User Address Restrictions; Creating Multiple Restrictions And Roles; Restricting General Use - HP Integrity BL870c Operation Manual

Hp integrity ilo 2 operations guide, eleventh edition

User Address Restrictions

You can place network address restrictions on a directory user account, and the directory server
enforces these restrictions. See the directory service documentation for information about the
enforcement of address restrictions on LDAP clients, such as a user logging in to an iLO 2 device.
Network address restrictions placed on the user in the directory may not be enforced in the
expected manner if the directory user logs in through a proxy server. When a user logs in to an
iLO 2 device as a directory user, the iLO 2 device attempts authentication to the directory as that
user, which means that address restrictions placed on the user account apply when accessing
the iLO 2 device. However, because the user is proxied at the iLO 2 device, the network address
of the authentication attempt is that of the iLO 2 device, not that of the client workstation.

Creating Multiple Restrictions and Roles

The most useful application of multiple roles includes restricting one or more roles so that rights
do not apply in all situations. Other roles provide different rights under different constraints.
Using multiple restrictions and roles enables you to create arbitrary, complex rights relationships
with a minimum number of roles.
For example, an organization might have a security policy in which iLO 2 administrators are
allowed to use the iLO 2 device from within the corporate network but are only able to reset the
server outside of regular business hours.
Directory administrators may be tempted to create two roles to address this situation, but extra
caution is required. Creating a role that provides the required server reset rights and restricting
it only to an after-hours window might allow administrators outside the corporate network to
reset the server, which is contrary to most security policies.
Figure 9-26 shows how security policy dictates that general use is restricted to clients within the
corporate subnet, and server reset capability is additionally restricted to after hours.
Figure 9-26 Restricting General Use
Alternatively, the directory administrator could create a role that grants the login right and
restrict it to the corporate network, and create another role that grants only the server reset right
and restrict it to after-hours operation. This configuration is easier to manage but more dangerous
because ongoing administration can create another role that grants users from addresses outside
the corporate network the login right, which could unintentionally grant the iLO 2 administrators
in the server reset role the ability to reset the server from anywhere, provided they satisfy the
time constraints of that role.
The previous configuration satisfies corporate security policy. However, adding another role
that grants the login right can inadvertently grant server reset privileges from outside the corporate
subnet after hours. A more manageable solution would be to restrict the reset role, as well as the
general use role.
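The interaction described above, as an added model that is not part of the HP guide: roles carry a set of rights plus optional subnet and time-window restrictions, the effective rights are the union of every role whose restrictions the client satisfies, and a server reset requires both the login right and the reset right. The role names, the corporate subnet 10.0.0.0/8, the after-hours window and the client addresses are constructed for illustration.

```python
import ipaddress
from datetime import time


class Role:
    def __init__(self, name, rights, subnets=None, hours=None):
        self.name = name
        self.rights = frozenset(rights)
        # None means any source address; otherwise a list of CIDR strings
        self.subnets = [ipaddress.ip_network(s) for s in subnets] if subnets else None
        # None means any time; otherwise (start, end), and end < start wraps past midnight
        self.hours = hours

    def applies(self, addr, when):
        """True when the client address and time satisfy every restriction on this role."""
        if self.subnets is not None:
            if not any(ipaddress.ip_address(addr) in net for net in self.subnets):
                return False
        if self.hours is not None:
            start, end = self.hours
            in_window = (start <= when < end) if start < end else (when >= start or when < end)
            if not in_window:
                return False
        return True


def effective_rights(roles, addr, when):
    """Union of the rights granted by every role whose restrictions are satisfied."""
    rights = set()
    for role in roles:
        if role.applies(addr, when):
            rights |= role.rights
    return rights


def can_reset(roles, addr, when):
    """A reset needs the login right to reach iLO 2 at all plus the reset right itself."""
    return {"login", "reset"} <= effective_rights(roles, addr, when)


CORP = "10.0.0.0/8"                                      # constructed corporate subnet
AFTER_HOURS = (time(18, 0), time(8, 0))                  # constructed after-hours window
general_use = Role("general_use", {"login"}, subnets=[CORP])
reset_anywhere = Role("reset", {"reset"}, hours=AFTER_HOURS)                  # reset role restricted by time only
reset_corp_only = Role("reset", {"reset"}, subnets=[CORP], hours=AFTER_HOURS)  # reset role also restricted by subnet
remote_login = Role("remote_login", {"login"})                                 # later-added unrestricted login role
NIGHT, NOON, INSIDE, OUTSIDE = time(20, 0), time(12, 0), "10.1.2.3", "203.0.113.5"

if __name__ == "__main__":
    print(can_reset([general_use, reset_anywhere], INSIDE, NIGHT))                 # True
    print(can_reset([general_use, reset_anywhere], OUTSIDE, NIGHT))                # False: no login right
    print(can_reset([general_use, reset_anywhere, remote_login], OUTSIDE, NIGHT))  # True: the leak
    print(can_reset([general_use, reset_corp_only, remote_login], OUTSIDE, NIGHT)) # False: reset role fixed
```

The third call shows the unintended grant the text warns about, and the fourth shows that restricting the reset role to the corporate subnet as well closes it regardless of what login roles are added later.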
210 Installing and Configuring Directory Services
