HP 3PAR StoreServ 7450 4-node HP 3PAR StoreServ Storage Concepts Guide (OS 3.1 - Page 22

LDAP Authentication and Authorization

As stated earlier, the user’s user name is first checked against the authentication data stored on

the local system. If the user’s name is not found, the LDAP authentication and authorization process

proceeds as follows:

•

The user’s user name and password are used to authenticate with the LDAP server.

•

The user’s group memberships are determined with the data on the LDAP server.

•

A list of groups is compared against mapping rules that specify each group’s associated roles.

•

If virtual domains is in use, the user’s group is mapped to a domain.

•

The user is assigned a system user role, and a domain if domains are in use.

Authentication

Users are authenticated with the LDAP server using a bind operation. The bind operation simply

authenticates the HP 3PAR OS LDAP client to the LDAP server. This authentication process is required

for all systems using LDAP, including systems using Domains. Several binding mechanisms are

supported by the HP 3PAR OS LDAP client.

NOTE:

The binding mechanism you can use is dependent on your LDAP server configuration.

Simple Binding

With simple binding, the user’s user name and password are sent to the LDAP server in plain text

and the LDAP server determines if the submitted password is correct. Simple binding is not

recommended unless a secure connection to the LDAP server is established with Secure Sockets

Layer (SSL) or Transport Layer Security (TLS).

SASL Binding

In addition to simple binding, the HP 3PAR OS LDAP client also supports the PLAIN, DIGEST-MD5,

and GSSAPI SASL binding mechanisms. Generally, DIGEST-MD5 and GSSAPI are more secure

methods of authentication as user passwords are not sent to the LDAP server.

•

The PLAIN mechanism is similar to simple binding where the user’s user name and password

are sent directly to the LDAP server for authentication. As with simple binding, the PLAIN

mechanism should only be used if there is a secure connection (SSL or TLS) to the LDAP server.

•

The GSSAPI mechanism obtains a ticket from the Kerberos server which validates the user’s

identity. That ticket is then sent to the LDAP server for authentication.

•

With the DIGEST-MD5 mechanism, the LDAP server sends the HP 3PAR OS LDAP client one-time

data that is encrypted by the client and returned to the server in such a way that the client

proves it knows the user's password without having to send the user's password.

Authorization

Once an LDAP user has been authenticated, the next stage is authorization. The authorization

process determines what a user is allowed to do within the system.

As discussed in

“LDAP Users” (page 20)

, an LDAP user’s role is tied to that user’s group membership,

and a user can belong to multiple groups. Each group has an assigned role, see

“HP 3PAR Storage

System Users” (page 18)

for information about user roles. The HP 3PAR OS LDAP client performs

group-to-role mapping using the following four mapping parameters:

•

super-map

•

service-map

•

edit-map

•

browse-map

22

Lightweight Directory Access Protocol

Section	Page
HP 3PAR StoreServ Storage Concepts Guide	1
Contents	3
1 Overview	7
HP 3PAR Storage Concepts and Terminology	7
Physical Disks	8
Chunklets	8
Logical Disks	8
Common Provisioning Groups	8
Virtual Volumes	8
Fully-provisioned Virtual Volumes	8
Thinly-provisioned Virtual Volumes	8
Physical Copies	9
Virtual Copy Snapshots	9
Exporting Virtual Volumes	9
HP 3PAR Software	9
HP 3PAR Software Products and Features	10
HP 3PAR Software Licensing Requirements	13
2 HP 3PAR Storage System Users	18
User Accounts	18
Local User Authentication and Authorization	19
LDAP User Authentication and Authorization	19
Domain User Access	19
3 Lightweight Directory Access Protocol	20
Overview	20
Active Directory	20
OpenLDAP	20
LDAP Users	20
LDAP Server Data Organization	21
LDAP and Domains	21
LDAP Authentication and Authorization	22
Authentication	22
Simple Binding	22
SASL Binding	22
Authorization	22
Authorization on Systems Using Virtual Domains	23
4 HP 3PAR Virtual Domains	24
Overview	24
Domain Types	24
Domain Type	25
Users and Domain Rights	25
Object and Domain Association Rules	25
The Default and Current Domains	25
5 Ports and Hosts	27
Overview	27
About Ports	27
Port Location Formats	28
Port Target, Initiator, and Peer Modes	29
Active and Inactive Hosts	29
Adding and Removing Hosts	29
Managing Host Personas	30
Legacy Host Personas	31
The Host Explorer Software Agent	31
6 Chunklets	32
Overview	32
Physical Disk Chunklets	32
Spare Chunklets	32
7 Logical Disks	34
Overview	34
Logical Disks and Common Provisioning Groups	34
Logical Disk Types	34
RAID Types	35
RAID 0	35
RAID 1 and 10	35
RAID 5 and 50	36
RAID Multi-Parity	37
Logical Disk Size and RAID Types	38
8 Common Provisioning Groups	39
Overview	39
Precautions and Planning	39
Growth Increments, Warnings, and Limits	39
Growth Increment	40
Growth Warning	40
Growth Limit	40
System Guidelines for Creating CPGs	41
Volume Types Associated with CPGs	41
9 Virtual Volumes	42
Overview	42
Virtual Volume Types	42
Administrative Volumes	43
Fully-provisioned Virtual Volumes	43
Thinly Provisioned Virtual Volumes	43
TPVV Warnings and Limits	44
Virtual Volume Online Conversion	45
Physical Copies	45
Virtual Copy Snapshots	46
Virtual Copy Snapshot Relationships	46
Copy-on-Write Function	47
Copy-of and Parent Relationships	48
Exporting Virtual Volumes	48
VLUN Templates and Active VLUNs	49
VLUN Template Types	49
Host Sees	49
Host Set	49
Port Presents	49
Matched Set	50
10 Reclaiming Unused Space	51
Overview	51
Reclaiming Unmapped Logical Disk Space from CPGs	51
Reclaiming Unmapped Logical Disk Space from Volumes	52
Automatically Reclaiming Unused Snapshot Space from Volumes	52
Manually Reclaiming Unused Snapshot Space from Volumes	52
Deleted Volume Snapshot Space	52
Logical Disks and Chunklet Initialization	52
11 Enhanced Storage Applications	53
Overview	53
HP 3PAR mySnapshot Software	53
HP 3PAR Dynamic Optimization Software	53
HP 3PAR System Tuner Software	54
HP 3PAR Thin Conversion Software	55
Assessment	55
Data Preparation	55
Zeroing Unused Space	56
Creating a Physical Copy	56
HP 3PAR Thin Persistence Software	56
HP 3PAR Thin Copy Reclamation Software	56
HP 3PAR Virtual Lock Software	57
HP 3PAR Adaptive Optimization Software	57
HP 3PAR Peer Motion Software	58
Data Encryption	58
Priority Optimization	59
Automatic and Transparent Failover	59
12 HP 3PAR Storage System Hardware	61
Overview	61
Identifying System Components	61
Physical Disks	63
Drive Cage/Enclosure Models	64
HP M6710 Drive Enclosure	64
HP M6720 Drive Enclosure	64
DC4 Drive Cages and Ports and Cabling	64
DC3 Drive Cage and Ports and Cabling	65
Controller Nodes	66
Port Numbering	67
HP 3PAR StoreServ 7000 Controller Node Numbering	67
HP 3PAR StoreServ 10000 Controller Node Numbering	68
T-Class Controller Node Numbering	69
F-Class Controller Node Numbering	70
13 HP 3PAR SNMP Infrastructure	72
Overview	72
About SNMP	72
SNMP Managers	72
The HP 3PAR SNMP Agent	72
Standard Compliance	73
Supported MIBs	73
MIB-II	73
Exposed Objects	74
System Description	74
System Object ID	74
System Up Time	74
System Contact Information	74
System Name	75
System Location	75
The HP 3PAR MIB	75
alertNotify Traps	76
14 The HP 3PAR CIM API	78
Overview	78
About SMI-S	78
About the WBEM Initiative	78
HP 3PAR CIM Support	79
Standard Compliance	79
SMI-S Profiles	79
Supported Extensions	79
CIM Indications	79
15 Comparing HP 3PAR to EVA Terms	80
16 Support and Other Resources	81
Contacting HP	81
HP 3PAR documentation	81
Typographic conventions	84
HP 3PAR branding information	84
17 Documentation feedback	85
Glossary	86

HP 3PAR StoreServ 7450 4-node HP 3PAR StoreServ Storage Concepts Guide (OS 3.1 - Page 22

LDAP Authentication and Authorization, Authentication, Simple Binding

Page 22 highlights