HP 1x1x16 - IP Console Switch KVM Quick start guide
LDAP directory services option for the HP IP Console Switch
integration note
Abstract.............................................................................................................................................. 2
Introduction......................................................................................................................................... 2
LDAP directory service option................................................................................................................ 3
Authenticate Only mode ................................................................................................................... 4
Open LDAP mode ............................................................................................................................ 5
Open LDAP Basic mode ................................................................................................................ 5
Open LDAP User Attribute mode .................................................................................................... 6
Open LDAP Group Attribute mode.................................................................................................. 6
Activating LDAP directory services ......................................................................................................... 7
Conclusion.......................................................................................................................................... 7
For more information............................................................................................................................ 8
Call to action ...................................................................................................................................... 8
Abstract
A keyboard/video/mouse (KVM) switch can provide localized access to a group of servers. An
intelligent KVM switch such as the HP IP Console Switch can provide system administrators centralized
management over a number of networked servers. This paper describes how the directory services
option available for the HP IP Console Switch allows administrators to use Microsoft®Active Directory
for more efficient switch management.
Introduction
The HP IP Console Switch provides KVM access and intelligent management functionality for a group
of servers. Using an OnScreen Display (OSD) interface included in the switch firmware and HP IP
Console Viewer software for remote console operation, a switch user can access and control a server
connected directly or tiered through another switch or a port expansion module. Access to a
particular server is controlled through the database of user accounts for the switch. The database
specifies user IDs, passwords, and access rights. The database is maintained by and contained within
the switch.
Figure 1. Standard HP IP Console Switch administration
Switch A
Switch B
Switch C
Switch B User Database
Switch C User Database
Switch A User Database
Remote
KVM
Console
Two types of switch users are recognized:
•Basic switch user – Has access to specific servers/ports, but cannot change switch user rights.
•Admin switch user – Has complete control of switch and access to all servers/ports, running either a
Microsoft®Windows®or Linux®operating system.
Since adding, changing, or deleting a switch user requires modifying the user database of each
affected switch, the standard administrative functionality of the HP IP Console Switch is best suited for
small-to-medium size networks where the number of switches and switch users is relatively small.
However, the high scalability of the HP IP Console Switch may lead network architects to build up a
system that requires a more efficient management solution.
2
LDAP directory service option
Servers running Microsoft Windows 2000 Server or Windows Server 2003 operating systems use
Microsoft Active Directory to manage all network users and resources such as computers, servers, and
printers. Active Directory is a directory service that provides authentication for network users and
manages relationships between users and resources.
The HP IP Console Switch supports a Lightweight Directory Access Protocol (LDAP) licensing option
that allows a system administrator to use the centralized management functionality of Active Directory
to manage console switches. By enabling the LDAP functionality of the switch, the system
administrator can manage switch users with the same efficiency as he or she does other network users
and resources (Figure 2).
Figure 2. Optional HP IP Console Switch administration with LDAP directory services
Switch A
Switch B
Switch C
A
ctive Directory
Domain user
Domain user w/switch A rights
Domain user w/switch B rights
Domain user w/switch C rights
Domain user
Domain Controller
Server
Remote
KVM
Console
Since Active Directory authenticates from a shared database, enabling LDAP yields the following
benefits:
•Simplified user access – A switch user can use the same ID and password for the switch that he or
she uses for the domain.
•Simplified account management – Switch users and network users are centrally managed by the
directory service on one machine. Any change is effective everywhere immediately.
•Quicker account changes – Deleting or disabling a switch user immediately removes his or her
access to all resources (including switches).
•More secure management – Password type and changes are enforced at the directory level.
The directory services option is activated by purchasing an LDAP license to obtain the LDAP key.
Once the administrator enters the LDAP key code during the switch configuration procedure, the LDAP
functionality can be enabled.
3
The directory services option can be configured to operate in one of two basic modes:
•Authenticate Only
•Open LDAP
NOTE:
In a system using LDAP, if the directory service of the domain controller is
unavailable, the built-in, console switch administrator account still has access
to the switch and all connected servers. The user, however, will still have to
log into connected servers.
Authenticate Only mode
In Authenticate Only mode, the directory services of the domain controller validates switch users,
while the switch itself grants access to the requested server. User data exists in the both the switch and
in the directory of the domain controller. Figure 3 shows how a switch user’s query is processed using
the Authenticate Only mode.
Figure 3. Query processing in Authenticate Only mode
Switch User Switch
1.Request to view
server console
Domain
Controller
Server
6.Switch response
5.If valid, switch grants
access to requested
server based on KVM
rights in switch.
If invalid, KVM
connection is denied.
4.Directory
response
3.Directory checks User
ID and password for
validity.
2.User ID + password
forwarded by LDAP
NOTE:
In the Authenticate Only mode, the user account data in the switch must
match exactly the user account data in the directory.
4
Open LDAP mode
In Open LDAP mode, the directory provides complete control of switch user access including user ID
and password as well as rights to individual servers and switches. Two types of queries can occur in
Open LDAP mode:
•Console switch query – An attempt by a switch user to perform an action requiring switch
administrative rights will result in the directory checking the user for administrator access.
•Server query – An attempt by a switch user to view the console of a specific server will result in the
directory checking to verify that the user has access rights to the requested server console.
Open LDAP mode can process switch user queries using one of three sub modes:
•Basic mode
•User Attribute mode
•Group Attribute mode
Open LDAP Basic mode
In Basic mode (Figure 4), only the user ID and password are checked against the directory. If the user
exists and the password is correct, then the user is given access without further validation.
NOTE:
For security reasons, HP recommends using Basic mode only for testing
connectivity.
Figure 4. Query processing in Open LDAP Basic mode
Switch User Switch
1.Request to view
server console
Domain
Controller
Server
5.Switch response
2.User ID + password
forwarded by LDAP
3.Directory checks User
ID and password for
validity.
4.Directory response
5
Open LDAP User Attribute mode
In User Attribute mode (Figure 5) the directory checks the user ID and password. If they are valid, the
directory uses an attribute in the notes field of the user object to determine access rights.
Figure 5. Query processing in Open LDAP User Attribute mode
Switch User Switch
1.Request to view
server console
5.Switch
response
2.User ID + password
forwarded by LDAP
3.Directory checks User ID and password and uses
notes attribute to determine access for validated
user.
User Attributes:
KVM Appliance Admin: can access any server
connected to the switch and can administer the
switch.
KVM User: can view any server
4.Directory
response
Domain
Controller
Server
Open LDAP Group Attribute mode
In Group Attribute mode (Figure 6), the directory validates users by validating the user ID and
password. It then checks user groups to determine switch user access.
Figure 6. Query processing in Open LDAP Group Attribute mode
Switch User Switch
1.Request to view
server console
Domain
Controller
Server
4.Directory
response
5.Switch response
2.User ID + password
+ server forwarded
by LDAP
3.Directory checks User ID and password,
then checks user groups to determine
access for validated user.
KVM Switch
Admin Group Windows Server
Admin Group
Linux®Server
A
dmin Grou
p
6
In Group Attribute mode, a user’s accessibility to systems is determined by the group listing. For
console switch queries, the directory checks for a group that contains both the user and the KVM
switch. For server queries, the directory checks for a group that contains the user and the server or the
user and the switch. Table 1 shows how the group listing affects the ability of the user.
Table 1. User abilities in Group Attribute mode
System
configuration
Group attribute Group list includes: Ability of user
Switch 1 providing
KVM connection to
Servers A, B, C
KVM User Switch 1, User A User A can view list of all
servers in configuration but
cannot access or view any
server.
Same as above KVM User Switch 1, Server B,
User A
User A can view list of all
servers in configuration but
can access only Server B.
Same as above KVM Appliance
Admin
User A, Server A User A can access only
Server A, not the switch.
Same as above KVM Appliance
Admin
User A, Switch 1 User A has full control of
Switch 1 and can access all
connected servers.
Activating LDAP directory services
With the purchase of the LDAP license key, all HP IP Console Switches have the ability to support
LDAP directory services. Existing IP Console Switches may require a firmware upgrade to achieve
LDAP support, while future IP Console Switches will ship with LDAP support built-in.
To initialize a system for LDAP directory services support, perform the following steps:
1. Upgrade all HP IP Console Switches with the latest firmware available from HP at
http://h18004.www1.hp.com/products/servers/proliantstorage/rack-options/kvm/soft-
firmware.html
2. Upgrade all applicable units to run HP IP Console Viewer 2.5 or later.
3. Purchase license key kit from a reseller or HP. License key kits are available for individual
switches, for multiple switches, and as a tracking license.
4. Install license key on the HP IP Console Switch.
5. Set up LDAP functionality.
NOTE:
In a system using LDAP, if Active Directory is unavailable, the built-in console
switch administrator account still has access rights to the switch and all
connected servers.
Conclusion
Because of its flexibility, the HP IP Console Switch can be used in network infrastructures of various
sizes. By enabling the LDAP option, a system administrator can efficiently manage numerous switches
from a single location and avoid the need to update the databases of individual switches.
7
For more information
More information about HP IP Console Switches is available at
http://h18004.www1.hp.com/products/servers/proliantstorage/rack-options/list.html#console.
More information about HP ProLiant servers is available at
www.hp.com/servers/proliant.
Call to action
© 2004 Hewlett-Packard Development Company, L.P. The information contained
herein is subject to change without notice. The only warranties for HP products and
services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or
omissions contained herein.
[Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
Linux is a U.S. registered trademark of Linus Torvalds.
TC041102IN, 11/2004
This manual suits for next models
2
Table of contents
Other HP Switch manuals
HP
HP ProCurve 2510-48 User manual
HP
HP 445860-B21 - 10Gb Ethernet BL-c Switch User manual
HP
HP 6400cl User manual
HP
HP 5920 User manual
HP
HP v1810g User manual
HP
HP 6125G Instruction Manual
HP
HP StorageWorks 2/16 - SAN Switch User manual
HP
HP GbE2c - Blc Layer 2/3 Fiber SFP Option User guide
HP
HP StorageWorks 2/16 - SAN Switch User manual
HP
HP ProCurve 3500yl Series User manual
HP
HP 445860-B21 - 10Gb Ethernet BL-c Switch Operating manual
HP
HP 5130 EI Switch Series User manual
HP
HP Officejet Pro 7500 Series User manual
HP
HP StorageWorks 8/40 - SAN Switch Quick user guide
HP
HP 316095-B21 - StorageWorks Edge Switch 2/24 Instruction Manual
HP
HP A5120 EI Series User manual
HP
HP GbE2c - Blc Layer 2/3 Fiber SFP Option User manual
HP
HP ProCurve 3500yl Series Owner's manual
HP
HP A12500 Assembly instructions
HP
HP StorageWorks SN6000 User manual
