HP 3PAR StoreServ Concepts Guide: HP 3PAR OS 3.1.3
• If virtual domains are in use, the user’s group is mapped to a domain.
• The user is assigned a system user role and a domain, if domains are in use.
LDAP Authentication
Users are authenticated with the LDAP server by using a bind operation. The bind operation
authenticates the HP 3PAR OS LDAP client to the LDAP server. This authentication process is required
for all systems that use LDAP, including systems using domains. Several binding mechanisms are
supported by the HP 3PAR OS LDAP client.
NOTE: The binding mechanism you can use depends on your LDAP server configuration.
Simple Binding
With simple binding, the user’s user name and password are sent to the LDAP server in plain text,
and the LDAP server determines whether the submitted password is correct. Simple binding is not
recommended unless a secure connection to the LDAP server is established with secure sockets
layer (SSL) or transport layer security (TLS).
SASL Binding
The HP 3PAR OS LDAP client also supports the PLAIN, DIGEST-MD5, and GSSAPI SASL binding
mechanisms. Generally, DIGEST-MD5 and GSSAPI are more secure methods of authentication,
because user passwords are not sent to the LDAP server.
• The PLAIN mechanism is similar to simple binding: the user’s user name and password are
sent directly to the LDAP server for authentication. As with simple binding, the PLAIN
mechanism should be used only if there is a secure connection (SSL or TLS) to the LDAP server.
• The GSSAPI mechanism obtains a ticket from the Kerberos server which validates the user’s
identity. That ticket is then sent to the LDAP server for authentication.
• With the DIGEST-MD5 mechanism, the LDAP server sends the HP 3PAR OS LDAP client one-time
challenge data; the client transforms that data using the user’s password and returns the result,
so the client proves it knows the user’s password without ever sending the password itself.
LDAP Authorization
After an LDAP user has been authenticated, the next stage is authorization. The authorization
process determines what a user is allowed to do within the system.
As discussed in “LDAP Users” (page 21), an LDAP user’s role is tied to that user’s group membership,
and a user can belong to multiple groups. Each group has an assigned role. For information about
user roles, see “HP 3PAR Storage System Users” (page 19). The HP 3PAR OS LDAP client performs
group-to-role mapping using the following mapping parameters:
• super-map
• service-map
• edit-map
• browse-map
• create-map
• basic_edit-map
• 3PAR_AO-map
• 3PAR_RM-map
Each group of which a user is a member is compared against the mapping parameters. Mapping
occurs sequentially. A group is first compared to the super-map parameter; if no match is made,
the group is then compared with the service-map parameter, and so on. For example, if a match
LDAP Authentication and Authorization 23
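The sequential group-to-role mapping described above, as an added Python example that is not part of the guide or of the HP 3PAR OS; it assumes each map parameter holds a list of group DNs, that DNs compare case-insensitively, and that when several of a user’s groups match, the earliest map in the stated order (super-map first) decides the role. All group names below are constructed.

```python
# Added example: sequential group-to-role mapping in the order the guide lists
# the parameters. Role names follow the parameter names; the group DNs are
# constructed for illustration and are not from any real configuration.

# (parameter, role) pairs in evaluation order: super-map is checked first.
MAP_ORDER = [
    ("super-map", "super"),
    ("service-map", "service"),
    ("edit-map", "edit"),
    ("browse-map", "browse"),
    ("create-map", "create"),
    ("basic_edit-map", "basic_edit"),
    ("3PAR_AO-map", "3PAR_AO"),
    ("3PAR_RM-map", "3PAR_RM"),
]


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lower-case and strip spaces around
    commas. Assumption: DN components match case-insensitively."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def map_groups_to_role(user_groups, auth_params):
    """Return (role, matching_group_dn) for the first parameter in MAP_ORDER
    whose group list contains one of the user's groups.

    auth_params maps a parameter name to a list of group DNs (assumption:
    a map may list several groups). (None, None) means no map matched, so
    the user receives no role; treat that as deny-by-default."""
    groups = {normalize_dn(g) for g in user_groups}
    for param, role in MAP_ORDER:
        for mapped_dn in auth_params.get(param, []):
            if normalize_dn(mapped_dn) in groups:
                return role, mapped_dn
    return None, None


# Constructed sample authentication parameters (group DNs are made up).
SAMPLE_AUTH_PARAMS = {
    "super-map": ["CN=storage-admins,OU=Groups,DC=example,DC=com"],
    "edit-map": ["CN=storage-operators,OU=Groups,DC=example,DC=com"],
    "browse-map": ["CN=storage-readonly,OU=Groups,DC=example,DC=com",
                   "CN=Domain Users,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    user = ["CN=storage-readonly,OU=Groups,DC=example,DC=com",
            "CN=storage-operators,OU=Groups,DC=example,DC=com"]
    print(map_groups_to_role(user, SAMPLE_AUTH_PARAMS))  # edit-map wins over browse-map
```

A user who is in both a browse-mapped and an edit-mapped group therefore receives the edit role, which is why a broadly populated group such as "Domain Users" should never be listed in a high-precedence map.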