Dell has extended the schema to include an Association, Device, and Privilege property. The
Association property is used to link together the users or groups with a specific
set of privileges to one or more RAC devices. This model provides
an administrator maximum flexibility over the different combinations
of users, RAC privileges, and RAC devices on the network without much
complexity.
When there are two CMCs on the network that you want to integrate
with Active Directory for authentication and authorization, create
at least one association object and one RAC device object for each
CMC. You can create multiple association objects, and each association
object can be linked to as many users, groups of users, or RAC device
objects as required. The users and RAC device objects can be members
of any domain in the enterprise.
However, each association object can be linked to only one privilege object: every user,
group of users, or RAC device object that the association links shares that single set of privileges.
This example allows an administrator to control each user’s privileges
on specific CMCs.
The RAC device object is the link to RAC firmware for querying
Active Directory for authentication and authorization. When a RAC
is added to the network, the administrator must configure the RAC
and its device object with its Active Directory name so that users
can perform authentication and authorization with Active Directory.
Additionally, the administrator must add the RAC to at least one association
object for users to authenticate.
The following figure shows that the association object provides
the connection that is needed for the authentication and authorization.
- NOTE: The RAC privilege object
applies to DRAC 4, DRAC 5, and CMC.
You can create as many or as few association objects as required.
However, you must create at least one Association Object, and you
must have one RAC device object for each RAC (CMC) on the network
that you want to integrate with Active Directory.
The Association Object can contain as many or as few users and/or groups, as well as
RAC Device Objects, as required. However, each Association Object includes only one
Privilege Object. The Association Object connects the Users who have Privileges on RACs (CMCs).
Additionally, you can configure Active Directory objects in a single
domain or in multiple domains. For example, you have two CMCs (RAC1
and RAC2) and three existing Active Directory users (user1, user2,
and user3). You want to give user1 and user2 an administrator privilege
to both CMCs and give user3 a login privilege to the RAC2 card. The
following figure illustrates how you set up the Active Directory objects
in this scenario.
When adding Universal Groups from separate domains, create an Association
Object with Universal Scope. The default Association objects created
by the Dell Schema Extender Utility are Domain Local Groups and do
not work with Universal Groups from other domains.
To configure the objects for the single domain scenario:
- Create two Association Objects.
- Create two RAC Device Objects, RAC1 and RAC2, to represent the
two CMCs.
- Create two Privilege Objects, Priv1 and Priv2, in which Priv1
has all privileges (administrator) and Priv2 has login privilege.
- Group user1 and user2 into Group1.
- Add Group1 as Members in Association Object 1 (A01), Priv1 as
Privilege Objects in A01, and RAC1, RAC2 as RAC Devices in A01.
- Add User3 as Members in Association Object 2 (A02), Priv2 as Privilege
Objects in A02, and RAC2 as RAC Devices in A02.
The following figure provides an example of Active Directory objects
in multiple domains. In this scenario, you have two CMCs (RAC1 and
RAC2) and three existing Active Directory users (user1, user2, and
user3). User1 is in Domain1, and user2 and user3 are in Domain2.
In this scenario, configure user1 and user2 with administrator privileges
to both CMCs and configure user3 with login privileges to the RAC2
card.
To configure the objects for the multiple domain scenario:
- Ensure that the forest functional level is Native or Windows
2003 mode.
- Create two Association Objects, A01 (of Universal scope) and A02,
in any domain. The figure Setting Up Active Directory Objects in Multiple
Domains shows the objects in Domain2.
- Create two RAC Device Objects, RAC1 and RAC2, to represent the
two CMCs.
- Create two Privilege Objects, Priv1 and Priv2, in which Priv1
has all privileges (administrator) and Priv2 has login privilege.
- Group user1 and user2 into Group1. The group scope of Group1 must
be Universal.
- Add Group1 as Members in Association Object 1 (A01), Priv1 as
Privilege Objects in A01, and RAC1, RAC2 as RAC Devices in A01.
- Add User3 as Members in Association Object 2 (A02), Priv2 as Privilege
Objects in A02, and RAC2 as RAC Devices in A02.
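The following is an added model of the Association / RAC Device / Privilege relationships described in both scenarios above; it is not Dell's code, and the object, field and privilege names are illustrative assumptions rather than the extended-schema identifiers. It resolves which privileges a user holds on a given CMC and flags the Domain Local association that the text says does not work with a Universal group from another domain.

```python
from collections import namedtuple

# Constructed model of the Association / RAC Device / Privilege object
# relationships described above. Names are illustrative, not Dell's
# extended-schema identifiers.
Group = namedtuple("Group", "name domain scope members")  # members: user principals
# members: users and/or Groups; privilege: exactly one Privilege Object name;
# devices: RAC Device Object names; scope: "Universal" or "DomainLocal"
Association = namedtuple("Association", "name domain scope members privilege devices")

# Constructed privilege sets: Priv1 = all privileges, Priv2 = login only.
PRIVILEGES = {"Priv1": frozenset({"login", "configure", "administrator"}),
              "Priv2": frozenset({"login"})}

def validate(assoc):
    """Flag the misconfiguration the text warns about: a Domain Local
    association does not work with a Universal group from another domain."""
    return [f"{assoc.name}: needs Universal scope to hold {m.name} ({m.domain})"
            for m in assoc.members
            if isinstance(m, Group) and m.scope == "Universal"
            and m.domain != assoc.domain and assoc.scope != "Universal"]

def is_member(user, member):
    return user in member.members if isinstance(member, Group) else user == member

def effective_privileges(user, rac, associations):
    """Union of the privileges of every valid association that links the
    user (directly or through a group) to the given RAC Device Object."""
    granted = set()
    for a in associations:
        if validate(a):
            continue  # a broken association grants nothing
        if rac in a.devices and any(is_member(user, m) for m in a.members):
            granted |= PRIVILEGES[a.privilege]
    return frozenset(granted)

# The multiple-domain scenario above, as constructed sample data.
GROUP1 = Group("Group1", "Domain2", "Universal",
               frozenset({"user1@Domain1", "user2@Domain2"}))
A01 = Association("A01", "Domain2", "Universal", frozenset({GROUP1}),
                  "Priv1", frozenset({"RAC1", "RAC2"}))
A02 = Association("A02", "Domain2", "DomainLocal", frozenset({"user3@Domain2"}),
                  "Priv2", frozenset({"RAC2"}))
ASSOCIATIONS = (A01, A02)

if __name__ == "__main__":
    for user in ("user1@Domain1", "user2@Domain2", "user3@Domain2"):
        for rac in ("RAC1", "RAC2"):
            print(user, rac, sorted(effective_privileges(user, rac, ASSOCIATIONS)))
```

Changing A01 to "DomainLocal" scope while it lives in a different domain from Group1 makes validate() report it and drops user1 and user2 to no privileges, which is the failure the scope requirement above prevents.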