beautypg.com

Ldap – H3C Technologies H3C S12500-X Series Switches User Manual

Page 21

background image

9

9.

The user enters the password.

10.

After receiving the login password, the HWTACACS client sends the HWTACACS server a
continue-authentication packet that includes the login password.

11.

If the authentication succeeds, the HWTACACS server sends back an authentication response to

indicate that the user has passed authentication.

12.

The HWTACACS client sends a user authorization request packet to the HWTACACS server.

13.

If the authorization succeeds, the HWTACACS server sends back an authorization response,
indicating that the user is now authorized.

14.

Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and
permits the user to log in.

15.

The HWTACACS client sends a start-accounting request to the HWTACACS server.

16.

The HWTACACS server sends back an accounting response, indicating that it has received the
start-accounting request.

17.

The user logs off.

18.

The HWTACACS client sends a stop-accounting request to the HWTACACS server.

19.

The HWTACACS server sends back a stop-accounting response, indicating that the
stop-accounting request has been received.

157B

LDAP

The Lightweight Directory Access Protocol (LDAP) provides standard multi-platform directory service.

LDAP was developed on the basis of the X.500 protocol, and improves the read/write interactive access,

browse, and search functions of X.500. It is suitable for storing data that does not often change.
LDAP is typically used to store user information. For example, LDAP server software Active Directory

Server is used in Microsoft Windows operating systems to store the user information and user group
information for user login authentication and authorization.

344B

LDAP directory service

LDAP uses directories to maintain the organization information, personnel information, and resource

information. The directories are organized in a tree structure and include entries. An entry is a set of

attributes with distinguished names (DNs). The attributes are used to store information such as usernames,
passwords, emails, computer names, and phone numbers.
LDAP uses a client/server model, and all directory information is stored in the LDAP server. Commonly

used LDAP server products include Microsoft Active Directory Server, IBM Tivoli Directory Server, and Sun

ONE Directory Server.

345B

LDAP authentication and authorization

AAA can use LDAP to provide user authentication and authorization services. LDAP defines a set of

operations to implement its functions. The main operations for authentication and authorization are the

bind operation and search operation:

The bind operation allows an LDAP client to establish a connection with the LDAP server, obtain the
access rights to the LDAP server, and check the validity of user information.

The search operation constructs search conditions and obtains the directory resource information of
the LDAP server.

The basic LDAP authentication process is as follows: