
LDAP directory services option for the HP IP Console Switch: integration note
Abstract
Introduction
LDAP directory service option
  Authenticate Only mode
  Open LDAP mode
    Open LDAP Basic mode
    Open LDAP User Attribute mode
    Open LDAP Group Attribute mode
Activating LDAP directory services
Conclusion
For more information
Call to action

Abstract
A keyboard/video/mouse (KVM) switch provides local access to a group of servers. An
intelligent KVM switch such as the HP IP Console Switch also gives system administrators centralized
management of a number of networked servers. This paper describes how the directory services
option available for the HP IP Console Switch lets administrators use Microsoft® Active Directory
for more efficient switch management.
Introduction
The HP IP Console Switch provides KVM access and intelligent management functionality for a group
of servers. Using an OnScreen Display (OSD) interface included in the switch firmware and HP IP
Console Viewer software for remote console operation, a switch user can access and control a server
connected directly or tiered through another switch or a port expansion module. Access to a
particular server is controlled through the database of user accounts for the switch. The database
specifies user IDs, passwords, and access rights. The database is maintained by and contained within
the switch.
Figure 1. Standard HP IP Console Switch administration: a remote KVM console reaches Switch A,
Switch B, and Switch C, and each switch holds its own user database (Switch A User Database,
Switch B User Database, Switch C User Database).
Two types of switch users are recognized:
•Basic switch user – Has access to specific servers/ports, but cannot change switch user rights.
•Admin switch user – Has complete control of the switch and access to all servers/ports, whether the
servers run a Microsoft® Windows® or Linux® operating system.
Since adding, changing, or deleting a switch user requires modifying the user database of each
affected switch, the standard administrative functionality of the HP IP Console Switch is best suited for
small-to-medium size networks where the number of switches and switch users is relatively small.
However, the high scalability of the HP IP Console Switch may lead network architects to build up a
system that requires a more efficient management solution.
LDAP directory service option
Servers running Microsoft Windows 2000 Server or Windows Server 2003 operating systems use
Microsoft Active Directory to manage all network users and resources such as computers, servers, and
printers. Active Directory is a directory service that provides authentication for network users and
manages relationships between users and resources.
The HP IP Console Switch supports a Lightweight Directory Access Protocol (LDAP) licensing option
that allows a system administrator to use the centralized management functionality of Active Directory
to manage console switches. By enabling the LDAP functionality of the switch, the system
administrator can manage switch users with the same efficiency as he or she does other network users
and resources (Figure 2).
Figure 2. Optional HP IP Console Switch administration with LDAP directory services: a remote KVM
console reaches Switch A, Switch B, and Switch C; a single Active Directory domain controller
server holds the domain users, including domain users with Switch A rights, Switch B rights, or
Switch C rights.
Since Active Directory authenticates from a shared database, enabling LDAP yields the following
benefits:
•Simplified user access – A switch user can use the same ID and password for the switch that he or
she uses for the domain.
•Simplified account management – Switch users and network users are centrally managed by the
directory service on one machine. Any change is effective everywhere immediately.
•Quicker account changes – Deleting or disabling a switch user immediately removes his or her
access to all resources (including switches).
•More secure management – Password policy (complexity and password changes) is enforced at the
directory level rather than per switch.
The directory services option is activated by purchasing an LDAP license to obtain the LDAP key.
Once the administrator enters the LDAP key code during the switch configuration procedure, the LDAP
functionality can be enabled.
The directory services option can be configured to operate in one of two basic modes:
•Authenticate Only
•Open LDAP
NOTE:
In a system using LDAP, if the directory service of the domain controller is
unavailable, the built-in console switch administrator account still has access
to the switch and all connected servers. The user, however, will still have to
log into the connected servers themselves. Because this built-in account lives in
the switch's own database, the directory's password policy does not apply to it;
its password must still be managed on the switch.
Authenticate Only mode
In Authenticate Only mode, the directory service of the domain controller validates switch users,
while the switch itself grants access to the requested server. User data exists in both the switch and
the directory of the domain controller. Figure 3 shows how a switch user's query is processed in
Authenticate Only mode.
Figure 3. Query processing in Authenticate Only mode (switch user, switch, domain controller, server)
1. The switch user requests to view a server console.
2. The switch forwards the user ID and password to the directory by LDAP.
3. The directory checks the user ID and password for validity.
4. The directory responds to the switch.
5. If the credentials are valid, the switch grants access to the requested server based on the KVM
rights held in the switch. If they are invalid, the KVM connection is denied.
6. The switch responds to the switch user.
NOTE:
In the Authenticate Only mode, the user account data in the switch must
match exactly the user account data in the directory.
Open LDAP mode
In Open LDAP mode, the directory provides complete control of switch user access including user ID
and password as well as rights to individual servers and switches. Two types of queries can occur in
Open LDAP mode:
•Console switch query – An attempt by a switch user to perform an action requiring switch
administrative rights will result in the directory checking the user for administrator access.
•Server query – An attempt by a switch user to view the console of a specific server will result in the
directory checking to verify that the user has access rights to the requested server console.
Open LDAP mode can process switch user queries using one of three sub modes:
•Basic mode
•User Attribute mode
•Group Attribute mode
Open LDAP Basic mode
In Basic mode (Figure 4), only the user ID and password are checked against the directory. If the user
exists and the password is correct, the user is given the requested access without further validation;
that is, any account that can authenticate to the directory is granted access, with no per-user or
per-server authorization.
NOTE:
For security reasons, HP recommends using Basic mode only for testing
connectivity.
Figure 4. Query processing in Open LDAP Basic mode (switch user, switch, domain controller, server)
1. The switch user requests to view a server console.
2. The switch forwards the user ID and password to the directory by LDAP.
3. The directory checks the user ID and password for validity.
4. The directory responds to the switch.
5. The switch responds to the switch user.
Open LDAP User Attribute mode
In User Attribute mode (Figure 5) the directory checks the user ID and password. If they are valid, the
directory uses an attribute in the notes field of the user object to determine access rights.
Figure 5. Query processing in Open LDAP User Attribute mode (switch user, switch, domain controller, server)
1. The switch user requests to view a server console.
2. The switch forwards the user ID and password to the directory by LDAP.
3. The directory checks the user ID and password, then uses the notes attribute of the user object to
determine access for the validated user. User attributes:
   KVM Appliance Admin: can access any server connected to the switch and can administer the switch.
   KVM User: can view any server.
4. The directory responds to the switch.
5. The switch responds to the switch user.
Open LDAP Group Attribute mode
In Group Attribute mode (Figure 6), the directory validates the user ID and password. It then checks
the user's group memberships to determine the user's switch and server access.
Figure 6. Query processing in Open LDAP Group Attribute mode (switch user, switch, domain controller, server)
1. The switch user requests to view a server console.
2. The switch forwards the user ID, password, and requested server to the directory by LDAP.
3. The directory checks the user ID and password, then checks the user's groups (for example,
KVM Switch Admin Group, Windows Server Admin Group, Linux® Server Admin Group) to determine
access for the validated user.
4. The directory responds to the switch.
5. The switch responds to the switch user.
In Group Attribute mode, a user's access to systems is determined by the group listing. For
console switch queries, the directory checks for a group that contains both the user and the KVM
switch. For server queries, the directory checks for a group that contains the user and the server, or
a group with the KVM Appliance Admin attribute that contains the user and the switch (see Table 1:
a KVM User group containing only the user and the switch lists the servers but grants access to none
of them). Table 1 shows how the group listing affects the abilities of the user.
Table 1. User abilities in Group Attribute mode
(System configuration in every row: Switch 1 providing a KVM connection to Servers A, B, and C)

Group attribute     | Group list includes         | Ability of user
--------------------|-----------------------------|------------------------------------------------------------
KVM User            | Switch 1, User A            | User A can view the list of all servers in the configuration
                    |                             | but cannot access or view any server.
KVM User            | Switch 1, Server B, User A  | User A can view the list of all servers in the configuration
                    |                             | but can access only Server B.
KVM Appliance Admin | User A, Server A            | User A can access only Server A, not the switch.
KVM Appliance Admin | User A, Switch 1            | User A has full control of Switch 1 and can access all
                    |                             | connected servers.
Activating LDAP directory services
With the purchase of the LDAP license key, all HP IP Console Switches have the ability to support
LDAP directory services. Existing IP Console Switches may require a firmware upgrade to achieve
LDAP support, while future IP Console Switches will ship with LDAP support built-in.
To initialize a system for LDAP directory services support, perform the following steps:
1. Upgrade all HP IP Console Switches with the latest firmware available from HP at
http://h18004.www1.hp.com/products/servers/proliantstorage/rack-options/kvm/soft-firmware.html
2. Upgrade all applicable units to run HP IP Console Viewer 2.5 or later.
3. Purchase license key kit from a reseller or HP. License key kits are available for individual
switches, for multiple switches, and as a tracking license.
4. Install license key on the HP IP Console Switch.
5. Set up LDAP functionality.
NOTE:
In a system using LDAP, if Active Directory is unavailable, the built-in console
switch administrator account still has access rights to the switch and all
connected servers.
Conclusion
Because of its flexibility, the HP IP Console Switch can be used in network infrastructures of various
sizes. By enabling the LDAP option, a system administrator can efficiently manage numerous switches
from a single location and avoid the need to update the databases of individual switches.
For more information
More information about HP IP Console Switches is available at
http://h18004.www1.hp.com/products/servers/proliantstorage/rack-options/list.html#console.
More information about HP ProLiant servers is available at
www.hp.com/servers/proliant.
Call to action
© 2004 Hewlett-Packard Development Company, L.P. The information contained
herein is subject to change without notice. The only warranties for HP products and
services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or
omissions contained herein.
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
Linux is a U.S. registered trademark of Linus Torvalds.
TC041102IN, 11/2004