Installation Manual
Directory-enabled remote management (HPE Extended Schema configuration)
This section is for administrators who are familiar with directory services and the iLO product
and want to use the HPE schema directory integration option for iLO.
Directory-enabled remote management enables you to:
• Create Lights-Out Management objects
You must create one LOM device object to represent each device that will use the directory
service to authenticate and authorize users. You can use the Hewlett Packard Enterprise
snap-ins to create LOM objects.
Hewlett Packard Enterprise recommends giving the LOM device objects meaningful names,
such as the device network address, DNS name, host server name, or serial number.
• Configure Lights-Out management devices
Every LOM device that uses the directory service to authenticate and authorize users must
be configured with the appropriate directory settings. In general, you can configure each
device with the appropriate directory server address, LOM object DN, and user contexts.
The server address is the IP address or DNS name of a local directory server or, for more
redundancy, a multihost DNS name.
Roles based on organizational structure
Often, administrators in an organization are placed in a hierarchy in which subordinate
administrators must assign rights independently of ranking administrators. In this case, it is useful
to have one role that represents the rights assigned by higher-level administrators, and to allow
subordinate administrators to create and manage their own roles.
Using existing groups
Many organizations have users and administrators arranged in groups. In many cases, it is
convenient to use the existing groups and associate them with one or more LOM role objects.
When the devices are associated with the role objects, the administrator controls access to the
Lights-Out devices associated with the role by adding or deleting members from the groups.
When you use Microsoft Active Directory, you can place one group within another (that is, use
nested groups). Role objects are considered groups and can include other groups directly. Add
the existing nested group directly to the role, and assign the appropriate rights and restrictions.
You can add new users to either the existing group or the role.
When you use trustee or directory rights assignments to extend role membership, users must
be able to read the LOM object that represents the LOM device. Some environments require that
the trustees of a role also be read trustees of the object to authenticate users successfully.
Using multiple roles
Most deployments do not require the same user to be in multiple roles that manage the same
device. However, such configurations are useful for building complex rights relationships.
When users build multiple-role relationships, they receive all rights assigned by every applicable
role. Roles can only grant rights, never revoke them. If one role grants a user a right, then the
user has the right, even if the user is in another role that does not grant that right.
Typically, a directory administrator creates a base role with the minimum number of rights
assigned, and then creates additional roles to add rights. These additional rights are added under
specific circumstances or to a specific subset of the base role users.
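The two points made under "Using existing groups" and "Using multiple roles" (membership reaches through nested groups, and a user's effective rights on a device are the union of every applicable role's rights, so no role can revoke what another grants) are shown together in the following added Python example. It is not code from this manual or from HPE; the group and role DNs, device names and right labels are constructed sample data, not real schema objects.

```python
from typing import Dict, FrozenSet, Optional, Set

# Constructed sample directory (assumption: not real HPE Extended Schema objects).
# A group maps to its direct members; a member may itself be a group (nesting).
GROUPS: Dict[str, Set[str]] = {
    "cn=ops-team": {"uid=alice", "cn=oncall"},
    "cn=oncall": {"uid=bob"},
    "cn=helpdesk": {"uid=carol", "cn=ops-team"},   # existing group nested in helpdesk
}

# Role objects: members (users or groups), the LOM devices they manage, and the
# rights they grant. admin-role deliberately omits "remote_console" to show that
# membership in it does not take that right away from base-role members.
ROLES = {
    "cn=base-role": {"members": {"cn=helpdesk"},
                     "devices": {"ilo-srv01", "ilo-srv02"},
                     "rights": {"login", "remote_console"}},
    "cn=admin-role": {"members": {"cn=ops-team"},
                      "devices": {"ilo-srv01"},
                      "rights": {"login", "virtual_media", "power", "config"}},
}


def expand_members(name: str, groups: Dict[str, Set[str]],
                   seen: Optional[Set[str]] = None) -> Set[str]:
    """Transitively resolve a member name to the set of user DNs it contains.
    Names not present in `groups` are leaf users. `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    if name not in groups:
        return {name}
    users: Set[str] = set()
    for member in groups[name]:
        users |= expand_members(member, groups, seen)
    return users


def effective_rights(user: str, device: str, roles=ROLES,
                     groups=GROUPS) -> FrozenSet[str]:
    """Union of rights over every role that manages `device` and includes `user`
    (directly or via a nested group). Roles only ever add rights."""
    rights: Set[str] = set()
    for role in roles.values():
        if device not in role["devices"]:
            continue
        members: Set[str] = set()
        for m in role["members"]:
            members |= expand_members(m, groups)
        if user in members:
            rights |= role["rights"]
    return frozenset(rights)


if __name__ == "__main__":
    for who in ("uid=alice", "uid=bob", "uid=carol", "uid=dave"):
        print(who, sorted(effective_rights(who, "ilo-srv01")))
```

bob reaches both roles only through two levels of nesting (oncall inside ops-team inside helpdesk), and alice keeps remote_console on ilo-srv01 even though admin-role does not grant it.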
For example, an organization might have two types of users: Administrators of the LOM device
or host server, and users of the LOM device. In this situation, it makes sense to create two roles,
one for the administrators and one for the users. Both roles include some of the same devices