HP 3PAR Command Line Interface Administrator's Manual - Page 22
Active Directory LDAP Configuration with SASL Binding, HP 3PAR StoreServ Storage Concepts Guide
Authentication is the process of using data from the LDAP server to verify a user's name and the supplied password. Authorization is the process of using data from the LDAP server to determine the user's group membership and rights in the system.

By default, LDAP users cannot store an SSH public key using the HP 3PAR CLI setsshkey command. LDAP users can be permitted to use the setsshkey command by setting the allow-ssh-key parameter with the setauthparam command. Assigned rights, domains, and access to the system continue as they were when the setsshkey command was issued, regardless of any later changes to the user's data in the LDAP server. For more information about using LDAP with HP 3PAR Storage systems, see the HP 3PAR StoreServ Storage Concepts Guide.

CAUTION: Do not create local and LDAP users with the same name. If local and LDAP users have the same name, it can cause confusion about where access is controlled.

CAUTION: If the HP 3PAR storage system is operating in Common Criteria (CC) mode, do not configure the LDAP server to use an SSH key for authentication. HP 3PAR recommends that you leave the allow-ssh-key parameter of the setauthparam CLI command at its default value of 0 when configuring the LDAP server. This prevents an SSH key from being used for authentication when operating in CC mode. The user's public key must be stored using the setsshkey CLI command. Storing the user's public key allows the user's private key to be validated when entered for login attempts after the first successful LDAP authentication.
Active Directory LDAP Configuration with SASL Binding

To configure your system to use Active Directory with SASL binding, the following process must be performed (detailed instructions follow):

• Configure connection parameters using the following commands:
  ◦ setauthparam ldap-server
  ◦ setauthparam ldap-server-hn
  ◦ setauthparam kerberos-realm
• Configure binding (authentication) parameters using the following commands:
  ◦ setauthparam binding sasl
  ◦ setauthparam sasl-mechanism
• Configure account location parameters using the following commands:
  ◦ setauthparam accounts-dn
  ◦ setauthparam account-obj user
  ◦ setauthparam account-name-attr sAMAccount
  ◦ setauthparam memberof-attr memberOf
• Configure group-to-role mapping parameters using the following command:
  ◦ setauthparam
• Test the authentication/authorization for an Active Directory user account:
  ◦ checkpassword

Each step in the process above is discussed in the following sections. Each section is followed by an example showing the implementation of the instructions described.

22 Managing User Accounts and Connections
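As an added example (not part of the manual or HP's own tooling), the following audit script checks a captured parameter listing against the SASL-binding procedure above and the Common Criteria caution about allow-ssh-key. The sample listing, the "parameter value" line layout, the GSSAPI mechanism and the example.corp names are all constructed assumptions, not values from the manual.

```python
"""Audit a 3PAR LDAP/SASL configuration from showauthparam-style output.
Assumption for this example: one "parameter value" pair per output line."""
from typing import Dict, List

# Parameters the page's procedure sets for Active Directory with SASL binding.
REQUIRED = ("ldap-server", "ldap-server-hn", "kerberos-realm", "binding",
            "sasl-mechanism", "accounts-dn", "account-obj",
            "account-name-attr", "memberof-attr")

def parse_authparams(text: str) -> Dict[str, str]:
    """Turn 'param value' lines into a dict; the header and blank lines are skipped."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() == "param":
            continue
        params[parts[0]] = parts[1].strip()
    return params

def audit(params: Dict[str, str], common_criteria_mode: bool) -> List[str]:
    """Return findings; an empty list means the settings match the page's guidance."""
    findings = [f"missing parameter: {name}" for name in REQUIRED if name not in params]
    if params.get("binding") != "sasl":
        findings.append("binding is not sasl")
    if params.get("account-obj") != "user":
        findings.append("account-obj should be user")
    if params.get("memberof-attr") != "memberOf":
        findings.append("memberof-attr should be memberOf")
    # allow-ssh-key defaults to 0; in Common Criteria mode it must stay 0.
    if common_criteria_mode and params.get("allow-ssh-key", "0") != "0":
        findings.append("allow-ssh-key must be 0 in Common Criteria mode")
    return findings

# Constructed sample: a complete SASL configuration except that allow-ssh-key was set to 1.
SAMPLE = """\
Param             Value
ldap-server       192.0.2.10
ldap-server-hn    dc1.example.corp
kerberos-realm    EXAMPLE.CORP
binding           sasl
sasl-mechanism    GSSAPI
accounts-dn       CN=Users,DC=example,DC=corp
account-obj       user
account-name-attr sAMAccount
memberof-attr     memberOf
allow-ssh-key     1
"""
```

Run audit(parse_authparams(SAMPLE), common_criteria_mode=True) to see the single CC-mode finding; with common_criteria_mode=False the same listing passes.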