HP 3PAR StoreServ 7400 2-node HP 3PAR StoreServ Storage Concepts Guide (OS 3.1 - Page 22
LDAP Authentication and Authorization, Authentication, Simple Binding
LDAP Authentication and Authorization

As stated earlier, the user's user name is first checked against the authentication data stored on the local system. If the user's name is not found, the LDAP authentication and authorization process proceeds as follows:

• The user's user name and password are used to authenticate with the LDAP server.
• The user's group memberships are determined from the data on the LDAP server.
• The list of groups is compared against mapping rules that specify each group's associated roles.
• If virtual domains are in use, the user's group is mapped to a domain.
• The user is assigned a system user role, and a domain if domains are in use.

Authentication

Users are authenticated with the LDAP server using a bind operation. The bind operation simply authenticates the HP 3PAR OS LDAP client to the LDAP server. This authentication process is required for all systems using LDAP, including systems using Domains. Several binding mechanisms are supported by the HP 3PAR OS LDAP client.

NOTE: The binding mechanism you can use depends on your LDAP server configuration.

Simple Binding

With simple binding, the user's user name and password are sent to the LDAP server in plain text, and the LDAP server determines whether the submitted password is correct. Simple binding is not recommended unless a secure connection to the LDAP server is established with Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

SASL Binding

In addition to simple binding, the HP 3PAR OS LDAP client also supports the PLAIN, DIGEST-MD5, and GSSAPI SASL binding mechanisms. Generally, DIGEST-MD5 and GSSAPI are more secure methods of authentication because user passwords are not sent to the LDAP server.

• The PLAIN mechanism is similar to simple binding: the user's user name and password are sent directly to the LDAP server for authentication. As with simple binding, the PLAIN mechanism should only be used if there is a secure connection (SSL or TLS) to the LDAP server.
• The GSSAPI mechanism obtains a ticket from the Kerberos server, which validates the user's identity. That ticket is then sent to the LDAP server for authentication.
• With the DIGEST-MD5 mechanism, the LDAP server sends the HP 3PAR OS LDAP client one-time data that is encrypted by the client and returned to the server in such a way that the client proves it knows the user's password without having to send the password itself.

Authorization

Once an LDAP user has been authenticated, the next stage is authorization. The authorization process determines what a user is allowed to do within the system. As discussed in "LDAP Users" (page 20), an LDAP user's role is tied to that user's group membership, and a user can belong to multiple groups. Each group has an assigned role; see "HP 3PAR Storage System Users" (page 18) for information about user roles.

The HP 3PAR OS LDAP client performs group-to-role mapping using the following four mapping parameters:

• super-map
• service-map
• edit-map
• browse-map

22 Lightweight Directory Access Protocol