
Privileges of group accounts (iLO)

 
Tim Dekker
Occasional Advisor

Privileges of group accounts (iLO)

Hello,

I am trying to configure ILO's.

The XML Script is like this:

<RIBCL VERSION="2.27">

The "User" (DIR_GRPACCT2) gets the privilege to log in to iLO and to monitor the server.
That means:
Administer Group Accounts: Prohibited
Remote Console Access: Prohibited
Virtual Power and Reset: Prohibited
Virtual Media: Prohibited
Configure iLO 2 Settings: Prohibited

What is the value of
Value = 1 allows administering Group Accounts, Value = 2 allows access to remote console, and so on.
What is the value if all is prohibited? I tried "0", "". I know you can prohibit all of the settings via browser, but there has to be a setting for configuring via script.
SamMan
Advisor

Re: Privileges of group accounts (iLO)

Leaving the as is should do what you need.

How I obtained this information is I configured a group in the browser to disable all features. Then using the Get_Directory.XML file in the iLO Script examples I launched CPQLOCFG.EXE and I was able to see the Group privileges and this is what I received for my Test Group:


Tim Dekker
Occasional Advisor

Re: Privileges of group accounts (iLO)

@SamMan: You're right. I did it the same way with the same results, but when I try to configure iLO with the XML script, I receive a mistake that "" is wrong. It doesn't know this command.
SamMan
Advisor
Solution

Re: Privileges of group accounts (iLO)

@Tim,
I tested this and this is what I have come up with. I definitely see what you mean by not recognizing the command. So I just removed that line and sure enough I checked the "Users" group on the web browser as well as ran the Get_Directory.XML using CPQLOCFG.exe and MyTestGroup was there. I can't confirm this, but it seems like by default the Users, Custom1, Custom2, etc. have ALL options Prohibited until you enable them. Try this and see what you get.
Tim Dekker
Occasional Advisor

Re: Privileges of group accounts (iLO)

@SamMan: Excellent idea. I did it the way you suggested and it works. Sure, it would be better to know the command to set all privileges to "prohibited".
However, thank you!
Tim Dekker
Occasional Advisor

Re: Privileges of group accounts (iLO)

A problem remains. When there is, for example, 1 group account with all rights allowed and I want to overwrite it like you described (leaving out the line "DIR_GRPACCT..." for setting all privileges to prohibited), it doesn't change anything. The pre-configured privileges will be taken. So the group account is allowed to do everything, even though the script doesn't give any privileges.
SamMan
Advisor

Re: Privileges of group accounts (iLO)

Man I have been banging my head on this one.
My assumptions towards HP's thinking and design of the iLO Group Account privileges are that if you were to prohibit a group of all privileges then just remove the Group's Security Group Distinguished Name. Now I haven't been able to find out a way to script the name removal but you can script a rename of the Security Group Distinguished Name. Renaming it to "Disabled" or random characters ("c-Mh!&hgTe"). I tested this and it works for me.
From what I can tell in your original post you are wanting to give users in the Administrators group on your domain full privileges and keep those in the Users group out. So by setting your Security Group Distinguished Name as "CN=Administrators,OU=Accounts,OU=domain,DC=domain,DC=com" and not having any other groups set up you will succeed in this, as the iLO will only authenticate users from that group. This is how we do it at our company. We have a specific group that server admins are assigned to and only those select users are able to log in to the iLO, no one else.

I do agree that if something can be done in the browser then it should be able to be done via XML script. Unfortunately I don't think HP has done this.
[Glaubig]
Occasional Visitor

Re: Privileges of group accounts (iLO)

I have successfully set DIR_GRPACCT_X when X is 3, 4, 5, or 6 to an empty string "". For some reason it doesn't work on the first two, but only on older iLO boards (version 1). Later versions of iLO actually reject the empty string entirely. I'm on current firmware as of 6/8/2011 and my iLO environment spans RILOE II through iLO 3.

iLO 3 appears to add an additional permission 6 for a login only privilege that appears to address this problem exactly, to be able to grant a login only session without granting additional privileges. In addition, granting other permissions 1-5 automatically assigns 6. The web GUI is the only option.

However, this isn't available in iLO 2 or earlier and isn't even documented in a PDF I pulled down from May 2011! Examples in the doc have options that aren't even mentioned in the descriptions immediately following the example!

Hey, HP if you're monitoring this, can we get a little consistency here?! If we can set options via a command line, we should be able to unset them and they should be documented. iLO 1 and earlier versions aside, there doesn't appear to be any reason directory settings can't at least be consistent in iLO2 and iLO3.
Oscar A. Perez
Honored Contributor

Re: Privileges of group accounts (iLO)

What firmware versions do you have?

We fixed the empty string issue when removing Directory Group Names and Privileges via XML script in iLO2 2.05 and iLO3 1.20

Latest versions are iLO2 2.06 and iLO3 1.25



[Glaubig]
Occasional Visitor

Re: Privileges of group accounts (iLO)

Oscar, your response is timely, and after I just got done upgrading everything to 2.05 and 1.20 in iLO2 and iLO3 respectively.

I've downloaded the firmware and will let you know results of testing.

Can you confirm please if simply assigning the empty string will work now for removing permissions? Also, there was another portion of my previous post where I had indicated iLO 1 devices would always accept the empty string, but it would silently fail the entire RIBCL command if attempts were made to set privileges on groups 1 or 2 to an empty string. Setting empty strings on groups 3 to 6 would work as expected.
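
Added example, not part of any post in this thread: because an omitted privilege line can leave old privileges in place and an empty string can fail silently, one way to verify the result is to read the directory configuration back (Get_Directory.XML via CPQLOCFG, as described above) and compare it with the intended state. The element names `DIR_GRPACCT<n>_NAME` / `DIR_GRPACCT<n>_PRIV`, the response layout, and the Users group DN are assumptions constructed for the sample.

```python
import re

# Privilege numbers per the thread: 1 Administer Group Accounts, 2 Remote Console
# Access, 3 Virtual Power and Reset, 4 Virtual Media, 5 Configure iLO 2 Settings,
# 6 login only (iLO 3).
# Assumed element naming: DIR_GRPACCT<n>_NAME / DIR_GRPACCT<n>_PRIV with VALUE="...".
_ELEM = re.compile(r'<DIR_GRPACCT(\d+)_(NAME|PRIV)\s+VALUE\s*=\s*"([^"]*)"\s*/?>', re.I)

def parse_groups(output):
    """Return {slot: {"name": str, "privs": set of int}} from the tool's output.
    A regex is used because the output may hold several XML documents in a row."""
    groups = {}
    for slot, kind, value in _ELEM.findall(output):
        g = groups.setdefault(int(slot), {"name": "", "privs": set()})
        if kind.upper() == "NAME":
            g["name"] = value.strip()
        else:
            g["privs"] = {int(p) for p in re.findall(r"\d+", value)}
    return groups

def audit(output, desired):
    """desired maps group DN -> allowed privilege set; returns (slot, issue, privs)."""
    findings = []
    for slot, g in sorted(parse_groups(output).items()):
        if not g["name"]:
            if g["privs"]:
                findings.append((slot, "privileges on unnamed slot", sorted(g["privs"])))
        elif g["name"] not in desired:
            findings.append((slot, "unexpected group " + g["name"], sorted(g["privs"])))
        elif g["privs"] - desired[g["name"]]:
            extra = sorted(g["privs"] - desired[g["name"]])
            findings.append((slot, "excess privileges for " + g["name"], extra))
    return findings

ADMINS = "CN=Administrators,OU=Accounts,OU=domain,DC=domain,DC=com"
USERS = "CN=Users,OU=Accounts,OU=domain,DC=domain,DC=com"  # constructed DN
# Constructed sample output: slot 2 still holds its old privileges.
SAMPLE = f'''<?xml version="1.0"?>
<RIBCL VERSION="2.22"><RESPONSE STATUS="0x0000" MESSAGE="No error"/></RIBCL>
<?xml version="1.0"?>
<RIBCL VERSION="2.22"><GET_DIR_CONFIG>
<DIR_GRPACCT1_NAME VALUE="{ADMINS}"/><DIR_GRPACCT1_PRIV VALUE="1,2,3,4,5"/>
<DIR_GRPACCT2_NAME VALUE="{USERS}"/><DIR_GRPACCT2_PRIV VALUE="1,2,3,4,5"/>
<DIR_GRPACCT3_NAME VALUE=""/><DIR_GRPACCT3_PRIV VALUE=""/>
</GET_DIR_CONFIG></RIBCL>'''

if __name__ == "__main__":
    for finding in audit(SAMPLE, {ADMINS: {1, 2, 3, 4, 5}, USERS: set()}):
        print(finding)
```

Running the audit after every scripted change, on each firmware generation in the fleet, catches the case where the script reports success but the effective privileges did not change.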