HP 3PAR InForm OS 3.1.1 Concepts Guide
Additionally for local users, during authentication, the password supplied by the user must match
the password assigned when that user was initially created or modified. The rights assigned to the
user during authorization are the same rights associated with the user role assigned when that
user was initially created or modified. See “HP 3PAR Storage System Users” (page 19) for additional
information about user roles and rights. LDAP users can access the system using the same methods
as local users, although some user account creation and modification operations are unavailable
for them.
Do not create a local user and an LDAP user with the same name. If a local and an LDAP user share
a name, it becomes ambiguous which account store (the local user database or the LDAP server) is
controlling that user's access. For instructions on using LDAP with the storage system, refer to
the HP 3PAR InForm OS CLI Administrator’s Manual.
Another key difference between local users and LDAP users is how rights are assigned. A local
user’s rights within the system are assigned individually, when that user is created or modified.
An LDAP user’s rights are derived from group membership: groups are mapped to specific rights
within the system, and an individual LDAP user receives the rights of the groups the user belongs to.
LDAP Server Data Organization
LDAP server data consists of user information, which includes each user’s group associations. The
data can be an existing directory that already holds user account information, or data created
specifically for use with the storage system. Data on the LDAP server can be organized in two
different ways:
• As a list of groups associated with each user.
• As a list of users associated with each group.
The form in which data is organized is dependent on the type of LDAP server used and the tools
used to maintain the data. Programs such as ldp.exe, which is a downloadable Windows Support
Tool available from Microsoft, and ldapsearch, which is available for many UNIX and Linux
systems, can be used to view data entries in the LDAP server. This can be useful when configuring
the InForm OS LDAP client with your LDAP server as discussed in Chapter 4, Managing User
Accounts and Connections, in the InForm OS CLI Administrator’s Manual.
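The following is an added example, not code from the Concepts Guide or from the InForm OS LDAP client. It shows, for both data organizations described above, how a user’s groups are recovered from LDAP search results and how a role is then derived from group membership (the point made under "LDAP Users"). The LDIF entries are constructed sample data, the attribute names memberOf and member, the group-to-role table and the role names (super, edit, browse) are assumptions chosen for illustration, and the ldapsearch invocations in the comments are illustrative queries, not commands taken from the manual.

```python
"""Resolve an LDAP user's groups from either data organization, then derive a role."""
import base64
from typing import Dict, List, Optional, Set

Entry = Dict[str, List[str]]

# Organization 1: the user entry lists its groups (assumed attribute: memberOf).
# Illustrative query that would return such an entry:
#   ldapsearch -x -H ldap://dc.example.com -D "CN=svc,OU=Users,DC=example,DC=com" -W \
#       -b "DC=example,DC=com" "(cn=alice)" memberOf
LDIF_USER_ENTRIES = """\
dn: CN=alice,OU=Users,DC=example,DC=com
cn: alice
memberOf: CN=storage-admins,OU=Groups,DC=example,DC=com
memberOf: CN=backup-operators,OU=Groups,DC=example,DC=com
"""

# Organization 2: each group entry lists its users (assumed attribute: member).
# Illustrative query for the same information:
#   ldapsearch -x -H ldap://dc.example.com -D "CN=svc,OU=Users,DC=example,DC=com" -W \
#       -b "OU=Groups,DC=example,DC=com" "(member=CN=alice,OU=Users,DC=example,DC=com)" dn
LDIF_GROUP_ENTRIES = """\
dn: CN=storage-admins,OU=Groups,DC=example,DC=com
cn: storage-admins
member: CN=alice,OU=Users,DC=example,DC=com

dn: CN=storage-browsers,OU=Groups,DC=example,DC=com
cn: storage-browsers
member: CN=bob,OU=Users,DC=example,DC=com

dn:: Q049YmFja3VwLW9wZXJhdG9ycyxPVT1Hcm91cHMsREM9ZXhhbXBsZSxEQz1jb20=
cn: backup-operators
member: CN=alice,OU=Users,DC=example,DC=com
member: CN=carol,
 OU=Users,DC=example,DC=com
"""

# Hypothetical mapping of group DNs to roles; backup-operators is deliberately unmapped.
GROUP_ROLES = {
    "cn=storage-admins,ou=groups,dc=example,dc=com": "super",
    "cn=storage-browsers,ou=groups,dc=example,dc=com": "browse",
}
ROLE_RANK = {"browse": 1, "edit": 2, "super": 3}


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    lower-cases attribute names and splits entries on blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                   # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def groups_from_user_entry(entries: List[Entry], user_dn: str) -> Set[str]:
    """Organization 1: read the group list off the user's own entry."""
    for e in entries:
        if e.get("dn", [""])[0].lower() == user_dn.lower():
            return {g.lower() for g in e.get("memberof", [])}
    return set()


def groups_from_group_entries(entries: List[Entry], user_dn: str) -> Set[str]:
    """Organization 2: collect every group whose member list names the user."""
    target = user_dn.lower()
    return {e["dn"][0].lower() for e in entries
            if any(m.lower() == target for m in e.get("member", []))}


def effective_role(groups: Set[str]) -> Optional[str]:
    """Highest-ranked role among the user's mapped groups; None means the user may
    authenticate but is not authorized for anything (no group maps to a role)."""
    roles = [GROUP_ROLES[g] for g in groups if g in GROUP_ROLES]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def resolve_role(user_dn: str) -> Optional[str]:
    """Try the user-entry form first, fall back to the group-entry form."""
    groups = groups_from_user_entry(parse_ldif(LDIF_USER_ENTRIES), user_dn)
    if not groups:
        groups = groups_from_group_entries(parse_ldif(LDIF_GROUP_ENTRIES), user_dn)
    return effective_role(groups)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = f"CN={user},OU=Users,DC=example,DC=com"
        print(f"{user}: role={resolve_role(dn)}")
```

Two details matter when reproducing this against a real directory: DNs are compared case-insensitively (the directory does the same), and a user who authenticates successfully but belongs to no mapped group ends up with no role at all, which is the authorization failure to look for when an LDAP login is accepted but every command is refused.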
LDAP and Domains
LDAP is also available for systems using virtual domains for access control. As discussed in “HP
3PAR Virtual Domains” (page 25), the Domains facility enables finer-grained rights over system
objects such as volumes and hosts. Accessing objects on systems configured to use virtual domains
requires rights in the domain in which those objects reside. Because the configuration of Domains
can differ within an HP Storage System, or from one storage server to another (in configurations
with multiple servers), a user can have different rights in different domains of a single system,
and different rights across multiple systems.
As discussed earlier in “LDAP Users” (page 21), LDAP users must follow a process of authentication
and authorization in order to gain access to the system. With Domains in use, in addition to
authentication with the system, LDAP users must also be authorized to access domains set up within
the system. For additional information, see “LDAP Authentication and Authorization” (page 23).
For instructions on setting up LDAP users on systems using Domains, see Chapter 4, Managing
User Accounts and Connections in the InForm OS CLI Administrator’s Manual.
NOTE: Virtual domains require an HP 3PAR Virtual Domains Software license. For additional
information about the license, see “Optional Software Features” (page 16).