HP 3PAR StoreServ Concepts Guide: HP 3PAR OS 3.1.3

see “HP 3PAR Storage System Users” (page 19). LDAP users can access the system using the same
methods as local users, although some user account creation and modification operations are
unavailable. Do not create local and LDAP users with the same user name. If local and LDAP users
have the same user name, it can cause confusion about where access is controlled. For instructions
on using LDAP with the storage system, see the HP 3PAR Command Line Interface Administrator’s
Manual.
Another key difference between local users and LDAP users is that a local user’s rights to the system
are assigned on a case-by-case basis. An LDAP user’s rights depend on that user’s group association.
In other words, groups are assigned specific rights to the system, and an individual LDAP user’s
rights depend on group membership.
LDAP Server Data Organization
LDAP server data consists of user information, which includes the user’s group associations. Data
can be existing data used for user account information or data created for specific use with systems.
Data on the LDAP server can be organized in two different ways:
• As a list of groups associated with each user.
• As a list of users associated with each group.
The form in which data is organized depends on the type of LDAP server used and the tools used
to maintain the data. Programs such as ldp.exe, which is a downloadable Windows Support
Tool available from Microsoft, and ldapsearch, which is available for many UNIX and Linux
systems, can be used to view data entries in the LDAP server. This can be useful when configuring
the HP 3PAR LDAP client with your LDAP server, as discussed in the “Managing User Accounts
and Connections” chapter in the HP 3PAR Command Line Interface Administrator’s Manual.
LDAP and Domains
LDAP is also available for systems that use virtual domains for access control. As discussed in “HP
3PAR Virtual Domains” (page 25), by using domains, rights to system objects, such as volumes
and hosts, can be specifically defined. Accessing objects on systems configured to use virtual
domains requires rights in the domain in which those objects reside. Because domains can be
configured differently within an HP storage system, or from one server to another (in configurations
with multiple servers), a user can have different rights to domains in a single system, or across
multiple systems.
As discussed in “LDAP Users” (page 21), LDAP users must follow a process of authentication and
authorization to gain access to the system. With domains in use, LDAP users must also be authorized
to access domains set up within the system. For additional information, see “LDAP Authentication
and Authorization” (page 22).
For instructions on setting up LDAP users on systems using Domains, see “Managing User Accounts
and Connections” in the HP 3PAR Command Line Interface Administrator’s Manual.
NOTE: Virtual domains require an HP 3PAR Virtual Domains Software license. For additional
information about the license, see “HP 3PAR Software” (page 10).
LDAP Authentication and Authorization
The user’s user name is first checked against the authentication data stored on the local system. If
the user’s name is not found, the LDAP authentication and authorization process proceeds as
follows:
1. The user’s user name and password are used to authenticate with the LDAP server.
2. The user’s group memberships are determined from the data on the LDAP server.
3. A list of groups is compared against mapping rules that specify each group’s associated roles.
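The order of checks described above, together with the two ways of organizing group data from “LDAP Server Data Organization”, as an added example that is not part of the HP guide. Every account, password, group DN and role name is constructed sample data, and the in-memory dictionaries stand in for the local user database and the LDAP server.

```python
# Added example (not HP 3PAR code): models the local-first lookup, the LDAP
# bind, group resolution and group-to-role mapping described in the text.
# All names, passwords, DNs and roles below are constructed sample values.
LOCAL_USERS = {"admin": ("pw-local", "super")}   # name -> (password, role)
LDAP_PASSWORDS = {"admin": "pw-ldap", "alice": "pw-alice",
                  "bob": "pw-bob", "carol": "pw-carol"}
# The same memberships held in both organizations the guide mentions:
USER_TO_GROUPS = {"alice": {"cn=storage-admins,ou=groups,dc=example,dc=com"}}
GROUP_TO_USERS = {"cn=storage-viewers,ou=groups,dc=example,dc=com": {"alice", "bob"}}
# Mapping rules: group DN -> role (constructed role names)
MAPPING_RULES = {
    "cn=storage-admins,ou=groups,dc=example,dc=com": "edit",
    "cn=storage-viewers,ou=groups,dc=example,dc=com": "browse",
}

def ldap_bind(user, password):
    """Step 1: stands in for the bind against the LDAP server."""
    return LDAP_PASSWORDS.get(user) == password

def ldap_groups(user):
    """Step 2: collect memberships whichever way the server stores them."""
    groups = set(USER_TO_GROUPS.get(user, ()))
    groups |= {dn for dn, members in GROUP_TO_USERS.items() if user in members}
    return groups

def roles_for(groups):
    """Step 3: compare the group list against the mapping rules."""
    return sorted({MAPPING_RULES[g] for g in groups if g in MAPPING_RULES})

def login(user, password):
    """Return (source, roles) on success, or None when access is denied."""
    if user in LOCAL_USERS:            # local name found: LDAP is never consulted
        pw, role = LOCAL_USERS[user]
        return ("local", [role]) if pw == password else None
    if not ldap_bind(user, password):
        return None
    roles = roles_for(ldap_groups(user))
    # Assumption: an LDAP user whose groups match no mapping rule gets no access
    return ("ldap", roles) if roles else None
```

The "admin" entries show why the guide warns against duplicate names: the LDAP account of that name is shadowed by the local one and can never log in.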
22 Lightweight Directory Access Protocol