HP 3PAR InForm OS 3.1.1 Concepts Guide

4 LDAP
Overview
The Lightweight Directory Access Protocol (LDAP) is a standard protocol for communication between
LDAP clients and LDAP directory servers. Data is stored as a directory hierarchy by the server and
clients add, modify, search, or remove the data. The data can be organized using standard schemas
understood by clients and servers from different vendors or by an application-specific schema used
only by a particular vendor or application.
The InForm OS contains an LDAP client that can be configured to use an LDAP server for
authentication and authorization of system users. In an environment where multiple systems are
configured to use the same LDAP server in the same way, a single user with access to one system
can access all of the environment’s systems with the same role.
Accessing objects on systems configured to use HP 3PAR Virtual Domains Software requires access
to the domain in which those objects reside. The configuration of domains may differ from one
system installation to the next. This results in differing levels of access over objects based on mapping
between the LDAP configuration and the individual system’s domain configuration.
The InForm OS LDAP client is designed to work with various LDAP servers and schemas for data
organization. However, only use with the Active Directory LDAP directory implementation is currently
supported.
Configuring the InForm OS to use LDAP can only be performed with the HP 3PAR InForm Command
Line Interface (CLI). Refer to the HP 3PAR InForm OS CLI Administrator’s Manual for instructions
on how to perform these tasks.
NOTE: At the current time, the OpenLDAP directory implementation is also available, however,
on a limited basis. Check with your local HP service representative for updates on availability.
NOTE: All LDAP related tasks are performed with the 3PAR InForm Command Line Interface (CLI).
Active Directory
Active Directory is an implementation of LDAP directory services by Microsoft for use in Windows
environments. An Active Directory server is both an LDAP and Kerberos server. When set up for
SASL binding (see “SASL Binding” (page 23)), the Active Directory server and Kerberos server are
used for both authorization and authentication of users.
OpenLDAP
OpenLDAP is an open source implementation of LDAP directory services developed by the OpenLDAP
Project. OpenLDAP includes a server, client library, and tools that are available for a wide variety
of operating systems. Different schemata can be used for user and group information with
OpenLDAP. For example, the POSIX schema is typically used for user and group information on
Linux/Unix systems.
LDAP Users
Users created with the InForm OS CLI who access the system using InForm OS CLI clients, or with
SSH, are authenticated and authorized directly on the system. These users are referred to as local
users. An LDAP user is similar to a local user; however, an LDAP user is authenticated and authorized
using information from an LDAP server.
During authentication, if a user name is not recognized as a local user, that user’s name and
password are checked on the LDAP server. The local user’s authentication data takes precedence
over the user’s LDAP authentication data. User names not associated with local user names are
authenticated using LDAP data.
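The precedence rule above, as an added illustration that is not InForm OS code: a name that exists as a local user is checked only against the local credential store and is never sent to the LDAP server, even when the local password check fails. The user table, the simulated LDAP bind and all passwords are constructed sample data.

```python
# Added example (not InForm OS code): models local-before-LDAP precedence.
import hashlib
import hmac

def _digest(salt: bytes, password: str) -> bytes:
    """Salted SHA-256 of a password (constructed local credential format)."""
    return hashlib.sha256(salt + password.encode()).digest()

# Constructed local user table: name -> (salt, digest, role)
LOCAL_USERS = {
    "admin":  (b"s1", _digest(b"s1", "local-secret"), "super"),
    "browse": (b"s2", _digest(b"s2", "look-only"), "browse"),
}

# Constructed stand-in for the LDAP server: name -> (password, mapped role).
# "admin" also exists locally, so this LDAP entry can never be used.
LDAP_DIRECTORY = {
    "admin": ("ldap-other-secret", "edit"),
    "alice": ("alice-pass", "edit"),
}

def ldap_bind(name: str, password: str):
    """Simulated LDAP bind; returns the mapped role on success, else None."""
    entry = LDAP_DIRECTORY.get(name)
    if entry is None:
        return None
    if not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return entry[1]

def authenticate(name: str, password: str, ldap=ldap_bind):
    """Return (source, role) on success, or None on failure.

    Local accounts take precedence: if the name is a local user, only the
    local credential is checked and there is no fallback to LDAP.
    """
    local = LOCAL_USERS.get(name)
    if local is not None:
        salt, expected, role = local
        if hmac.compare_digest(_digest(salt, password), expected):
            return ("local", role)
        return None  # local name, wrong password: LDAP is never consulted
    role = ldap(name, password)
    return ("ldap", role) if role is not None else None
```

A practical consequence: creating a local account with the same name as an LDAP account silently shadows the LDAP account, so naming collisions between local and directory users are worth checking for.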
Overview 21