In binary terms the check is a bitwise AND: if the bits of the client machine address ANDed with the bits of
the subnet mask equal the subnet address in the restriction, the client meets the restriction.
DNS-based restrictions
DNS-based restrictions use the network name service to examine the logical name of the client machine
by looking up the machine name assigned to the client IP address (a reverse lookup). DNS restrictions
require a functional name server. If the name service is down or cannot be reached, the lookup fails, the
DNS restriction cannot be matched, and the client machine fails to meet the restriction.
DNS-based restrictions can limit access to a specific machine name or to machines that share a common
domain suffix. For example, the DNS restriction www.example.com matches only hosts that are assigned the
domain name www.example.com. However, the DNS restriction *.example.com matches any machine whose name
ends in .example.com, that is, any machine that originates from the example company.
DNS restrictions might be ambiguous because a host can be multihomed: one system can have several
addresses and several names, so a DNS restriction does not necessarily map one to one onto a single system.
Using DNS-based restrictions can create security complications. Name service protocols are not secure:
DNS answers are not authenticated by default. An individual with malicious intent and access to the
network can place a rogue DNS service on the network that returns a name satisfying the address
restriction criterion. When implementing DNS-based address restrictions, consider your organizational
security policies.
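The following is an added example, not code from the iLO guide, showing how the two address restriction checks described above can be evaluated: the subnet-mask check as a bitwise AND, and the DNS restriction as a reverse lookup compared against an exact name or a `*.` suffix pattern. The reverse-DNS tables are constructed so that the example runs offline; a real evaluator would issue a PTR query. The rogue-DNS table illustrates the caveat above: an attacker who controls the name service can make an address outside the organization satisfy `*.example.com`, while the subnet check on the raw address is unaffected.

```python
import ipaddress
from typing import Optional

# Added example (not code from the iLO guide). The tables below are constructed
# stand-ins for the name service so the example runs offline.


def ip_matches_subnet(client_ip: str, subnet_addr: str, subnet_mask: str) -> bool:
    """Bitwise-AND check: the client address masked with the subnet mask must equal
    the restriction's subnet address masked the same way (so a restriction entered
    as 192.0.2.77 / 255.255.255.0 still means the 192.0.2.0/24 network)."""
    client = int(ipaddress.IPv4Address(client_ip))
    subnet = int(ipaddress.IPv4Address(subnet_addr))
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return (client & mask) == (subnet & mask)


# Constructed PTR records: client IP -> host name, as a healthy name service would answer.
REVERSE_DNS = {
    "192.0.2.1": "example.com",
    "192.0.2.10": "www.example.com",
    "192.0.2.20": "build.example.com",
    "198.51.100.5": "host.example.net",
}

# Constructed answers from a rogue DNS server: an attacker machine at 203.0.113.9
# is handed a name inside example.com.
ROGUE_DNS = dict(REVERSE_DNS, **{"203.0.113.9": "vpn.example.com"})


def reverse_lookup(client_ip: str, table: Optional[dict]) -> Optional[str]:
    """Return the name assigned to client_ip, or None when the name service cannot
    be reached (table is None) or has no record for the address."""
    if table is None:
        return None
    return table.get(client_ip)


def dns_matches(client_ip: str, restriction: str, table: Optional[dict] = REVERSE_DNS) -> bool:
    """Match a DNS restriction such as 'www.example.com' or '*.example.com'.
    A failed lookup fails closed: the client does not meet the restriction."""
    name = reverse_lookup(client_ip, table)
    if name is None:
        return False
    name = name.lower().rstrip(".")
    pattern = restriction.lower().rstrip(".")
    if pattern.startswith("*."):
        # '*.example.com' matches any name under example.com, but neither the bare
        # 'example.com' nor 'www.example.com.attacker.net'.
        return name.endswith(pattern[1:])
    return name == pattern


def meets_restrictions(client_ip: str, table: Optional[dict] = REVERSE_DNS) -> dict:
    """Evaluate one client against a subnet restriction and a DNS restriction side by side."""
    return {
        "subnet_192.0.2.0/24": ip_matches_subnet(client_ip, "192.0.2.0", "255.255.255.0"),
        "dns_*.example.com": dns_matches(client_ip, "*.example.com", table),
    }


if __name__ == "__main__":
    print("legitimate client:", meets_restrictions("192.0.2.10"))
    print("name service down:", meets_restrictions("192.0.2.10", table=None))
    print("rogue DNS answer: ", meets_restrictions("203.0.113.9", table=ROGUE_DNS))
```

The practical lesson from the last two cases is that a DNS restriction alone is only as trustworthy as the name service answering the lookup: with the name service down the legitimate client is refused, and with a rogue server the attacker's address passes. Pairing the DNS restriction with a subnet restriction, or at least confirming that the returned name resolves back to the client address, limits what a spoofed PTR answer can achieve.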
User time restrictions
Time restrictions limit the times at which a user can log in (authenticate) to the directory. Typically, time
restrictions are enforced using the clock of the directory server. If the directory server is located in a
different time zone, or if a replica in a different time zone is accessed, the time-zone information stored in
the managed object can be used to adjust for the relative time.
The directory server evaluates user time restrictions, but the determination might be complicated by time-
zone changes or by the authentication mechanism.
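The following is an added example, not the directory's own schema or code, showing why the zone in which a time window is interpreted matters. The `TimeRestriction` class, the weekday/window representation, and the fixed-offset zones are assumptions for illustration: mid-January offsets are used for CET, EST and JST (none of which is on daylight saving time then) so the example runs without a time-zone database; a production evaluator would use named zones so daylight-saving changes are adjusted as well. The same login attempt is evaluated once in the directory server's zone and once in the managed object's zone.

```python
from datetime import datetime, time, timedelta, timezone

# Added example (not the directory's own code). Fixed offsets are constructed for
# mid-January, when CET, EST and JST are all off daylight saving time.
CET = timezone(timedelta(hours=1), "CET")
EST = timezone(timedelta(hours=-5), "EST")
JST = timezone(timedelta(hours=9), "JST")

WEEKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday in datetime.weekday() numbering


class TimeRestriction:
    """Assumed shape of a restriction: allowed weekdays plus a [start, end)
    wall-clock window, interpreted in `zone`. `zone` is the directory server's
    zone by default; pass the managed object's zone to adjust for relative time."""

    def __init__(self, days, start: time, end: time, zone: timezone):
        self.days, self.start, self.end, self.zone = set(days), start, end, zone

    def allows(self, login_time: datetime) -> bool:
        if login_time.tzinfo is None or login_time.utcoffset() is None:
            # A naive wall-clock time from the client cannot be adjusted; refuse
            # rather than guess which zone it was read in.
            raise ValueError("login time must be time-zone aware")
        local = login_time.astimezone(self.zone)
        return local.weekday() in self.days and self.start <= local.time() < self.end


# Business hours 08:00-18:00, Monday to Friday, in the directory server's zone.
SERVER_HOURS = TimeRestriction(WEEKDAYS, time(8), time(18), EST)
# The same window interpreted in the managed object's (the iLO's) own zone.
OBJECT_HOURS = TimeRestriction(WEEKDAYS, time(8), time(18), JST)


def evaluate(login_time: datetime) -> dict:
    """Evaluate one login attempt both ways so the difference is visible."""
    return {
        "server_zone": SERVER_HOURS.allows(login_time),
        "object_zone": OBJECT_HOURS.allows(login_time),
    }


if __name__ == "__main__":
    # Monday 2024-01-15 10:00 in Tokyo is Sunday 20:00 in New York: inside the
    # window relative to the managed object, outside it at the directory server.
    print(evaluate(datetime(2024, 1, 15, 10, 0, tzinfo=JST)))
```

The weekday can change along with the hour: a Monday-morning login at the managed object is still Sunday evening at a directory server five time zones west, so the attempt fails a weekday-only restriction unless the evaluation is adjusted to the object's zone.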
[Figure 11: User time restrictions. The figure shows the user, the client workstation, the directory server
and the LOM (iLO), each with its own clock; user time restrictions are enforced by the directory server.]
Role access restrictions
Restrictions allow administrators to limit the scope of a role. A role grants rights only to users who satisfy
the role restrictions. Using restricted roles results in users who have dynamic rights that can change
based on the time of day or network address of the client.
When directories are enabled, access to an iLO system is based on whether the user has read access to
a role object that contains the corresponding iLO object. This includes, but is not limited to, the members
listed in the role object. If the role is configured to allow inheritable permissions to propagate from a
parent, members of the parent that have read access privileges will also have access to iLO.