
Using HP Roles with iLO2 LDAP integration

branfarm
Advisor

Hi there,

I have Active Directory extended with the HP management schemas and I have followed all the necessary steps to configure LDAP authentication to AD. My setup even works, for the most part. My problem is that I created two roles, and no matter what I do, users get the combination of permissions from both roles.

In my setup, I created two roles:

-- iLOAdmins (Full Control)
-- iLOUsers (Login Only)

I have assigned users to each role, and each role is assigned to the iLO device I would like to manage. Whenever I log in with a user from the iLOUsers group, they earn full admin rights. If I delete or remove the iLOAdmins role, then they only have login permissions. It seems like iLO is combining permissions unnecessarily.

Can anyone help with this issue?

Thanks in advance,

--Brandon
4 REPLIES
pratap m keshava
Trusted Contributor

Re: Using HP Roles with iLO2 LDAP integration

You need to create two separate sets of users: one set belonging to iLOAdmins and the other set belonging to iLOUsers. Users need to be part of only one of the Roles. Users of a particular group will get the permissions assigned for that Role.

When users are part of multiple roles, they will get a combination of all the permissions set for each role. I don't think it is wise for iLO to randomly decide to provide the permissions set for a Role when a user is part of multiple Roles. Is there a way to decide which Roles should be given preference given a combination of Roles?
branfarm
Advisor

Re: Using HP Roles with iLO2 LDAP integration

Thanks for the reply. When I said I assigned users to each role, I should've clarified and said that I assigned separate users to each role -- I definitely don't have one user assigned to both roles. For one of my tests, I had no users assigned to the iLOAdmins role, and I had my user assigned to the iLOUsers role. When I did the directory settings test, it showed both roles, and granted me full admin permissions.
pratap m keshava
Trusted Contributor

Re: Using HP Roles with iLO2 LDAP integration

Ok, now it is more clear.

Is it happening only with test settings? Which permissions are assigned when the user logs into iLO2? Say a member of iLOUsers logs into iLO2, which permission is he getting?

What is the version of iLO2 you are using and which directory server?
branfarm
Advisor

Re: Using HP Roles with iLO2 LDAP integration

It seems like no matter what group a user is a member of, they get the permissions from both groups. For example, user JSmith is assigned to be in the iLOUsers group, but when he logs in he gets admin rights.

Keep in mind, though, that both sets of permissions are only inherited when both roles are assigned to the device I'm testing on. If I remove the device from the iLOAdmin group, and only have it associated with the iLOUsers group, then JSmith (iLOUsers) gets the correct permissions. If both iLOAdmins and iLOUsers have the device associated, then JSmith will get admin permissions even though he's not a member of the iLOAdmins group.