Role mapping

Connection and User Mapping configure the way a username is mapped to an LDAP entry. Role Mapping configures the ways in which users are granted roles.

Role Mapping Rules are used to place a user into one or more roles in the HP IO Accelerator Management Tool: User, Device Admin, or Server Admin.

Each role mapping is essentially an LDAP search specification along with a Role. When the search specification is true (returns one or more entries) for a user, then that user is granted the Role.

To create a new role mapping:

1. Click Add Role Mapping.

2. Enter a name for this mapping in the Name field. This name lets you identify the role mapping later if you decide to edit it. For example: Administrators.

3. Enter a DN in the Search Base DN field.

This could be the DN of some container, or a specific DN such as that of a group, for example CN=administrators,OU=groups,DC=example,DC=com. The special value ${dn} can be used to set the search base DN to the user's LDAP entry. This is useful when creating a role mapping based on the user's own attributes, such as memberOf.

4. Enter an LDAP search filter in the Search Filter field.

The search filter can contain the special values ${username}, which is replaced by the name the user logged in with, or ${dn}, which is replaced by the DN of the logged-in user's LDAP entry. For example, a search filter of (member=${dn}) matches entries that have a member attribute with the logged-in user's DN as a value (common in group entries).

5. Set the Scope.

If the Search Base DN names a specific entry in the LDAP tree, the scope should be Base level; otherwise it should be either Subtree or One level.

6. Choose the Role to be granted to users meeting the search criteria. For example, if the search criteria match users who are listed in an LDAP group entry of administrators, set the role to Server Admin.

7. Click Add Role Mapping.

Example Role Mappings

Following are some examples of role mappings that might be configured for different LDAP directory deployments:

Members of the Administrator group are in role Server Admin

1. Set the Search Base DN field to the Administrators group entry. For example: CN=administrators,OU=groups,DC=example,DC=com.

2. Set the Search Filter to (member=${dn}) (typical for AD) or (uniqueMember=${dn}) (typical for non-AD). If you are unsure which attribute holds the members of the group, you can use the OR search filter (|(member=${dn})(uniqueMember=${dn})).

3. Set the Scope to Base level.

4. Set the Role to Server Admin.
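To make the rule behind the procedure and this example mapping concrete (the ${username} and ${dn} substitution, the three scopes, and the grant-when-the-search-returns-an-entry semantics), here is an added Python model; it is not code from the HP IO Accelerator Management Tool or this guide. The in-memory directory, the mappings and the escape_filter_value helper are assumptions; the escaping step is included because a DN or username substituted into a filter should never be able to change the filter's structure.

```python
import re

DIRECTORY = {  # constructed in-memory stand-in for the LDAP server; sample data, not a real deployment
    "CN=administrators,OU=groups,DC=example,DC=com": {"member": ["CN=alice,OU=users,DC=example,DC=com"]},
    "CN=operators,OU=groups,DC=example,DC=com": {"uniqueMember": ["CN=bob,OU=users,DC=example,DC=com"]},
    "CN=alice,OU=users,DC=example,DC=com": {"uid": ["alice"]},
    "CN=bob,OU=users,DC=example,DC=com": {"uid": ["bob"]},
}
MAPPINGS = [  # hypothetical role mappings in the shape the page describes: base DN, filter, scope, role
    {"base": "CN=administrators,OU=groups,DC=example,DC=com", "scope": "Base level",
     "filter": "(|(member=${dn})(uniqueMember=${dn}))", "role": "Server Admin"},
    {"base": "OU=groups,DC=example,DC=com", "scope": "One level",
     "filter": "(uniqueMember=${dn})", "role": "Device Admin"},
    {"base": "${dn}", "scope": "Base level", "filter": "(uid=${username})", "role": "User"},
]

def escape_filter_value(value):
    # RFC 4515 escaping, so a substituted DN or username can never alter the filter's structure
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)
def expand(template, username, dn):  # the ${username} / ${dn} substitution, with escaping applied
    return template.replace("${username}", escape_filter_value(username)).replace("${dn}", escape_filter_value(dn))
def parse(f, i=0):
    """Parse the RFC 4515 subset used here: (attr=value), (&...), (|...). Returns (node, next_index)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    end = f.index(")", i)  # safe: a literal ')' inside a value arrives escaped as \29
    attr, value = f[i + 1:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr, value), end + 1
def matches(node, entry):
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])  # exact match; real servers compare DNs case-insensitively
    return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
def in_scope(base, dn, scope):
    if scope == "Base level":
        return dn == base
    if scope == "One level":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)  # Subtree
def granted_roles(mappings, username, dn):
    """A mapping grants its Role when its expanded search returns at least one entry."""
    def hit(m):
        node, _ = parse(expand(m["filter"], username, dn))
        base = m["base"].replace("${dn}", dn)
        return any(in_scope(base, d, m["scope"]) and matches(node, e) for d, e in DIRECTORY.items())
    return {m["role"] for m in mappings if hit(m)}
```

Running granted_roles(MAPPINGS, "alice", "CN=alice,OU=users,DC=example,DC=com") yields {"Server Admin", "User"}, and a user whose entry is absent from the directory gets no role at all.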

Members of the Administrator group are in role Server Admin (alternate AD config)
