
ILO2 - Change password without User Admin priv?

 
Brad McCusker
Respected Contributor

ILO2 - Change password without User Admin priv?

Hello,

I'm working with some RX6600 and RX3600 servers, ILO2. We want to add a couple users to the MP and allow those users to only perform a subset of functions. We do not want them to be able to add/remove users so we do not give them "Local User Administration" privilege.

But, it seems that without "Local User Administration" privilege, they can't change their password. Is that right? Did I miss something?

I can't believe that the only way for a user to change his/her password is to have the user admin priv. If that is in fact reality, can anyone offer an explanation that would help explain why HP would design it this way?

Thanks in advance

Brad McCusker




Brad McCusker
Software Concepts International
Brad McCusker
Respected Contributor

Re: ILO2 - Change password without User Admin priv?

Wow - I thought for sure someone would have chimed in and reminded me about the x?x?x? command to change the passwords.

The fact that no one has said anything at all tells me that I am observing the expected behavior.
Brad McCusker
Software Concepts International
Stefan Stechemesser
Honored Contributor

Re: ILO2 - Change password without User Admin priv?

Hi Brad,

Indeed, there is no way to change any user setting (including one's own password) if a user does not have "Local User Administration" privileges (no, I do not know why it was designed this way).
But if you assign this right, then this user can also change settings of other users.

Maybe LDAP authentication could be an option for you, but this would require the advanced pack license.


BR

Stefan
Sameer_Nirmal
Honored Contributor

Re: ILO2 - Change password without User Admin priv?

Yes, you are right in saying a user has to have "user" privilege to change his own password. As you mentioned already, you don't want to do that as the privilege allows a user to modify other user accounts.

Allow me to reply about Stefan's previous response. Maybe someone can correct me if I am wrong.

I don't think LDAP will provide the help on the matter you are looking for. It would help to restrict the privilege/right based on a defined role. The restrictions are provided through specifying DNS name, IP address, ranges of IP addresses, or time. However, the user has to have "user" privilege/right anyway for the password change. This is because the rights are pre-defined in the iLO2 firmware itself.

Now why would HP design it that way? It looks like the answer is for "security" and centralized control. Refer to the iLO2 white paper available at http://h71028.www7.hp.com/ERC/downloads/c00767076.pdf

In case the LDAP role-based administration sounds good to you, you can try the 30-day free iLO Advance Evaluation license as mentioned in the document. Later, if you think it is useful and can be implemented in your environment, you can buy the permanent license.