Alternatively, the directory administrator might create a role that grants the login right and restrict it to the
corporate network, and then create another role that grants only the server reset right and restrict it to
after-hours operation. This configuration is easier to manage but more dangerous because ongoing
administration might create another role that grants the login right to users from addresses outside the
corporate network. This role might unintentionally grant the LOM administrators in the server reset role
the ability to reset the server from anywhere, if they satisfy the role time constraints.
The configuration shown in Creating restrictions and roles meets corporate security requirements.
However, adding another role that grants the login right can inadvertently grant server reset privileges
from outside the corporate subnet after hours. A more manageable solution is to restrict the Reset role
and the General Use role, as shown in Restricting the Reset and General Use roles.
The figure shows a user assigned to two roles, both of which apply to the server:
General Use role: assigns the Login privilege. IP Restriction: DENY except to corporate subnet.
Reset role: assigns the Virtual Power and Reset privilege AND the Login privilege. Time Restriction: Denied Monday through Friday, 8 a.m. to 5 p.m. IP Restriction: DENY except to corporate subnet.
Figure 13: Restricting the Reset and General Use roles
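The following Python model is an added example, not HPE code or the iLO schema; it illustrates why the layout in Figure 13 is safer than splitting the login right and the reset right into two singly restricted roles. It assumes the evaluation rule the text describes: a role's privileges count only when every restriction on that role passes for the session, the effective privileges are the union across all passing roles, and reset is only usable once login has been granted. The subnet, the test address and the role names are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of iLO directory roles for illustration (not HPE's schema or code).
LOGIN = "login"
RESET = "reset"

CORPORATE_SUBNET = ip_network("10.0.0.0/8")  # constructed placeholder corporate subnet


def ip_restriction_corporate_only(ip, weekday, hour):
    # "IP Restriction: DENY except to corporate subnet"
    return ip_address(ip) in CORPORATE_SUBNET


def time_restriction_after_hours(ip, weekday, hour):
    # "Time Restriction: Denied Monday through Friday, 8 a.m. to 5 p.m." (weekday 0 = Monday)
    business_day = weekday < 5
    business_hours = 8 <= hour < 17
    return not (business_day and business_hours)


@dataclass
class Role:
    name: str
    privileges: frozenset
    restrictions: tuple = ()  # callables; an empty tuple means the role is unrestricted


def effective_privileges(roles, ip, weekday, hour):
    """Union of privileges from every role whose restrictions all pass for this session."""
    granted = set()
    for role in roles:
        if all(check(ip, weekday, hour) for check in role.restrictions):
            granted |= role.privileges
    return granted


def can_reset(roles, ip, weekday, hour):
    """The user must first be able to log in; only then does the reset right matter."""
    privs = effective_privileges(roles, ip, weekday, hour)
    return LOGIN in privs and RESET in privs


# Layout 1 (the "easier to manage but more dangerous" configuration in the text):
# the login right and the reset right live in separate roles, each with one restriction.
SEPARATE_ROLES = [
    Role("Login role", frozenset({LOGIN}), (ip_restriction_corporate_only,)),
    Role("Reset role", frozenset({RESET}), (time_restriction_after_hours,)),
]

# Layout 2 (Figure 13): the Reset role carries Login AND Reset under both the time
# and the IP restriction; the General Use role carries Login under the IP restriction.
COMBINED_ROLES = [
    Role("General Use role", frozenset({LOGIN}), (ip_restriction_corporate_only,)),
    Role("Reset role", frozenset({LOGIN, RESET}),
         (time_restriction_after_hours, ip_restriction_corporate_only)),
]

# The later administrative change the text warns about: another role that grants
# the login right to users from addresses outside the corporate network.
REMOTE_LOGIN_ROLE = Role("Remote login role", frozenset({LOGIN}), ())


def reset_possible_from_outside(roles):
    """True if reset is reachable from a non-corporate address at any day or hour."""
    outside = "203.0.113.7"  # constructed non-corporate address (TEST-NET-3)
    return any(can_reset(roles, outside, wd, h) for wd in range(7) for h in range(24))


if __name__ == "__main__":
    print("separate roles:", reset_possible_from_outside(SEPARATE_ROLES))
    print("separate roles + remote login:",
          reset_possible_from_outside(SEPARATE_ROLES + [REMOTE_LOGIN_ROLE]))
    print("Figure 13 roles + remote login:",
          reset_possible_from_outside(COMBINED_ROLES + [REMOTE_LOGIN_ROLE]))
```

Running the checks shows the difference: with the separate roles, adding the unrestricted login role makes reset reachable from outside the corporate subnet after hours, because the Reset role itself carries no IP restriction. With the Figure 13 layout the same added role changes nothing, since the Reset role still denies its own privileges to sessions from outside the subnet, whatever other role supplied the login right. A periodic review of the role set with a check like reset_possible_from_outside is a cheap way to catch this kind of drift.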
Tools for configuring multiple iLO systems at a time
Configuring large numbers of LOM objects for Kerberos authentication and directory services is time
consuming. You can use the following utilities to configure several LOM objects at a time.
Directories Support for ProLiant Management Processors
This software includes a GUI that provides a step-by-step approach to configuring Kerberos
authentication and directory services with large numbers of management processors. Hewlett
Packard Enterprise recommends using this tool when you want to configure several management
processors.
Traditional import utilities
Administrators familiar with tools such as LDIFDE or the NDS Import/Export Wizard can use these
utilities to import or create LOM device directory objects. Administrators must still configure the
devices manually, but can do so at any time. Programmatic or scripting interfaces can be used to
create LOM device objects in the same way as users or other objects. For information about attributes
and attribute data formats when you are creating LOM objects, see the Directory services schema.
More information
Directory services schema on page 349
Directories Support for ProLiant Management Processors (HPLOMIG) on page 333
User login using directory services
The Login Name box on the iLO login page accepts directory users and local users.
The maximum length of the login name is 39 characters for local users and 127 characters for directory
users.
When you connect through the diagnostics port (on a blade server), Zero Sign In and directory user login
are not supported and you must use a local account.