04-28-2012 07:15 AM - edited 04-28-2012 07:29 AM
ILO HP Extended Schema LOM Object Distinguished Name Security Issues
We seem to be having a security issue around the LOM Object Distinguished Name assigned rights. We have unique LOM Objects set up for servers loaded with Windows and servers loaded with LINUX. These Target devices in AD are populated with two of three roles (Admin, Windows Users, LINUX Users) based on the operating system. Each Role has a different AD security group assigned to it. Some of the users assigned to that group are nested into other AD groups. This was previously set up logically based on their role in the company.
WINDOWS TARGETS
Admins ROLE
- Login
- Remote Console
- Virtual Media
- Server Reset and Power
- Administer Local User Accounts
- Administer Local Device Settings
Windows Users Role
- Login
- Remote Console
- Virtual Media
LINUX TARGETS
Admins ROLE
- Login
- Remote Console
- Virtual Media
- Server Reset and Power
- Administer Local User Accounts
- Administer Local Device Settings
LINUX Users Role
- Login
- Remote Console
- Virtual Media
THE PROBLEM
Users assigned to the LINUX Users Role and Windows Users Role are getting the same rights as the Admins Role. Also, removing rights from the Admins Role where the same rights are assigned to either the Windows Users Role or the LINUX Users Role does not take effect unless I also remove the rights from the Windows Users Role or LINUX Users Role, or remove the Windows Users Role or LINUX Users Role from the Target.
04-28-2012 08:12 AM - edited 04-28-2012 08:16 AM
Re: ILO HP Extended Schema LOM Object Distinguished Name Security Issues
What version of HP Directories Support for ProLiant Management Processors did you use to extend the schema?
Versions 3.00, 3.10 and 3.20 may allow inheritable permissions from the parent to propagate down to the HP Role objects. When this happens, non-admin users could log into iLO.
HP Directories Support for ProLiant Management Processors version 3.30 completely disables the propagation of inheritable permissions, but if you already extended the schema using one of the older versions mentioned above, you will have to manually disable these inheritable permissions in your AD and edit out the unwanted permissions on each role you have.
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082006
__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
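The following is an added example, not part of the reply above and not HP's own tooling: a read-only PowerShell audit that lists which role objects still have ACL inheritance enabled and which trustees hold inherited permissions on them. It assumes the ActiveDirectory RSAT module is available, that the role objects carry the object class `hpqRole` (verify this against your extended schema), and that `OU=iLO,DC=example,DC=com` is a placeholder search base.

```powershell
# Added example: audit ACL inheritance on HP role objects in Active Directory.
# Assumptions: ActiveDirectory module installed; role objects use objectClass
# 'hpqRole' (check your schema); the search base below is a placeholder.
Import-Module ActiveDirectory

function Get-RoleAclInheritance {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [string] $RoleClass = 'hpqRole'
    )
    Get-ADObject -SearchBase $SearchBase -LDAPFilter "(objectClass=$RoleClass)" |
        ForEach-Object {
            # Read the object's security descriptor through the AD: drive.
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            # ACEs that came from a parent container rather than the role itself.
            $inherited = @($acl.Access | Where-Object { $_.IsInherited })
            $detail = $inherited | ForEach-Object {
                '{0} ({1})' -f $_.IdentityReference.Value, $_.ActiveDirectoryRights
            } | Sort-Object -Unique
            [pscustomobject]@{
                Role               = $_.Name
                # AreAccessRulesProtected is $true once inheritance is disabled.
                InheritanceEnabled = -not $acl.AreAccessRulesProtected
                InheritedAceCount  = $inherited.Count
                InheritedTrustees  = $detail -join '; '
            }
        }
}

# Show only the roles that still inherit permissions from their parent.
Get-RoleAclInheritance -SearchBase 'OU=iLO,DC=example,DC=com' |
    Where-Object InheritanceEnabled |
    Format-Table -AutoSize -Wrap
```

The script changes nothing; disabling inheritance and removing the unwanted entries on each role remains the manual step the reply describes.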
04-28-2012 10:48 AM
Re: ILO HP Extended Schema LOM Object Distinguished Name Security Issues
I wasn't involved in the initial install. Our internal documentation says the Targets and Roles were created using the HP ProLiant Management Directories Support Software Snap-in provided in SP30658.exe.