Installation Manual
DNS-based restrictions can limit access to a specific machine name or to machines that share
a common domain suffix. For example, the DNS restriction www.example.com matches only hosts
that are assigned the domain name www.example.com. By contrast, the DNS restriction
*.example.com matches any machine whose name falls under the example.com domain.
DNS restrictions can be ambiguous because a host can be multihomed, with several names and
addresses; a DNS restriction does not necessarily correspond one to one with a single system.
Using DNS-based restrictions might create security complications. Name service protocols are
not secure. Any individual who has malicious intent and access to the network can place a rogue
DNS service on the network and create a fake address restriction criterion. When implementing
DNS-based address restrictions, consider your organizational security policies.
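The matching rules above, and the reason a reverse lookup alone is a weak basis for the decision, as an added Python example (not from the manual and not iLO's own implementation). The two restriction forms are matched exactly as the text describes; the resolver tables are constructed for the example and stand in for real DNS queries, and requiring the reverse-resolved name to resolve forward to the same address (forward-confirmed reverse DNS) is the assumed mitigation for a planted PTR record. Treating the bare apex name example.com as outside *.example.com is an assumption of this example.

```python
"""Match a client's DNS name against an exact-host or domain-suffix
restriction, and check the name before trusting it.

REVERSE and FORWARD are constructed for this example; a real
implementation would query the system resolver instead.
"""
from typing import Optional

# Constructed reverse (PTR) and forward (A) records.
REVERSE = {
    "203.0.113.10": "www.example.com",
    "203.0.113.11": "build.example.com",
    "198.51.100.7": "www.example.com",   # PTR claims a name this address does not own
}
FORWARD = {
    "www.example.com": {"203.0.113.10"},
    "build.example.com": {"203.0.113.11"},
}


def matches_dns_restriction(hostname: str, pattern: str) -> bool:
    """Return True if hostname satisfies the restriction pattern.

    'www.example.com' matches only that host name; '*.example.com'
    matches any name that ends in '.example.com' (the bare apex
    'example.com' is not matched). Comparison is case-insensitive and
    ignores a trailing dot.
    """
    host = hostname.rstrip(".").lower()
    pat = pattern.rstrip(".").lower()
    if pat.startswith("*."):
        suffix = pat[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pat


def confirmed_client_name(ip: str) -> Optional[str]:
    """Reverse-resolve ip, then require that name to resolve back to ip.

    Returns None when the two disagree, which is what happens when a PTR
    record has been planted for an address the name does not own.
    """
    name = REVERSE.get(ip)
    if name is None:
        return None
    if ip not in FORWARD.get(name, set()):
        return None
    return name


def client_allowed(ip: str, pattern: str) -> bool:
    """Access decision: allow only if the forward-confirmed name matches."""
    name = confirmed_client_name(ip)
    return name is not None and matches_dns_restriction(name, pattern)


if __name__ == "__main__":
    for ip in REVERSE:
        print(ip, "->", confirmed_client_name(ip), client_allowed(ip, "*.example.com"))
```

The forward-confirmation step only narrows the problem: if the attacker controls the zone that the reverse and forward records live in, both lookups agree and the check passes, which is why the text points back to organizational policy rather than treating DNS restrictions as a strong control.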
User time restrictions
Time restrictions limit the ability of a user to log in (authenticate) to the directory. Typically, time
restrictions are enforced using the time at the directory server. If the directory server is located
in a different time zone, or if a replica in a different time zone is accessed, time-zone information
from the managed object can be used to adjust for relative time.
The directory server evaluates user time restrictions, but the determination might be complicated
by time-zone changes or the authentication mechanism.
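How the time-zone adjustment described above changes the outcome, as an added Python example (not from the manual and not the directory server's own logic). The daily window, the zones and the login instants are constructed for the example; fixed UTC offsets are used so that nothing depends on a time-zone database. The window is defined in the zone recorded on the managed object, and the example shows that a replica in another zone gets a different answer unless it evaluates the window in that recorded zone.

```python
"""Evaluate a user time restriction stored as a daily window in the
directory server's local time, for a login that may arrive from a client
or be evaluated by a replica in another zone.

All values below are constructed for this example.
"""
from datetime import datetime, time, timedelta, timezone

# Managed object's zone (the directory server lives in UTC-05:00) and the
# user's restriction: logins allowed from 08:00 to 18:00 in that zone.
SERVER_TZ = timezone(timedelta(hours=-5))
ALLOWED_START = time(8, 0)
ALLOWED_END = time(18, 0)


def login_allowed(login_at: datetime,
                  start: time = ALLOWED_START,
                  end: time = ALLOWED_END,
                  enforce_in: timezone = SERVER_TZ) -> bool:
    """True if login_at falls inside [start, end) expressed in enforce_in.

    login_at must be timezone-aware. It is converted into the enforcing
    zone before the comparison, so the client's own zone is irrelevant.
    A window with start > end (for example 22:00 to 06:00) wraps past
    midnight and is handled as well.
    """
    if login_at.tzinfo is None:
        raise ValueError("login time must be timezone-aware")
    local = login_at.astimezone(enforce_in).time()
    if start <= end:
        return start <= local < end
    return local >= start or local < end  # window wraps past midnight


def replica_decision(login_at: datetime, replica_tz: timezone,
                     managed_object_tz: timezone = SERVER_TZ,
                     adjust: bool = True) -> bool:
    """Decision made by a replica in replica_tz.

    With adjust=True the replica uses the zone recorded on the managed
    object; with adjust=False it wrongly applies the window in its own
    local zone, which is the ambiguity the text warns about.
    """
    zone = managed_object_tz if adjust else replica_tz
    return login_allowed(login_at, enforce_in=zone)


if __name__ == "__main__":
    tokyo = timezone(timedelta(hours=9))
    login = datetime(2024, 3, 1, 3, 0, tzinfo=tokyo)  # 13:00 at the server
    print("server:", login_allowed(login))
    print("replica (UTC+1) adjusted:", replica_decision(login, timezone(timedelta(hours=1))))
    print("replica (UTC+1) unadjusted:", replica_decision(login, timezone(timedelta(hours=1)), adjust=False))
```

The constructed case is a client in UTC+09:00 logging in at 03:00 local time. That is 13:00 at the directory server, inside the window, but 19:00 for a replica in UTC+01:00; the replica must evaluate the window in the managed object's zone to agree with the server.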
Figure 9 User time restrictions
[Figure: user time restrictions are enforced by the directory server. The figure shows a clock at each of the User, the Client Workstation, the Directory Server, and the LOM device.]
Role access restrictions
Restrictions allow administrators to limit the scope of a role. A role grants rights only to users
who satisfy the role restrictions. Using restricted roles results in users who have dynamic rights
that can change based on the time of day or network address of the client.
When directories are enabled, access to an iLO system is based on whether the user has read
access to a role object that contains the corresponding iLO object. This includes, but is not limited
to, the members listed in the role object. If the role is configured to allow inheritable permissions
to propagate from a parent, members of the parent that have read access privileges will also
have access to iLO.
To view the access control list, navigate to Active Directory Users and Computers, open the
Properties page for the role object, and then click the Security tab. The Advanced View must
be enabled in MMC to view the Security tab.
Role-based time restrictions
Administrators can place time restrictions on LOM roles. Users are granted the rights specified
for the LOM devices listed in the role only if they are members of the role and meet the time
restrictions for the role.
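The role evaluation described in the two sections above, as an added Python example (not from the manual and not the LOM firmware's own logic). A user receives a role's rights only when they are a member of the role and the role's restrictions are met; the time restriction is checked against the device's local clock, and because the text says the restriction can be met only if that clock is set, an unset clock yields no rights from a time-restricted role. A client-subnet restriction is included because the text says rights can also depend on the client's network address; the role definitions, user names, clock values and addresses are all constructed for the example.

```python
"""Compute the rights a user effectively holds on a LOM device from a set
of restricted roles. Roles, users, clocks and addresses below are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    members: FrozenSet[str]
    rights: FrozenSet[str]
    window_start: Optional[time] = None      # None: no time restriction
    window_end: Optional[time] = None
    allowed_networks: Tuple[str, ...] = ()   # empty: no address restriction


# Constructed roles: Operators is restricted to office hours and the
# internal network; Auditors carries no restrictions.
ROLES = (
    Role("Operators", frozenset({"alice"}),
         frozenset({"login", "remote_console", "power_control"}),
         time(8, 0), time(18, 0), ("10.0.0.0/8",)),
    Role("Auditors", frozenset({"alice", "bob"}), frozenset({"login"})),
)


def time_restriction_met(role: Role, device_clock: Optional[datetime]) -> bool:
    """Evaluate the role's window against the device's local clock.

    device_clock is None when the LOM clock has never been set; a
    time-restricted role can then never be satisfied.
    """
    if role.window_start is None or role.window_end is None:
        return True
    if device_clock is None:
        return False
    now = device_clock.time()
    if role.window_start <= role.window_end:
        return role.window_start <= now < role.window_end
    return now >= role.window_start or now < role.window_end  # wraps midnight


def address_restriction_met(role: Role, client_ip: str) -> bool:
    """True if the client address lies in one of the role's networks."""
    if not role.allowed_networks:
        return True
    ip = ip_address(client_ip)
    return any(ip in ip_network(net) for net in role.allowed_networks)


def effective_rights(user: str, client_ip: str,
                     device_clock: Optional[datetime],
                     roles=ROLES) -> Set[str]:
    """Union of the rights of every role whose membership and
    restrictions the user satisfies right now, from this client."""
    granted: Set[str] = set()
    for role in roles:
        if user not in role.members:
            continue
        if not time_restriction_met(role, device_clock):
            continue
        if not address_restriction_met(role, client_ip):
            continue
        granted |= role.rights
    return granted


if __name__ == "__main__":
    clock = datetime(2024, 3, 1, 9, 0)
    print(effective_rights("alice", "10.1.2.3", clock))
    print(effective_rights("alice", "10.1.2.3", None))   # LOM clock not set
```

Because the decision is recomputed for each session, the same user can hold different rights at different times of day or from different clients, which is what the text means by dynamic rights; an unset device clock silently removes every time-restricted role, so clock configuration is part of the access-control setup, not an afterthought.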
Role-based time restrictions can be met only if the time is set on the LOM device. LOM devices
use local host time to enforce time restrictions. If the LOM device clock is not set, the role-based
300 Kerberos authentication and Directory services