3PAR InForm® OS 2.3.1 Concepts Guide (320-200112 Rev B, February 2010)
4.5 LDAP Authentication and Authorization
As stated earlier, the user name is first checked against the authentication data stored on
the local InServ Storage Server. Only if the name is not found locally does the LDAP authentication
and authorization process proceed, as follows:
■ The user’s user name and password are used to authenticate with the LDAP server.
■ The user’s group memberships are determined with the data on the LDAP server.
■ A list of groups is compared against mapping rules that specify each group’s associated
privilege level.
■ If 3PAR Virtual Domains is in use, the user’s group is mapped to a domain.
■ The user is assigned a privilege level within the InServ system; or if using Domains, within a
domain, or domains, in the InServ system.
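The following is an added, self-contained model of the decision sequence above (local table first, then LDAP bind, group lookup, group-to-privilege mapping, and group-to-domain mapping when Virtual Domains is in use). It is not code from the InForm OS or from 3PAR. The in-memory directory, the user names, DNs, groups, the `dn_template` used to turn a login name into a bind DN, the rule tables, and the tie-break rule (highest matching privilege wins; in Domains mode a matched group without a domain rule grants nothing) are all constructed assumptions, not the product's actual rule syntax or precedence.

```python
from dataclasses import dataclass, replace

# Assumed ordering used when several matching groups map to different levels.
PRIVILEGE_RANK = {"browse": 1, "edit": 2, "super": 3}


@dataclass
class FakeDirectory:
    """Stand-in for the LDAP server: who can bind, and who belongs to which groups."""
    passwords: dict      # user DN -> password
    memberships: dict    # user DN -> list of group DNs

    def bind(self, dn: str, password: str) -> bool:
        return self.passwords.get(dn) == password

    def groups_of(self, dn: str) -> list:
        return list(self.memberships.get(dn, []))


@dataclass
class AuthConfig:
    local_users: dict        # user name -> (password, privilege) held on the InServ
    dn_template: str         # how a login name becomes a bind DN (assumption)
    privilege_rules: dict    # group DN -> privilege level
    domain_rules: dict       # group DN -> domain name (consulted only with Domains)
    domains_enabled: bool = False


def authorize(cfg: AuthConfig, ldap: FakeDirectory, user: str, password: str):
    """Return the caller's privilege assignment, or None when access is denied."""
    # A name present in the local table is authenticated locally and never
    # falls through to LDAP, even when the supplied password is wrong.
    if user in cfg.local_users:
        local_pw, priv = cfg.local_users[user]
        return {"source": "local", "privilege": priv} if password == local_pw else None

    # Bind to the LDAP server with the user's own credentials.
    dn = cfg.dn_template.format(user=user)
    if not ldap.bind(dn, password):
        return None

    # Group memberships come from the directory, never from the client.
    groups = ldap.groups_of(dn)

    # Keep only the groups that some mapping rule knows about.
    matched = {g: cfg.privilege_rules[g] for g in groups if g in cfg.privilege_rules}
    if not matched:
        return None   # authenticated, but no rule grants any privilege

    if not cfg.domains_enabled:
        # System-wide privilege: highest matching level wins (assumption).
        best = max(matched.values(), key=PRIVILEGE_RANK.__getitem__)
        return {"source": "ldap", "privilege": best}

    # Domains: each matched group grants its privilege inside the domain it
    # maps to; a group with no domain rule grants nothing (assumption).
    per_domain = {}
    for group, priv in matched.items():
        domain = cfg.domain_rules.get(group)
        if domain is None:
            continue
        current = per_domain.get(domain)
        if current is None or PRIVILEGE_RANK[priv] > PRIVILEGE_RANK[current]:
            per_domain[domain] = priv
    return {"source": "ldap", "domains": per_domain} if per_domain else None


# Constructed sample data: two directory users, one local administrator.
ALICE = "uid=alice,ou=Users,dc=example,dc=com"
BOB = "uid=bob,ou=Users,dc=example,dc=com"
ADMINS = "cn=storage-admins,ou=Groups,dc=example,dc=com"
OPS = "cn=storage-ops,ou=Groups,dc=example,dc=com"
EVERYONE = "cn=everyone,ou=Groups,dc=example,dc=com"

LDAP = FakeDirectory(
    passwords={ALICE: "alice-pw", BOB: "bob-pw"},
    memberships={ALICE: [ADMINS, OPS], BOB: [EVERYONE]},
)
CFG = AuthConfig(
    local_users={"3paradm": ("local-pw", "super")},
    dn_template="uid={user},ou=Users,dc=example,dc=com",
    privilege_rules={ADMINS: "super", OPS: "edit"},
    domain_rules={ADMINS: "Engineering", OPS: "Finance"},
)
CFG_DOMAINS = replace(CFG, domains_enabled=True)

if __name__ == "__main__":
    for name, pw in [("3paradm", "local-pw"), ("alice", "alice-pw"),
                     ("alice", "wrong"), ("bob", "bob-pw")]:
        print(name, authorize(CFG, LDAP, name, pw), authorize(CFG_DOMAINS, LDAP, name, pw))
```

Two behaviours worth noticing when reading the output: a name that exists locally is decided locally and is never retried against LDAP, so a wrong local password is a hard failure; and `bob` authenticates successfully but is still denied, because authentication (the bind) and authorization (a group matching a mapping rule) are separate steps.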
4.5.1 Authentication
Users are authenticated with the LDAP server using a bind operation. In the bind, the InForm OS
LDAP client presents credentials to the LDAP server, and a successful bind is the server's
confirmation that those credentials are valid. This authentication process is required for all
systems using LDAP, including systems using Domains. Several binding mechanisms are supported
by the InForm OS LDAP client.
4.5.1.1 Simple Binding
With simple binding, the user's user name and password are sent to the LDAP server in clear
text and the LDAP server determines whether the submitted password is correct. Because the
password is readable by anyone who can observe the connection, simple binding is not
recommended unless a secure connection to the LDAP server is established with Secure Sockets
Layer (SSL) or Transport Layer Security (TLS).
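To make "sent in clear text" concrete, the following added example (not code from the InForm OS or from 3PAR) builds a simple BindRequest in the BER encoding that LDAP uses on the wire (RFC 4511: an LDAPMessage SEQUENCE containing a message ID and an `[APPLICATION 0]` BindRequest whose authentication choice is `simple [0] OCTET STRING`), then parses the bytes back the way a passive observer would. The bind DN and password are constructed values, and the encoder covers only what this message needs; the point is that without SSL/TLS the password appears verbatim in the TCP payload.

```python
# Minimal BER helpers: only definite-length encoding, as LDAP requires.
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # Non-negative integers only; the extra byte keeps the sign bit clear.
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, bindRequest { version 3, name, simple } }."""
    bind = tlv(
        0x60,                                   # [APPLICATION 0] BindRequest
        ber_int(3)                              # version 3
        + tlv(0x04, dn.encode())                # name: LDAPDN as OCTET STRING
        + tlv(0x80, password.encode()),         # authentication: simple [0]
    )
    return tlv(0x30, ber_int(message_id) + bind)  # LDAPMessage SEQUENCE


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def sniff_credentials(packet: bytes):
    """What an observer on the path recovers from an unencrypted simple bind.

    Returns (dn, password) for a simple BindRequest, or None for anything else
    (a non-bind message, or a bind using a SASL mechanism instead of simple).
    """
    tag, msg, _ = parse_tlv(packet)
    if tag != 0x30:
        return None
    _, _, pos = parse_tlv(msg)                  # skip messageID
    tag, bind, _ = parse_tlv(msg, pos)
    if tag != 0x60:
        return None                             # not a BindRequest
    _, _, pos = parse_tlv(bind)                 # skip version
    _, dn, pos = parse_tlv(bind, pos)
    tag, cred, _ = parse_tlv(bind, pos)
    if tag != 0x80:
        return None                             # not the simple choice
    return dn.decode(), cred.decode()


# Constructed sample: a service account binding with its password.
SAMPLE_DN = "cn=svc-3par,ou=Users,dc=example,dc=com"
SAMPLE_PASSWORD = "Hunter2!"
SAMPLE_PACKET = simple_bind_request(1, SAMPLE_DN, SAMPLE_PASSWORD)

if __name__ == "__main__":
    print(SAMPLE_PACKET.hex())
    print("password visible in payload:", SAMPLE_PASSWORD.encode() in SAMPLE_PACKET)
    print("observer recovers:", sniff_credentials(SAMPLE_PACKET))
```

With SSL/TLS in place the same bytes are still produced by the client, but they are the plaintext of the TLS record rather than the TCP payload, so an observer sees only ciphertext. Note also that a simple bind with an empty password is an anonymous bind in LDAP, so the client should refuse to send one when a user has supplied an empty string.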
NOTE: 3PAR Virtual Domains requires a 3PAR Virtual Domains license. For
additional information about the license, see Optional Software Features on
page 2.8.