You can use an external authentication directory service (also called an enterprise directory or authentication login domain) to provide a single sign-on for groups of users instead of maintaining individual local login accounts. An example of an authentication directory service is a corporate directory that uses LDAP (Lightweight Directory Access Protocol).
After the directory service is configured, any user in the group can log in to the appliance. On the login window, the user:
In the Session control, the user is identified by their name preceded by the authentication directory service. For example:
CorpDir\pat
Authenticating users
When you add an authentication directory service to the appliance, you provide search criteria so that the appliance can find the group by its DN (Distinguished Name). For example, the following attribute values identify a group of administrators in a Microsoft Active Directory:
distinguishedName CN=Administrator,CN=Users,DC=example,DC=com
For more information on the search criteria, see Add Directory screen details.
To authenticate a user, CloudSystem appends the user name to the search criteria and sends the authentication request to the configured LDAP or Active Directory service.
In the CloudSystem Portal, authorization data, including the members and administrators of a project, is associated with the user name. Authorization data does not include the search criteria or directory service. This means that changing the search criteria or default directory in the CloudSystem Console can allow CloudSystem Portal users to view and change resources in projects for which they are not authorized.
IMPORTANT: When changing the default directory or search context in the CloudSystem Console, ensure that the original and new directories or search criteria do not use the same user name to identify different individuals. For example,
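As an added illustration (not CloudSystem code), the following Python models a portal whose authorization data is keyed by the bare user name and shows the pre-switch check the note above calls for: a second directory in which the same user name belongs to a different person silently inherits the first person's project membership. The directory names, search bases and employee ids are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Constructed stand-in for one LDAP/AD directory: user name -> employee id."""
    name: str
    search_base: str
    users: dict

    def authenticate(self, user_name):
        # As on the page: the user name is appended to the search criteria to form the DN.
        if user_name not in self.users:
            return None
        return f"CN={user_name},{self.search_base}"


@dataclass
class Portal:
    """Authorization data is keyed by bare user name, with no directory component."""
    default_dir: Directory
    project_members: dict = field(default_factory=dict)

    def authorized_projects(self, user_name):
        if self.default_dir.authenticate(user_name) is None:
            return set()
        return {p for p, members in self.project_members.items() if user_name in members}

    def switch_default_directory(self, new_dir):
        """Switch only when no shared user name resolves to different people; return conflicts."""
        conflicts = overlapping_user_names(self.default_dir, new_dir)
        if not conflicts:
            self.default_dir = new_dir
        return conflicts


def overlapping_user_names(old, new):
    """User names present in both directories that identify different individuals."""
    shared = old.users.keys() & new.users.keys()
    return {n: (old.users[n], new.users[n]) for n in shared if old.users[n] != new.users[n]}


# Constructed sample data: "pat" is a different person in each directory, "sam" is the same.
CORP = Directory("CorpDir", "CN=Users,DC=example,DC=com", {"pat": "emp-1001", "sam": "emp-1002"})
CONTRACTORS = Directory("Contractors", "OU=Ext,DC=example,DC=com", {"pat": "ctr-2002", "sam": "emp-1002"})


def demo():
    portal = Portal(CORP, {"prod": {"pat"}})
    before = portal.authorized_projects("pat")  # CorpDir\pat is a member of "prod"
    portal.default_dir = CONTRACTORS            # unchecked switch, the case the note warns about
    after = portal.authorized_projects("pat")   # a different "pat" now sees "prod" as well
    return before, after
```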
For more information about LDAP and Active Directory configuration, see the HP CloudSystem Administrator Guide at Enterprise Information Library.
Adding a directory server
After configuring and adding a directory server, you can designate it as the default directory service.
After you add an authentication directory service and server, you can:
- Allow both local logins and logins for user accounts authenticated by the directory service.
- Disable local logins so that only users whose accounts are authenticated by the directory service can log in. Local accounts are prevented from logging in.