3PAR InForm® OS 2.2.4 Concepts Guide (320-200085 Rev B, March 2009)

LDAP Authentication and Authorization
The PLAIN mechanism is similar to simple binding: the user's user name and password are sent
directly to the LDAP server for authentication. As with simple binding, the PLAIN mechanism
should only be used if there is a secure connection (SSL or TLS) to the LDAP server.
The GSSAPI mechanism obtains a ticket from the Kerberos server, which validates the user's
identity. That ticket is then sent to the LDAP server for authentication.
With the DIGEST-MD5 mechanism, the LDAP server sends the InForm OS LDAP client one-time
data that the client transforms using the user's password and returns to the server, in such a
way that the client proves it knows the user's password without ever sending the password itself.
4.5.2 Authorization
Once an LDAP user has been authenticated, the next stage is authorization. The authorization
process determines what a user is allowed to do within the InServ system.
As discussed in LDAP Users on page 4.2, an LDAP user’s privileges are tied to that user’s group
membership, and a user can belong to multiple groups. Each group has an assigned privilege
level allowing super, service, edit, or browse privileges within the system (see Chapter 3, InServ
Storage Server Users for information about user privileges). The InForm OS LDAP client
performs group-to-privilege mapping using the following four mapping parameters:
super-map
service-map
edit-map
browse-map
Each group of which a user is a member is compared against the mapping parameters. Mapping
occurs sequentially, with a group first compared to the super-map parameter. If no match is
made, the group is then compared with the service-map parameter, and so on. For example, if a
match is made for group A with the super-map parameter, the user belonging to group A is
authorized with super level privileges for the system.
With this process, a user can be authenticated but not authorized if no group membership exists.
In this case, the user is subsequently denied access to the system.
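The following is an added illustration of the sequential group-to-privilege mapping described above; it is example code, not 3PAR's own. It assumes each mapping parameter can be modelled as a set of LDAP group names (the page does not show the parameter syntax), uses constructed group names, and assumes that when a user's groups match more than one map the map consulted first in the sequence decides, which the page does not spell out for multi-group users.

```python
# Added example (not 3PAR's code): models the InForm OS LDAP client's
# sequential group-to-privilege mapping and its deny-by-default outcome.
from typing import Iterable, NamedTuple, Optional

# Mapping parameters in the order the client consults them.
MAPPING_ORDER = ("super-map", "service-map", "edit-map", "browse-map")

# Privilege level granted when a group matches the corresponding map.
PRIVILEGE_FOR_MAP = {
    "super-map": "super",
    "service-map": "service",
    "edit-map": "edit",
    "browse-map": "browse",
}

# Constructed sample configuration (assumption: each map holds LDAP group
# DNs; the real parameter syntax is not shown on this page).
SAMPLE_MAPS = {
    "super-map": {"cn=storage-admins,ou=groups,dc=example,dc=com"},
    "service-map": {"cn=storage-service,ou=groups,dc=example,dc=com"},
    "edit-map": {"cn=storage-operators,ou=groups,dc=example,dc=com"},
    "browse-map": {"cn=storage-readonly,ou=groups,dc=example,dc=com"},
}


class AuthzDecision(NamedTuple):
    """Outcome of authorization; privilege is None when access is denied.

    matched_group and matched_map record why a level was granted, which is
    what an administrator needs when auditing who obtained super privileges.
    """
    privilege: Optional[str]
    matched_group: Optional[str]
    matched_map: Optional[str]


def authorize(user_groups: Iterable[str], maps=SAMPLE_MAPS) -> AuthzDecision:
    """Map an authenticated user's LDAP groups to an InServ privilege level.

    Maps are consulted in MAPPING_ORDER; the first map containing any of the
    user's groups decides (assumption for users in several mapped groups).
    A user with no groups, or whose groups match no map, is authenticated
    but not authorized and must be denied access.
    """
    groups = list(dict.fromkeys(user_groups))  # de-duplicate, keep order
    for map_name in MAPPING_ORDER:
        for group in groups:
            if group in maps.get(map_name, ()):
                return AuthzDecision(PRIVILEGE_FOR_MAP[map_name], group, map_name)
    return AuthzDecision(None, None, None)
```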
4.5.3 Authorization on Systems Using 3PAR Domains
As discussed in Authorization on page 4.6, a user’s group association determines that user’s
privileges within the system. On systems using 3PAR Domains, this process is taken one step