HP 3PAR InForm OS 3.1.1 CLI Administrator's Manual
rights within the system, all engineering group members have Edit rights within the
system, and all hardware group members have Browse rights within the system.
Configuring LDAP Connections on Systems Using Domains
LDAP is also available for systems using virtual domains for access control. The configuration
process is nearly identical to configuring LDAP on non-Domain systems, with the only difference
being an additional authorization step to map a user’s group to a domain. You can configure your
system to use SASL, GSSAPI, or SSL with domains. For information about LDAP and Domains, see
Chapter 4, LDAP, in the HP 3PAR InForm OS Concepts Guide.
CAUTION: If you are operating in Common Criteria mode, configure LDAP to do simple binding
over SSL. If you must use SASL binding, then only GSSAPI should be used in combination with
SASL. You must also disallow the use of SSH keys for authenticating LDAP users by setting the
allow-ssh-key parameter of the setauthparam CLI command to 0 when configuring the
LDAP server. To learn more about Common Criteria, see the HP 3PAR InForm OS Common Criteria
Administrator’s Reference.
To configure your system to use an Active Directory LDAP server using SASL binding, the following
process must be performed (detailed instructions follow):
• Configure connection parameters using the following commands:
◦ setauthparam ldap-server <IP_address>
◦ setauthparam ldap-server-hn <DNS_HostName>
◦ setauthparam kerberos-realm <LDAP_ServiceName>
• Configure binding (authentication) parameters using the following commands:
◦ setauthparam binding sasl
◦ setauthparam sasl-mechanism <SASL_type>
• Configure account location parameters using the following commands:
◦ setauthparam accounts-dn <DN_path>
◦ setauthparam account-obj user
◦ setauthparam account-name-attr sAMAccount
◦ setauthparam memberof-attr memberOf
◦ checkpassword <user_name>
• Configure group-to-role mapping parameters using the following command:
◦ setauthparam <map_param> <map_value>
• Configure group-to-domain mapping parameters using the following commands:
◦ setauthparam group-obj group
◦ setauthparam domain-name-attr <attribute>, and optionally setauthparam domain-name-prefix <prefix>
◦ checkpassword <user_name>
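Once the parameters above are set, an administrator will want to confirm that the resulting LDAP settings satisfy the Common Criteria requirements from the CAUTION (simple binding only over SSL, SASL only with GSSAPI, allow-ssh-key set to 0). The following checker is an added example, not HP's own code: it assumes the parameter listing is a two-column "Param Value" table like the one shown (constructed here) and that the SSL switch is named ldap-ssl, which is an assumption not stated on this page.

```python
# Added example (not from the HP 3PAR manual): check a captured authparam
# listing against the Common Criteria requirements quoted in the CAUTION.
# The listing format is constructed and assumed to be a "Param Value" table.
SAMPLE_LISTING = """\
Param             Value
ldap-server       192.0.2.10
ldap-server-hn    dc1.corp.example
kerberos-realm    CORP.EXAMPLE
binding           sasl
sasl-mechanism    DIGEST-MD5
accounts-dn       CN=Users,DC=corp,DC=example
account-obj       user
memberof-attr     memberOf
allow-ssh-key     1
"""


def parse_authparams(listing):
    """Turn the two-column listing into a dict; the header line is skipped."""
    params = {}
    for line in listing.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] == "Param":
            continue
        params[parts[0]] = parts[1].strip()
    return params


def common_criteria_findings(params):
    """Return a list of findings; an empty list means the settings comply."""
    findings = []
    binding = params.get("binding", "").lower()
    if binding == "simple":
        # "ldap-ssl" is an assumed parameter name for the SSL switch.
        if params.get("ldap-ssl", "0") != "1":
            findings.append("simple binding is not configured over SSL")
    elif binding == "sasl":
        mech = params.get("sasl-mechanism", "")
        if mech.upper() != "GSSAPI":
            findings.append(f"SASL mechanism {mech!r} is not GSSAPI")
    else:
        findings.append(f"unrecognised binding {binding!r}")
    # SSH-key authentication must be disabled for LDAP users.
    if params.get("allow-ssh-key", "1") != "0":
        findings.append("allow-ssh-key is not 0 (SSH keys allowed for LDAP users)")
    return findings


if __name__ == "__main__":
    for finding in common_criteria_findings(parse_authparams(SAMPLE_LISTING)):
        print("FINDING:", finding)
```

Run against the constructed listing it reports two findings (DIGEST-MD5 instead of GSSAPI, and allow-ssh-key still 1); a compliant listing yields none.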
The following instructions describe how to set up an Active Directory LDAP connection on a system
using Domains:
Configuring LDAP Connections on Systems Using Domains 43