STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 1 hour ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide

V-237827

CAT I (High)

The storage system must only be operated in conjunction with an Active Directory server in a trusted environment if an LDAP server is not available.

Rule ID

SV-237827r647890_rule

STIG

HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-000015CCI-000366CCI-000764

Discussion

Where strong account and password management capabilities are required, the 3PAR system is heavily dependent on its ability to use an AD server. Satisfies: SRG-OS-000001-GPOS-00001, SRG-OS-000104-GPOS-00051, SRG-OS-000480-GPOS-00227

Check Content

Determine if the system is configured for Active Directory (AD). 

Enter the following command:

cli% showauthparam

If the result returns an error, this is a finding.

If the resulting output does include the parameters "groups-dn", "group-obj", or "group-name-attr" then the host is setup for LDAP, this requirement is not applicable.

If the host is setup for Active Directory and these fields in the output are not configured, this is a finding.

ldap-server <ip address of AD server> 
ldap-server-hn <host name of AD server>

Next, verify that the AD authentication is operational by entering the following command:

cli% checkpassword <username>:
password: <Enter the password for username>

If the username and password used in checkpassword are known to be valid AD credentials, and the following text is NOT displayed at the end of the resulting output, this is a finding.

user <username> is authenticated and authorized

Note: The "checkpassword" command will not display authenticated information even if AD is properly configured, if the username and password are not entered correctly.

Fix Text

Use this series of commands to configure the host to use Active Directory:

cli% setauthparam -f ldap-server        <AD server IP address>
cli% setauthparam -f binding            simple
cli% setauthparam -f ldap-StartTLS      require
cli% setauthparam -f Kerberos-realm     <Kerberos realm, such as WIN2K12FOREST.THISDOMAIN.COM>
cli% setauthparam -f ldap-server-hn     <fully qualified domain name of AD server, such as adserver.thisdomain.com>
cli% setauthparam -f accounts-dn        CN=Users,DC=win2k12forest,DC=thisdomain,DC=com
cli% setauthparam -f user-dn-base       CN=Users,DC=win2k12forest,DC=thisdomain,DC=com
cli% setauthparam -f user-attr          WIN2K12FOREST\\
cli% setauthparam -f account-obj        user
cli% setauthparam -f account-name-attr  sAMAccountName
cli% setauthparam -f memberof-attr      memberOf
cli% setauthparam -f browse-map         "CN=<customer-assigned name of browse role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
cli% setauthparam -f edit-map           "CN=<customer-assigned name of edit role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
cli% setauthparam -f service-map        "CN=<customer-assigned name of service role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"
cli% setauthparam -f super-map          "CN=<customer-assigned name of super role>,CN=Users,DC=win2k12forest,DC=thisdomain,DC=com"