In general, you can use the HP-provided snap-ins to create objects. It is useful to give the iLO 2 MP device objects meaningful names, such as the device's network address, DNS name, host server name, or serial number.

Directory-enabled remote management enables you to:

Create iLO 2 MP objects:

Each device object created represents each device that will use the directory service to authenticate and authorize users. For more information, see the following sections:

“Directory Services for Active Directory” (page 152)
“Directory Services for eDirectory” (page 163)

Configure iLO 2 MP devices:

Every iLO 2 MP device that uses the directory service to authenticate and authorize users must be configured with the appropriate directory settings. For details about the specific directory settings, see “Using the LDAP Command to Configure Directory Settings in the iLO 2 MP” (page 171). In general, each device is configured with the appropriate directory server address, iLO 2 MP object distinguished name, and any user contexts. The server address is either the IP address or DNS name of a local directory server, or, for more redundancy, a multihost DNS name.

Using Existing Groups

Many organizations arrange users and administrators into groups. In many cases, it is convenient to use existing groups and associate these groups with one or more iLO 2 MP role objects. When the devices are associated with role objects, you can control access to the iLO 2 MP devices associated with the role by adding or deleting members from the groups.

When using Microsoft Active Directory, you can place one group within another, or create nested groups. Role objects are considered groups and can include other groups directly. To include other groups directly, add the existing nested group directly to the role and assign the appropriate rights and restrictions. Add new users to either the existing group or to the role.

Novell eDirectory does not allow nested groups. In eDirectory, any user who can read a role is considered a member of that role. When adding an existing group, organizational unit, or organization to a role, add the object as a read trustee of the role. All the members of the object are considered members of the role. Add new users to either the existing object or to the role.

When you use trustee or directory rights assignments to extend role membership, users must be able to read the iLO 2 MP object representing the iLO 2 MP device. Some environments require the trustees of a role to also be read trustees of the iLO 2 MP object to successfully authenticate users.

Using Multiple Roles

Most deployments do not require that the same user be in multiple roles managing the same device. However, these configurations are useful for building complex rights relationships. When building multiple-role relationships, users receive all the rights assigned by every applicable role. Roles only grant rights, not revoke them. If one role grants a user a right, the user has the right, even if the user is in another role that does not grant that right.

Typically, a directory administrator creates a base role with the minimum number of rights assigned and then creates additional roles to add additional rights. These additional rights are added under specific circumstances or to a specific subset of the base role users.
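The grant-only union rule described above, as an added example that is not code from the HP manual: a small Python model that resolves nested Active Directory group membership and computes a user's effective iLO 2 MP rights as the union of every applicable role. The group and role DNs, user names and right labels are constructed for the example, not values from the manual.

```python
"""Effective-rights model for iLO 2 MP directory roles (constructed example)."""
from typing import Dict, Optional, Set, Tuple

# Constructed Active Directory groups: group DN -> direct members
# (user names or nested group DNs). AD permits nesting, eDirectory does not.
GROUPS: Dict[str, Set[str]] = {
    "cn=ilo-users,ou=groups,dc=example,dc=com": {
        "alice", "bob", "cn=ilo-admins,ou=groups,dc=example,dc=com"},
    "cn=ilo-admins,ou=groups,dc=example,dc=com": {"carol"},
}

# Constructed iLO 2 MP role objects: role DN -> (members, rights granted).
# Right labels are hypothetical, not the manual's own right names.
ROLES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "cn=ilo-base-role,ou=roles,dc=example,dc=com": (
        {"cn=ilo-users,ou=groups,dc=example,dc=com"}, {"login", "console"}),
    "cn=ilo-admin-role,ou=roles,dc=example,dc=com": (
        {"cn=ilo-admins,ou=groups,dc=example,dc=com"},
        {"login", "power", "configure"}),
}


def expand_group(group: str, groups: Dict[str, Set[str]],
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """Return every user reachable from a group, following nested groups.
    The 'seen' set guards against membership cycles."""
    seen = seen if seen is not None else set()
    if group in seen or group not in groups:
        return set()
    seen.add(group)
    users: Set[str] = set()
    for member in groups[group]:
        if member in groups:               # nested group: recurse
            users |= expand_group(member, groups, seen)
        else:                              # leaf entry: a user
            users.add(member)
    return users


def effective_rights(user: str, roles=ROLES, groups=GROUPS) -> Set[str]:
    """Union of rights from every role the user reaches, directly or through
    nested groups. Roles only grant rights; no role can revoke one."""
    rights: Set[str] = set()
    for members, granted in roles.values():
        if any(user == m or user in expand_group(m, groups) for m in members):
            rights |= granted
    return rights


if __name__ == "__main__":
    for name in ("alice", "carol", "dave"):
        print(name, sorted(effective_rights(name)))
```

Because ilo-admins is nested inside ilo-users, carol reaches both roles and ends up with the base rights plus the admin rights, while the base role lacking "power" does not take it away from her.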

For example, an organization might have two types of users: administrators of the iLO 2 MP device or host server, and users of the iLO 2 MP device. In this situation, it makes sense to create two roles, one for the administrators and one for the users. Both roles include some of the same

174 Installing and Configuring Directory Services

HP Integrity iLO 2 MP 5991-6005 manual Using Existing Groups, Using Multiple Roles