V-237825

Discussion

Where strong account and password management capabilities are required, the 3PAR system is heavily dependent on its ability to use an LDAP server. Satisfies: SRG-OS-000001-GPOS-00001, SRG-OS-000104-GPOS-00051, SRG-OS-000480-GPOS-00227

Check Content

Determine if the system is configured for LDAP.

Enter the following command:

cli% showauthparam

If the output indicates an error, this is a finding.

If the resulting output does not include group parameters "groups-dn", "group-obj", or "group-name-attr" then the host is configured to use Active Directory and this requirement is not applicable. 

If the host is using LDAP and the following fields of the output are not configured, this is a finding.

ldap-server <ip address of LDAP server> 
ldap-server-hn <host name of LDAP server>

Next, verify that the LDAP authentication is operational by entering the following command:

cli% checkpassword <username>
password: <Enter the password for username>

If the username and password used in "checkpassword" are known to be valid LDAP credentials, and the following text is NOT displayed at the end of the resulting output, this is a finding.

user <username> is authenticated and authorized

Note: The "checkpassword" command will not display authenticated information even if LDAP is properly configured, if the username and password are not entered correctly.