HP rp3440 HP Integrity and HP 9000 iLO MP Operations Guide, Fifth Edition - Page 119

Directory-enabled remote management enables you to:

• Create iLO MP objects

  Each device object created represents a device that will use the directory service to authenticate and authorize users. For additional information on creating iLO MP device objects, see “Directory Services” (page 91), “Directory Services for Active Directory” (page 96) and, for eDirectory, “Directory Services for eDirectory” (page 107).

  In general, you can use the snap-ins provided by HP to create objects. It is useful to give the iLO MP device objects meaningful names, such as the device's network address, DNS name, host server name, or serial number.

• Configure iLO MP devices

  Every iLO MP device that uses the directory service to authenticate and authorize users must be configured with the appropriate directory settings. For details about the specific directory settings, see “Using the LDAP Command to Configure Directory Settings in iLO MP” (page 116). In general, you configure each device with the appropriate directory server address, iLO MP object distinguished name, and any user contexts. The server address is either the IP address or DNS name of a local directory server, or, for more redundancy, a multihost DNS name.

Using Existing Groups

Many organizations arrange users and administrators into groups. In many cases, it is convenient to use existing groups and associate these groups with one or more iLO MP role objects. When the devices are associated with the role objects, you can control access to the iLO MP devices associated with the role by adding or deleting members from the groups.

When using Microsoft Active Directory, you can place one group within another, or create nested groups. Role objects are considered groups and can include other groups directly. To include other groups directly, add the existing nested group directly to the role and assign the appropriate rights and restrictions. Add new users to either the existing group or to the role.

Novell eDirectory does not allow nested groups. In eDirectory, any user who can read a role is considered a member of that role. When adding an existing group, organizational unit, or organization to a role, add the object as a read trustee of the role. All the members of the object are considered members of the role. Add new users to either the existing object or to the role.

When you use trustee or directory rights assignments to extend role membership, users must be able to read the iLO MP object representing the iLO MP device. Some environments require the trustees of a role to also be read trustees of the iLO MP object to successfully authenticate users.

Using Multiple Roles

Most deployments do not require that the same user be in multiple roles managing the same device. However, these configurations are useful for building complex rights relationships. When building multiple-role relationships, users receive all the rights assigned by every applicable role. Roles only grant rights, never revoke them. If one role grants a user a right, the user has the right, even if the user is in another role that does not grant that right.

Typically, a directory administrator creates a base role with the minimum number of rights assigned and creates additional roles to add additional rights. These additional rights are added under specific circumstances or to a specific subset of the base role users.

For example, an organization might have two types of users: administrators of the iLO MP device or host server, and users of the iLO MP device. In this situation, it makes sense to create two roles, one for the administrators and one for the users. Both roles include some of the same devices, but grant different rights. Sometimes, it is useful to assign generic rights to the lesser role, and include the iLO MP administrators in both that role and the administrative role.
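The two rules above (membership reached through existing groups, which may be nested in Active Directory but not in eDirectory, where read trustees of the role count as members; and effective rights being the union of every applicable role, with no role ever revoking a right) can be checked against a small model of the directory before any change is made on real role objects. The following Python is an added example and is not HP's code or part of this guide; the DNs, group names and right names (login, remote_console, power, configure_ilo) are constructed placeholders and are not the rights iLO MP actually defines.

```python
"""Effective-rights model for directory-based iLO MP roles.

Added illustration, not HP code. Rules modelled from the guide:
  * Role membership can come through existing groups. Active Directory
    allows nested groups; eDirectory does not, and there any object that is
    a read trustee of the role counts as a member.
  * A user's rights are the union over every role the user falls in.
    Roles only grant rights; they never revoke them.
All directory data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    dn: str
    members: frozenset  # user DNs, or (Active Directory only) nested group DNs


@dataclass(frozen=True)
class Role:
    dn: str
    rights: frozenset        # rights this role grants (names are placeholders)
    members: frozenset       # user or group DNs added directly to the role
    read_trustees: frozenset = frozenset()  # eDirectory: objects that can read the role


def expand_members(dn, groups, allow_nesting, seen=None):
    """Return the user DNs reachable from `dn`.

    A DN that is not a known group is treated as a user. With
    allow_nesting=False (eDirectory) a group inside a group is ignored,
    because the directory does not treat it as a member."""
    seen = set() if seen is None else seen
    if dn in seen:          # guard against group membership cycles
        return set()
    seen.add(dn)
    group = groups.get(dn)
    if group is None:
        return {dn}
    users = set()
    for member in group.members:
        if member in groups:
            if allow_nesting:
                users |= expand_members(member, groups, allow_nesting, seen)
        else:
            users.add(member)
    return users


def role_members(role, groups, directory):
    """Users who are effectively members of `role` under the given directory type."""
    sources = set(role.members)
    if directory == "edirectory":
        sources |= role.read_trustees      # read trustees are members in eDirectory
    nesting = directory == "active_directory"
    users = set()
    for dn in sources:
        users |= expand_members(dn, groups, nesting)
    return users


def effective_rights(user_dn, roles, groups, directory):
    """Union of the rights of every role the user belongs to; never subtractive."""
    rights = set()
    for role in roles:
        if user_dn in role_members(role, groups, directory):
            rights |= role.rights
    return frozenset(rights)


# Constructed sample directory (placeholder DNs and right names).
BASE = "ou=ops,dc=example,dc=com"
ALICE = f"cn=alice,{BASE}"
BOB = f"cn=bob,{BASE}"
OPS_ADMINS = f"cn=ops-admins,{BASE}"
OPS_ALL = f"cn=ops-all,{BASE}"

GROUPS = {
    OPS_ADMINS: Group(OPS_ADMINS, frozenset({ALICE})),
    OPS_ALL: Group(OPS_ALL, frozenset({BOB, OPS_ADMINS})),   # nests ops-admins
}

# Lesser role with generic rights; administrative role grants only the extra rights.
ILO_USERS = Role(f"cn=ilo-users,{BASE}", frozenset({"login", "remote_console"}),
                 frozenset({OPS_ALL}))
ILO_ADMINS = Role(f"cn=ilo-admins,{BASE}", frozenset({"power", "configure_ilo"}),
                  frozenset({OPS_ADMINS}))
ROLES_AD = [ILO_USERS, ILO_ADMINS]

# eDirectory variant: ops-admins reaches the lesser role as a read trustee,
# since nesting it inside ops-all is not honoured there.
ILO_USERS_EDIR = Role(ILO_USERS.dn, ILO_USERS.rights, ILO_USERS.members,
                      read_trustees=frozenset({OPS_ADMINS}))
ROLES_EDIR = [ILO_USERS_EDIR, ILO_ADMINS]


if __name__ == "__main__":
    for label, roles, directory in (("AD", ROLES_AD, "active_directory"),
                                    ("eDir, nesting only", ROLES_AD, "edirectory"),
                                    ("eDir, read trustee", ROLES_EDIR, "edirectory")):
        for user in (ALICE, BOB):
            print(label, user, sorted(effective_rights(user, roles, GROUPS, directory)))
```

Running the same role data through both directory types shows why an eDirectory deployment must add the administrators' group as a read trustee of the lesser role where an Active Directory deployment could rely on nesting, and why a user who sits in both the lesser role and the administrative role ends up with the union of the two rights sets.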
Directory-Enabled Management 119