User's Manual
Table Of Contents
- HP Remote Insight Lights-Out Edition II User Guide
- Notice
- Contents
- Operational overview
- Installing the RILOE II
- Configuring the RILOE II
- Using the RILOE II
- Accessing RILOE II for the first time
- Features of the RILOE II
- Managing the user and configuration settings of the RILOE II
- Using the Remote Console
- Terminal Services pass-through option
- Using virtual devices
- Resetting the RILOE II to the factory default settings
- Getting help
- Pocket PC access with RILOE II
- RILOE II security
- Systems Insight Manager integration
- Directory services
- Overview of directory integration
- Benefits of directory integration
- How directory integration works
- Advantages and disadvantages of schema-free and HP Extended
- Setup for Schema-free directory integration
- Setting up HP schema directory integration
- Features supported by HP schema directory integration
- Setting up directory services
- Directory services support
- Schema required software
- Schema installer
- Management snap-in installer
- Directory services for Active Directory
- Active Directory Lights-Out management
- Directory services for eDirectory
- User login using directory services
- Directory settings
- Directory-enabled remote management
- Scripting, command line, and utility options
- Overview of the Lights-Out DOS utility
- Lights-Out directories migration utilities
- Compatibility
- Pre-migration checklist
- HP Lights-Out directory package
- HPQLOMIG operation
- Finding management processors
- Upgrading firmware on management processors
- Selecting a directory access method
- Naming management processors
- Configuring directories when HP Extended schema is selected
- Configuring directories when schema-free integration is sele
- Setting up management processors for directories
- HPQLOMGC operation
- Lights-Out Configuration Utility
- Using Perl with the XML scripting interface
- HPONCFG
- Remote Insight command language
- RIBCL sample scripts
- RIBCL general guidelines
- XML header
- Data types
- Response definitions
- RIBCL
- LOGIN
- USER_INFO
- ADD_USER
- DELETE_USER
- GET_USER
- MOD_USER
- GET_ALL_USERS
- GET_ALL_USER_INFO
- RIB_INFO
- RESET_RIB
- GET_NETWORK_SETTINGS
- MOD_NETWORK_SETTINGS
- GET_GLOBAL_SETTINGS
- MOD_GLOBAL_SETTINGS
- CLEAR_EVENTLOG
- UPDATE_RIB_FIRMWARE
- GET_FW_VERSION
- HOTKEY_CONFIG
- DIR_INFO
- GET_DIR_CONFIG
- MOD_DIR_CONFIG
- SERVER_INFO
- RESET_SERVER
- INSERT_VIRTUAL_FLOPPY
- EJECT_VIRTUAL_FLOPPY
- COPY_VIRTUAL_FLOPPY
- GET_VF_STATUS
- SET_VF_STATUS
- GET_HOST_POWER_STATUS
- SET_HOST_POWER
- GET_VPB_CABLE_STATUS
- GET_ALL_CABLES_STATUS
- GET_TWOFACTOR_SETTINGS
- MOD_TWOFACTOR_SETTINGS
- Troubleshooting the RILOE II
- Supported client operating systems and browsers
- Supported hardware and software
- Server PCI Slot and Cable Matrix
- Network connection problems
- Alert and trap problems
- NetWare initialization errors
- Miscellaneous problems
- Accessing System Partition Utilities
- Inability to reboot the server
- Inability to upgrade the RILOE II firmware
- Incorrect time or date of entries in the event log
- Interpreting LED indicators
- Invalid Source IP address
- Login name and password problems
- Remote Console mouse control issue
- Resetting the RILOE II to Factory Default Settings
- Virtual Floppy media applet is unresponsive
- Video Problems
- Troubleshooting the host server
- Directory Services errors
- Directory Services schema
- Technical support
- Regulatory compliance notices
- Acronyms and abbreviations
- Index
Directory-enabled remote management 106
User restrictions
You can restrict access using address or time restrictions.
User address restrictions
Administrators can place network address restrictions on a directory user account, and these restrictions
are enforced by the directory server. Refer to the directory service documentation for details on the
enforcement of address restrictions on LDAP clients, such as a user logging in to a LOM device.
Network address restrictions placed on the user in the directory might not be enforced in the expected
manner if the directory user logs in through a proxy server. When a user logs in to a LOM device as a
directory user, the LOM device attempts authentication to the directory as that user, which means that
address restrictions placed on the user account apply when accessing the LOM device. However,
because the user is proxied at the LOM device, the network address of the authentication attempt is that
of the LOM device, not that of the client workstation.
IP address range restrictions
IP address range restrictions enable the administrator to specify network addresses that are granted or
denied access by the restriction. The address range is typically specified in a low-to-high range format. An
address range can be specified to grant or deny access to a single address. Addresses that fall within the
low to high IP address range meet the IP address restriction.
IP address and subnet mask restrictions
IP address and subnet mask restrictions enable the administrator to specify a range of addresses that are
granted or denied access by the restriction. This format has similar capabilities as an IP address range but
might be more native to your networking environment. An IP address and subnet mask range is typically
specified using a subnet address and address bit mask that identifies addresses that are on the same
logical network.
In binary math, if the bits of a client machine address, added with the bits of the subnet mask, match the
restriction subnet address, then the client machine meets the restriction.
DNS-based restrictions
DNS-based restrictions use the network naming service to examine the logical name of the client machine
by looking up machine names assigned to the client IP addresses. DNS restrictions require a functional
name server. If the name service goes down or cannot be reached, DNS restrictions cannot be matched
and will fail.
DNS-based restrictions can limit access to a single, specific machine name or to machines sharing a
common domain suffix. For example, the DNS restriction, www.hp.com, matches hosts that are assigned
the domain name www.hp.com. However, the DNS restriction, *.hp.com, matches any machine
originating from HP.
DNS restrictions can cause some ambiguity because a host can be multi-homed. DNS restrictions do not
necessarily match one-to-one with a single system.
Using DNS-based restrictions can create some security complications. Name service protocols are
insecure. Any individual with malicious intent and access to the network can place a rogue DNS service
on the network creating fake address restriction criteria. Organizational security policies should be taken
into consideration when implementing DNS-based address restrictions.
How user time restrictions are enforced
Administrators can place a time restriction on directory user accounts. Time restrictions limit the ability of
the user to log in (authenticate) to the directory. Typically, time restrictions are enforced using the time at