ProLiant Servers (ML,DL,SL)

ILO HP Extended Schema LOM Object Distinguished Name Security Issues

Frequent Advisor

We seem to be having a security issue around the LOM Object Distinguished Name assigned rights. We have unique LOM Objects set up for servers loaded with Windows and servers loaded with LINUX. These Target devices in AD are populated with two of three roles (Admin, Windows Users, LINUX Users) based on the operating system. Each Role has a different AD security group assigned to it. Some of the users assigned to that group are nested into other AD groups. This was previously set up logically based on their role in the company.

WINDOWS TARGETS

Admins ROLE

  • Login
  • Remote Console
  • Virtual Media
  • Server Reset and Power
  • Administer Local User Accounts
  • Administer Local Device Settings

Windows Users Role

  • Login
  • Remote Console
  • Virtual Media

LINUX TARGETS

Admins ROLE

  • Login
  • Remote Console
  • Virtual Media
  • Server Reset and Power
  • Administer Local User Accounts
  • Administer Local Device Settings

LINUX Users Role

  • Login
  • Remote Console
  • Virtual Media

THE PROBLEM

Users assigned to the LINUX Users Role and Windows Users Role are getting the same rights as the Admins Role. Also, removing rights from the Admins Role where the same rights are assigned to either the Windows Users Role or the LINUX Users Role does not take effect unless I also remove the rights from the Windows Users Role or LINUX Users Role, or remove the Windows Users Role or LINUX Users Role from the Target.

2 REPLIES
Honored Contributor

Re: ILO HP Extended Schema LOM Object Distinguished Name Security Issues

What version of HP Directories Support for ProLiant Management Processors did you use to extend the schema?

Versions 3.00, 3.10 and 3.20 may allow inheritable permissions from the parent to propagate down to the HP Role objects. When this happens, non-admin users could log into iLO.

HP Directories Support for ProLiant Management Processors version 3.30 completely disables the propagation of inheritable permissions, but if you already extended the schema using one of the older versions mentioned above, you will have to manually disable these inheritable permissions in your AD and edit out those unwanted permissions on each role you have.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082006

__________________________________________________
I work for Hewlett Packard

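The reply above says the fix on an already-extended schema is to find each HP Role object in AD, check whether it is picking up inheritable permissions from its parent container, and turn that inheritance off. The script below is an added example written for this thread, not code from HP or from either poster. It assumes the HP extended schema stores roles as objects of class hpqRole (adjust the -RoleClass value if your schema uses a different class name), that the RSAT ActiveDirectory module and its AD: drive are available, and that the account running it can read and write the role objects' security descriptors. The audit function only reads; the disable function honours -WhatIf so you can review what would change before committing.

```powershell
# Audit and (optionally) fix ACL inheritance on HP iLO Role objects in AD.
# Added example for this thread; assumes the HP extended-schema role class is 'hpqRole'.
Import-Module ActiveDirectory

function Get-HpqRoleInheritance {
    param(
        # Search base defaults to the whole domain; narrow it to the OU holding your roles.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Assumed HP extended-schema class name for Role objects.
        [string]$RoleClass  = 'hpqRole'
    )

    $roles = Get-ADObject -LDAPFilter "(objectClass=$RoleClass)" -SearchBase $SearchBase

    foreach ($role in $roles) {
        # Get-Acl on the AD: drive returns an ActiveDirectorySecurity descriptor.
        $acl = Get-Acl -Path ("AD:\" + $role.DistinguishedName)

        # ACEs flagged IsInherited came down from a parent container; these are the
        # entries the reply says older schema versions let propagate onto the role.
        $inherited = @($acl.Access | Where-Object { $_.IsInherited })

        [pscustomobject]@{
            Role                = $role.DistinguishedName
            InheritanceEnabled  = -not $acl.AreAccessRulesProtected
            InheritedAceCount   = $inherited.Count
            InheritedIdentities = ($inherited |
                Select-Object -ExpandProperty IdentityReference -Unique) -join '; '
        }
    }
}

function Disable-HpqRoleInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Accepts the Role property emitted by Get-HpqRoleInheritance via the pipeline.
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Role
    )
    process {
        $path = "AD:\$Role"
        $acl  = Get-Acl -Path $path

        # SetAccessRuleProtection(isProtected, preserveInheritance):
        #   $true, $false -> block inheritance from the parent AND drop the ACEs that
        #   were inherited, leaving only the explicit ACEs you set on the role.
        # Use ($true, $true) instead if you want the inherited ACEs converted to
        # explicit ones so you can prune them by hand afterwards.
        $acl.SetAccessRuleProtection($true, $false)

        if ($PSCmdlet.ShouldProcess($Role, 'Disable ACL inheritance and remove inherited ACEs')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage: audit first, then dry-run the fix, then run it for real.
Get-HpqRoleInheritance | Format-Table -AutoSize
Get-HpqRoleInheritance | Where-Object InheritanceEnabled | Disable-HpqRoleInheritance -WhatIf
# Get-HpqRoleInheritance | Where-Object InheritanceEnabled | Disable-HpqRoleInheritance
```

Before running the non-WhatIf form, check that each role still carries an explicit ACE for the administrators who need to manage it, since dropping inherited ACEs removes any admin access that was only arriving by inheritance. Re-run the audit afterwards: every role should report InheritanceEnabled as False and an InheritedAceCount of 0, and any remaining unwanted explicit entries are the ones the reply says have to be edited out on each role individually.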
Frequent Advisor

Re: ILO HP Extended Schema LOM Object Distinguished Name Security Issues

I wasn't involved in the initial install. Our internal documentation says the Targets and Roles were created using the HP ProLiant Management Directories Support Software snap-in provided in SP30658.exe.