. If the Role is set up to allow inheritable permissions to propagate from a parent, then members of the parent which have read access privileges will also have access to iLO 2. To view the access control list, navigate to Users and Computers, open the properties screen for the Role object and select the Security tab.
For step-by-step instructions on how to create network and time restrictions on a role, see "Active Directory role restrictions" (page 147) or "eDirectory Role Restrictions" (page 154).
Role time restrictions
Administrators can place time restrictions on LOM roles. Users are granted the rights specified for the LOM devices listed in the role, only if they are members of the role and meet the time restrictions for that role.
LOM devices use local host time to enforce time restrictions. If the LOM device clock is not set, the role time restriction fails unless no time restrictions are specified on the role.
Role-based time restrictions can only be satisfied if the time is set on the LOM device. The time is normally set when the host is booted, and it is maintained by running the agents in the host operating system, which allows the LOM device to compensate for leap year and minimize clock drift with respect to the host. Events, such as unexpected power loss or flashing LOM firmware, can cause the LOM device clock to not be set. Also, the host time must be correct for the LOM device to preserve time across firmware flashes.
Role address restrictions
Role address restrictions are enforced by the LOM firmware, based on the client's IP network address. When the address restrictions are met for a role, the rights granted by the role apply.
Address restrictions can be difficult to manage if access is attempted across firewalls or through network proxies. Either of these mechanisms can change the apparent network address of the client, causing the address restrictions to be enforced in an unexpected manner.
User restrictions
You can restrict access using address or time restrictions.
User address restrictions
Administrators can place network address restrictions on a directory user account, and these restrictions are enforced by the directory server. Refer to the directory service documentation for details on the enforcement of address restrictions on LDAP clients, such as a user logging in to a LOM device.
Network address restrictions placed on the user in the directory might not be enforced in the expected manner if the directory user logs in through a proxy server. When a user logs in to a LOM device as a directory user, the LOM device attempts authentication to the directory as that user, which means that address restrictions placed on the user account apply when accessing the LOM device. However, because the user is proxied at the LOM device, the network address of the authentication attempt is that of the LOM device, not that of the client workstation.
IP address range restrictions
IP address range restrictions enable the administrator to specify network addresses that are granted or denied access by the restriction. The address range is typically specified in a low-to-high range format. An address range can be specified to grant or deny access to a single address. Addresses that fall within the low to high IP address range meet the IP address restriction.
IP address and subnet mask restrictions
IP address and subnet mask restrictions enable the administrator to specify a range of addresses that are granted or denied access by the restriction. This format has similar capabilities as an IP address range but might be more native to your networking environment. An IP address and subnet mask range is typically specified using a subnet address and address bit mask that identifies addresses that are on the same logical network.
In binary math, if the bits of a client machine address, combined with the bits of the subnet mask by a bitwise AND, match the restriction subnet address, then the client machine meets the restriction.
DNS-based restrictions
DNS-based restrictions use the network naming service to examine the logical name of the client machine by looking up machine names assigned to the client IP addresses. DNS restrictions require a functional name server. If the name service goes down or cannot be reached, DNS restrictions cannot be matched and will fail.
DNS-based restrictions can limit access to a single, specific machine name or to machines sharing a common domain suffix. For example, the DNS restriction www.hp.com matches hosts that are assigned the domain name www.hp.com. However, the DNS restriction *.hp.com matches any machine originating from HP.
DNS restrictions can cause some ambiguity because a host can be multi-homed. DNS restrictions do not necessarily match one-to-one with a single system.
Using DNS-based restrictions can create some security complications. Name service protocols are insecure. Any individual with malicious intent and access to the network can place a rogue DNS service on the network creating fake address restriction criteria. Organizational security policies must be taken into consideration when implementing DNS-based address restrictions.
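The role restriction types described in this chapter and on the eDirectory Role Restrictions subtab (the By Default Allow/Deny choice with IP range, IP/mask and DNS-name exceptions, and the half-hour time grid) are brought together below in an added Python example. It is not HP firmware code and makes no claim about how iLO 2 evaluates its lists internally; the class layout, the resolver callback that stands in for the name server, and all addresses, names and hours are constructed for the example. It also carries through two failure modes stated above: a DNS entry cannot match when the name service is unreachable, and a time-restricted role fails when the device clock is not set.

```python
"""Role login restrictions of the kind the iLO 2 guide describes (added example).

Not HP code. Models the Role Restrictions subtab: a By Default Allow/Deny
choice with IP range, IP/mask and DNS-name exceptions, plus the 7-day x 48
half-hour time grid. The resolver callback and sample data are constructed
so the example runs offline.
"""
import ipaddress
from datetime import datetime
from typing import Callable, Optional

# Maps a client IP to its DNS name, or None when the lookup fails.
Resolver = Callable[[str], Optional[str]]

SLOTS_PER_DAY = 48  # half-hour increments, as on the time grid


def time_grid(days, start_slot, end_slot):
    """Grid allowing logon on `days` (0 = Monday) from start_slot up to end_slot."""
    grid = [[False] * SLOTS_PER_DAY for _ in range(7)]
    for d in days:
        for s in range(start_slot, end_slot):
            grid[d][s] = True
    return grid


class RoleRestrictions:
    def __init__(self, default_allow=True, grid=None):
        self.default_allow = default_allow  # By Default: Allow (True) or Deny (False)
        self.entries = []                   # exceptions added via Add New Restriction
        self.grid = grid                    # None means no time restriction

    def add_ip_range(self, low, high):
        self.entries.append(("range", (ipaddress.ip_address(low), ipaddress.ip_address(high))))

    def add_ip_mask(self, subnet, mask):
        self.entries.append(("mask", (int(ipaddress.ip_address(subnet)),
                                      int(ipaddress.ip_address(mask)))))

    def add_dns(self, pattern):
        # host.company.com, or *.domain.company.com for a whole subdomain
        self.entries.append(("dns", pattern.lower().rstrip(".")))

    def _matches(self, kind, value, client_ip, resolve: Resolver):
        ip = ipaddress.ip_address(client_ip)
        if kind == "range":
            low, high = value
            return low <= ip <= high
        if kind == "mask":
            subnet, mask = value
            # Client address ANDed with the mask must equal the masked subnet address.
            return (int(ip) & mask) == (subnet & mask)
        if kind == "dns":
            name = resolve(client_ip)
            if name is None:  # name service down or unreachable: entry cannot match
                return False
            name = name.lower().rstrip(".")
            if value.startswith("*."):
                return name.endswith(value[1:])  # "*.hp.com" -> suffix ".hp.com"
            return name == value
        raise ValueError(f"unknown restriction kind {kind!r}")

    def address_permits(self, client_ip, resolve: Resolver):
        listed = any(self._matches(k, v, client_ip, resolve) for k, v in self.entries)
        # Listed addresses are the exceptions to the By Default choice.
        return self.default_allow != listed

    def time_permits(self, now: Optional[datetime]):
        if self.grid is None:
            return True
        if now is None:  # LOM device clock not set: the time restriction fails
            return False
        slot = now.hour * 2 + (1 if now.minute >= 30 else 0)
        return self.grid[now.weekday()][slot]

    def permits(self, client_ip, now, resolve: Resolver):
        """The role's rights apply only when address and time restrictions are both met."""
        return self.address_permits(client_ip, resolve) and self.time_permits(now)


# Constructed sample: deny by default; allow an admin range, an ops subnet and
# an ops subdomain; weekdays 08:00-18:00 (slots 16 to 36).
ADMIN_ROLE = RoleRestrictions(default_allow=False,
                              grid=time_grid(range(0, 5), start_slot=16, end_slot=36))
ADMIN_ROLE.add_ip_range("10.1.2.1", "10.1.2.50")
ADMIN_ROLE.add_ip_mask("10.2.0.0", "255.255.0.0")
ADMIN_ROLE.add_dns("*.ops.samplecorp.example")

# Constructed reverse-lookup table standing in for the name server.
PTR_TABLE = {"10.3.0.7": "jump1.ops.samplecorp.example"}
resolver_up = PTR_TABLE.get


def resolver_down(_ip):
    return None  # simulates an unreachable name service


MONDAY_9AM = datetime(2024, 1, 8, 9, 0)
MONDAY_10PM = datetime(2024, 1, 8, 22, 0)

if __name__ == "__main__":
    print(ADMIN_ROLE.permits("10.1.2.3", MONDAY_9AM, resolver_up))    # True
    print(ADMIN_ROLE.permits("10.3.0.7", MONDAY_9AM, resolver_down))  # False
```

Two observations follow from running it: with By Default set to Deny, an outage of the name server silently removes access for every client admitted only by a DNS-name entry, and a device with an unset clock denies every time-restricted role while still honouring roles without a time grid, so the two kinds of role behave differently after a power loss or firmware flash.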
How user time restrictions are enforced
Administrators can place a time restriction on directory user accounts. Time restrictions limit the ability of the user to log in (authenticate) to the directory. Typically, time restrictions are enforced using the time at the directory server, but if the directory server is located in a different time zone or a replica in a different time zone is accessed, then time zone information from the managed object can be used to adjust for relative time.
The directory server evaluates user time restrictions, but the determination can be complicated by time zone changes or authentication mechanism.