Using Existing Groups; Using Multiple Roles - HP Integrity BL870c Operation Manual

HP Integrity iLO 2 Operations Guide, Eleventh Edition
In general, you can use the HP provided snap-ins to create objects. It is useful to give the iLO 2
device objects meaningful names, such as the device's network address, DNS name, host server
name, or serial number.
Directory-enabled remote management enables you to:
Create iLO 2 objects:
Each device object created represents one device that will use the directory service to
authenticate and authorize users. For more information, see the following sections:
"Directory Services for Active Directory" (page 184)
"Directory Services for eDirectory" (page 194)
Configure iLO 2 devices:
Every iLO 2 device that uses the directory service to authenticate and authorize users must
be configured with the appropriate directory settings. For details about the specific directory
settings, see "Using the LDAP Command to Configure Directory Settings in iLO 2" (page 203).
In general, each device is configured with the appropriate directory server address, iLO 2
object distinguished name, and any user contexts. The server address is either the IP address
or DNS name of a local directory server, or, for more redundancy, a multihost DNS name. When
you use a multihost name, every directory server behind it must replicate the iLO 2 schema
extensions and the iLO 2 and role objects; otherwise authentication results depend on which
replica answers the query.

Using Existing Groups

Many organizations arrange users and administrators into groups. In many cases, it is convenient
to use existing groups and associate these groups with one or more iLO 2 role objects. When the
devices are associated with role objects, you can control access to the iLO 2 devices associated
with the role by adding or deleting members from the groups.
When using Microsoft Active Directory, you can place one group within another, that is, create
nested groups. Role objects are considered groups and can include other groups directly: add the
existing group directly to the role and assign the appropriate rights and restrictions to the role.
Add new users to either the existing group or to the role. Because membership is resolved through
every level of nesting, a user added anywhere inside a nested group gains the rights of every role
that contains that group, so review the full nested membership of a group before reusing it in a
role.
Novell™ eDirectory does not allow nested groups. In eDirectory, any user who can read a role
is considered a member of that role. When adding an existing group, organizational unit, or
organization to a role, add the object as a read trustee of the role. All the members of the object
are considered members of the role. Add new users to either the existing object or to the role.
Because read access alone confers membership, keep read rights on role objects tightly scoped: a
read right inherited from a parent container, or granted to a broad object such as [Public],
silently extends the role to everyone it covers.
When you use trustee or directory rights assignments to extend role membership, users must be
able to read the iLO 2 object representing the iLO 2 device. Some environments require the
trustees of a role to also be read trustees of the iLO 2 object to successfully authenticate users.

Using Multiple Roles

Most deployments do not require that the same user be in multiple roles managing the same
device. However, these configurations are useful for building complex rights relationships. When
building multiple-role relationships, users receive all the rights assigned by every applicable
role. Roles only grant rights, not revoke them. If one role grants a user a right, the user has the
right, even if the user is in another role that does not grant that right. A role therefore cannot
act as a deny: to take a right away from a user, remove the user from every role that grants it.
Typically, a directory administrator creates a base role with the minimum number of rights
assigned and then creates additional roles to add rights, either under specific circumstances or
for a specific subset of the base role's users.
For example, an organization might have two types of users: administrators of the iLO 2 device
or host server, and users of the iLO 2 device. In this situation, it makes sense to create two roles,
one for the administrators and one for the users. Both roles include some of the same devices,
but grant different rights. It is often useful to assign the generic rights to the lesser role and to
include the iLO 2 administrators in both that role and the administrative role.
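The membership and rights rules described in the two sections above, as an added example that is not code from the HP guide: a small Python model of nested group expansion (the Active Directory case; for eDirectory the same walk would run over each role's read trustees) and of the rights union across multiple roles, together with the audit query a practitioner actually wants, "who ends up holding this right". The directory snapshot, DNs, group names and right names are constructed placeholders for this example, not values from the iLO 2 schema or any real deployment, and the nesting cycle between two groups is deliberate.

```python
"""Effective-rights audit for iLO 2 directory roles.

Added example, not code from the HP iLO 2 Operations Guide. It models the two
rules the guide states: role membership is reached through nested groups (or,
in eDirectory, through read-trustee assignments on the role), and a user's
rights are the union of every applicable role's rights, since roles only grant
and never revoke.

All DNs, group names and right names below are constructed placeholders.
"""
from typing import Dict, FrozenSet, Set

USERS_ROLE = "CN=iLO-Users,OU=Roles,DC=example,DC=com"
ADMINS_ROLE = "CN=iLO-Admins,OU=Roles,DC=example,DC=com"
OPS_GROUP = "CN=Ops-Staff,OU=Groups,DC=example,DC=com"
HELPDESK_GROUP = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
SRVADM_GROUP = "CN=Server-Admins,OU=Groups,DC=example,DC=com"
ALICE = "CN=alice,OU=Users,DC=example,DC=com"
BOB = "CN=bob,OU=Users,DC=example,DC=com"
CAROL = "CN=carol,OU=Users,DC=example,DC=com"
DAVE = "CN=dave,OU=Users,DC=example,DC=com"  # member of nothing

# Constructed membership graph: container DN -> direct members. Roles appear as
# containers because in Active Directory a role object is treated as a group.
# For eDirectory, the same table would hold each role's read trustees instead.
DIRECTORY: Dict[str, FrozenSet[str]] = {
    USERS_ROLE: frozenset({OPS_GROUP, ADMINS_ROLE}),  # admins also hold the lesser role
    ADMINS_ROLE: frozenset({SRVADM_GROUP}),
    OPS_GROUP: frozenset({ALICE, HELPDESK_GROUP}),
    HELPDESK_GROUP: frozenset({BOB, OPS_GROUP}),      # deliberate nesting cycle
    SRVADM_GROUP: frozenset({CAROL}),
}

# Rights granted by each role object (hypothetical right names).
ROLE_RIGHTS: Dict[str, FrozenSet[str]] = {
    USERS_ROLE: frozenset({"login", "remote_console"}),
    ADMINS_ROLE: frozenset({"login", "remote_console", "virtual_media",
                            "server_reset", "configure_ilo", "administer_users"}),
}


def expand_members(container: str, directory: Dict[str, FrozenSet[str]] = DIRECTORY) -> Set[str]:
    """Every DN reachable from `container` through nested membership.

    Iterative walk with a seen-set, so a group that directly or indirectly
    contains itself does not loop forever; such cycles do occur in real AD.
    """
    seen: Set[str] = set()
    stack = [container]
    while stack:
        for member in directory.get(stack.pop(), frozenset()):
            if member not in seen:
                seen.add(member)
                stack.append(member)
    return seen


def roles_for(user: str, role_rights=ROLE_RIGHTS, directory=DIRECTORY) -> Set[str]:
    """Roles whose expanded membership includes `user`, however deeply nested."""
    return {role for role in role_rights if user in expand_members(role, directory)}


def effective_rights(user: str, role_rights=ROLE_RIGHTS, directory=DIRECTORY) -> FrozenSet[str]:
    """Union over all applicable roles. No role can subtract a right: to take
    one away, the user must leave every role that grants it."""
    rights: Set[str] = set()
    for role in roles_for(user, role_rights, directory):
        rights |= role_rights[role]
    return frozenset(rights)


def holders_of(right: str, role_rights=ROLE_RIGHTS, directory=DIRECTORY) -> Set[str]:
    """Leaf objects (users) that end up with `right` through any role.
    This is the auditor's question: who, after all nesting, can reset the server?"""
    holders: Set[str] = set()
    for role, rights in role_rights.items():
        if right in rights:
            holders |= {dn for dn in expand_members(role, directory) if dn not in directory}
    return holders


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL, DAVE):
        print(user, sorted(effective_rights(user)))
    print("server_reset:", sorted(holders_of("server_reset")))
```

Against a live directory the membership table would be filled from a recursive member query (Active Directory can do the nesting server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, OID 1.2.840.113556.1.4.1941), but the rule the model enforces is the point: because a restrictive role cannot deny what another role grants, audit by right rather than by role.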
