Figure 1: Dell Extended Schema Active Directory Architecture
DRAC 4 authenticates against Active Directory using an LDAP simple bind and queries Active
Directory objects over an SSL channel. All authentication data (including the user name and
password) is sent to Active Directory over this encrypted channel. When a DRAC 4 establishes
an SSL connection with an Active Directory Domain Controller, it verifies the identity of the
Domain Controller using SSL server authentication: the root CA SSL certificate (which is used to
sign all the Domain Controller SSL certificates) must already have been imported into the
DRAC 4. DRAC 4 supports root CA and Domain Controller SSL certificates of up to 4096 bits.
Note: Dell strongly recommends following Microsoft PKI (Public Key Infrastructure) best
practices and using a 4096-bit root CA certificate and a 1024-bit Domain Controller
certificate.
For an Active Directory user to be authorized to access a DRAC 4, the user object (or a group
containing it) has to be added to the Dell Association object. A Dell Privilege object with the
appropriate privilege settings also needs to be added to the Dell Association object. Finally, a
Dell RAC Device object representing the DRAC 4 has to be added to the Dell Association object,
and the name of that RAC Device object has to be configured on the DRAC 4.
Searching Active Directory to authenticate and authorize the RAC user relies on the
member-memberOf relationship with the Association object. That relationship is inherited from
the group class: every member of a group has a corresponding linked attribute, memberOf, which
is part of the User class.
To authorize a user after the LDAP bind, read the memberOf attribute, which lists all the groups
the user is a member of. Of these groups, locate the ones that have the dellAssociationObject
class.
Note: The user can be a member of multiple Association object classes.
For each dellAssociationObject the user is a member of, read its dellProductMembers attribute
and check whether the RAC device being authenticated is listed in it.
Note: dellProductMembers can be groups of RACs and will retain the member-memberOf
relationship.
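The following is an added example, not code from the Dell white paper or from the DRAC 4 firmware. It models the authorization walk described above (user, memberOf, dellAssociationObject, dellProductMembers, RAC device) over a small constructed directory snapshot, and it also covers the object layout from the earlier section: a user reaching the Association object through a group, and dellProductMembers pointing at a group of RACs rather than a single device. The names dellAssociationObject, dellProductMembers, member and memberOf are taken from the text; the link attribute dellPrivilegeMember, the object classes dellRacDevice and dellPrivileges, the privileges attribute, and all DNs are constructed for this example and are not claimed to match Dell's real schema.

```python
"""Model of the DRAC 4 / Active Directory extended-schema authorization walk.

Added example with constructed entries and DNs. dellAssociationObject,
dellProductMembers, member and memberOf come from the text; dellPrivilegeMember,
dellRacDevice, dellPrivileges and the 'privileges' attribute are hypothetical.
"""

BASE = "OU=Dell,DC=example,DC=com"            # constructed container
ALICE = "CN=alice,OU=Users,DC=example,DC=com"
BOB = "CN=bob,OU=Users,DC=example,DC=com"
RAC_PROD01, RAC_PROD02 = f"CN=rac-prod01,{BASE}", f"CN=rac-prod02,{BASE}"
RAC_LAB01, RAC_DEV01 = f"CN=rac-lab01,{BASE}", f"CN=rac-dev01,{BASE}"
GRP_RACADMINS, GRP_PRODRACS = f"CN=RacAdmins,{BASE}", f"CN=ProdRacs,{BASE}"
ASSOC_PROD, ASSOC_LAB = f"CN=Assoc-Prod,{BASE}", f"CN=Assoc-Lab,{BASE}"
PRIV_ADMIN, PRIV_RO = f"CN=Priv-Admin,{BASE}", f"CN=Priv-ReadOnly,{BASE}"

# Constructed directory snapshot: DN -> attributes. Only the forward link 'member'
# is stored; AD's back-link 'memberOf' is derived below so both sides of the
# member-memberOf relationship stay consistent by construction.
DIRECTORY = {
    ALICE: {"objectClass": ["user"]},
    BOB: {"objectClass": ["user"]},
    GRP_RACADMINS: {"objectClass": ["group"], "member": [ALICE]},
    GRP_PRODRACS: {"objectClass": ["group"], "member": [RAC_PROD01, RAC_PROD02]},
    ASSOC_PROD: {"objectClass": ["dellAssociationObject"],
                 "member": [GRP_RACADMINS],             # user reaches this via a group
                 "dellProductMembers": [GRP_PRODRACS],  # a group of RACs, not one RAC
                 "dellPrivilegeMember": [PRIV_ADMIN]},  # hypothetical link attribute
    ASSOC_LAB: {"objectClass": ["dellAssociationObject"],
                "member": [ALICE],                      # user added directly
                "dellProductMembers": [RAC_LAB01],
                "dellPrivilegeMember": [PRIV_RO]},
    RAC_PROD01: {"objectClass": ["dellRacDevice"]},
    RAC_PROD02: {"objectClass": ["dellRacDevice"]},
    RAC_LAB01: {"objectClass": ["dellRacDevice"]},
    RAC_DEV01: {"objectClass": ["dellRacDevice"]},      # belongs to no association
    PRIV_ADMIN: {"objectClass": ["dellPrivileges"],
                 "privileges": ["login", "configure", "console"]},
    PRIV_RO: {"objectClass": ["dellPrivileges"], "privileges": ["login"]},
}


def member_of(dn):
    """Back-link: every entry whose 'member' attribute lists dn."""
    return [d for d, e in DIRECTORY.items() if dn in e.get("member", [])]


def transitive_member_of(dn):
    """Everything reachable from dn through memberOf links (nested groups too),
    with cycle protection so a group loop cannot hang the walk."""
    seen, stack = set(), [dn]
    while stack:
        for parent in member_of(stack.pop()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def expand_product_members(dns):
    """Flatten dellProductMembers: a value may be a RAC device or a group of RACs,
    and groups keep the member-memberOf relationship, so recurse through 'member'."""
    seen, leaves, stack = set(), set(), list(dns)
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = DIRECTORY.get(dn, {})
        if "group" in entry.get("objectClass", []):
            stack.extend(entry.get("member", []))
        else:
            leaves.add(dn)
    return leaves


def association_objects_for(user_dn):
    """Step 1: of everything the user is a member of, keep the dellAssociationObject entries."""
    return sorted(d for d in transitive_member_of(user_dn)
                  if "dellAssociationObject" in DIRECTORY[d]["objectClass"])


def authorize(user_dn, rac_dn):
    """Step 2: for each association object, test whether the RAC being authenticated
    is among its flattened dellProductMembers; collect the privileges of every
    matching association. An empty set means the user is not authorized on that RAC."""
    granted = set()
    for assoc in association_objects_for(user_dn):
        entry = DIRECTORY[assoc]
        if rac_dn in expand_product_members(entry.get("dellProductMembers", [])):
            for priv_dn in entry.get("dellPrivilegeMember", []):
                granted.update(DIRECTORY[priv_dn].get("privileges", []))
    return frozenset(granted)


def escape_filter_value(value):
    """RFC 4515 escaping so a DN taken from the bind identity cannot reshape the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def association_search_filter(user_dn):
    """Server-side form of step 1: ask AD for association objects listing this DN as member."""
    return f"(&(objectClass=dellAssociationObject)(member={escape_filter_value(user_dn)}))"


if __name__ == "__main__":
    for user in (ALICE, BOB):
        for rac in (RAC_PROD01, RAC_LAB01, RAC_DEV01):
            print(user.split(",")[0], "->", rac.split(",")[0], sorted(authorize(user, rac)))
```

Running the block shows alice holding full privileges on the production RACs (reached through the RacAdmins group and the ProdRacs group of RACs), login only on the lab RAC, and nothing on rac-dev01, while bob, who is in no Association object, gets nothing anywhere. The memberOf back-link is derived from the forward member attribute rather than stored, which is also how Active Directory maintains it; both walks carry a visited set so a cyclic group nesting terminates.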