HP Integrated Lights-Out Security, 7th edition

Login process using directory services with HP schema extensions
You can enable directory services to authenticate users and to authorize user privileges for groups of
iLO management processors. iLO directory services use the industry-standard Lightweight Directory
Access Protocol (LDAP/LDAPS). HP layers LDAP on top of SSL so that the directory services
information is transmitted securely to the directory servers.
Figure 6 shows the steps for the login process using directory services.
Figure 6. Login process when using directory services
Login process using directory services with HP default schema
You can also control access to iLO using the HP Default Schema method (sometimes referred to as the
schema-free method). You can use this method only if you configure iLO with the appropriate group names
and their associated privileges. iLO acquires the user's name from the directory to determine group
membership, then cross-references the group names with its locally stored names to determine the
user's privilege level.
The HP default schema login requires the user's full distinguished name (DN) to look up his or her group
memberships. iLO cannot efficiently convert a username into the user's DN. Instead, iLO creates an
IADsNameTranslate object and uses the Get method to retrieve the user's DN. If ActiveX is enabled, the
login script calls IADsNameTranslate to write the DN to a cookie. The login script gets the user's
login credentials (user name and password), gets session information from iLO, and combines these
into a security cookie. iLO uses this cookie to ensure that the user has access to the pages and
resources he or she is trying to use.
Some IT organizations may prefer to disable ActiveX for security reasons. If ActiveX is disabled in the
browser, or if the call fails, the login script still works when the name used for login is a DN. The
login script also works if the name used is only a user object name: iLO combines the user object
name with a user context to build a DN. If the IADsNameTranslate command is unavailable, the HP Default
login process reverts to the login process for the HP Schema. See
http://msdn2.microsoft.com/en-us/library/Aa706046.aspx for more information and examples.
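The schema-free authorization step described above, as an added example that is not HP's or iLO's code: a login name is turned into a DN (used as-is if it already is one, otherwise combined with each configured user context), and the groups the directory reports for that DN are cross-referenced with the group names stored locally to compute the privilege set. The directory contents, user contexts, group names and privilege names are constructed for illustration.

```python
# Added example (not HP/iLO code): models the HP Default Schema lookup
# described above. Directory contents, contexts and privilege names are
# constructed stand-ins; DN matching is simplified to exact string compare.
from typing import Dict, List, Optional, Set

# Constructed stand-in for the directory: user DN -> DNs of groups the user is in.
DIRECTORY: Dict[str, List[str]] = {
    "CN=jsmith,OU=Admins,DC=example,DC=com": [
        "CN=iLO Admins,OU=Groups,DC=example,DC=com",
        "CN=Remote Console,OU=Groups,DC=example,DC=com",
    ],
    "CN=operator,OU=Staff,DC=example,DC=com": [
        "CN=Remote Console,OU=Groups,DC=example,DC=com",
        "CN=Unrelated Group,OU=Groups,DC=example,DC=com",  # not configured on iLO
    ],
}

# Group names stored locally on iLO with their associated privileges
# (the configuration the schema-free method requires).
LOCAL_GROUPS: Dict[str, Set[str]] = {
    "CN=iLO Admins,OU=Groups,DC=example,DC=com": {"login", "admin", "config", "power"},
    "CN=Remote Console,OU=Groups,DC=example,DC=com": {"login", "console"},
}

# User contexts that iLO combines with a bare user object name to build a DN.
USER_CONTEXTS: List[str] = ["OU=Admins,DC=example,DC=com", "OU=Staff,DC=example,DC=com"]


def resolve_dn(login_name: str) -> Optional[str]:
    """Return the user's DN: the login name itself if it is already a DN,
    otherwise the first user context under which the object name exists."""
    if "=" in login_name:  # already a distinguished name
        candidates = [login_name]
    else:
        candidates = [f"CN={login_name},{ctx}" for ctx in USER_CONTEXTS]
    return next((dn for dn in candidates if dn in DIRECTORY), None)


def privileges_for(login_name: str) -> Set[str]:
    """Union of privileges of the user's groups that iLO knows locally.
    Groups the directory returns but iLO has not configured grant nothing."""
    dn = resolve_dn(login_name)
    if dn is None:
        return set()  # unknown user: no privileges, so no login
    privs: Set[str] = set()
    for group in DIRECTORY[dn]:
        privs |= LOCAL_GROUPS.get(group, set())
    return privs
```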
NOTE: iLO 3 does not use ActiveX to do authentication and does not use the IADsNameTranslate control.
Figure 6 (login process using directory services), shown as the sequence of steps between the client browser and iLO:
1. Client browser attaches and goes to SSL.
2. iLO returns the login page with a session key.
3. User enters login credentials; the browser creates a cookie.
4. Cookie is returned to iLO with the request for the index page.
5. iLO extracts the credentials from the cookie.
6. iLO accesses the directory with the user's credentials and reads the roles.
7. The directory service returns only the roles the user has rights to.
8. iLO calculates the current user's privileges based on the roles.
9. iLO returns the index (status page).