Authorization Rules For Managing Multiple Systems; Lightweight Directory Access Protocol (Ldap) - IBM FlashSystem A9000R Deployment Manual

Authorization rules for managing multiple systems

Use this information to understand authorization rules for managing multiple
systems.

Because user credentials are stored locally on each storage system, you must keep
the same user name and password on each separate IBM FlashSystem A9000 and
A9000R system to allow for quick transitions between systems in the IBM
Hyper-Scale Manager UI.

This approach is especially useful in remote mirroring configurations, where the
storage administrator is required to switch from source to target system. For more
information on mirroring, see IBM FlashSystem A9000R Product Overview, SC27-8559
on the IBM FlashSystem A9000R Knowledge Center website
(ibm.com/support/knowledgecenter/STJKN5).

To allow simultaneous access to multiple systems, the simplest approach is to have
corresponding passwords manually synchronized among those systems. The
storage administrator can then easily switch between these systems without
needing to log on each time with another password. Each storage system
where the user was successfully authenticated is listed in the System view of the
UI.

For information about managing multiple systems in LDAP authentication mode,
see "Lightweight Directory Access Protocol (LDAP)."

Lightweight Directory Access Protocol (LDAP)

The IBM FlashSystem A9000R systems offer the capability to use LDAP
server-based user authentication.

For more detailed information about LDAP products, role mapping, defining LDAP on
your storage system, and more, see Security > LDAP with FlashSystem A9000 and
FlashSystem A9000R in the IBM FlashSystem A9000 and IBM FlashSystem A9000R:
Architecture, Implementation and Usage Redbook, SG24-8345.

When LDAP authentication is enabled, the storage system accesses a specified
LDAP directory to authenticate users whose credentials are maintained in the
LDAP directory (except for the admin, technician, maintenance, and development
users, which remain locally administered and maintained).

Important: As a preferred practice, the LDAP server and the FlashSystem A9000R
storage system must have their clocks synchronized to the same time source, be
registered, and be configured to use the same DNS servers.

Product selection

LDAP authentication of the storage system supports three LDAP server products:
- Microsoft Active Directory
- Oracle Directory Server Enterprise Edition
- OpenLDAP

The current skill set of your IT staff is always an important consideration when
choosing any products for centralized user authentication. If you have skills in
running a particular directory server, it might be a wise choice to standardize on
IBM FlashSystem A9000R Models 9835-415 and 9837-415 Deployment Guide
