Privileges of group accounts (iLO)
05-27-2010 01:59 AM
I am trying to configure iLOs.
The XML script is like this:
<RIBCL VERSION="2.27">
The "User" (DIR_GRPACCT2) gets the privilege to log in to iLO and to monitor the server.
That means:
Administer Group Accounts: Prohibited
Remote Console Access: Prohibited
Virtual Power and Reset: Prohibited
Virtual Media: Prohibited
Configure iLO 2 Settings: Prohibited
What is the value of
Value = 1 allows administering Group Accounts, Value = 2 allows access to remote console, and so on.
What is the value if all is prohibited? I tried "0" and "". I know you can prohibit all of the settings via the browser, but there has to be a setting for configuring via script.
06-28-2010 08:59 AM
Re: Privileges of group accounts (iLO)
How I obtained this information is I configured a group in the browser to disable all features. Then using the Get_Directory.XML file in the iLO Script examples I launched CPQLOCFG.EXE and I was able to see the Group privileges and this is what I received for my Test Group:
07-16-2010 02:24 AM
Re: Privileges of group accounts (iLO)
07-16-2010 07:29 AM
Solution
I tested this and this is what I have come up with. I definitely see what you mean by not recognizing the command. So I just removed that line
08-09-2010 11:10 PM
Re: Privileges of group accounts (iLO)
However, thank you!
08-11-2010 12:53 AM
Re: Privileges of group accounts (iLO)
10-11-2010 09:37 AM
Re: Privileges of group accounts (iLO)
My assumptions towards HP's thinking and design of the iLO Group Account privileges are that if you were to prohibit a group of all privileges then just remove the Group's Security Group Distinguished Name. Now I haven't been able to find out a way to script the name removal but you can script a rename of the Security Group Distinguished Name. Renaming it to "Disabled" or random characters ("c-Mh!&hgTe"). I tested this and it works for me.
From what I can tell in your original post, you are wanting to give users in the Administrators group on your domain full privileges and keep those in the Users group out. So by setting your Security Group Distinguished Name as "CN=Administrators,OU=Accounts,OU=domain,DC=domain,DC=com" and not having any other groups set up, you will succeed in this, as the iLO will only authenticate users from that group. This is how we do it at our company. We have a specific group that server admins are assigned to and only those select users are able to log in to the iLO, no one else.
I do agree that if something can be done in the browser then it should be able to be done via XML script. Unfortunately I don't think HP has done this.
06-08-2011 07:46 AM
Re: Privileges of group accounts (iLO)
iLO 3 appears to add an additional permission 6 for a login only privilege that appears to address this problem exactly, to be able to grant a login only session without granting additional privileges. In addition, granting other permissions 1-5 automatically assigns 6. The web GUI is the only option.
However, this isn't available in iLO 2 or earlier and isn't even documented in a PDF I pulled down from May 2011! Examples in the doc have options that aren't even mentioned in the descriptions immediately following the example!
Hey HP, if you're monitoring this, can we get a little consistency here?! If we can set options via a command line, we should be able to unset them and they should be documented. iLO 1 and earlier versions aside, there doesn't appear to be any reason directory settings can't at least be consistent in iLO 2 and iLO 3.
06-08-2011 08:10 AM
Re: Privileges of group accounts (iLO)
We fixed the empty string issue when removing Directory Group Names and Privileges via XML script in iLO2 2.05 and iLO3 1.20.
Latest versions are iLO2 2.06 and iLO3 1.25.
06-09-2011 12:10 PM
Re: Privileges of group accounts (iLO)
I've downloaded the firmware and will let you know results of testing.
Can you confirm please if simply assigning the empty string will work now for removing permissions? Also, there was another portion of my previous post where I had indicated iLO 1 devices would always accept the empty string, but it would silently fail the entire RIBCL command if attempts were made to set privileges on groups 1 or 2 to an empty string. Setting empty strings on groups 3 to 6 would work as expected.
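
Added example, not part of any post in this thread: a Python check that parses a directory configuration read-back (the kind obtained with Get_Directory.XML, as described in an earlier reply) and flags group privileges beyond what is intended, which catches a privilege change that failed silently. The sample read-back, its element layout, the Users group DN and the policy table are constructed assumptions; privilege numbers 3 to 5 are assumed to follow the order of the list in the question.

```python
import re
# Privilege numbers: 1 and 2 are stated in the thread, 3-5 are assumed to follow
# the order of the question's list, 6 is the iLO 3 login privilege from a reply.
PRIVS = {1: "Administer Group Accounts", 2: "Remote Console Access",
         3: "Virtual Power and Reset", 4: "Virtual Media",
         5: "Configure iLO Settings", 6: "Login"}

# Constructed read-back, not real device output; the element layout is assumed.
SAMPLE = """
<GET_DIR_CONFIG>
  <DIR_GRPACCT1_NAME VALUE="CN=Administrators,OU=Accounts,OU=domain,DC=domain,DC=com"/>
  <DIR_GRPACCT1_PRIV VALUE="1,2,3,4,5"/>
  <DIR_GRPACCT2_NAME VALUE="CN=Users,OU=Accounts,OU=domain,DC=domain,DC=com"/>
  <DIR_GRPACCT2_PRIV VALUE="2,4"/>
  <DIR_GRPACCT3_NAME VALUE=""/>
  <DIR_GRPACCT3_PRIV VALUE="3"/>
</GET_DIR_CONFIG>
"""

# Hypothetical policy: group DN -> privilege numbers it is allowed to hold.
POLICY = {
    "CN=Administrators,OU=Accounts,OU=domain,DC=domain,DC=com": {1, 2, 3, 4, 5},
    "CN=Users,OU=Accounts,OU=domain,DC=domain,DC=com": set(),
}
FIELD = re.compile(r'<DIR_GRPACCT(\d+)_(NAME|PRIV)\s+VALUE="([^"]*)"\s*/>')

def parse_groups(text):
    """Return {slot: {"name": str, "privs": set of int}} from read-back text."""
    groups = {}
    for slot, kind, value in FIELD.findall(text):
        entry = groups.setdefault(int(slot), {"name": "", "privs": set()})
        if kind == "NAME":
            entry["name"] = value
        else:
            entry["privs"] = {int(p) for p in value.split(",") if p.strip().isdigit()}
    return groups

def audit(groups, policy):
    """List (slot, message) for each group or privilege the policy does not allow."""
    findings = []
    for slot, g in sorted(groups.items()):
        if not g["name"] and not g["privs"]:
            continue  # unused slot
        if g["name"] not in policy:
            findings.append((slot, "group not in policy: %r" % g["name"]))
        for p in sorted(g["privs"] - policy.get(g["name"], set())):
            findings.append((slot, "unexpected privilege %d (%s)" % (p, PRIVS.get(p, "?"))))
    return findings
```

Calling `audit(parse_groups(SAMPLE), POLICY)` on the constructed sample reports the two leftover privileges on group 2 and the unnamed group 3 that still holds a privilege.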