HP 3PAR StoreServ 7400 2-node HP 3PAR StoreServ Storage Concepts Guide (OS 3.1 - Page 21

LDAP Server Data Organization, LDAP and Domains

over the user's LDAP authentication data. User names not associated with local user names are authenticated using LDAP data.

Additionally, for local users, during authentication the password supplied by the user must match the password assigned when that user was initially created or modified. The rights assigned to the user during authorization are the same rights associated with the user role assigned when that user was initially created or modified. See "HP 3PAR Storage System Users" (page 18) for additional information about user roles and rights. LDAP users can access the system using the same methods as local users, although some user account creation and modification operations are unavailable. Do not create local and LDAP users with the same name: if a local user and an LDAP user share a name, it becomes unclear where access is controlled. For instructions on using LDAP with the storage system, refer to the HP 3PAR Command Line Interface Administrator's Manual.

Another key difference between local users and LDAP users is that a local user's rights within the system are assigned on a case-by-case basis, whereas an LDAP user's rights depend on that user's group association. In other words, groups are assigned specific rights within the system, and an individual LDAP user's rights are determined by group membership.

LDAP Server Data Organization

LDAP server data consists of user information, which includes the user's group associations. The data can be pre-existing data already used for user account information, or data created specifically for use with the storage systems. Data on the LDAP server can be organized in two different ways:

• As a list of groups associated with each user.
• As a list of users associated with each group.

The form in which the data is organized depends on the type of LDAP server used and the tools used to maintain the data. Programs such as ldp.exe, a downloadable Windows Support Tool available from Microsoft, and ldapsearch, available for many UNIX and Linux systems, can be used to view data entries in the LDAP server. This is useful when configuring the HP 3PAR LDAP client against your LDAP server, as discussed in the Managing User Accounts and Connections chapter of the HP 3PAR Command Line Interface Administrator's Manual.

LDAP and Domains

LDAP is also available for systems using virtual domains for access control. As discussed in "HP 3PAR Virtual Domains" (page 24), the Domains facility enables finer-grained rights over system objects such as volumes and hosts. Accessing objects on systems configured to use virtual domains requires rights in the domain in which those objects reside. Because the configuration of Domains can differ within an HP storage system, or from one server to another (in configurations with multiple servers), a user can have differing rights between domains in a single system, or across multiple systems.

As discussed earlier in "LDAP Users" (page 20), LDAP users must pass through authentication and authorization in order to gain access to the system. With Domains in use, in addition to authenticating with the system, LDAP users must also be authorized to access the domains set up within the system. For additional information, see "LDAP Authentication and Authorization" (page 22). For instructions on setting up LDAP users on systems using Domains, see Chapter 4, Managing User Accounts and Connections, in the HP 3PAR Command Line Interface Administrator's Manual.

NOTE: Virtual domains require an HP 3PAR Virtual Domains Software license. For additional information about the license, see "HP 3PAR Software" (page 9).
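The two data organizations above (groups listed on each user, or users listed on each group) are exactly what an administrator sees in ldapsearch output when checking which group, and therefore which rights, an LDAP user will get. The following is an added example, not code from the HP 3PAR guide: it parses constructed LDIF in the shape ldapsearch prints, merges both organizations into a per-user group set, and flags LDAP names that collide with local user names (the guide's warning). The DNs, user names and the local user list are all constructed sample values.

```python
"""Resolve LDAP group membership from ldapsearch-style LDIF in either form.
Added example, not code from the HP 3PAR guide. SAMPLE_LDIF is constructed:
alice lists her groups (memberOf); storage-browse lists its users (member)."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: person
cn: alice
memberOf: cn=storage-admins,ou=groups,dc=example,dc=com

dn: cn=bob,ou=people,dc=example,dc=com
objectClass: person
cn: bob

dn: cn=storage-browse,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: storage-browse
member: cn=bob,ou=people,dc=example,dc=com
member: CN=Alice,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Split LDIF into entries of {attribute: [values]} (single-line values only)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry[attr.strip().lower()].append(value.strip())
        entries.append(dict(entry))
    return entries

def user_groups(entries):
    """Map user DN -> set of group DNs; DNs are compared case-insensitively."""
    groups = defaultdict(set)
    for e in entries:
        dn = e["dn"][0].lower()
        for g in e.get("memberof", []):   # form 1: groups listed on the user
            groups[dn].add(g.lower())
        for u in e.get("member", []):     # form 2: users listed on the group
            groups[u.lower()].add(dn)
    return dict(groups)

def name_collisions(entries, local_users):
    """Names that exist both as LDAP person entries and as local system users."""
    ldap_names = {e["cn"][0] for e in entries if "person" in e.get("objectclass", [])}
    return ldap_names & set(local_users)
```

Any name returned by name_collisions should be renamed on one side before the LDAP client is configured, since the guide does not define which source wins.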

