User authorization

A Lightweight Directory Access Protocol (LDAP) server provides SAN File System with the authentication and authorization needed for role-based security. When you issue an administrative request, the administrative server communicates with an LDAP server to authenticate your user ID and password and to verify that the user ID has authority to issue that particular request. Each user ID is assigned a user role that gives that user a specific level of access to administrative operations. After the user ID is authenticated, the administrative server interacts with the metadata server to process the request.

The administrative agent relies on the LDAP server to authenticate and authorize each administrative operation based on your authentication model. This function requires that the LDAP service be readily available when an administrative command is issued. If the LDAP server cannot be reached, the administrative operation fails with an authentication error. Therefore, you must ensure that your LDAP server has high availability.

The administrative agent uses an LDAP cache, so not every operation requires an LDAP query. But when a cache entry expires or is manually cleared, the next operation queries the LDAP server. The administrative agent does not automatically retry LDAP queries; therefore, an LDAP connection failure always results in an authentication error.
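The authorization flow described above, reduced to a runnable model, as an added example that is not SAN File System's own code: a simulated directory server stands in for LDAP, the agent keeps a time-limited cache keyed by user ID, an expired or cleared entry forces a fresh query, and an unreachable directory is reported as an authentication error with no retry. The role names, operation names, user accounts and TTL are all constructed for the example.

```python
import hashlib
import time


class LdapUnavailable(Exception):
    """The directory server could not be reached."""


class AuthenticationError(Exception):
    """The request is refused: bad credentials, no authority, or LDAP unreachable."""


# Constructed sample directory: user ID -> (password, role). Stands in for the LDAP server.
SAMPLE_DIRECTORY = {
    "alice": ("alice-pw", "Administrator"),
    "bob": ("bob-pw", "Monitor"),
}

# Constructed role model: each role lists the administrative operations it may issue.
ROLE_PERMISSIONS = {
    "Administrator": {"list_volumes", "create_volume", "remove_volume"},
    "Monitor": {"list_volumes"},
}


class SimulatedLdapServer:
    """Minimal stand-in for an LDAP bind plus a role lookup."""

    def __init__(self, directory):
        self.directory = directory
        self.reachable = True   # flip to False to simulate an outage
        self.queries = 0        # counts real lookups so cache hits are visible

    def authenticate(self, user_id, password):
        if not self.reachable:
            raise LdapUnavailable("directory server unreachable")
        self.queries += 1
        entry = self.directory.get(user_id)
        if entry is None or entry[0] != password:
            return None
        return entry[1]


def _digest(password):
    # The cache never holds the clear-text password, only a digest to compare against.
    return hashlib.sha256(password.encode()).hexdigest()


class AdminAgent:
    """Models the administrative agent's LDAP cache and fail-closed behaviour."""

    def __init__(self, ldap, cache_ttl_seconds, clock=time.monotonic):
        self.ldap = ldap
        self.cache_ttl = cache_ttl_seconds
        self.clock = clock
        self._cache = {}  # user_id -> (password digest, role, expires_at)

    def clear_cache(self):
        """Manual cache clear: the next operation for every user hits LDAP again."""
        self._cache.clear()

    def authorize(self, user_id, password, operation):
        """Return the caller's role if the operation is permitted; raise otherwise."""
        now = self.clock()
        cached = self._cache.get(user_id)
        if cached is not None and cached[0] == _digest(password) and cached[2] > now:
            role = cached[1]  # valid cache entry: no LDAP query
        else:
            try:
                role = self.ldap.authenticate(user_id, password)
            except LdapUnavailable as exc:
                # No automatic retry: a connection failure is an authentication error.
                raise AuthenticationError(f"{operation}: {exc}") from exc
            if role is None:
                self._cache.pop(user_id, None)
                raise AuthenticationError(f"{operation}: invalid user ID or password")
            self._cache[user_id] = (_digest(password), role, now + self.cache_ttl)
        if operation not in ROLE_PERMISSIONS.get(role, set()):
            raise AuthenticationError(f"{operation}: role {role} lacks authority")
        return role


def run_scenario(ttl_seconds=60):
    """Walk through cache hit, expiry during an outage, and recovery; return the outcomes."""
    ldap = SimulatedLdapServer(SAMPLE_DIRECTORY)
    clock = [0.0]
    agent = AdminAgent(ldap, ttl_seconds, clock=lambda: clock[0])
    outcomes = []
    outcomes.append(agent.authorize("alice", "alice-pw", "create_volume"))  # queried
    outcomes.append(agent.authorize("alice", "alice-pw", "create_volume"))  # cached
    clock[0] = ttl_seconds + 1   # entry expired
    ldap.reachable = False       # and the directory is down
    try:
        agent.authorize("alice", "alice-pw", "create_volume")
        outcomes.append("unexpected success")
    except AuthenticationError as exc:
        outcomes.append(f"refused: {exc}")
    ldap.reachable = True
    outcomes.append(agent.authorize("alice", "alice-pw", "create_volume"))  # re-queried
    outcomes.append(ldap.queries)
    return outcomes


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The important property is the fail-closed branch: an outage during a cache miss is surfaced as an authentication error rather than a retry or a silent grant, which is why the page insists on a highly available LDAP service.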


(C) Copyright IBM Corporation 2003, 2004. All Rights Reserved.
IBM TotalStorage SAN File System v2.2