Frequent Advisor
Donald J Wood
Posts: 47
Registered: ‎04-01-2005
Message 1 of 3 (1,389 Views)

ILO HP Extended Schema LOM Object Distinguished Name Security Issues


We seem to be having a security issue around the LOM Object Distinguished Name assigned rights. We have unique LOM Objects set up for servers loaded with Windows and servers loaded with LINUX. These Target devices in AD are populated with two of three roles (Admin, Windows Users, LINUX Users) based on the operating system. Each Role has a different AD security group assigned to it. Some of the users assigned to that group are nested into other AD groups. This was previously set up logically based on their role in the company.


WINDOWS TARGETS

Admins ROLE

  • Login
  • Remote Console
  • Virtual Media
  • Server Reset and Power
  • Administer Local User Accounts
  • Administer Local Device Settings

Windows Users Role

  • Login
  • Remote Console
  • Virtual Media

LINUX TARGETS

Admins ROLE

  • Login
  • Remote Console
  • Virtual Media
  • Server Reset and Power
  • Administer Local User Accounts
  • Administer Local Device Settings

LINUX Users Role

  • Login
  • Remote Console
  • Virtual Media

THE PROBLEM

Users assigned to the LINUX Users Role and Windows Users Role are getting the same rights as the Admins Role. Also, removing rights from the Admins Role where the same rights are assigned to either the Windows Users Role or the LINUX Users Role does not take effect unless I also remove the rights from the Windows Users Role or LINUX Users Role, or remove the Windows Users Role or LINUX Users Role from the Target.

Honored Contributor
Oscar A. Perez
Posts: 644
Registered: ‎11-01-2005
Message 2 of 3 (1,381 Views)

Re: ILO HP Extended Schema LOM Object Distinguished Name Security Issues


What version of HP Directories Support for ProLiant Management Processors did you use to extend the schema?


Versions 3.00, 3.10 and 3.20 may allow inheritable permissions from the parent to propagate down to the HP Role objects. When this happens, non-admin users could log into iLO.


HP Directories Support for ProLiant Management Processors version 3.30 completely disables the propagation of inheritable permissions, but if you already extended the schema using one of the older versions mentioned above, you will have to manually disable these inheritable permissions in your AD and edit out those unwanted permissions on each role you have.


http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082006
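One way to audit the condition described above before touching anything by hand, as an added example that is not part of this thread or of HP's own tooling. It assumes the ActiveDirectory PowerShell module is installed, that the HP schema extension's role object class is named hpqRole (check your schema), and that the OU path is a placeholder for wherever your LOM and role objects live:

```powershell
# Added example, not from the thread: list HP role objects whose ACL still
# receives inherited ACEs from the parent container, which is the path by
# which non-admin users end up with admin-level iLO rights.
Import-Module ActiveDirectory

# Placeholder search base; replace with the OU that holds your Targets/Roles.
$searchBase = 'OU=iLO,DC=example,DC=com'

function Get-HpRoleInheritanceReport {
    param([string]$SearchBase)

    # Assumption: the HP schema names its role class hpqRole.
    $roles = Get-ADObject -LDAPFilter '(objectClass=hpqRole)' -SearchBase $SearchBase

    foreach ($role in $roles) {
        # The AD: drive is provided by the ActiveDirectory module.
        $acl = Get-Acl -Path ('AD:\' + $role.DistinguishedName)

        # ACEs that arrived by inheritance rather than being set on the role.
        $inherited = @($acl.Access | Where-Object { $_.IsInherited })

        [PSCustomObject]@{
            Role                = $role.DistinguishedName
            InheritanceBlocked  = $acl.AreAccessRulesProtected
            InheritedAceCount   = $inherited.Count
            InheritedPrincipals = ($inherited.IdentityReference |
                                   Sort-Object -Unique) -join '; '
        }
    }
}

# Report only; any role with InheritanceBlocked = $False and a non-zero
# InheritedAceCount is one to review.
Get-HpRoleInheritanceReport -SearchBase $searchBase | Format-Table -AutoSize

# Remediation sketch for one role, run deliberately per object after review:
#   $acl = Get-Acl -Path ('AD:\' + $roleDn)
#   $acl.SetAccessRuleProtection($true, $true)   # block inheritance, keep copies
#   Set-Acl -Path ('AD:\' + $roleDn) -AclObject $acl
# then remove the copied ACEs that grant rights the role should not have.
```

Copying the inherited ACEs when blocking inheritance (the second `$true`) keeps the admin entries intact so the explicit ACEs can be pruned afterwards, which matches the manual clean-up the reply above recommends.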


Frequent Advisor
Donald J Wood
Posts: 47
Registered: ‎04-01-2005
Message 3 of 3 (1,378 Views)

Re: ILO HP Extended Schema LOM Object Distinguished Name Security Issues

I wasn't involved in the initial install. Our internal documentation says the Targets and Roles were created using the HP ProLiant Management Directories Support Software Snap-in provided in SP30658.exe.
