3PAR InForm® OS 2.3.1 Concepts Guide (320-200112 Rev B, February 2010)

LDAP Authentication and Authorization
4.5.1.2 SASL Binding
In addition to simple binding, the InForm OS LDAP client also supports the PLAIN, DIGEST-MD5,
and GSSAPI SASL binding mechanisms. Generally, DIGEST-MD5 and GSSAPI are more secure
methods of authentication as user passwords are not sent to the LDAP server.
The PLAIN mechanism is similar to simple binding: the user name and password are sent in
cleartext to the LDAP server for authentication. As with simple binding, use PLAIN only over a
connection protected by SSL or TLS; otherwise the password is exposed to anyone who can
observe the network path to the LDAP server.
With the GSSAPI mechanism, the client first authenticates to the Kerberos server (the KDC),
which validates the user's identity and issues a service ticket for the LDAP server. The client
then presents that ticket to the LDAP server, which verifies it without ever seeing the user's
password.
With the DIGEST-MD5 mechanism, the LDAP server sends the InForm OS LDAP client a one-time
challenge value (a nonce). The client computes an MD5 digest over that challenge together with
the user's password (the challenge is hashed, not encrypted) and returns the digest, proving
that it knows the password without ever transmitting it. Two caveats a deployment should
weigh: the server must hold the password, or a password-equivalent hash of it, to verify the
response, and DIGEST-MD5 has since been declared obsolete (RFC 6331), so where both are
available GSSAPI is the better choice.
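The challenge/response exchange described above, worked through as an added example. This is editor-supplied code, not code from the guide or from the InForm OS LDAP client; it implements the RFC 2831 digest computation for both the client and the server side. The user name, realm, password and digest-uri are made-up sample values, and the message rendering is a simplified version of the RFC's wire syntax.

```python
import hashlib
import secrets

# Constructed sample credentials and LDAP target for the walk-through; none of
# these values come from the guide.
USERNAME = "3paradm"
REALM = "example.com"
PASSWORD = "correct horse battery staple"
DIGEST_URI = "ldap/ldap.example.com"      # serv-type "/" host, RFC 2831


def _h(data: bytes) -> bytes:
    """H() of RFC 2831: the raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def ha1(username, realm, password, nonce, cnonce, authzid=None):
    """HEX(H(A1)). A1 starts with the *raw* 16 bytes of H(user:realm:pass),
    not their hex form; hexing too early is a classic interop bug."""
    a1 = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    return _h(a1).hex()


def proof(username, realm, password, nonce, cnonce, nc, qop, digest_uri,
          server_side=False):
    """response-value (client) or rspauth (server), RFC 2831 section 2.1.2.1.
    Only the A2 prefix differs between the two directions."""
    a2 = ("" if server_side else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha2 = _h(a2.encode("utf-8")).hex()
    kd = ":".join([ha1(username, realm, password, nonce, cnonce),
                   nonce, nc, cnonce, qop, ha2])
    return _h(kd.encode("utf-8")).hex()


def server_challenge(realm=REALM):
    """Step 1, server -> client: the one-time nonce the guide refers to."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth",
            "charset": "utf-8", "algorithm": "md5-sess"}


def client_respond(challenge, username, password, digest_uri=DIGEST_URI):
    """Step 2, client -> server: the proof, never the password itself."""
    cnonce, nc = secrets.token_hex(16), "00000001"
    return {"username": username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "cnonce": cnonce, "nc": nc,
            "qop": challenge["qop"], "digest-uri": digest_uri,
            "response": proof(username, challenge["realm"], password,
                              challenge["nonce"], cnonce, nc,
                              challenge["qop"], digest_uri)}


def server_verify(challenge, resp, stored_password):
    """Step 3: the server recomputes the proof from the secret it holds.
    Returns rspauth (so the client can authenticate the server) or None."""
    if resp["nonce"] != challenge["nonce"] or resp["nc"] != "00000001":
        return None                       # replayed or stale response
    args = (resp["username"], resp["realm"], stored_password, resp["nonce"],
            resp["cnonce"], resp["nc"], resp["qop"], resp["digest-uri"])
    if not secrets.compare_digest(proof(*args), resp["response"]):
        return None
    return proof(*args, server_side=True)


def client_check_rspauth(challenge, resp, password, rspauth):
    """Step 4: mutual authentication, the client checks the server's proof."""
    expected = proof(resp["username"], resp["realm"], password, resp["nonce"],
                     resp["cnonce"], resp["nc"], resp["qop"],
                     resp["digest-uri"], server_side=True)
    return rspauth is not None and secrets.compare_digest(expected, rspauth)


def wire(msg):
    """Simplified rendering of a message as it travels (nc and qop unquoted)."""
    return ",".join(f"{k}={v}" if k in ("nc", "qop") else f'{k}="{v}"'
                    for k, v in msg.items())


def run_exchange(client_password, stored_password=PASSWORD):
    """Drive the whole bind; returns (authenticated, client message on wire)."""
    ch = server_challenge()
    resp = client_respond(ch, USERNAME, client_password)
    rspauth = server_verify(ch, resp, stored_password)
    return client_check_rspauth(ch, resp, client_password, rspauth), wire(resp)


if __name__ == "__main__":
    ok, on_wire = run_exchange(PASSWORD)
    print("bind succeeded:", ok)
    print("password appears on the wire:", PASSWORD in on_wire)
    print("wrong password accepted:", run_exchange("wrong")[0])
```

Two points the code makes concrete. The server can only verify the response if it holds the cleartext password or H(user:realm:password), and that hash is password-equivalent for this mechanism, so DIGEST-MD5 protects the password in transit but not at rest on the directory server. With qop=auth, as here, nothing after the bind is integrity- or confidentiality-protected; only TLS or qop=auth-conf covers the LDAP traffic that follows. RFC 2831 section 4 contains a worked exchange with a known response value that can be used as a known-answer test of an implementation like this one.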
NOTE: The SASL mechanisms you can use depend on your LDAP server
configuration.
4.5.2 Authorization
Once an LDAP user has been authenticated, the next stage is authorization. The authorization
process determines what a user is allowed to do within the InServ system.
As discussed in LDAP Users on page 4.3, an LDAP user's privileges are tied to that user's group
membership, and a user can belong to multiple groups. Each group has an assigned privilege
level allowing super, service, edit, or browse privileges within the system (see Chapter 3, InServ
Storage Server Users, for information about user privileges). The InForm OS LDAP client
performs group-to-privilege mapping using the following four mapping parameters:
super-map
service-map
edit-map
browse-map
Each group of which the user is a member is compared against the mapping parameters.
Mapping occurs sequentially, with a group first compared to the super-map parameter. If no
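The mapping order described above, as an added example. This is editor-supplied code, not InForm OS code, and it rests on assumptions the guide does not state on this page: the group DNs are made up; a group that does not match super-map is assumed to be compared next against service-map, then edit-map, then browse-map; the first map that matches any of the user's groups is assumed to give the user's effective privilege level; and a user with no matching group is treated as having no access, the fail-closed default. The DN comparison shown (case folding plus escape-aware splitting) is a simplification of full RFC 4514 matching.

```python
# Constructed example (not from the guide): group DNs, the four mapping
# parameters in the order the guide lists them, and a simplified DN comparison.
PRIVILEGE_MAPS = [
    ("super-map",   "super",   "cn=storage-admins,ou=groups,dc=example,dc=com"),
    ("service-map", "service", "cn=storage-service,ou=groups,dc=example,dc=com"),
    ("edit-map",    "edit",    "cn=storage-operators,ou=groups,dc=example,dc=com"),
    ("browse-map",  "browse",  "cn=storage-viewers,ou=groups,dc=example,dc=com"),
]


def split_rdns(dn):
    """Split a DN at unescaped commas; RFC 4514 escapes a literal comma as '\\,'."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])        # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Comparison form of a DN: trimmed, attribute types and values lowercased.
    Attribute types are case-insensitive by definition, and cn/ou/dc values use
    caseIgnoreMatch, so this is correct for the groups above; it is an
    assumption for other attribute types. Without normalization a directory
    that returns 'CN=Storage-Admins, OU=Groups, ...' would silently fail to
    map, which is fail-closed but surprising."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def map_privilege(user_groups, maps=PRIVILEGE_MAPS):
    """Walk the maps in super, service, edit, browse order and return the
    privilege level of the first map matching any of the user's groups.
    Returns None (assumed: no access) when nothing matches."""
    groups = {normalize_dn(g) for g in user_groups}
    for _param, level, group_dn in maps:
        if normalize_dn(group_dn) in groups:
            return level
    return None


if __name__ == "__main__":
    # Constructed sample: the user is in a viewers group and an admins group,
    # so the super-map entry matches first and wins.
    member_of = ["CN=Storage-Viewers, OU=Groups, DC=Example, DC=com",
                 "cn=storage-admins,ou=groups,dc=example,dc=com"]
    print(map_privilege(member_of))                                  # super
    print(map_privilege(["cn=unrelated,ou=groups,dc=example,dc=com"]))  # None
```

The point of evaluating super-map first is that a user in several groups receives the most privileged level any of those groups maps to; when populating the four parameters, review the membership of the super-map and service-map groups most carefully, because membership in either overrides anything a browse or edit group would grant.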