Active Directory User Authentication - Hitachi G600 Administration Manual

Active Directory user authentication

Active Directory is an LDAP-compliant hierarchical database of objects. It is
very popular in enterprise environments and is becoming a de facto standard
for user authentication.

After Active Directory connection settings and groups have been configured
for the SMU, it will allow logins from enabled users who supply their Active
Directory name and password. This is typically the same name and password
that the user would use to log into Windows and other enterprise
applications. Unlike SMU local and RADIUS user names, Active Directory user
names are case-insensitive. Active Directory passwords are case-sensitive
and cannot be changed from the SMU; they are maintained in the Active
Directory server.

There are a number of benefits for SMU users. The administrator does not
need to maintain a separate set of user details, because the SMU can just
make use of the Active Directory enterprise user database. Users can log in
using their usual name and password instead of having to remember a
separate set of credentials for the SMU. And instead of configuring access for
individual users, the SMU administrator just has to specify the Active
Directory groups whose members have login rights.

It is possible to assign more restrictive user levels and managed servers to
Active Directory users according to their group membership. So it is possible
to define a group of users who have only server level access, for example, or
access to a restricted set of managed HNAS servers.

Although the SMU supports RADIUS and Active Directory for external
authentication, they are mutually exclusive; it is not possible to have them
both configured for external authentication at the same time.

When a login attempt is made, the SMU first tries to authenticate the
credentials as a local user. If that fails, and Active Directory is configured,
they are authenticated as an Active Directory user.

Active Directory authentication requests are sent to servers in the configured
sequential order. If a successful connection cannot be made to the first
server, the SMU attempts to contact the second server and so on. When a
connection is made and an authentication response is received (either positive
or negative), it is treated as definitive. The SMU does not then contact further
servers because all servers are assumed to have identical content.
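
The login order described above, modelled as an added example (this is not Hitachi code, and the class, function, server, user and group names are hypothetical). It shows that only a failed connection moves the request to the next server, so a server whose content differs from the others still gives the final answer when it is the first one reached.

```python
from dataclasses import dataclass, field

class Unreachable(Exception):
    """No connection could be made to this directory server."""

@dataclass
class DirectoryServer:  # hypothetical stand-in for one configured AD server
    name: str
    reachable: bool = True
    users: dict = field(default_factory=dict)  # lowercased name -> (password, groups)

    def bind(self, user, password):
        if not self.reachable:
            raise Unreachable(self.name)
        entry = self.users.get(user.lower())       # AD user names: case-insensitive
        if entry is None or entry[0] != password:  # passwords: case-sensitive
            return None
        return entry[1]

def smu_login(user, password, local_users, ad_servers, allowed_groups):
    """Return (decision, source) using the order the section describes."""
    if local_users.get(user) == password:          # local names are case-sensitive
        return ("allow", "local")
    for server in ad_servers:                      # configured sequential order
        try:
            groups = server.bind(user, password)
        except Unreachable:
            continue            # only a failed connection moves on to the next server
        # Any response, positive or negative, is definitive: stop here.
        if groups is not None and groups & allowed_groups:
            return ("allow", server.name)
        return ("deny", server.name)
    return ("deny", "no-server")

# Constructed sample data (not from the manual). DC3 deliberately differs from DC2.
LOCAL = {"admin": "L0cal-pw"}
ALLOWED = {"SMU-Admins"}
DC1 = DirectoryServer("dc1", reachable=False)
DC2 = DirectoryServer("dc2", users={"jsmith": ("Secret1", {"SMU-Admins"}),
                                    "guest": ("Guest1", {"Staff"})})
DC3 = DirectoryServer("dc3", users={"jsmith": ("NewSecret", {"SMU-Admins"})})
SERVERS = [DC1, DC2, DC3]

if __name__ == "__main__":
    for u, p in [("admin", "L0cal-pw"), ("JSmith", "Secret1"),
                 ("jsmith", "NewSecret"), ("guest", "Guest1")]:
        print(u, smu_login(u, p, LOCAL, SERVERS, ALLOWED))
```
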
Using Transport Layer Security (TLS) with Active Directory authentication
Storage System User Administration Guide for Hitachi NAS Platform and VSP Gx00 and Fx00 with NAS Modules
SMU user authentication

This manual is also suitable for:

G400, G800, F600, F800, F400
