HP Integrity iLO 2 Operations Guide
Table Of Contents
- HP Integrity iLO 2 Operations Guide
- Contents
- About This Document
- 1 Introduction to iLO 2
- Features
- Standard Features
- Always-On Capability
- Virtual Front Panel
- Multiple Access Methods
- Security
- User Access Control
- Multiple Users
- IPMI over LAN
- System Management Homepage
- Firmware Upgrades
- Internal Subsystem Information
- DHCP and DNS Support
- Group Actions
- Group Actions Using HP SIM
- SNMP
- SMASH
- SM CLP
- Mirrored Console
- Remote Power Control
- Power Regulation
- Event Logging
- Advanced Features
- Standard Features
- Obtaining and Activating iLO 2 Advanced Pack Licensing
- Supported Systems and Required Components and Cables
- Integrity iLO 2 Supported Browsers and Client Operating Systems
- Security
- Features
- 2 Ports and LEDs
- 3 Getting Connected to iLO 2
- 4 Logging In to iLO 2
- 5 Adding Advanced Features
- Lights-Out Advanced KVM Card for sx2000 Servers
- Lights-Out Advanced KVM card Requirements
- Configuring the Lights-Out Advanced KVM Card
- Lights-Out Advanced KVM Card IRC Feature
- Lights-Out Advanced KVM Card vMedia Feature
- Installing the Lights-Out Advanced KVM Card in a Server
- Lights-Out Advanced KVM Card Quick Setup Steps
- Using Lights-Out Advanced KVM Features
- Mid Range PCI Backplane Power Behavior
- Troubleshooting the Lights-Out Advanced KVM Card
- Core I/O Card Configurations
- Supported PCI-X Slots
- Upgrading the Lights-Out Advanced KVM Card Firmware
- Lights-Out Advanced KVM Card for sx2000 Servers
- 6 Accessing the Host (Operating System) Console
- 7 Configuring DHCP, DNS, LDAP, and Schema-Free LDAP
- 8 Using iLO 2
- Text User Interface
- MP Command Interfaces
- MP Main Menu
- MP Main Menu Commands
- CO (Console): Leave the MP Main Menu and enter console mode
- VFP (Virtual Front Panel): Simulate the display panel
- CM (Command Mode): Enter command mode
- SMCLP (Server Management Command Line Protocol): Switch to the SMASH SMCLP
- CL (Console Log): View the history of the console output
- SL (Show Logs): View events in the log history
- HE (Help): Display help for the menu or command in the MP Main Menu
- X (Exit): Exit iLO 2
- MP Main Menu Commands
- Command Menu
- Command Line Interface Scripting
- Command Menu Commands and Standard Command Line Scripting Syntax
- BP: Reset BMC passwords
- BLADE: Display BLADE parameters
- CA: Configure asynchronous local serial port
- DATE: Display date
- DC (Default Configuration): Reset all parameters to default configurations
- DF: Display FRU information
- DI: Disconnect LAN, WEB, SSH, or Console
- DNS: DNS settings
- FW: Upgrade the MP firmware
- HE: Display help for menu or command in command menu interface
- ID: System information settings
- IT: Inactivity timeout settings
- LC: LAN configuration usage
- LDAP: LDAP directory settings
- LM: License management
- LOC: Locator UID LED configuration
- LS: LAN status
- PC: Power control access
- PM: Power regulator mode
- PR: Power restore policy configuration
- PS: Power status
- RB: Reset BMC
- RS: Reset system through the RST signal
- SA: Set access LAN/WEB/SSH/IPMI over LAN ports
- SNMP: Configure SNMP parameters
- SO: Security option help
- SS: System Status
- SYSREV: Firmware revisions
- TC: System reset through INIT or TOC signal
- TE: Send a message to other mirroring terminals
- UC: User Configuration (users, passwords, and so on)
- WHO: Display a list of iLO 2 connected users
- XD: iLO 2 Diagnostics or reset
- Web GUI
- System Status
- Remote Serial Console
- Integrated Remote Console
- Virtual Media
- Power Management
- Administration
- BL c-Class
- Help
- SMASH Server Management Command Line Protocol
- SM CLP Features and Functionality Overview
- Accessing the SM CLP Interface
- Using the SM CLP Interface
- SM CLP Syntax
- System1 Target
- System Reset Power Status and Power Control
- Map1 (iLO 2) Target
- Text Console Services
- Firmware Revision Display and Upgrade
- Remote Access Configuration
- Network Configuration
- User Accounts Configuration
- LDAP Configuration
- Text User Interface
- 9 Installing and Configuring Directory Services
- Directory Services
- Directory Services for Active Directory
- Directory Services for eDirectory
- Installing and Initializing Snap-In for eDirectory
- Example: Creating and Configuring Directory Objects for Use with iLO 2 Devices in eDirectory
- Directory Services Objects for eDirectory
- Setting Role Restrictions
- Setting Time Restrictions
- Setting Lights-Out Management Device Rights
- Installing Snap-Ins and Extending Schema for eDirectory on a Linux Platform
- Using the LDAP Command to Configure Directory Settings in iLO 2
- User Login Using Directory Services
- Certificate Services
- Directory-Enabled Remote Management
- Directory Services Schema (LDAP)
- Glossary
- Index
Directory-Enabled Remote Management
This section is for administrators who are familiar with directory services and with the iLO 2 product.
To familiarize yourself with the product and services, see “Directory Services” (page 169). Be sure
you understand the examples and are comfortable with setting up the product.
In general, you can use the HP provided snap-ins to create objects. It is useful to give the iLO 2
device objects meaningful names, such as the device's network address, DNS name, host server
name, or serial number.
Directory-enabled remote management enables you to:
• Create iLO 2 objects:
Each device object created represents each device that will use the directory service to
authenticate and authorize users. For more information, see the following sections:
“Directory Services for Active Directory” (page 174)
“Directory Services for eDirectory” (page 184)
• Configure iLO 2 devices:
Every iLO 2 device that uses the directory service to authenticate and authorize users must be
configured with the appropriate directory settings. For details about the specific directory
settings, see “Using the LDAP Command to Configure Directory Settings in iLO 2” (page 193).
In general, each device is configured with the appropriate directory server address, iLO 2
object distinguished name, and any user contexts. The server address is either the IP address
or DNS name of a local directory server, or, for more redundancy, a multihost DNS name.
Using Existing Groups
Many organizations arrange users and administrators into groups. In many cases, it is convenient
to use existing groups and associate these groups with one or more iLO 2 role objects. When the
devices are associated with role objects, you can control access to the iLO 2 devices associated
with the role by adding or deleting members from the groups.
When using Microsoft Active Directory, you can place one group within another, or create nested
groups. Role objects are considered groups and can include other groups directly. To include other
groups directly, add the existing nested group directly to the role and assign the appropriate rights
and restrictions. Add new users to either the existing group or to the role.
Novell™ eDirectory does not allow nested groups. In eDirectory, any user who can read a role is
considered a member of that role. When adding an existing group, organizational unit, or
organization to a role, add the object as a read trustee of the role. All the members of the object
are considered members of the role. Add new users to either the existing object or to the role.
When you use trustee or directory rights assignments to extend role membership, users must be
able to read the iLO 2 object representing the iLO 2 device. Some environments require the trustees
of a role to also be read trustees of the iLO 2 object to successfully authenticate users.
Using Multiple Roles
Most deployments do not require that the same user be in multiple roles managing the same device.
However, these configurations are useful for building complex rights relationships. When building
multiple-role relationships, users receive all the rights assigned by every applicable role. Roles only
grant rights, not revoke them. If one role grants a user a right, the user has the right, even if the
user is in another role that does not grant that right.
Typically, a directory administrator creates a base role with the minimum number of rights assigned
and then creates additional roles to add additional rights. These additional rights are added under
specific circumstances or to a specific subset of the base role users.
196 Installing and Configuring Directory Services