Home » HP Manuals » Servers » HP Integrity BL870c » Manual Viewer

HP Integrity BL870c HP Integrity iLO 2 Operations Guide, Eleventh Edition - Page 76

Configuring Schema-Free LDAP

View all HP Integrity BL870c manuals

Add to My Manuals
Save this manual to your list of manuals

Page 76 highlights

It assists with installing the schema and snap-ins needed for Active Directory to work with iLO 2 products including Integrity iLO 2. This is for set up and management. It will not do automatic migration for you. For Integrity iLO 2, you must manually add iLO 2 objects to the directory server and set up user accounts and privileges. You can find the tool on the HP website at: http://h20000.www2.hp.com/bizsupport/TechSupport/ SoftwareDescription.jsp?lang=en&cc=US&swItem=MTX-UNITY-I23896 Using directory services after users enter their login and password, the browser sends the cookie to iLO 2. The iLO 2 processor accesses the directory service to determine which roles are available for that user login. iLO 2 first uses the credentials to access the iLO 2 device object in the directory. The directory service returns only the roles for which the user has rights. If the user credentials allow read access to the iLO 2 device object and the role object, iLO 2 determines the role object's distinguished name and the associated user privileges. iLO 2 then calculates the current user privileges based on those roles and grants them to that user. Configuring Schema-Free LDAP IMPORTANT: Due to command syntax changes in schema-free LDAP, some customer-developed scripts may not run. You must change any scripts you developed to enable them to run with the new schema-free LDAP syntax. Integrity iLO 2 schema-free directory integration enables you to use the standard directory schema instead of adding HP's schema to the directory database. You accomplish this by authenticating users from the directory database and authorizing iLO 2 privileges based on matching groups stored on each iLO 2. NOTE: Schema-Free LDAP is available only if you have the iLO 2 Advanced Pack license. In addition to general directory integration benefits, iLO 2 schema-free integration provides the following advantages: • Easy implementation without schema extensions. iLO 2 schema-free integration is configured from any iLO 2 user interface (browser, command line, or script). • Minimal administration and maintenance. - After initial setup, only groups and permissions require maintenance support on iLO 2; typically group and permission changes occur infrequently. - The schema-free approach does not require updating directory databases with new iLO 2 devices objects. • Reliable security. Integrity iLO 2 schema-free integration does not affect standard directory attributes, avoiding conflicting use of attributes that can result over time. • Complements two-factor authentication. Integrity iLO 2 schema-free integration can be used in conjunction with iLO 2 two-factor authentication to provide asset protection using strong authentication. NOTE: If you have already extended your directory with HP schema, there is no need to switch to the schema-free approach. Schema extension provides the lowest maintenance approach for directory integration. Once this process has taken place, there is no advantage for the schema-free approach until a schema change is required. To configure schema-free LDAP, follow these steps: 76 Configuring DHCP, DNS, LDAP, and Schema-Free LDAP

Section	Page
HP Integrity iLO 2 Operations Guide	1
Table of Contents	3
About This Document	15
Intended Audience	15
New and Changed Information in This Edition	15
Publishing History	15
Document Organization	17
Typographic Conventions	18
Related Information	18
HP Contact Information	19
Documentation Feedback	19
1 Introduction to iLO 2	21
Features	21
Standard Features	22
Always-On Capability	22
Virtual Front Panel	22
Multiple Access Methods	22
Security	22
User Access Control	22
Multiple Users	23
IPMI over LAN	23
System Management Homepage	23
Firmware Upgrades	24
Internal Subsystem Information	24
DHCP and DNS Support	24
Group Actions	24
Group Actions Using HP SIM	24
SNMP	24
SMASH	24
SM CLP	25
Mirrored Console	25
Remote Power Control	25
Power Regulation	25
Event Logging	25
Advanced Features	25
Virtual Media	25
Integrated Remote Console	26
Directory-Based Secure Authorization Using LDAP	26
Schema-Free LDAP	26
Power Meter Readings	26
HP Insight Power Manager	26
Obtaining and Activating iLO 2 Advanced Pack Licensing	27
Lights-Out Advanced KVM Card	27
Supported Systems and Required Components and Cables	27
Integrity iLO 2 Supported Browsers and Client Operating Systems	28
Security	28
Protecting SNMP Traffic	29
2 Ports and LEDs	31
HP Integrity Server Blade Components	31
Onboard Administrator	31
HP Integrity rx2660 Server Components	33
HP Integrity rx3600 and rx6600 Server Components	33
iLO 2 MP Status LEDs	34
iLO 2 MP Reset Button	35
Resetting Local User Accounts and Passwords to Default Values	35
Console Serial Port and Auxiliary Serial Port	35
MP LAN Port	36
MP LAN LEDs	36
3 Getting Connected to iLO 2	37
Setup Checklist	38
Setup Flowchart	39
Rackmount Server Connection	40
Preparing to Set Up iLO 2	40
Determining the Physical iLO 2 Access Method	40
Determining the iLO 2 MP LAN Configuration Method	41
Configuring the iLO 2 MP LAN Using DHCP and DNS	41
Configuring the iLO 2 MP LAN Using ARP Ping	42
Configuring the iLO 2 MP LAN Using the Console Serial Port	43
Server Blade Connection	45
Connecting to a Server Blade iLO 2 Using the Console Serial Port	45
Connecting the SUV Cable to the Server Blade	46
Connecting the Server Blade To iLO 2 Using the Onboard Administrator	48
Auto Login	49
Initiating an Auto Login Session	50
Terminating an Auto Login Session	50
User Account Cleanup During IPF Blade Initialization	50
Auto Login Troubleshooting	50
Additional Setup	51
Modifying User Accounts and Default Passwords	51
Setting Up Security	52
Setting Security Access	52
Setting iLO 2 MP LAN From EFI	52
4 Logging In to iLO 2	55
Logging In to iLO 2 Using the Web GUI	55
Logging In to iLO 2 Using the Command Line Interface	55
Network Port Usage	55
5 Adding Advanced Features	57
Lights-Out Advanced KVM Card for sx2000 Servers	57
Lights-Out Advanced KVM card Requirements	58
Configuring the Lights-Out Advanced KVM Card	59
Lights-Out Advanced KVM Card IRC Feature	60
Lights-Out Advanced KVM Card vMedia Feature	60
Installing the Lights-Out Advanced KVM Card in a Server	61
Lights-Out Advanced KVM Card Quick Setup Steps	63
Using Lights-Out Advanced KVM Features	64
Mid Range PCI Backplane Power Behavior	65
Troubleshooting the Lights-Out Advanced KVM Card	65
Core I/O Card Configurations	66
Supported PCI-X Slots	67
Upgrading the Lights-Out Advanced KVM Card Firmware	67
6 Accessing the Host (Operating System) Console	69
Accessing a Text Host Console through iLO 2 Virtual Serial Console	69
Accessing Online Help	70
Accessing a Text Host Console Using the TUI	70
Help System	70
Accessing a Graphic Host Console Using the Integrated Remote Console	71
Accessing a Text Host Console Using SMASH SM CLP	71
7 Configuring DHCP, DNS, LDAP, and Schema-Free LDAP	73
Configuring DHCP	73
Configuring DNS	74
Configuring LDAP Extended Schema	74
Login Process Using Directory Services with Extended LDAP	75
Configuring Schema-Free LDAP	76
Setting Up Directory Security Groups	77
Login Process Using Directory Services Without Schema Extensions	77
LDAP and MP Login for Integrity Cell-Based Servers	78
User Accounts	78
Commands	78
Access Rights	79
Partition User Support Options	82
8 Using iLO 2	83
Text User Interface	83
MP Command Interfaces	83
MP Main Menu	84
MP Main Menu Commands	84
CO (Console): Leave the MP Main Menu and enter console mode	85
VFP (Virtual Front Panel): Simulate the display panel	85
CM (Command Mode): Enter command mode	85
SMCLP (Server Management Command Line Protocol): Switch to the SMASH SMCLP	85
CL (Console Log): View the history of the console output	85
SL (Show Logs): View events in the log history	85
SL Command for Integrity Cell-Based Servers	87
HE (Help): Display help for the menu or command in the MP Main Menu	89
X (Exit): Exit iLO 2	89
Command Menu	89
Command Line Interface Scripting	91
Expect Script Example	91
Command Menu Commands and Standard Command Line Scripting Syntax	93
BP: Reset BMC passwords	93
BLADE: Display BLADE parameters	94
CA: Configure asynchronous local serial port	94
DATE: Display date	95
DC (Default Configuration): Reset all parameters to default configurations	95
DF: Display FRU information	96
DI: Disconnect LAN, WEB, SSH, or Console	96
DNS: DNS settings	96
FW: Upgrade the MP firmware	97
HE: Display help for menu or command in command menu interface	97
ID: System information settings	97
IT: Inactivity timeout settings	98
LC: LAN configuration usage	98
LDAP: LDAP directory settings	99
LDAP: LDAP group administration	100
LDAP: Schema-Free LDAP	101
LM: License management	101
LOC: Locator UID LED configuration	101
LS: LAN status	101
PC: Power control access	101
PM: Power regulator mode	102
PR: Power restore policy configuration	103
PS: Power status	103
RB: Reset BMC	103
RS: Reset system through the RST signal	103
SA: Set access LAN/WEB/SSH/IPMI over LAN ports	104
SNMP: Configure SNMP parameters	104
SO: Security option help	105
SS: System Status	105
SYSREV: Firmware revisions	106
TC: System reset through INIT or TOC signal	106
TE: Send a message to other mirroring terminals	106
UC: User Configuration (users, passwords, and so on)	106
WHO: Display a list of iLO 2 connected users	108
XD: iLO 2 Diagnostics or reset	108
Web GUI	110
System Status	110
Status Summary > General	110
Status Summary > Active Users	111
Status Summary > FW Revisions	112
Server Status > General	113
Server Status > Identification	114
System Event Log	115
Events	116
Remote Serial Console	116
Virtual Serial Port	119
Integrated Remote Console	119
IRC Requirements and Usage	119
Limitations of the IRC Mouse and Keyboard	120
Browsers and Client Operating Systems that Support the IRC	121
IRC-Supported Resolutions and Browser Configurations	121
Microsoft Windows Server 2003 and HP-UX Graphics Resolution Settings for the IRC	121
Server Display Properties	121
Server Mouse Properties	121
Console Settings	121
Enabling X Windows on HP-UX	122
Accessing the IRC	122
Integrated Remote Console Fullscreen	124
Virtual Media	125
Using iLO 2 Virtual Media Devices	125
Virtual CD/DVD	126
Virtual Media CD/DVD Operating System	128
Creating the iLO 2 Disk Image Files	128
Virtual Floppy/USB Key	130
Virtual Media Applet Timeout	131
Supported Operating Systems and USB Support for vMedia	131
Java Plug-in Version	132
Client Operating System and Browser Support for vMedia	132
Power Management	132
Power & Reset	132
Power Meter Readings	133
Power Regulator	135
Administration	137
Firmware Upgrade	137
Licensing	138
User Administration > Local Accounts	139
Group Accounts	140
Access Settings	141
LAN	142
Serial Page	143
Login Options Page	143
Current LDAP Parameters	144
Network Settings	146
Network Settings > Standard	146
Domain Name Server	147
SNMP Settings	148
BL c-Class	149
Help	150
SMASH Server Management Command Line Protocol	152
SM CLP Features and Functionality Overview	152
SM CLP Session	152
Accessing the SM CLP Interface	152
Exiting the SM CLP Interface	153
Changing the iLO 2 Default Interface to SM CLP	153
Using the SM CLP Interface	154
SM CLP Syntax	154
Command Line Terms	154
Command Verbs	155
Command Targets	156
Command Target Properties	156
Command Options	156
Level Option	156
Display Option	157
Character Set, Delimiters, Special, and Reserved Characters	157
System1 Target	158
Target: SYSTEM1	158
System Reset Power Status and Power Control	159
Resetting the System	159
Displaying Power Status	159
Powering Off the System	159
Powering On the System	159
Map1 (iLO 2) Target	160
Target: map1	160
Map1 Example	160
Resetting iLO 2	161
Text Console Services	161
Opening the MP Main Menu from SM CLP	161
Target: map1/textredirectsap1	161
Opening the System Console Interface from SM CLP	161
Target: system1/consoles1/textredirectsap1	161
Switching Between the System Console and the SM CLP	162
Starting a System Console Session	162
Determining the Session Termination Character Sequence for the System Console	162
Exiting the System Console Session and Returning to SM CLP	162
Entering the MP Main Menu Interface From SM CLP	162
Exiting the MP Main Menu Session and Returning to SM CLP	162
Firmware Revision Display and Upgrade	163
SM CLP Firmware Targets	163
Target: map1/swinstallsvc1	163
Target: map1/swinventory1	163
Target: map1/swinventory1/swid#	163
Displaying Firmware Revisions	164
Firmware Upgrade	165
Remote Access Configuration	165
Telnet SM CLP Targets	165
Target: map1/telnetsvc1	165
Telnet Examples	166
SSH	166
Target: map1/sshsvc1	166
SSH Examples	166
Network Configuration	166
SM CLP Network Targets, Properties, and Verbs	166
Target: map1/enetport1	166
Target: map1/enetport1/lanendpt1	167
Target: map1/enetport1/lanendpt1/ipendpt1	167
Target: map1/dhcpendpt1	168
Target: map1/dnsendpt1	168
Target: map1/enetport1/lanendpt1/ipendpt1/gateway1	169
Target: map1/dnsserver1, map1/dnsserver2, map1/dnsserver3	169
Target: map1/settings1/dnssettings1	169
SM CLP Network Command Examples	170
vMedia	171
Setting Up IIS for Scripted vMedia	171
vMedia Functionality on Server Blades and Rack-Mounted Servers	172
Target: map1/oemhp_vm1/cddr1	172
Using Scriptable vMedia on Server Blades and Rack-Mounted Servers	173
Using Scriptable vMedia on Server Blades Only	173
User Accounts Configuration	176
Target: map1/group1	176
Target: map1/group1/account#	176
User Account Examples	177
LDAP Configuration	177
Target: map1/settings1/oemhp_ldapsettings1	177
LDAP Configuration Examples	178
9 Installing and Configuring Directory Services	179
Directory Services	179
Features Supported by Directory Integration	179
Directory Services Installation Prerequisites	180
Installing Directory Services	180
Schema Documentation	180
Directory Services Support	181
eDirectory Installation Prerequisites	181
Required Schema Software	181
Schema Installer	182
Schema Preview Screen	182
Setup Screen	182
Results Screen	183
Management Snap-In Installer	184
Directory Services for Active Directory	184
Active Directory Installation Prerequisites	184
Preparing Directory Services for Active Directory	185
Installing and Initializing Snap-Ins for Active Directory	186
Example: Creating and Configuring Directory Objects for Use with iLO 2 in Active Directory	186
Directory Services Objects	189
Active Directory Snap-Ins	190
Managing HP Devices In a Role	190
Managing Users In a Role	190
Setting Login Restrictions	191
Setting Time Restrictions	192
Defining Client IP Address or DNS Name Access	192
Setting User or Group Role Rights	193
Directory Services for eDirectory	194
Installing and Initializing Snap-In for eDirectory	194
Example: Creating and Configuring Directory Objects for Use with iLO 2 Devices in eDirectory	195
Creating Objects	195
Creating Roles	196
Directory Services Objects for eDirectory	198
Adding Role Managed Devices	198
Adding Members	198
Setting Role Restrictions	199
Setting Time Restrictions	200
Defining Client IP Address or DNS Name Access	200
Setting Lights-Out Management Device Rights	200
Installing Snap-Ins and Extending Schema for eDirectory on a Linux Platform	201
Installing the Java Runtime Environment	201
Installing Snap-Ins	202
Extending Schema	202
Verifying Snap-In Installation and Schema Extension	203
Using the LDAP Command to Configure Directory Settings in iLO 2	203
User Login Using Directory Services	204
Certificate Services	205
Installing Certificate Services	205
Verifying Directory Services	205
Configuring an Automatic Certificate Request	205
Directory-Enabled Remote Management	205
Using Existing Groups	206
Using Multiple Roles	206
Creating Roles that Follow Organizational Structure	207
Restricting Roles	207
Role Time Restrictions	207
IP Address Range Restrictions	208
IP Address and Subnet Mask Restrictions	208
DNS-Based Restrictions	208
Role Address Restrictions	208
Enforcing Directory Login Restrictions	208
Enforcing User Time Restrictions	209
User Address Restrictions	210
Creating Multiple Restrictions and Roles	210
Directory Services Schema (LDAP)	211
HP Management Core LDAP Object Identifier Classes and Attributes	211
Core Classes	211
Core Attributes	211
Core Class Definitions	212
hpqTarget	212
hpqRole	212
hpqPolicy	212
Core Attribute Definitions	212
hpqPolicyDN	213
hpqRoleMembership	213
hpqTargetMembership	213
hpqRoleIPRestrictionDefault	213
hpqRoleIPRestrictions	213
hpqRoleTimeRestriction	214
iLO 2-Specific LDAP OID Classes and Attributes	214
iLO 2 Classes	214
iLO 2 Attributes	214
iLO 2 Class Definitions	215
hpqLOMv100	215
iLO 2 Attribute Definitions	215
hpqLOMRightLogin	215
hpqLOMRightRemoteConsole	215
hpqLOMRightRemoteConsole	216
hpqLOMRightServerReset	216
hpqLOMRightLocalUserAdmin	216
hpqLOMRightConfigureSettings	216
Glossary	217

Match case Limit results 1 per page

It assists with installing the schema and snap-ins needed for Active Directory to work with iLO

2 products including Integrity iLO 2. This is for set up and management. It will not do automatic

migration for you. For Integrity iLO 2, you must manually add iLO 2 objects to the directory

server and set up user accounts and privileges. You can find the tool on the HP website at:

http://h20000.www2.hp.com/bizsupport/T

echSupport/

Softw

areDescription.jsp?lang=en&cc=US&swItem=MTX-UNITY-I23896

Using directory services after users enter their login and password, the browser sends the cookie

to iLO 2. The iLO 2 processor accesses the directory service to determine which roles are available

for that user login. iLO 2 first uses the credentials to access the iLO 2 device object in the directory.

The directory service returns only the roles for which the user has rights. If the user credentials

allow read access to the iLO 2 device object and the role object, iLO 2 determines the role object’s

distinguished name and the associated user privileges. iLO 2 then calculates the current user

privileges based on those roles and grants them to that user.

Configuring Schema-Free LDAP

IMPORTANT:

Due to command syntax changes in schema-free LDAP, some customer-developed

scripts may not run. You must change any scripts you developed to enable them to run with the

new schema-free LDAP syntax.

Integrity iLO 2 schema-free directory integration enables you to use the standard directory

schema instead of adding HP’s schema to the directory database. You accomplish this by

authenticating users from the directory database and authorizing iLO 2 privileges based on

matching groups stored on each iLO 2.

NOTE:

Schema-Free LDAP is available only if you have the iLO 2 Advanced Pack license.

In addition to general directory integration benefits, iLO 2 schema-free integration provides the

following advantages:

•

Easy implementation without schema extensions.

iLO 2 schema-free integration is configured from any iLO 2 user interface (browser, command

line, or script).

•

Minimal administration and maintenance.

—

After initial setup, only groups and permissions require maintenance support on iLO

2; typically group and permission changes occur infrequently.

—

The schema-free approach does not require updating directory databases with new iLO

2 devices objects.

•

Reliable security.

Integrity iLO 2 schema-free integration does not affect standard directory attributes, avoiding

conflicting use of attributes that can result over time.

•

Complements two-factor authentication.

Integrity iLO 2 schema-free integration can be used in conjunction with iLO 2 two-factor

authentication to provide asset protection using strong authentication.

NOTE:

If you have already extended your directory with HP schema, there is no need to switch

to the schema-free approach. Schema extension provides the lowest maintenance approach for

directory integration. Once this process has taken place, there is no advantage for the schema-free

approach until a schema change is required.

To configure schema-free LDAP, follow these steps:

Configuring DHCP, DNS, LDAP, and Schema-Free LDAP