Users Guide

It is possible for a domain user, for example john_smith, to be a member of multiple directory groups, and also for those groups to be
assigned different roles. In this case, the user will receive the highest level role for all the directory groups the user is a member of.
Example 1: The user is a member of three groups with admin, DM, and viewer roles. In this case, the user becomes an administrator.
Example 2: The user is a member of three DM groups and a viewer group. In this case, the user will become a DM with access to the
union of device groups across the three DM roles.
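The resolution rule described above, written out as an added example for reviewing group-to-role mappings before import. It is not code from OpenManage Enterprise; the function names, group names, and device-group names are hypothetical, and the user jane_doe is constructed.

```python
from dataclasses import dataclass

# Role precedence described above: admin > DM (device manager) > viewer.
RANK = {"viewer": 1, "DM": 2, "admin": 3}

@dataclass(frozen=True)
class GroupMapping:
    role: str                                # role mapped to the imported group
    device_groups: frozenset = frozenset()   # used only for DM groups

def effective_access(memberships, mappings):
    """Return (role, device_scope, granting_groups) for one user."""
    mapped = {g: mappings[g] for g in memberships if g in mappings}
    if not mapped:                 # no imported group: no console role
        return None, frozenset(), []
    role = max((m.role for m in mapped.values()), key=RANK.__getitem__)
    granting = sorted(g for g, m in mapped.items() if m.role == role)
    scope = frozenset()            # the page defines scoping only for DM
    if role == "DM":
        scope = frozenset().union(*(mapped[g].device_groups for g in granting))
    return role, scope, granting

def audit(users, mappings):
    """Flag users whose effective role outranks one of their mapped groups."""
    findings = []
    for user, groups in sorted(users.items()):
        role, _, granting = effective_access(groups, mappings)
        if role is None:
            continue
        lower = sorted(g for g in groups
                       if g in mappings and RANK[mappings[g].role] < RANK[role])
        if lower:
            findings.append((user, role, granting, lower))
    return findings

MAPPINGS = {  # constructed sample data; all names are hypothetical
    "OME-Admins": GroupMapping("admin"),
    "DM-Racks-A": GroupMapping("DM", frozenset({"rack-a"})),
    "DM-Racks-B": GroupMapping("DM", frozenset({"rack-b"})),
    "DM-Storage": GroupMapping("DM", frozenset({"storage"})),
    "OME-Viewers": GroupMapping("viewer"),
}
USERS = {
    "john_smith": ["OME-Admins", "DM-Racks-A", "OME-Viewers"],             # Example 1
    "jane_doe": ["DM-Racks-A", "DM-Racks-B", "DM-Storage", "OME-Viewers"],  # Example 2
    "guest": ["Domain Users"],                                             # not imported
}

if __name__ == "__main__":
    print(*audit(USERS, MAPPINGS), sep="\n")
```

Each finding names the group that grants the effective role and the lower-privileged groups it overrides, which is the membership to review when a user holds more access than intended.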
Directory services integration in OpenManage Enterprise–Tech Release
Directory Services allows you to import directory groups from AD or LDAP for use on the console. To use Directory Services:
Add a directory connection. See Adding directories for use with Directory Services.
Import directory groups and map all users in the group to a specific role. See Importing the Active Directory users.
For DM users, edit the directory group to add the groups the DM can manage. See Adding and editing OpenManage Enterprise–Tech
Release users.
Adding directories for use with Directory Services
1. Click Directory Services > Add.
2. In the Connect to Directory Service dialog box, type a directory name, and then type the FQDN or DNS server address:
a) Select the directory connection type.
b) Type a name for the directory connection.
c) Select DNS or Manual, and then type the relevant IP address prompted in the text box. Based on your selection, the fields in the
Advanced Options section vary.
3. In Advanced Options, edit the default data, if necessary.
4. To verify the server authentication certificate, select the Certificate Validation check box, and then browse to select a
certificate file.
5. To test the connection, click Test connection.
6. Click Finish.
The directory is added and listed under Directory Services.
Setting the login security properties
NOTE: To perform any tasks on OpenManage Enterprise–Tech Release, you must have necessary user privileges. See
Role-based OpenManage Enterprise–Tech Release user privileges.
NOTE: AD and LDAP directory users can be imported and assigned one of the OpenManage Enterprise–Tech Release
roles (Admin, DeviceManager, or Viewer). The Single-Sign-On (SSO) feature stops at login to the console. Actions run
on the devices require a privileged account on the device.
By clicking OpenManage Enterprise > Application Settings > Security, you can secure your OpenManage Enterprise–Tech Release
either by specifying a login IP range or a login lockout policy.
1. Expand Login IP Range:
a. To specify the IP address range that must be allowed to access OpenManage Enterprise–Tech Release, select the Enable IP
Range check box.
b. In the IP Range Address (CIDR) box, type the range of IP addresses separated by a comma.
c. Click Apply. To reset to default properties, click Discard.
2. In the Login Lockout Policy section:
a. Select the By User Name check box to prevent a specific user name from logging in to OpenManage Enterprise–Tech Release.
b. Select the By IP address check box to prevent a specific IP address from logging in to OpenManage Enterprise–Tech Release.
c. In the Lockout Fail Count box, type the number of unsuccessful attempts after which OpenManage Enterprise–Tech Release
must prevent the user from further logging in. The default is 3 attempts.
d. In the Lockout Fail Window box, type the duration for which OpenManage Enterprise–Tech Release must display information
about a failed attempt.