Active Directory and LDAP/SSL - Fujitsu SPARC Enterprise M3000 Product Notes

Active Directory and LDAP/SSL

The XCP 1091 release introduces support for the Active Directory®¹ and LDAP/SSL
features.
Active Directory is a distributed directory service from Microsoft®¹ Corporation.
Like an LDAP directory service, it is used to authenticate users.
LDAP/SSL offers enhanced security to LDAP users by way of Secure Sockets
Layer (SSL) technology. It uses an LDAP directory service to authenticate users.
Note – For security reasons, XSCF uses only the LDAP over SSL protocol (LDAPS) to
communicate with an Active Directory server or an LDAP/SSL server.
Active Directory and LDAP/SSL each provide both authentication of user
credentials and authorization of the user access level to networked resources. They
use authentication to verify the identity of users before they can access system
resources, and authorization to grant specific access privileges to users in order to
control their rights to access networked resources.
User privileges are either configured on XSCF or learned from a server based on
each user's group membership in a network domain. A user can belong to more than
one group. The user domain is the authentication domain used to authenticate a user.
Active Directory authenticates users in the order in which the users' domains are
configured.
Once authenticated, user privileges can be determined in the following ways:
- In the simplest case, a user's privileges are determined directly through the Active
  Directory or LDAP/SSL configuration on the XSCF. There is a defaultrole
  parameter for both Active Directory and LDAP/SSL. If this parameter is
  configured or set, all users authenticated via Active Directory or LDAP/SSL are
  assigned the privileges set in this parameter. Setting up users in an Active Directory
  or LDAP/SSL server requires only a password, with no regard to group
  membership.
- If the defaultrole parameter is not configured or set, user privileges are learned
  from the Active Directory or LDAP/SSL server based on the user's group
  membership. On XSCF, the group parameter must be configured with the
  corresponding group name from the Active Directory or LDAP/SSL server. Each
  group has privileges associated with it, which are configured on the XSCF. A
  user's group membership is used to determine the user's privileges once
  authenticated.
Three types of groups can be configured: administrator, operator, and custom. To
configure an administrator or operator group, only the group name is required.
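
The two privilege paths described above, modeled as an added example (this is not Fujitsu's code and not XSCF command syntax). The class and function names, the group names and the privilege strings are constructed for illustration, and combining the privileges of several groups as a union is an assumption.

```python
# Model of the privilege resolution described in the text. DirectoryConfig,
# resolve_privileges, audit, the group names and the privilege strings are
# all constructed for this example; none of them are XSCF identifiers.
from dataclasses import dataclass, field


@dataclass
class DirectoryConfig:
    # Privileges assigned to every authenticated user when set (defaultrole case).
    defaultrole: frozenset = frozenset()
    # Directory group name -> privileges configured locally for that group.
    groups: dict = field(default_factory=dict)


def resolve_privileges(cfg, authenticated, member_of):
    """Return the privilege set for one login attempt."""
    if not authenticated:
        return frozenset()            # identity is verified before anything else
    if cfg.defaultrole:
        return cfg.defaultrole        # group membership is not consulted
    granted = set()
    for group in member_of:           # a user can belong to more than one group
        granted |= cfg.groups.get(group, frozenset())  # assumption: union
    return frozenset(granted)


def audit(cfg):
    """List settings in this model that a reviewer would question."""
    findings = []
    if cfg.defaultrole:
        findings.append("defaultrole set: every directory account that can "
                        "authenticate receives " + ",".join(sorted(cfg.defaultrole)))
        if cfg.groups:
            findings.append("group mappings are configured but are not used "
                            "while defaultrole is set")
    elif not cfg.groups:
        findings.append("no defaultrole and no groups: authenticated users "
                        "receive no privileges")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration.
    by_group = DirectoryConfig(groups={"xscf-admins": frozenset({"full-admin"}),
                                       "xscf-ops": frozenset({"read-only"})})
    everyone = DirectoryConfig(defaultrole=frozenset({"full-admin"}),
                               groups=by_group.groups)
    print(sorted(resolve_privileges(by_group, True, ["staff"])))
    print(sorted(resolve_privileges(everyone, True, ["staff"])))
    print(audit(everyone))
```

In the model, the same account with no matching group gets nothing under group mapping and the full default privilege set once defaultrole is configured, which is the difference to check for when reviewing such a configuration.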
1. Microsoft and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
SPARC Enterprise M3000 Server Product Notes for XCP Version 1091 • April 2010