About directory service authentication

You can use an external authentication directory service (also called an enterprise directory or authentication login domain) to provide single sign-on for groups of users instead of maintaining individual local login accounts. An example of an authentication directory service is a corporate directory that uses LDAP (Lightweight Directory Access Protocol), such as Microsoft Active Directory.

After the directory service is configured, any user in the group can log in to the appliance. On the login window, the user:

  • Enters their user name (typically the value of the Common-Name attribute, CN).

  • Enters their password.

  • Selects the authentication directory service. This box appears only if you have added an authentication directory service to the appliance.



NOTE: If you are using an external authentication directory service:

  • In the CloudSystem Console, the role assignment (for example, Infrastructure administrator) is made to the group, rather than to individual users.

  • In the CloudSystem Portal, roles are assigned to users, and groups are not recognized.

    The CloudSystem Portal is configured automatically based on the default directory set in the CloudSystem Console.


In the Session control, the user is identified by the authentication directory service name, a backslash, and the user name. For example:

CorpDir\pat

Authenticating users

When you add an authentication directory service to the appliance, you provide search criteria so that the appliance can find the group by its DN (Distinguished Name). For example, the following attribute values identify a group of administrators in a Microsoft Active Directory:

distinguishedName     CN=Administrator,CN=Users,DC=example,DC=com

For more information on the search criteria, see Add Directory screen details.

To authenticate a user, CloudSystem appends the user name to the search criteria and sends the authentication request to the configured LDAP or Active Directory service.

In the CloudSystem Portal, authorization data, including the members and administrators of a project, is keyed by the bare user name only. It does not record the search criteria or the directory service that authenticated the user. Consequently, changing the search criteria or the default directory in the CloudSystem Console can cause a different person who happens to have the same user name to inherit the original user's project membership, and so to view and change resources in projects for which they were never authorized.



IMPORTANT: When changing the default directory or search context in the CloudSystem Console, ensure that the original and new directories or search criteria do not use the same user name to identify different individuals. For example, smith.lab.users.example1.com, smith.marketing.users.example1.com, and smith.marketing.users.example2.com are three distinct directory entries, but all of them authenticate as the user name smith and therefore share the same CloudSystem Portal authorization data.
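The following is an added illustration, not CloudSystem code, of the two mechanisms described above: how a bare user name combined with the configured search context yields a directory DN, and why authorization that is keyed only on the bare name silently transfers when the search context changes. The DN construction (an RDN prefixed onto the search context with a configurable naming attribute), the case-folded authorization key, and the sample directory contents are all assumptions made for the example; the RDN escaping follows RFC 4514 so that a user name containing characters such as a comma or an equals sign cannot rewrite the DN that is sent to the directory.

```python
"""Added example (not CloudSystem code): DN construction from a search
context and the same-user-name collision the IMPORTANT note warns about."""
from typing import Dict, Optional, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_RDN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a user-supplied attribute value so it stays a single RDN
    value and cannot inject extra RDN components into the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:                     # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(username: str, search_context: str, naming_attr: str = "CN") -> str:
    """Assumed construction: the user name becomes the leading RDN of the
    configured search context, e.g. CN=smith,OU=lab,...,DC=com."""
    return f"{naming_attr}={escape_rdn_value(username)},{search_context}"


def portal_authz_key(username: str) -> str:
    """Assumed key used by the Portal for project membership: the bare user
    name only, with no directory or search-context component."""
    return username.casefold()


def parse_session_name(label: str) -> Tuple[Optional[str], str]:
    """Split the Session control label 'CorpDir\\pat' into
    (directory, user). A local account has no directory prefix."""
    directory, sep, user = label.partition("\\")
    return (directory, user) if sep else (None, label)


# Constructed sample directory: which user names exist under each context.
LAB_CONTEXT = "OU=lab,OU=users,DC=example1,DC=com"
MARKETING1_CONTEXT = "OU=marketing,OU=users,DC=example1,DC=com"
MARKETING2_CONTEXT = "OU=marketing,OU=users,DC=example2,DC=com"
CONSTRUCTED_DIRECTORY: Dict[str, set] = {
    LAB_CONTEXT: {"smith", "pat"},
    MARKETING1_CONTEXT: {"smith", "lee"},
    MARKETING2_CONTEXT: {"smith"},
}


def colliding_users(old_context: str, new_context: str,
                    directory: Dict[str, set] = CONSTRUCTED_DIRECTORY
                    ) -> Dict[str, Tuple[str, str]]:
    """Pre-change check: user names present under both contexts. Each one
    resolves to a different directory entry after the change yet keeps the
    same Portal key, so the new person inherits the old person's projects.
    Returns {key: (old_dn, new_dn)}; empty means the change is safe."""
    if old_context == new_context:
        return {}
    shared = directory.get(old_context, set()) & directory.get(new_context, set())
    return {
        portal_authz_key(u): (build_user_dn(u, old_context), build_user_dn(u, new_context))
        for u in sorted(shared)
    }


if __name__ == "__main__":
    for name, (old_dn, new_dn) in colliding_users(LAB_CONTEXT, MARKETING1_CONTEXT).items():
        print(f"{name}: {old_dn} -> {new_dn} (same Portal key, different person)")
```

Running the module reports smith as a collision between the lab and marketing contexts of example1.com: the DN that the appliance would bind as changes, but the Portal's authorization key does not. Run a check like colliding_users against the real directories before switching the default directory or search context; if it returns anything, remove or re-verify those users' project memberships first.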


For more information about LDAP and Active Directory configuration, see the HP CloudSystem Administrator Guide in the Enterprise Information Library.

Adding a directory server

After configuring and adding a directory server, you can designate it as the default directory service.

After you add an authentication directory service and server

You can:

  • Allow local logins only, which is the default.

  • Allow both local logins and logins for user accounts authenticated by the directory service.

  • Disable local logins so that only users whose accounts are authenticated by the directory service can log in. Before doing this, confirm that a directory group holding an administrator role is already configured and that one of its members can log in; otherwise no administrator can reach the appliance once the local accounts are blocked.

See also