Home » HP Manuals » Desktops » HP Xw460c » Manual Viewer

HP Xw460c HP Integrated Lights-Out 2 User Guide for Firmware 1.75 and 1.77 - Page 141

Schema-free nested groups, Maximum Login Flexibility

Add to My Manuals
Save this manual to your list of manuals

Page 141 highlights

At login time, the login name and user context are combined to make the user's distinguished name. For instance, if the user logs in as "JOHN.SMITH" and a user context is set up as "CN=USERS,DC=HP,DC=COM", then the distinguished name that iLO 2 will try will be "CN=JOHN.SMITH,CN=USERS,DC=HP,DC=COM." Maximum Login Flexibility • Configure iLO 2 as described. • Configure iLO 2 with a DNS name, not an IP address for the directory server's network address. The DNS name must be resolvable to an IP address from both iLO 2 and the client system. • Enable ActiveX controls in your browser. The iLO 2 login script will attempt to call a Windows® control to convert the login name to a distinguished name. Configuring iLO 2 with maximum login flexibility enables you to login using your full distinguished name and password, your name as it appears in the directory, NetBIOS format (domain/login_name), or the e-mail format (login_name@domain). NOTE: Your system security settings or installed software might prevent the login script from calling the Windows® ActiveX control. If this happens, your browser displays a warning message in the status bar, message box, or might stop responding. To help identify what software or setting is causing the problem, create another profile and log in to the system. In some cases, it might not be possible to get the maximum login flexibility option to work. For instance, if the client and iLO 2 are in different DNS domains, one of the two might not be able to resolve the directory server name to an IP address. Schema-free nested groups Many organizations have users and administrators arranged into groups. Having this arrangement of existing groups is convenient because you can associate them with one or more Integrated Lights-Out Management role objects. When the devices are associated with the role objects, you can use the administrator controls to access the Lights-Out devices associated with the role by adding or deleting members from the groups. When using Microsoft® Active Directory, you can place one group within another group, creating a nested group. Role objects are considered groups and can include other groups directly. You can add the existing nested group directly to the role and assign the appropriate rights and restrictions. New users can be added to either the existing group or the role. In previous implementations, only a schema-less user who was a direct member of the primary group was allowed to log in to iLO 2. Using schema-free integration, users who are indirect members (a member of a group which is a nested group of the primary group) are allowed to login to iLO 2. Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is considered a member of that role. When adding an existing group, organizational unit or organization to a role, add the object as a read trustee of the role. All the members of the object are considered members of the role. New users can be added to either the existing object or the role. When using trustee or directory rights assignments to extend role membership, users must be able to read the LOM object representing the LOM device. Some environments require the same trustees of a role to also be read trustees of the LOM object to successfully authenticate users. Directory services 141

Section	Page
HP Integrated Lights-Out 2 User Guide	1
Notice	2
Contents	3
Operational overview	9
Guide overview	9
New in this release of iLO 2	9
iLO 2 overview	10
Differences between iLO 2 and iLO	10
HP Insight Essentials Rapid Deployment Pack integration	11
Server management through IPMI version 2.0 compliant applications	11
WS-Management compatibility overview	12
iLO 2 browser interface overview	13
Supported browsers and client operating systems	13
Supported server operating system software	14
iLO 2 setup	16
Quick setup	16
Preparing to setup iLO 2	16
Connecting to the network	18
Configuring the IP address	18
Logging in to iLO 2 for the first time	19
Setting up user accounts	19
Setting up iLO 2 using iLO 2 RBSU	20
Setting up iLO 2 using the browser-based option	20
Activating iLO 2 licensed features using a browser	20
Installing iLO 2 device drivers	21
Microsoft device driver support	21
Linux device driver support	22
Novell NetWare device driver support	22
Configuring iLO 2	24
iLO 2 configuration overview	24
Upgrading iLO 2 firmware	24
Upgrading iLO 2 using a browser	25
Updating the firmware using the maintenance CD	26
Recovering from a failed iLO 2 firmware update	26
Downgrading the iLO 2 firmware	26
Licensing	26
User administration	28
Adding a new user	29
Viewing or modifying an existing user's settings	31
Deleting a user	31
Group administration	32
Configuring iLO 2 access	33
Services options	33
Terminal Services Passthrough option	35
Enabling the Terminal Services Passthrough option	37
Remote Console and Terminal Services clients	37
Terminal Services troubleshooting	38
Access options	39
iLO 2 Remote Console and Remote Serial Console access	41
Security	41
General security guidelines	42
Password guidelines	42
Securing RBSU	42
iLO 2 Security Override Switch administration	43
Trusted Platform Module support	43
User accounts and access	44
Privileges	44
Login security	44
SSH key administration	45
SSL certificate administration	45
Two-factor authentication	46
Setting up two-factor authentication for the first time	47
Setting up a user for two-factor authentication	49
Two-factor authentication login	49
Using two-factor authentication with directory authenticatio	50
Directory settings	51
Configuring directory settings	52
Directory tests	54
Encryption	54
Encryption settings	55
Connecting to the iLO 2 using AES/3DES encryption	55
HP SIM single sign-on (SSO)	56
Setting up iLO 2 for HP SIM SSO	56
Adding HP SIM trusted servers	57
Setting up HP SIM SSO	58
Remote Console Computer Lock	59
Network	60
Network Settings	61
iLO 2 subsystem name limitations	62
iLO 2 Shared Network Port	62
DHCP/DNS Settings	65
SNMP/Insight Manager settings	66
Enabling SNMP alerts	66
SNMP generated trap definitions	67
Configuring Insight Manager integration	68
ProLiant BL pClass configuration	69
ProLiant BL pClass user requirements	69
Static IP bay configuration	69
Configuring a ProLiant BL pClass blade enclosure	70
Configuring static IP bay settings	70
ProLiant BL pClass standard configuration parameters	71
ProLiant BL pClass advanced configuration parameters	71
Enabling iLO 2 IP address assignment	72
HP BladeSystem setup	72
iLO 2 configuration screen	73
Verify Server RAID Configuration screen	73
Connect Virtual Media screen	74
Install Software screen	74
iLO 2 diagnostic port configuration parameters	74
Using iLO 2	76
System status and status summary information	76
System Information Summary	78
Fans	78
Temperatures	79
Power	79
Processors	80
Memory	80
NIC	80
iLO 2 Log	80
IML	80
Diagnostics	81
Insight Agents	82
iLO 2 Remote Console	83
Remote Console overview and licensing options	84
Remote Console settings	84
Remote console hot keys	86
Supported hot keys	86
Hot keys and international keyboards	88
Hot keys and Virtual Serial Port	88
Integrated Remote Console Fullscreen	88
Integrated Remote Console option	88
Optimizing mouse performance for Remote Console or Integrated Remote Console	91
High Performance Mouse settings	91
Shared Remote Console	93
Using Console Capture	93
Using HP iLO Video Player	94
iLO Video Player user interface	94
iLO Video Player controls	95
Acquiring the Remote Console	96
Remote Console	96
Remote Console features and controls	97
Recommended client settings	98
Recommended server settings	98
Text-based remote console overview	98
Text-based console during POST	99
Text-based console after POST	99
Virtual serial port and remote serial console	102
Virtual media	107
Using iLO 2 Virtual Media devices	108
Virtual Media and Windows 7	108
iLO 2 Virtual Floppy/USBKey	108
iLO 2 Virtual CD/DVD-ROM	112
Creating iLO 2 disk image files	114
Virtual folder	115
Virtual folder operating system notes	115
Power management	116
Server power settings	117
Server power data	119
Processor states	120
Power efficiency	121
Graceful shutdown	122
ProLiant BL pClass Advanced management	122
Rack View	123
Blade configuration and information	124
Enclosure information	125
Power enclosure information	126
Network component information	126
iLO 2 control of ProLiant BL pClass server LEDs	127
Server POST tracking	127
Insufficient power notification	127
ProLiant BL pClass alert forwarding	127
ProLiant BladeSystem HP Onboard Administrator	127
iLO 2 BL c-Class tab	128
Enclosure bay IP addressing	128
Dynamic power capping for server blades	130
iLO 2 Virtual Fan	131
iLO option	131
Web Administration	132
BL pClass and BL c-Class features	132
Directory services	134
Overview of directory integration	134
Benefits of directory integration	134
Advantages and disadvantages of schema-free directories and HP schema directory	135
Schema-free directory integration	136
HP schema directory integration	136
Setup for Schema-free directory integration	138
Active Directory preparation	138
Introduction to certificate services	138
Installing certificate services	138
Verifying certificate services	139
Configuring Automatic Certificate Request	139
Schema-free browser-based setup	139
Schema-free scripted setup	140
Schema-free HPLOMIG-based setup	140
Schema-free setup options	140
Schema-free nested groups	141
Setting up HP schema directory integration	142
Features supported by HP schema directory integration	142
Setting up directory services	142
Schema documentation	143
Directory services support	143
Schema required software	144
Schema installer	144
Schema Preview	145
Setup	145
Results	146
Management snap-in installer	147
Directory services for Active Directory	147
Active Directory installation prerequisites	147
Installing Active Directory on Windows Server 2008	148
Directory services preparation for Active Directory	148
Snap-in installation and initialization for Active Directory	149
Example: Creating and configuring directory objects for use with iLO 2 in Active Directory	150
Directory services objects	152
Active Directory Lights-Out management	156
Directory services for eDirectory	157
eDirectory installation prerequisites	157
Snap-in installation and initialization for eDirectory	157
Example: Creating and configuring directory objects for use with LOM devices in eDirectory	157
Directory Services objects for eDirectory	161
eDirectory Role Restrictions	162
eDirectory Lights-Out Management	164
User login using directory services	165
Directory-enabled remote management	166
Introduction to directory-enabled remote management	166
Creating roles to follow organizational structure	166
Using existing groups	166
Using multiple roles	167
How directory login restrictions are enforced	168
Restricting roles	168
Role time restrictions	168
Role address restrictions	169
User restrictions	169
User address restrictions	169
How user time restrictions are enforced	170
Creating multiple restrictions and roles	170
Using bulk import tools	171
HPQLOMIG directory migration utility	173
Introduction to HPQLOMIG utility	173
Compatibility	173
HP Lights-Out directory package	173
Using HPQLOMIG	174
Finding management processors	174
Upgrading firmware on management processors	176
Selecting a directory access method	177
Naming management processors	178
Configuring directories when HP Extended schema is selected	179
Configuring directories when schema-free integration is selected	180
Setting up management processors for directories	181
HP Systems Insight Manager integration	183
Integrating iLO 2 with HP SIM	183
HP SIM functional overview	183
Establishing SSO with HP SIM	184
HP SIM identification and association	184
HP SIM status	184
HP SIM links	185
HP SIM systems lists	185
Receiving SNMP alerts in HP SIM	186
HP SIM port matching	186
Reviewing Advanced Pack license information in HP SIM	187
Troubleshooting iLO 2	188
iLO 2 POST LED indicators	188
Event log entries	189
Hardware and software link-related issues	192
JVM support	193
Login issues	193
Login name and password not accepted	193
Directory user premature logout	194
iLO 2 Management Port not accessible by name	194
iLO 2 RBSU unavailable after iLO 2 and server reset	194
Inability to access the login page	195
Inability to access iLO 2 using telnet	195
Inability to access virtual media or graphical remote console	195
Inability to connect to iLO 2 after changing network settings	195
Inability to connect to the iLO 2 Diagnostic Port	195
Inability to connect to the iLO 2 processor through the NIC	196
Inability to log in to iLO 2 after installing the iLO 2 certificate	196
Firewall issues	196
Proxy server issues	196
Two-factor authentication error	197
Troubleshooting alert and trap problems	197
Inability to receive HP SIM alarms (SNMP traps) from iLO 2	198
iLO 2 Security Override switch	198
Authentication code error message	198
Troubleshooting directory problems	198
Domain/name format login issues	199
ActiveX controls are enabled and I see a prompt but the domain/name login format does not work	199
User contexts do not appear to work	199
Directory user does not logout after the directory timeout has expires	199
Troubleshooting Remote Console problems	199
Remote Console applet has a red X when running Linux client browser	200
Inability to navigate the single cursor of the Remote Consol to corners of the Remote Console window	200
Remote Console no longer opens on the existing browser session	200
Remote console text window not updating properly	200
Remote Console turns gray or black	201
Remote Serial Console troubleshooting	201
Troubleshooting Integrated Remote Console problems	201
Internet Explorer 7 and a flickering remote console screen	201
Configuring Apache to accept exported capture buffers	202
No console replay while server is powered down	203
Skipping information during boot and fault buffer playback	203
Out of Memory error starting Integrated Remote Console	203
Session leader does not receive connection request when IRC is in replay mode	203
Keyboard LED does not display correctly	203
Inactive IRC	204
IRC Failed to connect to server error message	204
IRC toolbar icons do not update	204
GNOME interface does not lock	205
Repeating keys on the Remote Console	205
Remote Console playback does not work when the host server is powered down	205
Troubleshooting SSH and Telnet problems	205
Initial PuTTY input slow	205
PuTTY client unresponsive with Shared Network Port	205
SSH text support from a Remote Console session	206
Troubleshooting terminal services problems	206
Terminal Services button is not working	206
Terminal Services proxy stops responding	206
Troubleshooting video and monitor problems	206
General guidelines	206
Telnet displays incorrectly in DOS®	206
Video applications not displaying in the Remote Console	207
User interface is not displaying correctly	207
Troubleshooting Virtual Media problems	207
Virtual Media applet has a red X and will not display	207
Virtual Floppy media applet is unresponsive	207
Troubleshooting iLO Video Player problems	207
Video capture file does not play	207
Video capture file plays erratically	208
Troubleshooting Remote Text Console problems	208
Viewing the Linux installer in the text console	208
Passing data through an SSH terminal	208
Troubleshooting miscellaneous problems	208
Cookie sharing between browser instances and iLO 2	208
Shared instances	208
Cookie order behavior	209
Displaying the current session cookie	209
Preventing cookie-related user issues	210
Inability to access ActiveX downloads	210
Inability to get SNMP information from HP SIM	210
Incorrect time or date of the entries in the event log	210
Inability to upgrade iLO 2 firmware	210
Diagnostic steps	211
iLO 2 does not respond to SSL requests	211
Testing SSL	211
Resetting iLO 2	212
Server name still present after ERASE utility is executed	212
Troubleshooting a remote host	212
Directory services schema	213
HP Management Core LDAP OID classes and attributes	213
Core classes	213
Core attributes	213
Core class definitions	213
hpqTarget	213
hpqRole	214
hpqPolicy	214
Core attribute definitions	214
hpqPolicyDN	214
hpqRoleMembership	215
hpqTargetMembership	215
hpqRoleIPRestrictionDefault	215
hpqRoleIPRestrictions	215
hpqRoleTimeRestriction	216
Lights-Out Management specific LDAP OID classes and attributes	217
Lights-Out Management classes	217
Lights-Out Management attributes	217
Lights-Out Management class definitions	217
hpqLOMv100	217
Lights-Out Management attribute definitions	218
hpqLOMRightLogin	218
hpqLOMRightRemoteConsole	218
hpqLOMRightVirtualMedia	218
hpqLOMRightServerReset	219
hpqLOMRightLocalUserAdmin	219
hpqLOMRightConfigureSettings	219
Technical support	220
Support information	220
HP contact information	221
Before you contact HP	221
Acronyms and abbreviations	222

Match case Limit results 1 per page

Directory services 141

At login time, the login name and user context are combined to make the user's distinguished name.

For instance, if the user logs in as "JOHN.SMITH" and a user context is set up as

"CN=USERS,DC=HP,DC=COM", then the distinguished name that iLO 2 will try will be

"CN=JOHN.SMITH,CN=USERS,DC=HP,DC=COM."

Maximum Login Flexibility

•

Configure iLO 2 as described.

•

Configure iLO 2 with a DNS name, not an IP address for the directory server's network address. The

DNS name must be resolvable to an IP address from both iLO 2 and the client system.

•

Enable ActiveX controls in your browser. The iLO 2 login script will attempt to call a Windows®

control to convert the login name to a distinguished name.

Configuring iLO 2 with maximum login flexibility enables you to login using your full distinguished

name and password, your name as it appears in the directory, NetBIOS format

(domain/login_name), or the e-mail format (login_name@domain).

NOTE:

Your system security settings or installed software might prevent the login script from

calling the Windows® ActiveX control. If this happens, your browser displays a warning

message in the status bar, message box, or might stop responding. To help identify what

software or setting is causing the problem, create another profile and log in to the system.

In some cases, it might not be possible to get the maximum login flexibility option to work. For instance, if

the client and iLO 2 are in different DNS domains, one of the two might not be able to resolve the

directory server name to an IP address.

Schema-free nested groups

Many organizations have users and administrators arranged into groups. Having this arrangement of

existing groups is convenient because you can associate them with one or more Integrated Lights-Out

Management role objects. When the devices are associated with the role objects, you can use the

administrator controls to access the Lights-Out devices associated with the role by adding or deleting

members from the groups.

When using Microsoft® Active Directory, you can place one group within another group, creating a

nested group. Role objects are considered groups and can include other groups directly. You can add the

existing nested group directly to the role and assign the appropriate rights and restrictions. New users

can be added to either the existing group or the role.

In previous implementations, only a schema-less user who was a direct member of the primary group was

allowed to log in to iLO 2. Using schema-free integration, users who are indirect members (a member of a

group which is a nested group of the primary group) are allowed to login to iLO 2.

Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is considered

a member of that role. When adding an existing group, organizational unit or organization to a role,

add the object as a read trustee of the role. All the members of the object are considered members of the

role. New users can be added to either the existing object or the role.

When using trustee or directory rights assignments to extend role membership, users must be able to read

the LOM object representing the LOM device. Some environments require the same trustees of a role to

also be read trustees of the LOM object to successfully authenticate users.