HP rp3440 HP Integrity and HP 9000 iLO MP Operations Guide, Fifth Edition - Page 46
Login Process Using Directory Services with Extended LDAP, Configuring LDAP Lite Default Schema
Login Process Using Directory Services with Extended LDAP

You can choose to enable directory services to authenticate users and authorize user privileges for groups of iLO MPs. The iLO MP directory services feature uses the industry-standard LDAP. HP layers LDAP on top of SSL to transmit the directory services information securely to the directory servers.

More information about directory services is available from the HP web site at: http://www.hp.com/servers/lights-out

With directory services, after a user enters their login and password, the browser sends the cookie to the iLO MP. The iLO MP accesses the directory service to determine which roles are available for that user login. The iLO MP first uses the credentials to access the iLO MP device object in the directory. The directory service returns only the roles for which the user has rights. If the user credentials allow read access to the iLO MP device object and the role object, the iLO MP determines the role object's distinguished name and the associated user privileges. The iLO MP then calculates the current user privileges based on those roles and grants them to that user.

Configuring LDAP Lite Default Schema

The iLO MP schema-free directory integration enables you to use the standard directory schema instead of adding HP's schema to the directory database. You accomplish this by authenticating users from the directory database and authorizing iLO MP privileges based on matching groups stored on each iLO MP.

NOTE: The LDAP feature is available only if you have the iLO MP Advanced Pack license.

In addition to general directory integration benefits, the iLO MP schema-free integration provides the following advantages:

• Easy implementation without schema extensions. The iLO MP schema-free integration is configured from any iLO MP user interface (browser, command line, or script).
• Minimal administration and maintenance:
  - After initial setup, only groups and permissions require maintenance support on iLO MPs; typically, group and permission changes occur infrequently.
  - The schema-free approach does not require updating directory databases with new iLO MP device objects.
• Reliable security. iLO MP schema-free integration does not affect standard directory attributes, avoiding conflicting use of attributes that might result over time.
• Complements two-factor authentication. iLO MP schema-free integration can be used in conjunction with iLO MP two-factor authentication to provide asset protection using strong authentication.

NOTE: If you have already extended your directory with HP schema, there is no need to switch to the schema-free approach. Schema extension provides the lowest-maintenance approach for directory integration, and once this process has taken place, there is no advantage to the schema-free approach until a schema change is required.

To configure LDAP Lite, follow these steps:

1. Follow the procedure for "Configuring LDAP Extended Schema" (page 44), but omit step 8. It is not necessary to enter a new port number.
2. Set up directory security groups.

46 Configuring DHCP, DNS, LDAP, and LDAP Lite
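The schema-free authorization described above (the directory authenticates the user; privileges come from matching groups stored on each iLO MP) can be modeled offline to review who ends up with which privileges. This is an added example, not HP or iLO MP code: the group DNs, user names, privilege names, and the DN comparison rule are all constructed assumptions.

```python
# Added illustration: a model of schema-free authorization, not iLO MP firmware code.
# Group DNs, user names and privilege names below are constructed for the example.

def normalize_dn(dn):
    """Assumed comparison rule: case-insensitive, spaces around ',' and '=' ignored.
    Simplification: escaped commas inside attribute values are not handled."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(s.strip() for s in p.split("=", 1)).lower() for p in parts)

def effective_privileges(user_groups, mp_groups):
    """Union of the privileges of every locally stored group the user belongs to.

    user_groups: group DNs the directory reports for the authenticated user.
    mp_groups:   {group DN: set of privileges} as stored on one iLO MP.
    An empty result means the directory login succeeded but nothing is authorized.
    """
    local = {normalize_dn(dn): privs for dn, privs in mp_groups.items()}
    granted = set()
    for dn in user_groups:
        granted |= local.get(normalize_dn(dn), set())
    return granted

def audit(directory, mp_groups, sensitive=frozenset({"user_admin", "mp_config"})):
    """Return ({user: sorted privileges}, [users holding a sensitive privilege])."""
    report, flagged = {}, []
    for user, groups in sorted(directory.items()):
        privs = effective_privileges(groups, mp_groups)
        report[user] = sorted(privs)
        if privs & sensitive:
            flagged.append(user)
    return report, flagged

# Constructed sample data: groups stored on one iLO MP and directory memberships.
MP_GROUPS = {
    "CN=MP-Admins,OU=Groups,DC=example,DC=com": {"console", "power", "mp_config", "user_admin"},
    "CN=MP-Operators,OU=Groups,DC=example,DC=com": {"console", "power"},
}
DIRECTORY = {
    "alice": ["cn=mp-admins, ou=Groups, dc=example, dc=com"],
    "bob": ["CN=MP-Operators,OU=Groups,DC=example,DC=com", "CN=Staff,OU=Groups,DC=example,DC=com"],
    "carol": ["CN=Staff,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    report, flagged = audit(DIRECTORY, MP_GROUPS)
    for user, privs in report.items():
        print(f"{user}: {', '.join(privs) or '(no iLO MP privileges)'}")
    print("holds sensitive privileges:", flagged)
```

Because the group list lives on each iLO MP, the same review has to be repeated per device whenever its stored groups differ.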