3PAR InForm® OS 2.2.4 Concepts Guide (320-200085 Rev B, March 2009)

During authentication, if a user name is not recognized as a local user, that user’s name and
password are checked on the LDAP server. A user who exists both as a local user and as an LDAP
user with the same user name is authenticated by the InServ Storage Server. That is, the local
user’s authentication data takes precedence over the user’s LDAP authentication data. User
names not associated with local user names are authenticated using LDAP data.
Additionally, for local users, the password supplied during authentication must match the
password assigned when that user was initially created or modified with the
createuser and setuser CLI commands. The privileges assigned to the user during
authorization are the same privileges associated with the user class assigned when that user
was initially created or modified (see Chapter 3, InServ Storage Server Users for additional
information about user types and user classes). The LDAP server is not used for any additional
password checking or assigning of privileges.
LDAP users can access the InServ server using the same methods as local users, although some
operations, CLI commands and global options, such as setuser, setuseracl, and -pwf, are
unavailable. LDAP users can use the setpassword -file command like local users.
However, LDAP users’ access is limited to the system they were logged into when they saved
their password. For instructions on accessing the InServ Storage Server, refer to the InForm OS
CLI Administrator’s Manual.
Another key difference between local users and LDAP users is that a local user’s privileges
within the InServ system are assigned on a case-by-case basis. An LDAP user’s privileges are
dependent on that user’s group association. In other words, groups are assigned specific
privileges within the InServ system, and an individual LDAP user’s privileges are dependent
upon group membership.
By default, LDAP users cannot store an SSH public key using the InForm CLI setsshkey
command. LDAP users can be allowed to use the setsshkey command by setting the allow-ssh-key
parameter with the setauthparm command. Access (assigned privileges and domains) to
the InServ system continues as it was when the setsshkey command was issued, regardless of any
changes to the user’s data in the LDAP server.
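The following is an added model of the authentication and authorization rules described above (local-name precedence, group-derived LDAP privileges, and the privilege snapshot taken when setsshkey is used); it is illustrative code, not 3PAR InForm OS code. The user records, the group-to-class mapping and the key strings are constructed sample data, and it assumes that a name defined locally is never checked against LDAP, as the text states.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data (not a real InServ configuration).
LOCAL_USERS = {"admin": {"password": "local-secret", "class": "super"}}   # created via createuser
LDAP_USERS = {"admin": {"password": "ldap-secret", "groups": ["storage-browse"]},
              "alice": {"password": "alice-pw", "groups": ["storage-edit"]}}
GROUP_TO_CLASS = {"storage-edit": "edit", "storage-browse": "browse"}      # hypothetical group mapping
ALLOW_SSH_KEY = True            # models the allow-ssh-key parameter set with setauthparm
SSH_KEYS: Dict[str, Tuple[str, Optional[str]]] = {}   # name -> (public key, class at setsshkey time)

@dataclass
class Session:
    user: str
    source: str                 # "local", "ldap" or "sshkey"
    user_class: Optional[str]   # None means access denied

def authenticate(name: str, password: str) -> Session:
    """Password login: local user data always wins over an LDAP user with the same name."""
    if name in LOCAL_USERS:
        rec = LOCAL_USERS[name]   # LDAP is never consulted for a name that exists locally
        return Session(name, "local", rec["class"] if rec["password"] == password else None)
    rec = LDAP_USERS.get(name)
    if rec is None or rec["password"] != password:
        return Session(name, "ldap", None)
    # LDAP privileges come only from group membership, never from per-user settings.
    classes = [GROUP_TO_CLASS[g] for g in rec["groups"] if g in GROUP_TO_CLASS]
    return Session(name, "ldap", classes[0] if classes else None)

def set_ssh_key(session: Session, pubkey: str) -> bool:
    """setsshkey: stores the key together with the privileges in effect right now."""
    if session.user_class is None:
        return False
    if session.source == "ldap" and not ALLOW_SSH_KEY:
        return False              # LDAP users may store a key only when allow-ssh-key is set
    SSH_KEYS[session.user] = (pubkey, session.user_class)
    return True

def ssh_key_login(name: str, pubkey: str) -> Session:
    """Key-based access keeps the snapshotted class even if the LDAP groups change later."""
    entry = SSH_KEYS.get(name)
    if entry is None or entry[0] != pubkey:
        return Session(name, "sshkey", None)
    return Session(name, "sshkey", entry[1])
```

Running the model shows the operational consequence: after an LDAP user's group membership is reduced, password logins receive the new, lower class, while the previously stored SSH key still grants the class that was in effect when setsshkey ran, so key registrations should be reviewed whenever LDAP groups change.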
4.3 LDAP Server Data Organization
LDAP server data consists of user information, which includes the user’s group associations.
Data can be previously existing data used for user account information, or can be data created
for specific use with InServ Storage Servers. Data on the LDAP server can be organized in two
different ways: