Directory groups

HPE Moonshot 1500 Chassis Management Module 2.0 directory groups are used with LDAP authentication.

Adding directory groups

Previously, all LDAP users were allowed to authenticate to the system even without an explicit group of users added to the system. Now, a group must be explicitly added with user privileges in order for members of that group to be able to login.

Prerequisites

Role: Administrator with chassis access

Procedure
  1. Click Administration in the navigation tree, and then click the Directory Groups tab.
  2. Click Add Group.
  3. Provide the following details in the Add Group section:

    • Group Name

    • Group SID

      When validating LDAP users, HPE Chassis Manager 2.0 looks up a users LDAP group by name and SID. The name is required, but the SID is optional. In some LDAP configurations, a SID is not generated. If the SID is available, it is better to enter it for redundancy.

  4. Select one of the available User Privileges:

    • Administrator

    • Operator

    • User

  5. Select one of the available Chassis & Slot Access. Determines what hardware subsection can be accessed. The predefined selections are:

    • All — user can access all blades, all switches, and make changes to chassis settings

    • Custom — the check boxes below allow selection of which blades, which switches and if the user can make changes to chassis settings.

    • None — user has no access to change anything, but can still read chassis settings. Blades and switches have no read or write access.

  6. To save the new directory group, click Add.

Example user group and admin group

Example user group:

Name: CN=Moonshot,OU=Groups,DC=ctxmoon,DC=net

Privileges: user

Example admin group:

Name: CN=Moonshot-Admins,OU=Groups,DC=ctxmoon,DC=net

Privileges: administrator

NOTE: Users that belong in either of these groups can login with LDAP Common Name, domain\username or email format like user@ctxmoon.net.

Editing directory groups

Prerequisites

Role: Administrator with chassis access

Procedure
  1. Click Administration in the navigation tree, and then click the Directory Groups tab.
  2. Click the edit icon associated with the group to be edited.
  3. Change the details in the Edit Directory Group section:

    • Group Name

    • Group SID

      When validating LDAP users, HPE Chassis Manager 2.0 looks up a users LDAP group by name and SID. The name is required, but the SID is optional. In some LDAP configurations, a SID is not generated. If the SID is available, it is better to enter it for redundancy.

  4. Change the details in the User Privileges section by selecting one of the following:

    • Administrator

    • Operator

    • User

  5. Select one of the available Chassis & Slot Access. Determines what hardware subsection can be accessed. The predefined selections are:

    • All — user can access all blades, all switches, and make changes to chassis settings

    • Custom — the check boxes below allow selection of which blades, which switches and if the user can make changes to chassis settings.

    • None — user has no access to change anything, but can still read chassis settings. Blades and switches have no read or write access.

  6. To save the directory group changes, click Save.

Removing directory groups

Prerequisites

Role: Administrator with chassis access

Procedure
  1. Click Administration in the navigation tree, and then click the Directory Groups tab.
  2. Select the check box next to the directory group that you want to delete.
  3. Click Remove Group.
  4. When prompted to confirm the request, click Remove.

    HPE Moonshot Chassis Manager 2.0 notifies you that the group was removed.

Directory group options

Each directory group includes a DN, SID, and account privileges. The SIDs of groups are compared to the SIDs for directory groups configured for HPE Moonshot Chassis Manager 2.0. If a user is a member of multiple groups, the user account is granted the privileges of all the groups.

When you add a directory group to HPE Moonshot Chassis Manager 2.0, configure the following values:

  • LDAP Group Name (Group DN)—Members of this group are granted the privileges set for the group. The specified group must exist in the directory, and users who need access to HPE Moonshot Chassis Manager 2.0 must be members of this group. Enter a DN from the directory (for example, CN=Group1, OU=Managed Groups, DC=domain, DC=extension).

    Shortened DNs are also supported (for example, Group1). The shortened DN is not a unique match. Hewlett Packard Enterprise recommends using the fully qualified DN.

  • Group SID (Security ID)— Security ID is used for directory group authorization. The standard format is S-1-5-2039349. This value is optional for LDAP configurations that do not support it.

  • Role— Defines the privileges asscoicated with a user (administrator, operator, or user).

  • Chassis access — Indicates whether a specified user can modify persistent system configuration.

  • Blades — If a custom access level is set for the specified user, this indicates which blades the user can access.

  • Switches — If a custom access level is set for the specified user, this indicates which switches the user can access.