Integrating iLO Login Into Complex Network Directories - HP AB500A - Integrated Lights-Out Advanced Configuration

Planning and configuration recommendations for integrated lights-out processors

"local admin" can access only the rights specified for that role (such as login access and Remote
Console) and only at specified times (such as from 8:00 a.m. to 5:00 p.m.) and locations (such as
from a specific IP address).
Roles can model very complex relationships and it is important to remember that users can be
grouped into one or more roles. An iLO device object in the directory service may have multiple role
objects associated with it. Be aware that a user's total privileges to a device are an accumulation of
privileges from all roles associated with the device. One way to simplify role management is to
associate existing user groups with roles, and then manage the membership of the groups instead of
the membership of the roles.
Finally, any role object that is related to the iLO device should be placed in a partition housed on the
directory server that iLO is referencing. The iLO device reads all of the role objects that manage it, and
if iLO has to contact a different server to read a role object, the result may be a long login latency, or
iLO may be unable to read the role object at all and therefore deny access to a legitimate user.

Integrating iLO login into complex network directories

Many large corporate networks have very sophisticated domain structures, including forests made up of
multiple domain trees. The forest-and-tree model is a structural context for interconnecting multiple
network domains. A tree is a set of domains that share a contiguous namespace, while a forest consists of
one or more domain trees that do not share a namespace. Forest-and-tree implementations become necessary
due to:
• Sheer size and complexity of the organizational structure
• Integration of once separate corporate networks into a single network structure
With either directory services authentication method (default schema or extended schema), scenarios can
arise in which iLO user logins fail to authenticate against the directory because of problems with domain
and forest trust relationships. This is made worse when, as is often the case, iLO user authentication is
added by extending a long-standing schema structure.
When using the default schema method, no new objects are created in the directory structure.
However, iLO uses both the user object and the security group objects of which the user is a member to
authenticate the user and to determine the user's privileges against the directory. For authentication to
work properly, trust relationships must exist between the domain containing the user object and the
domain(s) containing the security group objects of which the user is a member. For most directory
structures this is not an issue, because domains within a domain tree are created with built-in trust
relationships. It can become an issue, however, in complex directory structures consisting of a forest
of separate domain trees, or of several forests, where the required trust may not exist.
In the extended schema method, the directory structure relationships are more complex. When installed,
the iLO schema extensions add two new object classes to the directory schema:
• iLO object
• HPQ Roles object
These new objects interact with the pre-existing user objects when authenticating an iLO user against
the directory. Because these objects are created later, they can end up in different domain trees or
even different forests from the user objects. For login authentication to work in these situations, all
three directory objects (the user, the iLO, and the HPQ Roles) must exist in domain trees and/or forests
that have mutual trust relationships (see Figure 5).
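To make the trust rules above concrete, the following Python model, added here and not part of the HP manual or of the iLO firmware, simulates both lookup paths over a constructed directory. The forest, domain, user, group, role, device and server names are all made up, and the default-schema mapping of directory groups to iLO privileges is assumed to be held on the iLO itself rather than in the directory. The model accumulates privileges across every matching role, refuses a role whose user, iLO and role objects are not in mutually trusting domains, and, following the earlier recommendation about role placement, flags any role object that is not stored on the directory server iLO references.

```python
"""Simulate how an iLO resolves a directory login across domains and trusts.

Added example, not code from HP or from this manual. Every forest, domain,
user, group, role, device and server name below is constructed so the checks
run offline. Two lookup paths are modelled: the default schema (user object +
security group objects; group-to-privilege table assumed to live on the iLO)
and the extended schema (user, iLO device object and HPQ Role objects, which
must sit in mutually trusting domains). Rights from all matching roles add up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


def domain_of(name: str) -> str:
    """Domain part of a constructed 'object@domain' identifier."""
    return name.split("@", 1)[1]


@dataclass(frozen=True)
class Role:
    """An HPQ Role object: who holds it, what it grants, which iLOs it manages."""
    name: str                 # 'role@domain'; the domain is where the object lives
    rights: FrozenSet[str]
    members: FrozenSet[str]   # user or group identifiers
    devices: FrozenSet[str]   # iLO device objects managed by this role


@dataclass
class Directory:
    forests: Dict[str, FrozenSet[str]]         # forest -> its domains (transitive trust inside)
    external_trusts: Set[FrozenSet[str]]       # two-way, non-transitive trusts across forests
    group_members: Dict[str, FrozenSet[str]]   # group -> users
    roles: List[Role]
    ilo_group_rights: Dict[str, Dict[str, FrozenSet[str]]]  # device -> group -> rights (on iLO)
    hosted: Dict[str, FrozenSet[str]]          # directory server -> domain partitions it holds

    def trusts(self, a: str, b: str) -> bool:
        """True when objects in domains a and b can be used together in one lookup."""
        if a == b or any(a in f and b in f for f in self.forests.values()):
            return True
        return frozenset({a, b}) in self.external_trusts

    def resolvable_groups(self, user: str) -> Tuple[Set[str], List[str]]:
        """Groups the user belongs to whose domain the user's domain trusts."""
        groups, errors = set(), []
        for group, members in self.group_members.items():
            if user not in members:
                continue
            if self.trusts(domain_of(user), domain_of(group)):
                groups.add(group)
            else:
                errors.append(f"no trust {domain_of(user)} <-> {domain_of(group)} (group {group})")
        return groups, errors


def default_schema_login(d: Directory, user: str, device: str) -> Tuple[FrozenSet[str], List[str]]:
    """Default schema: rights come from the iLO's own group-to-privilege table."""
    groups, errors = d.resolvable_groups(user)
    rights: Set[str] = set()
    for group in groups:
        rights |= d.ilo_group_rights.get(device, {}).get(group, frozenset())
    return frozenset(rights), errors


def extended_schema_login(d: Directory, user: str, device: str, server: str
                          ) -> Tuple[FrozenSet[str], List[str], List[str]]:
    """Extended schema: each role that manages the device and holds the user (or one
    of the user's groups) contributes its rights, provided the user, device and role
    objects are in mutually trusting domains. A role stored outside the partitions
    hosted by the server iLO references is flagged (extra hop: latency or failure)."""
    groups, errors = d.resolvable_groups(user)
    principals = groups | {user}
    rights: Set[str] = set()
    warnings: List[str] = []
    for role in d.roles:
        if device not in role.devices or not (role.members & principals):
            continue
        doms = {domain_of(user), domain_of(device), domain_of(role.name)}
        missing = [f"{a} <-> {b}" for a in doms for b in doms if a < b and not d.trusts(a, b)]
        if missing:
            errors.append(f"role {role.name} unusable: no trust {', '.join(missing)}")
            continue
        if domain_of(role.name) not in d.hosted.get(server, frozenset()):
            warnings.append(f"role {role.name} is not hosted on {server}")
        rights |= role.rights
    return frozenset(rights), errors, warnings


# Constructed directory: a two-domain forest "corp", a separate "legacy" forest joined
# to corp.example by a non-transitive external trust, and an untrusted "lab" forest.
DEVICE = "ilo-bl460@corp.example"
DIRECTORY = Directory(
    forests={"corp": frozenset({"corp.example", "emea.corp.example"}),
             "legacy": frozenset({"legacy.example"}),
             "lab": frozenset({"lab.example"})},
    external_trusts={frozenset({"corp.example", "legacy.example"})},
    group_members={"ilo-operators@corp.example": frozenset({"alice@corp.example", "bob@legacy.example"}),
                   "vm-users@emea.corp.example": frozenset({"bob@legacy.example"}),
                   "ilo-admins@lab.example": frozenset({"alice@corp.example"})},
    roles=[Role("ops@corp.example", frozenset({"login", "remote_console"}),
                frozenset({"ilo-operators@corp.example"}), frozenset({DEVICE})),
           Role("power@legacy.example", frozenset({"login", "power"}),
                frozenset({"bob@legacy.example"}), frozenset({DEVICE})),
           Role("lab-admin@lab.example", frozenset({"login", "config"}),
                frozenset({"alice@corp.example"}), frozenset({DEVICE}))],
    ilo_group_rights={DEVICE: {"ilo-operators@corp.example": frozenset({"login", "remote_console"}),
                               "vm-users@emea.corp.example": frozenset({"login", "virtual_media"}),
                               "ilo-admins@lab.example": frozenset({"login", "config"})}},
    hosted={"dc1.corp.example": frozenset({"corp.example", "emea.corp.example"})},
)

if __name__ == "__main__":
    for user in ("alice@corp.example", "bob@legacy.example"):
        print(user, default_schema_login(DIRECTORY, user, DEVICE))
        print(user, extended_schema_login(DIRECTORY, user, DEVICE, "dc1.corp.example"))
```

Running it shows the three situations the text describes: alice never receives the config right because the lab forest is trusted by nobody, whether the right is attached to a group (default schema) or to a role (extended schema); bob loses virtual_media because the external trust from legacy.example reaches corp.example but not emea.corp.example; and bob's login still succeeds with the union of the ops and power roles, with the power role flagged because it lives on a partition that dc1.corp.example does not host.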
