Ldap Authentication And Authorization; Authentication; Simple Binding; Sasl Binding - HP 3PAR StoreServ 7200 2-node Manual

Hp 3par storeserv storage concepts guide (os 3.1.2 mu2) (qr482-96384, june 2013)

LDAP Authentication and Authorization

As stated earlier, the user's user name is first checked against the authentication data stored on
the local system. If the user's name is not found, the LDAP authentication and authorization process
proceeds as follows:
1. The user's user name and password are used to authenticate with the LDAP server.
2. The user's group memberships are determined from the data on the LDAP server.
3. The list of groups is compared against mapping rules that specify each group's associated roles.
4. If virtual domains is in use, the user's group is mapped to a domain.
5. The user is assigned a system user role, and a domain if domains are in use.

Authentication

Users are authenticated with the LDAP server using a bind operation. The bind operation simply
authenticates the HP 3PAR OS LDAP client to the LDAP server. This authentication process is required
for all systems using LDAP, including systems using Domains. Several binding mechanisms are
supported by the HP 3PAR OS LDAP client.
NOTE:
The binding mechanism you can use is dependent on your LDAP server configuration.

Simple Binding

With simple binding, the user's user name and password are sent to the LDAP server in plain text
and the LDAP server determines if the submitted password is correct. Simple binding is not
recommended unless a secure connection to the LDAP server is established with Secure Sockets
Layer (SSL) or Transport Layer Security (TLS).

SASL Binding

In addition to simple binding, the HP 3PAR OS LDAP client also supports the PLAIN, DIGEST-MD5,
and GSSAPI SASL binding mechanisms. Generally, DIGEST-MD5 and GSSAPI are more secure
methods of authentication as user passwords are not sent to the LDAP server.
The PLAIN mechanism is similar to simple binding where the user's user name and password
are sent directly to the LDAP server for authentication. As with simple binding, the PLAIN
mechanism should only be used if there is a secure connection (SSL or TLS) to the LDAP server.
The GSSAPI mechanism obtains a ticket from the Kerberos server which validates the user's
identity. That ticket is then sent to the LDAP server for authentication.
With the DIGEST-MD5 mechanism, the LDAP server sends the HP 3PAR OS LDAP client one-time
data that is encrypted by the client and returned to the server in such a way that the client
proves it knows the user's password without having to send the user's password.

Authorization

Once an LDAP user has been authenticated, the next stage is authorization. The authorization
process determines what a user is allowed to do within the system.
As discussed in "LDAP Users" (page 20), an LDAP user's role is tied to that user's group membership,
and a user can belong to multiple groups. Each group has an assigned role; see "HP 3PAR Storage
System Users" (page 18) for information about user roles. The HP 3PAR OS LDAP client performs
group-to-role mapping using the following four mapping parameters:
super-map
service-map
edit-map
browse-map
