LDAP authentication logic

The LDAP authentication process consists of several key steps.

  1. The LDAP server and system parameters must be defined.
  2. A storage system user must be defined on that LDAP server. The storage system uses this user when searching for authenticated users. This user is later referred to as the system's configured service account.
  3. The LDAP user requires an attribute in which the values of the storage system user roles are stored.
  4. Mapping between LDAP user attributes and storage system user roles must be defined.
  5. LDAP authentication must be enabled on the storage system.
Once LDAP is configured and enabled, the login credentials of the predefined user are authenticated by the LDAP server, rather than by the storage system itself.
Figure 1. Login to a specified LDAP directory
After the user logs on to the storage system, the LDAP server logs on to a specified LDAP directory and uses the retrieved membership data to associate the user with a role.

User validation

During the login, the system validates the user as follows:
Figure 2. The way the system validates users through issuing LDAP searches
Issuing a user search
The system issues an LDAP search for the username entered by the user. The request is submitted on behalf of the system's configured service account, and the search is conducted against the LDAP server, base DN and reference attribute specified in the storage system LDAP configuration.
The base DN specified in the storage system LDAP configuration serves as a reference starting point for the search – instructing LDAP to locate the value submitted (the username) in the attribute specified.
If a single user is found - issuing a storage system role search
The system issues a second search request, this time submitted on behalf of the user (with the user's credentials), and will search for storage system roles associated with the user, based on the storage system LDAP configuration settings.
If a single storage system role is found - permission is granted
The system inspects the rights associated with that role and grants login to the user. The user's permissions correspond to the role associated by the storage system, based on the storage system LDAP configuration.
If no storage system role is found for the user, or more than one role was found
If the response from LDAP indicates that the user is either not associated with a storage system role (no user role name is found in the referenced LDAP attribute for the user) or is associated with more than a single role (multiple role names are found), login fails and a corresponding message is returned to the user.
If no such user was found, or more than one user was found
If LDAP returns no records (indicating no user with the username was found) or more than a single record (indicating that the username submitted is not unique), the login request fails and a corresponding message is returned to the user.
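The two-search validation flow above, written out as an added example (not the storage system's own code): an in-memory stand-in for the LDAP server with constructed sample entries, and an authenticate function that applies the exactly-one checks at both the user search and the role search. The DN layout, attribute names (uid, storageRole), role mapping and passwords are assumptions for illustration.

```python
# Constructed in-memory stand-in for the LDAP server (sample data, not a real
# directory); the point is the exactly-one checks in the two search steps.
from dataclasses import dataclass

DIRECTORY = {  # DN -> (password, attributes); all values are constructed
    "cn=svc-storage,dc=example,dc=com": ("svc-pw", {}),
    "uid=alice,ou=people,dc=example,dc=com": ("alice-pw", {"uid": ["alice"], "storageRole": ["StorageAdmin"]}),
    "uid=bob,ou=people,dc=example,dc=com": ("bob-pw", {"uid": ["bob"], "storageRole": []}),
    "uid=carol,ou=people,dc=example,dc=com": ("carol-pw", {"uid": ["carol"], "storageRole": ["StorageAdmin", "ReadOnly"]}),
    "uid=dave,ou=people,dc=example,dc=com": ("dave-pw", {"uid": ["dave"], "storageRole": ["ReadOnly"]}),
    "uid=dave,ou=contractors,dc=example,dc=com": ("dave2-pw", {"uid": ["dave"], "storageRole": ["ReadOnly"]}),
}

@dataclass
class LdapConfig:
    base_dn: str
    reference_attr: str   # attribute the entered username is matched against
    role_attr: str        # attribute holding storage system role names
    role_map: dict        # LDAP attribute value -> storage system role
    service_dn: str
    service_password: str

class InMemoryLdap:
    def bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        return entry is not None and entry[0] == password
    def search(self, base_dn, attr, value):
        return [dn for dn, (_, attrs) in DIRECTORY.items()
                if dn.endswith(base_dn) and value in attrs.get(attr, [])]
    def read(self, dn, attr):
        return DIRECTORY[dn][1].get(attr, [])

def authenticate(ldap, cfg, username, password):
    """Return (granted, storage_role, message) following the flow in the text."""
    # Search 1: submitted on behalf of the configured service account.
    if not ldap.bind(cfg.service_dn, cfg.service_password):
        return False, None, "service account bind failed"
    users = ldap.search(cfg.base_dn, cfg.reference_attr, username)
    if len(users) == 0:
        return False, None, "user not found"
    if len(users) > 1:
        return False, None, "username is not unique"
    user_dn = users[0]
    # Search 2: submitted on behalf of the user, with the user's own credentials.
    if not ldap.bind(user_dn, password):
        return False, None, "invalid credentials"
    roles = [cfg.role_map[v] for v in ldap.read(user_dn, cfg.role_attr) if v in cfg.role_map]
    if len(roles) == 0:
        return False, None, "no storage system role"
    if len(roles) > 1:
        return False, None, "more than one storage system role"
    return True, roles[0], "login granted"

CFG = LdapConfig("dc=example,dc=com", "uid", "storageRole",
                 {"StorageAdmin": "storageadmin", "ReadOnly": "readonly"},
                 "cn=svc-storage,dc=example,dc=com", "svc-pw")
```

The duplicate uid for dave under two OUs shows why the base DN and reference attribute must single out one entry: the first search returns two records and login fails before any credentials are tried.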