Login Process Using Directory Services With HP Default Schema - HP AB500A - Integrated Lights-Out Advanced Technology Brief

HP Integrated Lights-Out security, 6th edition

Figure 7. Login process when using directory services

Login process using directory services with HP default schema

Using the HP Default Schema method (sometimes referred to as the Schema-free method), access to iLO
can be controlled using directories without requiring schema extensions. iLO acquires the user's name
to determine group membership from the directory. iLO then cross-references the group names with its
locally stored names to determine the user's privilege level. iLO must be configured with the appropriate
group names and their associated privileges.

For HP Default Schema login, the user's full distinguished name is required to look up his or her group
memberships. iLO cannot efficiently convert a username into the user's distinguished name (DN). To
do this, an IADsNameTranslate object is created and its Get method is used to retrieve the user's DN. If
ActiveX is enabled, the login script will call IADsNameTranslate to write the DN to a cookie. The
purpose of the login script is to get the user's login credentials (user name and password), get session
information from iLO, and combine these into a security cookie. iLO then uses this cookie to ensure
that the user has access to the pages and resources he or she is trying to use.

If ActiveX is disabled in the browser or the call fails and the name used for login is a DN, then the
login script will work. The login script will also work if this name is only a user object name; then it is
combined with a user context to build a DN. Essentially, if the IADsNameTranslate command is
unavailable, then schema-free login reverts to the operational characteristics of the login process with
HP Schema. See http://msdn2.microsoft.com/en-us/library/Aa706046.aspx for more information and
examples.

The username and password information in the cookie is sufficient for authentication and
authorization using the local account database or the directory using HP schema.

NOTE:
Using IADsNameTranslate allows the user to log in using NetBIOS
format (that is, domain/login name) or email format. Some IT
organizations may prefer to disable ActiveX for security reasons.
See the earlier section about local accounts for details about using
SSL, session keys, and cookies.
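
The following added sketch (not HP's login script or iLO firmware code) models the decisions described above: how a login name becomes a DN with and without IADsNameTranslate, and how directory group names are cross-referenced with the locally stored group table. The function names, the `CN=<name>,<context>` join, the union of privileges across matching groups, and all sample DNs and privilege labels are assumptions constructed for illustration.

```javascript
// Added model of the schema-free login decisions; not HP or iLO code.
const norm = dn => dn.trim().replace(/\s*,\s*/g, ",").toLowerCase();

// `translate` stands in for IADsNameTranslate; pass null to model ActiveX
// being disabled or the call failing.
function resolveLoginName(name, userContexts, translate) {
  if (/^\s*(cn|uid|ou|dc)\s*=/i.test(name)) return { via: "dn", candidates: [name.trim()] };
  const translated = translate ? translate(name) : null;
  if (translated) return { via: "translate", candidates: [translated] };
  // NetBIOS (domain/login) and email formats need the translation step.
  if (/[\\\/@]/.test(name)) return { via: "unresolved", candidates: [] };
  // Bare user object name: combine with each configured user context.
  // The "CN=<name>,<context>" join is an assumption of this sketch.
  return { via: "context", candidates: userContexts.map(c => `CN=${name},${c}`) };
}

// Cross-reference directory group names with the locally stored group table.
// Taking the union over all matching groups is an assumption of this sketch.
function privilegesFor(memberOf, localGroups) {
  const granted = new Set();
  for (const [groupDn, privs] of Object.entries(localGroups)) {
    if (memberOf.some(g => norm(g) === norm(groupDn))) privs.forEach(p => granted.add(p));
  }
  return [...granted].sort();
}

function authorize(name, cfg, directory, translate) {
  const { via, candidates } = resolveLoginName(name, cfg.userContexts, translate);
  const dn = candidates.find(c => directory.has(norm(c)));
  if (!dn) return { via, dn: null, privileges: [] };
  return { via, dn, privileges: privilegesFor(directory.get(norm(dn)), cfg.localGroups) };
}

// Constructed sample data: directory entries, contexts, and privilege labels.
const directory = new Map([
  [norm("CN=jsmith,OU=Ops,DC=example,DC=com"),
   ["CN=iLO-Operators,OU=Groups,DC=example,DC=com", "CN=Staff,OU=Groups,DC=example,DC=com"]],
]);
const cfg = {
  userContexts: ["CN=Users,DC=example,DC=com", "OU=Ops,DC=example,DC=com"],
  localGroups: {
    "cn=ilo-operators,ou=groups,dc=example,dc=com": ["remote-console", "virtual-power"],
    "CN=iLO-Admins,OU=Groups,DC=example,DC=com": ["configure-settings"],
  },
};
// Constructed stand-in for the name translation the directory would perform.
const fakeTranslate = n =>
  (n.toLowerCase() === "example\\jsmith" ? "CN=jsmith,OU=Ops,DC=example,DC=com" : null);
```

With `translate` set to null, only DN and bare object-name logins resolve, which is the behaviour to expect on clients where ActiveX is disabled.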

This manual is also suitable for:

iLO 2 v1.60, iLO v1.91