Figure 5. Directory implementation
[Figure: Directory Forest with Two Domain Trees. Labels shown: iLO Role, ABCcorp.com, Users, Sales.ABCCorp.com, Finance.ABCcorp.com]

Configuring iLO to access the directory service

The directory server field can be configured with a DNS name or an IP address. The DNS name can
be the DNS name of a single server or the DNS name of a domain. This field can be configured with
multiple IP addresses or DNS names separated by commas or spaces.

The directory service may be configured to have a single DNS name that points to multiple TCP/IP
addresses. If the directory service is configured for multi-hosting, HP recommends configuring iLO to
access the directory server using the DNS name rather than an IP address. This configuration allows
iLO to attempt a connection with any address returned in the lookup of the DNS name, which can
provide redundancy. This option may be more desirable than using a DNS name that resolves to a
single IP address.

If the administrator configures the directory server addresses using IP addresses or a single-address
DNS name, HP recommends never using the host server of an iLO device as the directory server for
that iLO device. If the server is down, the directory service is down. For example, if the administrator
uses iLO to power off the server, the connection to the directory will be lost. The administrator will be
unable to log in using the directory account and will have to use a local iLO account to power on the
server remotely.

For security, iLO communicates with directory servers using the LDAP protocol over an SSL connection.
Therefore, any plan to attach a directory server for iLO User Authentication must include configuration
to support SSL sessions. Microsoft Active Directory servers are NOT configured for SSL sessions by
default and must be reconfigured to support iLO User Authentication.
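
The guidance above can be checked before a value is typed into the directory server field. The following is an added example, not HP code: it splits a planned field value, resolves each entry, flags the single-address and host-server cases described above, and offers a TLS handshake probe for each resolved address. The function names, the sample names and addresses, and port 636 (the conventional LDAP-over-SSL port, not stated on this page) are assumptions.

```python
import re
import socket
import ssl

def parse_server_field(field):
    """Split the directory server field on commas and/or whitespace."""
    return [e for e in re.split(r"[,\s]+", field.strip()) if e]

def resolve(name):
    """Every address a DNS name (or IP literal) maps to, deduplicated and sorted."""
    infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def review_field(field, host_addrs, resolver=resolve):
    """Resolve each entry and collect findings; host_addrs = the managed server's addresses."""
    entries, findings, reachable = {}, [], set()
    for entry in parse_server_field(field):
        try:
            addrs = resolver(entry)
        except OSError:  # socket.gaierror is a subclass of OSError
            entries[entry] = []
            findings.append(f"{entry}: does not resolve")
            continue
        entries[entry] = addrs
        reachable.update(addrs)
        if len(addrs) == 1 and addrs[0] in host_addrs:
            findings.append(f"{entry}: only address is this iLO's host server")
    if len(reachable) == 1:
        findings.append("field yields a single address: no redundancy")
    if reachable and reachable <= set(host_addrs):
        findings.append("all addresses are the host server: powering it off ends directory login")
    return entries, findings

def ldaps_tls_version(name, addr, port=636, ca_file=None, timeout=3.0):
    """Complete a certificate-verified TLS handshake with one address; return the TLS version."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=name) as tls:
            return tls.version()

# Constructed sample records (documentation-range addresses) standing in for live DNS.
SAMPLE_DNS = {"dir.example.test": ["192.0.2.10", "192.0.2.11"],
              "dc1.example.test": ["192.0.2.20"]}

def sample_resolver(name):
    if name not in SAMPLE_DNS:
        raise OSError(f"no constructed record for {name}")
    return SAMPLE_DNS[name]
```

Against a real directory, call `review_field` with the default resolver and then run `ldaps_tls_version` on every returned address, passing the issuing CA certificate as `ca_file`; a handshake failure on any address means that directory server is not yet accepting SSL sessions.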

Local versus directory accounts

It is important to remember that local iLO user accounts still exist, even after iLO is configured to use
directory services. HP recommends using the local accounts only if the directory service has not been
configured, if the directory service is unavailable, or if the administrator cannot authenticate to the

[Figure 5, remaining labels: ABCHoldings.com, Sales.ABCHoldings.com, Finance.ABCHoldings.com, Two Way Transitive Trust, iLO Role, iLO, Users]