2.1.2.3. LDAP
LDAP authorization is not supported by IBM Service Agreements. The following information
is provided for sites planning to use LDAP authorization with HPSS 7.1 as a site supported
feature.
An option for the authorization mechanism is to store HPSS security information in an LDAP directory.
LDAP (Lightweight Directory Access Protocol) is a standard for providing directory services over a
TCP/IP network. A server supporting the LDAP protocol provides a hierarchical view of a centralized
repository of data and provides clients with sophisticated search options. The LDAP software supported
by the HPSS LDAP authorization mechanism is IBM Tivoli Directory Server (Kerberos plug-in available
for AIX only) and OpenLDAP (Kerberos plug-in available for AIX and Linux). One advantage of using
the LDAP mechanism over the UNIX mechanism is that LDAP provides a central repository of
information that is used by all HPSS nodes; it doesn't have to be manually kept in sync.
The rest of this section deals with how to accomplish various administrative tasks if the LDAP
authorization mechanism is used.
2.1.2.3.1. LDAP Administrative Tasks
Working with Principals
• Creating a principal
A principal is an entity with credentials, like a user or a server. The most straightforward way to
create a new principal is to use the -add and -ldap options of the hpssuser utility. The utility will
prompt for any needed information and will drive the hpss_ldap_admin utility to create a new
principal entry in the LDAP server. To create a new principal directly with the
hpss_ldap_admin utility, use the following command at the prompt:
princ create -uid <uid> -name <name> -gid <gid> -home <home>
-shell <shell> [-uuid <uuid>]
If no UUID is supplied, one will be generated.
• Deleting a principal
Likewise, use the -del and -ldap options of the hpssuser utility to delete the named principal from
the LDAP server. To delete a named principal directly with the hpss_ldap_admin utility, use the
following command at the prompt:
princ delete [-uid <uid>] [-name <name>] [-gid <gid>]
[-uuid <uuid>]
You may supply any of the arguments listed. This command will delete any principal entries in
the LDAP information that have the indicated attributes.
Working with Groups
• Creating a group
HPSS Management Guide November 2009
Release 7.3 (Revision 1.0) 23