HP 3PAR Command Line Interface Administrator's Manual: HP 3PAR OS 3.1.2 (QR482-96525, September 2013)

ManualsBrandsHP ManualsStorageHP 3PAR StoreServ 7450 2-node Base

2. Configure the group-to-domain mapping parameters, as follows:

• Issue the setauthparam domain-name-attr <attribute> command, where

<attribute> is the name of an attribute that holds the potential domain name. A

common parameter to specify as the <attribute> is name.

• (Optional.) Issue the setauthparam domain-name-prefix <prefix> command,

where <prefix> is the start point of the domain name search within the information returned

from the domain-name-attr <attribute> parameter described above. An example

parameter to specify as the <prefix> is SystemDomain=.

3. Issue the checkpassword command to verify that the users have the roles you assigned for

the desired groups and the group-to-domain mapping is correct. Use a member of a specific

group to verify the role.

Example using only the domain-name-attr parameter:

system cli% setauthparam domain-name-attr name

The example above corresponds to the first bullet in Step 2. As shown, name is the attribute used

as the basis of the domain name search.

system1 cli% checkpassword 3PARuser

...

+ search result: memberOf: CN=Software,CN=Users,DC=3par,DC=com

+ search result: memberOf: CN=Eng,CN=Users,DC=3par,DC=com

+ search result: memberOf: CN=Golfers,CN=Users,DC=3par,DC=com

+ mapping rule: edit mapped to by CN=Software,CN=Users,DC=3par,DC=com

+ rule match: edit mapped to by CN=Software,CN=Users,DC=3par,DC=com

+ mapping rule: browse mapped to by CN=Eng,CN=Users,DC=3par,DC=com

+ rule match: browse mapped to by CN=Eng,CN=Users,DC=3par,DC=com

+ searching LDAP using:

search base: CN=Software Group,CN=Users,DC=3par,DC=com

filter: (objectClass=group)

for attributes: name

+ search result DN: CN=Software Group,CN=Users,DC=3par,DC=com

+ search result: name: Software Group

+ group "CN=Software Group,CN=Users,DC=3par,DC=com" has potential domain Software_Group

(transformed from "Software Group")

+ searching LDAP using:

search base: CN=Eng,CN=Users,DC=hq,DC=3par,DC=com

filter: (objectClass=group)

for attributes: name

+ search result DN: CN=Eng,CN=Users,DC=hq,DC=3par,DC=com

+ search result: name: Engineering

+ group "CN=Eng,CN=Users,DC=hq,DC=3par,DC=com" has potential domain Engineering

+ domain match: Engineering mapped to browse

+ domain match: Software_Group mapped to edit

user 3PARuser is authenticated and authorized

The example above corresponds to Step 3 and displays the following:

• 3PARuser is found to be a member of the Software group with Edit rights. The Software

group is mapped to the Software_Group domain. 3PARuser is assigned Edit rights within

the Software domain.

• 3PARuser is also found to be a member of the Eng group with Browse rights. The Eng group

is mapped to the Engineering domain. 3PARuser is assigned Browse rights within the Eng

domain.

Configuring LDAP Connections on Systems Using Domains 39