User guide
sent via an encrypted channel to Active Directory. When iDRAC6 establishes an SSL connection with
Active Directory Domain Controller, it verifies the Domain Controller entity via SSL server authentication.
The root CA SSL certificate (which is used to sign all the Domain Controller SSL certificates) has been
imported to the iDRAC6. The iDRAC6 supports up to a 4096-bit root CA certificate and Domain
Controller SSL certificate.
NOTE: Dell strongly recommends following the Microsoft PKI best practices and using a 4096-bit
root CA certificate and a 1024-bit Domain Controller certificate.
For an Active Directory user to have authority to access an iDRAC6, the user object or its group must be
added to the Dell Association object. A Dell privilege object with the right privilege setting must also
be added to the Dell Association object. Finally, a Dell RAC device object that represents the iDRAC6 is
added to the Dell Association object. The RAC device object name must be configured on that iDRAC6.
Searching Active Directory to authenticate and authorize the RAC user relies on the member-memberOf
relationship on the Association Object. Every member of a Group has a corresponding Linked Attribute
called memberOf that is part of the User Class. When we authenticate a user with LDAP, we can read
the memberOf attribute, which contains all of the Groups that this user is a member of. We can then
walk through these groups until we arrive at an object of the dellAssociationObject class.
Figure 3 Use of Extended Schema
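The memberOf walk described above, sketched as an added example (not Dell's code and not taken from this guide). It runs against a constructed in-memory directory instead of LDAP; the `class` and `privilegeObject` keys are hypothetical, and `dellProductMembers` is assumed to list RAC device object DNs directly.

```python
# Constructed sample directory (DN -> entry); no LDAP server is contacted.
# Assumptions: "class" and "privilegeObject" are hypothetical keys, and
# dellProductMembers is taken to list RAC device object DNs directly.
DIRECTORY = {
    "cn=alice,ou=users": {"class": "user", "memberOf": ["cn=ops,ou=groups"]},
    "cn=bob,ou=users": {"class": "user", "memberOf": ["cn=helpdesk,ou=groups"]},
    "cn=ops,ou=groups": {"class": "group",
        "memberOf": ["cn=admins,ou=groups", "cn=assoc-lab,ou=dell"]},
    # admins points back at ops: nested groups can form a cycle.
    "cn=admins,ou=groups": {"class": "group",
        "memberOf": ["cn=ops,ou=groups", "cn=assoc-prod,ou=dell"]},
    "cn=helpdesk,ou=groups": {"class": "group", "memberOf": ["cn=assoc-lab,ou=dell"]},
    "cn=assoc-prod,ou=dell": {"class": "dellAssociationObject",
        "dellProductMembers": ["cn=idrac-prod-01,ou=dell"],
        "privilegeObject": "cn=priv-admin,ou=dell"},
    "cn=assoc-lab,ou=dell": {"class": "dellAssociationObject",
        "dellProductMembers": ["cn=idrac-lab-01,ou=dell"],
        "privilegeObject": "cn=priv-readonly,ou=dell"},
}

def association_objects(user_dn, directory):
    """Follow memberOf from the user through nested groups and return
    every dellAssociationObject reached (there may be several)."""
    found, seen = [], set()
    stack = list(directory.get(user_dn, {}).get("memberOf", []))
    while stack:
        dn = stack.pop()
        if dn in seen:            # already visited: breaks group cycles
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:         # dangling reference grants nothing
            continue
        if entry["class"] == "dellAssociationObject":
            found.append(dn)
        else:
            stack.extend(entry.get("memberOf", []))
    return sorted(found)

def authorize(user_dn, rac_dn, directory):
    """Return the privilege objects of every association that links this
    user to this RAC device; an empty list means access is denied."""
    grants = []
    for assoc_dn in association_objects(user_dn, directory):
        assoc = directory[assoc_dn]
        if rac_dn in assoc.get("dellProductMembers", []):
            grants.append(assoc["privilegeObject"])
    return sorted(grants)
```

The walk defaults to deny: an unknown user, a dangling group reference, or an association that does not list the device all yield an empty result.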
Note that the user could be a member of multiple association object classes, so we must take this into
account in our query. When we find the dellAssociationObject class that this user is a member of, we
will then access the dellProductMembers attribute and walk this in the reverse order to determine if the