3PAR InForm® OS 2.2.4 Concepts Guide (320-200085 Rev B, March 2009)

4.5 LDAP Authentication and Authorization
InForm OS Version 2.2.4 3PAR InForm OS Concepts Guide
As stated earlier, the user’s user name is first checked against the authentication data stored on
the local InServ Storage Server. If the user’s name is not found, the LDAP authentication and
authorization process proceeds as follows:
1. The user’s user name and password are used to authenticate with the LDAP server.
2. The user’s group memberships are determined from the data on the LDAP server.
3. The list of groups is compared against mapping rules that specify each group’s associated privilege level.
4. If 3PAR Domains is in use, the user’s group is mapped to a domain.
5. The user is assigned a privilege level within the InServ system or, if Domains is in use, within one or more domains in the InServ system.
4.5.1 Authentication
Users are authenticated with the LDAP server using a bind operation. The bind operation
simply authenticates the InForm OS LDAP client to the LDAP server. This authentication process
is required for all systems using LDAP, including systems using Domains. Several binding
mechanisms are supported by the InForm OS LDAP client.
4.5.1.1 Simple Binding
With simple binding, the user’s user name and password are sent to the LDAP server in plain
text and the LDAP server determines if the submitted password is correct. Simple binding is not
recommended unless a secure connection to the LDAP server is established with Secure Sockets
Layer (SSL) or Transport Layer Security (TLS).
4.5.1.2 SASL Binding
In addition to simple binding, the InForm OS LDAP client also supports the PLAIN, DIGEST-MD5,
and GSSAPI SASL binding mechanisms. Generally, DIGEST-MD5 and GSSAPI are more secure
methods of authentication as user passwords are not sent to the LDAP server.
NOTE: The SASL mechanism you can use is dependent on your LDAP server configuration.