iLO 1.50 Directory Authentication - AD Domain Admins access?

SOLVED
Derek_31
Valued Contributor

After doing some testing with iLO 1.50 and AD user/role integration, I found something weird.

It appears, from my testing, that if a user is a Windows Domain Administrator, that they have full iLO admin rights, regardless of them being any role member.

If I remove their domain admin rights and verify they aren't in any iLO roles, iLO doesn't even let them login, which is what I would expect.

I also verified that the domain admins group wasn't a member of any iLO role, or role group.

I find this troubling, since I don't want all domain admins to always have full iLO admin rights.

Have I misconfigured something, or is this the desired HP behavior?
4 REPLIES
Junior Yharte
Trusted Contributor

Re: iLO 1.50 Directory Authentication - AD Domain Admins access?

All iLO access should be granted from the role created. These settings are the same as the local user settings (non directory). Verify that you are actually logging in as a directory user and not the local Administrator account for iLO. Another way to verify is to use the test page and see what the results are. Let me know if you still see problems.
Derek_31
Valued Contributor

Re: iLO 1.50 Directory Authentication - AD Domain Admins access?

I'm certainly logging in as a directory user and it is allowing full domain admin access, and that user is not a member of any iLO role.

For non-domain admins the role access method is in force. I can send a screen shot of the directory test to a private e-mail address.
Junior Yharte
Trusted Contributor
Solution

Re: iLO 1.50 Directory Authentication - AD Domain Admins access?

I had to go try this to make sure I understood what you are seeing and how to explain it to you, so here goes. First of all, Domain Administrators can always just create more roles, create users, modify existing roles, change user passwords, or modify LOM objects to give them back the rights they need. So no matter what you do, there will always be a way back in unless you remove them from the DA list. With that said... we're trying to prevent an Administrator from being included in a specific role, which happens because the Administrator has the rights to read the role object as its owner. You can solve the problem by:

1) Changing the owner of the role to something other than the Administrators Group; perhaps a specific administrator. This may be the best solution.

2) Removing the "read" rights granted to administrators (often the "Creator/OWNER" security principal) on the security tab of the role object.

3) Adding a specific "Deny" "read" for that user to the role, using the security tab of the role object.

4) Adding a "Deny" "read" or removing "read" rights for the particular "hpqLOMRight*" attributes of the role object, using the "Advanced" features of the security tab of the role object. This has the advantage of allowing the administrator to manage the membership and restrictions of the role (though not the rights assigned), without granting them rights.

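Option 4 from the answer above, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the thread and not HP's own tooling: it resolves every schema attribute whose name starts with hpqLOMRight from the schema partition, adds an attribute-scoped Deny ReadProperty ACE for Domain Admins on one role object, and then lists the resulting deny entries for verification. The role DN and domain are placeholders; the attribute GUIDs are looked up rather than assumed.

```powershell
# Added example (not from the thread or HP): implement option 4 above, denying
# "read" on the hpqLOMRight* attributes of an iLO role object so that a
# Domain Admin who can read the role as its owner no longer picks up its rights.
# Assumes RSAT's ActiveDirectory module and permission to edit the role's ACL.
Import-Module ActiveDirectory

# Placeholder DN; replace with the real hpqRole object.
$RoleDN    = 'CN=iLO Admins,OU=iLO Roles,DC=example,DC=local'
$Principal = Get-ADGroup 'Domain Admins'

function Get-HpqLomRightAttributes {
    # Resolve each hpqLOMRight* attribute to its schemaIDGUID; an
    # attribute-scoped ACE must reference the GUID, not the name.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=hpqLOMRight*))' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object {
            [PSCustomObject]@{ Name = $_.lDAPDisplayName; Guid = [Guid]$_.schemaIDGUID }
        }
}

function Add-RoleRightsDenyAce {
    param([string]$Dn, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($attr in Get-HpqLomRightAttributes) {
        # Deny ReadProperty on this one attribute only: the right becomes
        # invisible to this principal while the role's membership and
        # restriction attributes stay readable and manageable.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $attr.Guid)
        $acl.AddAccessRule($ace)
        Write-Verbose "Deny ReadProperty on $($attr.Name) for $Sid"
    }
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

function Get-RoleDenyEntries {
    param([string]$Dn, [System.Security.Principal.SecurityIdentifier]$Sid)
    # Verification: show the deny ACEs now present for the principal.
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $Sid.Value
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

Add-RoleRightsDenyAce -Dn $RoleDN -Sid $Principal.SID -Verbose
Get-RoleDenyEntries   -Dn $RoleDN -Sid $Principal.SID
```

As the answer points out, a domain admin can still reverse this ACL change; the edit removes the implicit rights, it does not keep a determined admin out.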
Derek_31
Valued Contributor

Re: iLO 1.50 Directory Authentication - AD Domain Admins access?

Thanks!