CHAPTER 3
User Account Management

Oracle Integrated Lights Out Manager (ILOM) 3.0 Getting Started Guide
Oracle Integrated Lights Out Manager (ILOM) 3.0 CLI Procedures Guide
Oracle Integrated Lights Out Manager (ILOM) 3.0 Web Interface Procedures Guide (820-6411)
Oracle Integrated Lights Out Manager (ILOM) 3.0 Management Protocols Reference Guide (820-6413)

The ILOM 3.0 Documentation Collection is available at: http://docs.sun.com/app/docs/prod/int.lights.mgr30#hic
Apply the following general guidelines when you manage user accounts:
For more information and procedures for managing user accounts, see one of the following guides:
For ILOM 3.0, user roles are implemented to control user privileges. However, for backward compatibility, ILOM 2.x-style user accounts (which have either Administrator or Operator privileges) are still supported.
ILOM 3.0 user accounts have defined roles that determine ILOM user access and rights. You can manage user accounts using the ILOM web interface or the CLI. The roles assigned to ILOM accounts are listed in TABLE 3-1.
TABLE 3-1

Role | Description
Admin (a) | A user who is assigned the Admin (a) role is authorized to view and change the state of ILOM configuration variables, with the exception of tasks that additionally require the User Management, Reset and Host Control, or Console role to be enabled.
User Management (u) | A user who is assigned the User Management (u) role is authorized to create and delete user accounts, change user passwords, change roles assigned to other users, and enable or disable the physical-access requirement for the default user account. This role also includes authorization to set up LDAP, LDAP/SSL, RADIUS, and Active Directory.
Console (c) | A user who is assigned the Console (c) role is authorized to access the ILOM Remote Console and the SP console and to view and change the state of the ILOM console configuration variables.
Reset and Host Control (r) | A user who is assigned the Reset and Host Control (r) role is authorized to operate the system, which includes power control, reset, hot-plug, enabling and disabling components, and fault management. This role maps very closely to the ILOM 2.0 user with Operator privileges. For more information about backward compatibility of ILOM 2.0 user roles, see Support for ILOM 2.x User Accounts.
Read Only (o) | A user who is assigned the Read Only (o) role is authorized to view the state of the ILOM configuration variables but cannot make any changes. Users assigned this role can also change the password and the Session Time-Out setting for their own user account.
Service (s) | A user who is assigned the Service (s) role can assist Sun service engineers in the event that on-site service is required.
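To make the role boundaries in TABLE 3-1 concrete, here is an added Python model (an illustration written for this page, not ILOM code) of the role letters and the two exceptions the table states: Admin alone does not cover tasks gated by the u, r or c roles, and a user may change the password and session time-out of their own account. The action names, and extending the self-service rule to roles other than Read Only, are assumptions.

```python
# Constructed model of the ILOM 3.0 role letters from TABLE 3-1 (assumed action names).
# Each action maps to the single role letter that grants it.
REQUIRED_ROLE = {
    "view_config": "o",       # Read Only: view configuration state
    "change_config": "a",     # Admin: view and change configuration variables
    "create_user": "u",       # User Management: accounts, passwords, roles ...
    "set_user_roles": "u",
    "configure_ldap": "u",    # ... and LDAP, LDAP/SSL, RADIUS, Active Directory setup
    "console_access": "c",    # Console: Remote Console and SP console
    "power_control": "r",     # Reset and Host Control: power, reset, hot-plug, faults
    "reset_host": "r",
}
# Admin's "view and change" is a superset of Read Only's "view".
IMPLIES = {"a": {"o"}}


def effective_roles(role_string):
    """Expand an ILOM-style role string such as 'aucro' into the granted letters."""
    roles = set(role_string)
    for letter in list(roles):
        roles |= IMPLIES.get(letter, set())
    return roles


def authorized(actor, role_string, action, target_user=None):
    """True if a user holding role_string may perform action.

    target_user is the account an action operates on (password / time-out changes).
    Unknown actions are denied by default.
    """
    if action in ("change_password", "change_session_timeout"):
        # Own account: allowed for any role (TABLE 3-1 states this for Read Only;
        # assumption: it holds for the other roles too). Another user's account:
        # only the User Management (u) role may do it.
        return target_user == actor or "u" in role_string
    needed = REQUIRED_ROLE.get(action)
    return needed is not None and needed in effective_roles(role_string)
```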
Single Sign On (SSO) is a convenient authentication service that enables you to log in to ILOM once to establish your credentials, thus reducing the number of times you need to enter your password to gain access to ILOM. Single Sign On is enabled by default. As with any authentication service, authentication credentials are passed over the network. If this is not desirable, consider disabling the SSO authentication service.
Traditionally, automation of password authentication is made possible by SSH key-based authentication. Prior to the implementation of the SSH key-based authentication feature, users who logged in to the ILOM SP using SSH were required to supply a password interactively. An automatic mechanism for password authentication is most beneficial when you have multiple systems that require a similar update.
The primary capabilities afforded by SSH key-based authentication are as follows:
Thus, SSH key-based authentication enables you to accomplish both of the above activities through the use of scripts that execute without manual intervention and that do not include embedded passwords.
Regarding the use and handling of SSH keys, ILOM enables users to add generated keys to individual user accounts on the SP.
For more information and procedures for adding and deleting SSH keys, see one of the following guides:
ILOM supports Active Directory, the distributed directory service included with Microsoft Windows Server operating systems. Like an LDAP directory service implementation, Active Directory is used to authenticate user credentials.
Active Directory provides both authentication of user credentials and authorization of user access levels to networked resources. Active Directory uses authentication to verify the identity of a user before that user can access system resources. Active Directory uses authorization to grant specific access privileges to a user in order to control a user’s rights to access networked resources. User access levels are configured or learned from the server based on the user’s group membership in a network domain, which is a group of hosts identified by a specific Internet name. A user can belong to more than one group. Active Directory authenticates users in the order in which the user’s domains were configured.
Once authenticated, the user’s authorization level can be determined in the following ways:
For more information and procedures for configuring Active Directory settings, see one of the following guides:
ILOM supports Lightweight Directory Access Protocol (LDAP) authentication for users, based on the OpenLDAP software. LDAP is a general-purpose directory service. A directory service is a centralized database for distributed applications designed to manage the entries in a directory. Thus, multiple applications can share a single user database. For more detailed information about LDAP, go to:
For more information and procedures for configuring LDAP settings, see one of the following guides:
LDAP/SSL offers enhanced security to LDAP users by way of Secure Sockets Layer (SSL) technology. To configure LDAP/SSL on an SP, you need to enter basic data (such as primary server, port number, and certificate mode) and optional data such as alternate server or event or severity levels. You can enter this data using the LDAP/SSL configuration page of the ILOM web interface, the CLI, or SNMP.
For more information and procedures for configuring LDAP/SSL settings, see one of the following guides:
ILOM supports Remote Authentication Dial-In User Service (RADIUS) authentication. RADIUS is an authentication protocol that facilitates centralized user administration. RADIUS provides many servers shared access to user data in a central database, providing better security and easier administration. A RADIUS server can work in conjunction with multiple RADIUS servers and other types of authentication servers.
RADIUS is based on a client-server model. The RADIUS server provides the user authentication data and can grant or deny access, and the clients send user data to the server and receive an “accept” or “deny” response. In the RADIUS client-server model, the client sends an Access-Request query to the RADIUS server. When the server receives an Access-Request message from a client, it searches the database for that user's authentication information. If the user's information is not found, the server sends an Access-Reject message and the user is denied access to the requested service. If the user's information is found, the server responds with an Access-Accept message. The Access-Accept message confirms the user's authentication data and grants the user access to the requested service.
All transactions between the RADIUS client and server are authenticated by the use of a specific text string password known as a shared secret. The client and server must each know the shared secret because it is never passed over the network. You must know the shared secret to configure RADIUS authentication for ILOM.
In order to use RADIUS authentication with ILOM, you must configure ILOM as a RADIUS client.
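As an added illustration (not ILOM's code nor any RADIUS library's), the exchange described above in Python following the RFC 2865 packet layout: the client hides the password under the shared secret and a random Request Authenticator, the server looks the user up and answers Access-Accept or Access-Reject, and the client verifies the Response Authenticator before trusting the verdict. The shared secret, user database and packet values are constructed, and only the User-Name and User-Password attributes are carried.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # attribute types used here


def attr(atype, value):
    # Type-Length-Value attribute; Length counts the 2-byte header as well
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(data, secret, req_auth, decrypt=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block  # chain on the ciphertext block
    return out


def build_access_request(ident, user, password, secret):
    """Client (ILOM) side: a random Request Authenticator keys the password hiding."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet, secret, user_db):
    """Server side: recover the password, look the user up, reply Accept or Reject."""
    ident, length = packet[1], struct.unpack("!H", packet[2:4])[0]
    req_auth, rest, fields = packet[4:20], packet[20:length], {}
    while len(rest) >= 2 and rest[1] >= 2:        # walk the TLV attribute list
        fields[rest[0]] = rest[2:rest[1]]
        rest = rest[rest[1]:]
    pw = hide_password(fields.get(USER_PASSWORD, b""), secret, req_auth, True).rstrip(b"\x00")
    code = ACCESS_ACCEPT if user_db.get(fields.get(USER_NAME)) == pw else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)   # no reply attributes in this example
    # Response Authenticator binds the verdict to this request and to the shared secret
    return head + hashlib.md5(head + req_auth + secret).digest()


def client_check_response(resp, request, secret):
    """Client side: recompute MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:length] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return "tampered"      # reply forged without the secret, or its code was altered
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "unknown")
```

A reply whose code is flipped from Reject to Accept on the wire, or one produced by a server holding a different secret, fails the client-side check even though the packet is otherwise well formed.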
For more information and procedures for configuring RADIUS settings, see one of the following guides:
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.