User's Guide
Using Microsoft® Active Directory®
Dell OpenManage™ Version 5.1 Installation and Security User's Guide
Controlling Access to Your Network
If you use Active Directory service software, you can configure it to control access to your network. Dell has modified the Active Directory database to support remote management authentication and authorization. Dell OpenManage™ IT Assistant and Dell OpenManage Server Administrator, as well as Dell™ remote access controllers, can now interface with Active Directory. With this tool, you can add and control users and privileges from one central database.
Active Directory Schema Extensions
The Active Directory data exists in a distributed database of Attributes and Classes. An example of an Active Directory Class is the User class. Some example Attributes of the User class might be the user's first name, last name, phone number, and so on. Every Attribute or Class that is added to an existing Active Directory schema must be defined with a unique ID. To maintain unique IDs throughout the industry, Microsoft maintains a database of Active Directory Object Identifiers (OIDs).
The Active Directory schema defines the rules for what data can be included in the database. To extend the schema in Active Directory, Dell received unique
OIDs, unique name extensions, and unique linked attribute IDs for the new attributes and classes in the directory service.
Dell extension is: dell
Dell base OID is: 1.2.840.113556.1.8000.1280
Dell LinkID range is: 12070 to 12079
The Active Directory OID database maintained by Microsoft can be viewed at msdn.microsoft.com/certification/ADAcctInfo.asp by entering our extension, dell.
Overview of the Active Directory Schema Extensions
Dell created Classes, or groups of objects, that can be configured by the user to meet their unique needs. New Classes in the schema include an Association, a Product, and a Privilege class. An Association object links the users or groups to a given set of privileges and to systems (Product Objects) in your network. This model gives an administrator control over the different combinations of users, privileges, and systems or RAC devices on the network, without adding complexity.
Active Directory Object Overview
For each of the systems that you want to integrate with Active Directory for authentication and authorization, there must be at least one Association Object
and one Product Object. The Product Object represents the system. The Association Object links it with users and privileges. You can create as many
Association Objects as you need.
Each Association Object can be linked to as many users, groups of users, and Product Objects as desired. The users and Product Objects can be from any
domain. However, each Association Object may only link to one Privilege Object. This behavior allows an Administrator to control which users have which rights
on specific systems.
The Product Object links the system to Active Directory for authentication and authorization queries. When a system is added to the network, the
Administrator must configure the system and its product object with its Active Directory name so that users can perform authentication and authorization with
Active Directory. The Administrator must also add the system to at least one Association Object in order for users to authenticate.
Figure 8-1 illustrates that the Association Object provides the connection that is needed for all of the authentication and authorization.
Figure 8-1. Typical Setup for Active Directory Objects
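The object model described above, as an added illustration that is not Dell's schema or code: an Association Object with exactly one privilege, any number of users or groups, and any number of Product Objects, plus the two checks an administrator would want (every Association links one Privilege Object; every system appears in at least one Association, or nobody can authenticate to it). All object and user names are constructed examples.

```python
# Added illustration of the Dell OpenManage Active Directory object model.
# Not Dell's schema or code; all names below are constructed examples.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str                          # e.g. "alice@corp.example" (any domain)
    groups: frozenset = frozenset()    # Active Directory groups the user is in


@dataclass
class Association:
    """An Association Object: many users/groups, many products, ONE privilege."""
    name: str
    privilege: str                                 # name of the Privilege Object
    members: set = field(default_factory=set)      # user or group names
    products: set = field(default_factory=set)     # Product Object names


def validate(associations, products):
    """Return configuration problems according to the rules in the text."""
    problems = []
    for a in associations:
        if not a.privilege:
            problems.append(f"{a.name}: must link exactly one Privilege Object")
    linked = {p for a in associations for p in a.products}
    for p in sorted(products):
        if p not in linked:
            problems.append(f"{p}: no Association Object, users cannot authenticate")
    return problems


def privileges_for(user, product, associations):
    """Privilege Objects a user holds on a given system (Product Object)."""
    identities = {user.name} | set(user.groups)
    return {a.privilege for a in associations
            if product in a.products and identities & a.members}


# Constructed sample: three systems, two associations, one system left unlinked.
PRODUCTS = {"rac-srv01", "rac-srv02", "rac-srv03"}
ASSOCIATIONS = [
    Association("assoc-admins", "priv-admin",
                members={"RAC Admins"}, products={"rac-srv01", "rac-srv02"}),
    Association("assoc-readonly", "priv-readonly",
                members={"bob@lab.example"}, products={"rac-srv01"}),
]
ALICE = User("alice@corp.example", frozenset({"RAC Admins"}))   # via group
BOB = User("bob@lab.example")                                   # direct member
```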
NOTE: Using Active Directory to recognize Dell Remote Access Controller (DRAC), IT Assistant, or Server Administrator users is supported on the Microsoft Windows® 2000 and Windows Server™ 2003 operating systems.