HP 3PAR OS 3.1.3 CLI Administrator's Manual

Authentication is the process of using data from the LDAP server to verify a user’s name and the
supplied password. Authorization is the process of using data from the LDAP server to determine
the user’s group membership and rights in the system.
By default, LDAP users cannot store an SSH public key with the HP 3PAR CLI setsshkey
command. To allow LDAP users to use the setsshkey command, set the allow-ssh-key
parameter with the setauthparam command. Once a key is stored, the rights, domains, and system
access that were assigned when the setsshkey command was issued continue to apply, regardless
of any later changes to the user's data on the LDAP server. For more information about using LDAP
with HP 3PAR Storage systems, see the HP 3PAR StoreServ Storage Concepts Guide.
CAUTION: Do not create local and LDAP users with the same name. If local and LDAP users have
the same name, it can cause confusion about where access is controlled.
Active Directory LDAP Configuration with SASL Binding
To configure your system to use Active Directory with SASL binding, perform the following
process (detailed instructions follow):
1. Configure connection parameters using the following commands:
   setauthparam ldap-server <IP_address>
   setauthparam ldap-server-hn <DNS_HostName>
   setauthparam kerberos-realm <LDAP_ServiceName>
2. Configure binding (authentication) parameters using the following commands:
   setauthparam binding sasl
   setauthparam sasl-mechanism <SASL_type>
3. Configure account location parameters using the following commands:
   setauthparam accounts-dn <dn_path>
   setauthparam account-obj user
   setauthparam account-name-attr sAMAccountName
   setauthparam memberof-attr memberOf
4. Configure group-to-role mapping parameters using the following command:
   setauthparam <map_param> <map_value>
5. Test the authentication/authorization for an Active Directory user account:
   checkpassword <user_name>
Each step in the process above is discussed in the following sections. Each section is followed by
an example showing the implementation of the instructions described.
NOTE: The examples used to illustrate the procedures described for Active Directory LDAP
configuration with SASL binding specifically use GSSAPI as the SASL binding mechanism.
As you will see, a single user is used to determine the group hierarchies and path structures in
the system, which are then used to complete the LDAP configuration.
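The five-step process above, driven as one checked script, as an added example that is not from the HP manual: gen_ldap_setup assembles the setauthparam commands in the manual's order and validates its inputs, and find_name_collisions enforces the CAUTION about duplicate local and LDAP user names. The ssh invocation and the map parameter name are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the HP manual. gen_ldap_setup emits the setauthparam
# sequence of the procedure above in the manual's order, ending with the
# checkpassword test, and emits nothing if an argument is missing or the server
# address is not a dotted-quad IPv4 address. Assumptions: the caller supplies the
# group-to-role map parameter name (the manual's <map_param>), and the CLI accepts
# the lines on stdin over ssh, e.g. gen_ldap_setup ... | ssh 3paradm@<system>.
# Arguments: SERVER_IP SERVER_HN REALM SASL_MECH ACCOUNTS_DN MAP_PARAM MAP_VALUE TEST_USER
gen_ldap_setup() {
    [ "$#" -eq 8 ] || { echo "gen_ldap_setup: need 8 arguments, got $#" >&2; return 1; }
    for arg in "$@"; do
        [ -n "$arg" ] || { echo "gen_ldap_setup: empty argument" >&2; return 1; }
    done
    # Loose dotted-quad check: digits and dots only, no leading, trailing or double dots.
    case "$1" in
        *[!0-9.]* | .* | *. | *..*)
            echo "gen_ldap_setup: '$1' is not an IPv4 address" >&2; return 1 ;;
    esac
    # 1. Connection parameters
    printf 'setauthparam ldap-server %s\n' "$1"
    printf 'setauthparam ldap-server-hn %s\n' "$2"
    printf 'setauthparam kerberos-realm %s\n' "$3"
    # 2. Binding (authentication) parameters
    printf 'setauthparam binding sasl\n'
    printf 'setauthparam sasl-mechanism %s\n' "$4"
    # 3. Account location parameters (Active Directory attribute names from the manual)
    printf 'setauthparam accounts-dn %s\n' "$5"
    printf 'setauthparam account-obj user\n'
    printf 'setauthparam account-name-attr sAMAccountName\n'
    printf 'setauthparam memberof-attr memberOf\n'
    # 4. Group-to-role mapping
    printf 'setauthparam %s %s\n' "$6" "$7"
    # 5. Verify authentication and authorization for one Active Directory account
    printf 'checkpassword %s\n' "$8"
}

# find_name_collisions LOCAL_NAMES AD_NAMES: whitespace-separated lists of user
# names (the local user list and the directory's accounts); prints each local name
# that also exists in AD, compared case-insensitively because sAMAccountName
# lookups are case-insensitive. Run it before enabling LDAP to enforce the CAUTION above.
find_name_collisions() {
    for local_name in $1; do
        lc_local=$(printf '%s' "$local_name" | tr 'A-Z' 'a-z')
        for ad_name in $2; do
            [ "$lc_local" = "$(printf '%s' "$ad_name" | tr 'A-Z' 'a-z')" ] && printf '%s\n' "$local_name"
        done
    done
    return 0
}
```

Review the generated lines before sending them to the system; the final checkpassword line is the manual's own verification step, so a failure there means the earlier parameters need correcting.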
Configuring Connection Parameters
To configure connection parameters:
Configuring LDAP Connections 25