Manualshelf

Users Guide

ManualsBrandsDell ManualsActive System ManageriDRAC7 with Lifecycle Controller Version 2.40.40.40
131132133134135136137138139140
To use the Extended Schema securely, Dell recommends not enabling inheritance on Dell Association objects within the extended
schema implementation.
Active directory schema extensions
The Active Directory data is a distributed database of attributes and classes. The Active Directory schema includes the rules that
determine the type of data that can be added or included in the database. The user class is one example of a class that is stored in
the database. Some example user class attributes can include the user’s rst name, last name, phone number, and so on. You can
extend the Active Directory database by adding your own unique attributes and classes for specic requirements. Dell has extended
the schema to include the necessary changes to support remote management authentication and authorization using Active
Directory.
Each attribute or class that is added to an existing Active Directory Schema must be dened with a unique ID. To maintain unique IDs
across the industry, Microsoft maintains a database of Active Directory Object Identiers (OIDs) so that when companies add
extensions to the schema, they can be guaranteed to be unique and not to conict with each other. To extend the schema in
Microsoft's Active Directory, Dell received unique OIDs, unique name extensions, and uniquely linked attribute IDs for the attributes
and classes that are added into the directory service:
Extension is: dell
Base OID is: 1.2.840.113556.1.8000.1280
RAC LinkID range is: 12070 to 12079
Overview of iDRAC schema extensions
Dell has extended the schema to include an Association, Device, and Privilege property. The Association property is used to link
together the users or groups with a specic set of privileges to one or more iDRAC devices. This model provides an administrator
maximum exibility over the dierent combinations of users, iDRAC privileges, and iDRAC devices on the network without much
complexity.
For each physical iDRAC device on the network that you want to integrate with Active Directory for authentication and
authorization, create at least one association object and one iDRAC device object. You can create multiple association objects, and
each association object can be linked to as many users, groups of users, or iDRAC device objects as required. The users and iDRAC
user groups can be members of any domain in the enterprise.
However, each association object can be linked (or, may link users, groups of users, or iDRAC device objects) to only one privilege
object. This example allows an administrator to control each user’s privileges on specic iDRAC devices.
iDRAC device object is the link to iDRAC rmware for querying Active Directory for authentication and authorization. When iDRAC is
added to the network, the administrator must congure iDRAC and its device object with its Active Directory name so that users can
perform authentication and authorization with Active Directory. Additionally, the administrator must add iDRAC to at least one
association object for users to authenticate.
The following gure shows that the association object provides the connection that is needed for the authentication and
authorization.
Figure 2. Typical setup for active directory objects
135