
ILO HP Extended Schema LOM Object Distinguished Name Security Issues

Donald J Wood
Frequent Advisor


We seem to be having a security issue around the LOM Object Distinguished Name assigned rights. We have unique LOM Objects set up for servers loaded with Windows and servers loaded with LINUX. These Target devices in AD are populated with two of three roles (Admin, Windows Users, LINUX Users) based on the operating system. Each Role has a different AD security group assigned to it. Some of the users assigned to that group are nested in other AD groups. This was previously set up logically based on their role in the company.


WINDOWS TARGETS

Admins Role

  • Login
  • Remote Console
  • Virtual Media
  • Server Reset and Power
  • Administer Local User Accounts
  • Administer Local Device Settings

Windows Users Role

  • Login
  • Remote Console
  • Virtual Media

LINUX TARGETS

Admins Role

  • Login
  • Remote Console
  • Virtual Media
  • Server Reset and Power
  • Administer Local User Accounts
  • Administer Local Device Settings

LINUX Users Role

  • Login
  • Remote Console
  • Virtual Media

THE PROBLEM

Users assigned to the LINUX Users Role and Windows Users Role are getting the same rights as the Admins Role. Also, removing rights from the Admins Role where the same rights are assigned to either the Windows Users Role or the LINUX Users Role does not take effect unless I also remove the rights from the Windows Users Role or LINUX Users Role, or remove the Windows Users Role or LINUX Users Role from the Target.

2 REPLIES
Oscar A. Perez
Honored Contributor

Re: ILO HP Extended Schema LOM Object Distinguished Name Security Issues

What version of HP Directories Support for ProLiant Management Processors did you use to extend the schema?


Versions 3.00, 3.10 and 3.20 may allow inheritable permissions from the parent to propagate down to the HP Role objects. When this happens, non-admin users could log into iLO.


HP Directories Support for ProLiant Management Processors version 3.30 completely disables the propagation of inheritable permissions, but if you already extended the schema using one of the older versions mentioned above, then you will have to manually disable these inheritable permissions in your AD and edit out the unwanted permissions on each role you have.


http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082006

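One way to check for, and then fix, the inherited-permission condition described in the reply above, as an added example that is not part of the original thread and not HP's own tooling. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that the HP extended schema's role class has the LDAP display name hpqRole (an assumption; the script verifies that the class exists in the schema before doing anything). Run it without -Apply first, which only reports which role objects still inherit ACEs and from which principals. With -Apply it blocks inheritance on each role object while keeping copies of the currently inherited ACEs as explicit entries, so nothing is silently dropped and the unwanted ones can be reviewed and removed deliberately, per role, as the reply suggests.

```powershell
<#
  Added example (not from the thread or from HP): audit HP extended-schema role
  objects for inherited ACEs and, with -Apply, block inheritance on them.
  Assumptions: ActiveDirectory module present; role class lDAPDisplayName is hpqRole.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,                 # OU holding the HP Roles; defaults to the domain root
    [string]$RoleClass = 'hpqRole',      # assumed class name of HP Role objects
    [switch]$Apply                       # default is report-only
)

Import-Module ActiveDirectory -ErrorAction Stop
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# Confirm the class really exists in this forest's schema before trusting the name.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$classDef = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$RoleClass))"
if (-not $classDef) {
    throw "Class '$RoleClass' not found in schema $schemaNC; check the HP schema extension."
}

$roles = Get-ADObject -SearchBase $SearchBase -LDAPFilter "(objectClass=$RoleClass)" `
    -Properties distinguishedName
if (-not $roles) { Write-Warning "No $RoleClass objects found under $SearchBase"; return }

foreach ($role in $roles) {
    $path = "AD:\$($role.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Inherited ACEs are the ones the reply describes: they arrive from the parent
    # container, not from the HP snap-in, and can grant principals access the role
    # was never meant to give.
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })

    $state = if ($acl.AreAccessRulesProtected) { 'blocked' } else { 'ENABLED' }
    Write-Output ("{0}: inheritance {1}, {2} inherited ACE(s)" -f `
        $role.DistinguishedName, $state, $inherited.Count)

    foreach ($ace in $inherited) {
        Write-Output ("    {0,-40} {1,-6} {2}" -f `
            $ace.IdentityReference, $ace.AccessControlType, $ace.ActiveDirectoryRights)
    }

    if ($Apply -and -not $acl.AreAccessRulesProtected -and
        $PSCmdlet.ShouldProcess($role.DistinguishedName, 'Block ACL inheritance')) {
        # ($true, $true): stop inheriting AND copy the current inherited ACEs as
        # explicit ones, so nothing disappears silently. The unwanted copies must
        # then be removed by hand on each role.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $path -AclObject $acl
        Write-Output "    inheritance blocked; review the explicit ACEs now present on this role"
    }
}
```

Copying the inherited entries rather than discarding them is deliberate: dropping them outright could also remove the permissions the HP snap-in and the iLO service account legitimately rely on. Re-run the script without -Apply afterwards to confirm every role reports inheritance as blocked.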
Donald J Wood
Frequent Advisor

Re: ILO HP Extended Schema LOM Object Distinguished Name Security Issues

I wasn't involved in the initial install. Our internal documentation says the Targets and Roles were created using the HP ProLiant Management Directories Support software snap-in provided in SP30658.exe.