LDAP Server Data Organization; LDAP and Domains - HP 3PAR StoreServ 7200 2-node Manual

HP 3PAR StoreServ Storage Concepts Guide (OS 3.1.2 MU2) (QR482-96384, June 2013)

over the user's LDAP authentication data. User names not associated with local user names are
authenticated using LDAP data.
Additionally for local users, during authentication, the password supplied by the user must match
the password assigned when that user was initially created or modified. The rights assigned to the
user during authorization are the same rights associated with the user role assigned when that
user was initially created or modified. See "HP 3PAR Storage System Users" (page 18) for additional
information about user roles and rights. LDAP users can access the system using the same methods
as local users, although some user account creation and modification operations are unavailable.
Do not create local and LDAP users with the same name. If local and LDAP users have the same
name, it can cause confusion about where access is controlled. For instructions on using LDAP with
the storage system, refer to the HP 3PAR Command Line Interface Administrator's Manual.
Another key difference between local users and LDAP users is that a local user's rights within the
system are assigned on a case-by-case basis. An LDAP user's rights are dependent on that user's
group association. In other words, groups are assigned specific rights within the system and an
individual LDAP user's rights are dependent upon group membership.

LDAP Server Data Organization

LDAP server data consists of user information, which includes the user's group associations. Data
can be previously existing data used for user account information, or can be data created for
specific use with systems. Data on the LDAP server can be organized in two different ways:
• As a list of groups associated with each user.
• As a list of users associated with each group.
The form in which data is organized is dependent on the type of LDAP server used and the tools
used to maintain the data. Programs such as ldp.exe, which is a downloadable Windows Support
Tool available from Microsoft, and ldapsearch, which is available for many UNIX and Linux
systems, can be used to view data entries in the LDAP server. This can be useful when configuring
the HP 3PAR LDAP client with your LDAP server as discussed in the Managing User Accounts and
Connections chapter in the HP 3PAR Command Line Interface Administrator's Manual.
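
Because an LDAP user's rights follow from group membership, a review of directory data has to read both layouts described above. The Python below is an added example, not part of the HP manual or HP 3PAR software: it resolves each user's groups from LDIF-style text in either layout and flags LDAP login names that duplicate a local user name. The entries and the local name `localadmin` are constructed, and the attribute names `memberOf`, `member` and `sAMAccountName` are assumptions typical of Active Directory; your server may use others.

```python
# Constructed LDIF-style entries for illustration; not taken from a real directory.
# Attribute names (memberOf, member, sAMAccountName) are assumptions, not from the manual.
SAMPLE = """\
dn: CN=alice,OU=Users,DC=example,DC=com
sAMAccountName: alice
memberOf: CN=StorageAdmins,OU=Groups,DC=example,DC=com

dn: CN=bob,OU=Users,DC=example,DC=com
sAMAccountName: bob

dn: CN=StorageBrowse,OU=Groups,DC=example,DC=com
cn: StorageBrowse
member: CN=bob,OU=Users,DC=example,DC=com
member: CN=alice,OU=Users,DC=example,DC=com
"""

def parse_entries(text):
    """Split LDIF-style text into one {attribute: [values]} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def groups_by_user(entries):
    """Merge both layouts into {user DN: set of group DNs}, compared in lower case."""
    result = {}
    for e in entries:
        dn = e["dn"][0].lower()
        for group in e.get("memberof", []):   # layout 1: groups listed on the user
            result.setdefault(dn, set()).add(group.lower())
        for user in e.get("member", []):      # layout 2: users listed on the group
            result.setdefault(user.lower(), set()).add(dn)
    return result

def name_collisions(entries, local_users):
    """LDAP login names that duplicate a local user name, which the guide says to avoid."""
    ldap_names = {v.lower() for e in entries for v in e.get("samaccountname", [])}
    return sorted(ldap_names & {u.lower() for u in local_users})

if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for user, groups in sorted(groups_by_user(entries).items()):
        print(user, "->", sorted(groups))
    print("collisions:", name_collisions(entries, ["localadmin", "Bob"]))
```

In the sample, alice's second group appears only on the group entry, so reading user entries alone would understate her rights.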

LDAP and Domains

LDAP is also available for systems using virtual domains for access control. As discussed in
"HP 3PAR Virtual Domains" (page 24), the Domains facility enables finer grain rights over system
objects such as volumes and hosts. Accessing objects on systems configured to use virtual domains
requires rights in the domain in which those objects reside. Because the configuration of Domains
can differ within an HP storage system, or from one server to another (in configurations with multiple
servers), a user can have differing rights between domains in a single system, or across multiple
systems.
As discussed earlier in "LDAP Users" (page 20), LDAP users must follow a process of authentication
and authorization in order to gain access to the system. With Domains in use, in addition to
authentication with the system, LDAP users must also be authorized to access domains set up within
the system. For additional information, see "LDAP Authentication and Authorization" (page 22).
For instructions on setting up LDAP users on systems using Domains, see Chapter 4, Managing
User Accounts and Connections in the HP 3PAR Command Line Interface Administrator's Manual.
NOTE:
Virtual domains require an HP 3PAR Virtual Domains Software license. For additional
information about the license, see "HP 3PAR Software" (page 9).
