ldap
Required Command-Line Mode = Configure
Required User Level = Admin
Use the ldap command to specify the LDAP servers to be used for authentication. You can specify multiple LDAP servers. Servers are used as fallbacks in the same order they are specified—if the first server is unreachable, the second server is tried, and so on, until all named servers have been used. If a server is reachable and authentication fails, the authentication process terminates.
Refer to the “LDAP” section in the GigaVUE Fabric Management Guide for examples of adding and configuring an LDAP server.
The ldap command has the following syntax:
ldap
    base-dn <string>
    bind-dn <string>
    bind-password <string>
    extra-user-params roles enable
    group-attribute <<string> | member | uniqueMember>
    group-dn <string>
    host <IPv4/IPv6 address or hostname> [order <order number> | last]
    login-attribute <<string> | uid | sAMAccountName>
    port <port number>
    referrals
    remote-user-group
        base-dn <base-dn string> map-to <local account>
        map <disable | enable>
    scope <one-level | subtree>
    ssl
        ca-list <none | default-ca-list>
        cert-verify
        mode <none | ssl | tls>
        ssl-port <port number>
    timeout-bind <seconds>
    timeout-search <seconds>
    version <2 | 3>
The following table describes the arguments for the ldap command. Apart from host, which is entered once per server, every setting applies to all configured LDAP servers; there are no per-host overrides.

Argument / Description

base-dn <string>
    Identifies the base distinguished name (location) of the user information in the LDAP server's schema. Specify this by identifying the organizational unit (ou) in the base DN. Provide the value as a string with no spaces. For example:
        (config) # ldap base-dn "ou=People,dc=mycompany,dc=com"
    This is a global setting. It cannot be configured on a per-host basis.

bind-dn <string>
    Specifies the distinguished name (dn) on the LDAP server with which to bind. By default, this is left empty for anonymous login. This is a global setting. It cannot be configured on a per-host basis.

bind-password <string>
    Provides the credentials to be used for binding with the LDAP server. If bind-dn is undefined for anonymous login (the default), bind-password should also be undefined. This is a global setting. It cannot be configured on a per-host basis.

extra-user-params roles enable
    Enables the GigaVUE H Series node to accept user roles assigned in the LDAP server. Refer to the “Granting Roles with External Authentication Servers” section in the GigaVUE Fabric Management Guide for details.

group-attribute <<string> | member | uniqueMember>
    Specifies the name of the attribute to check for group membership. The default is member. If you specify a value for group-dn, the attribute you name here is checked to see whether it contains the user's distinguished name as one of its values on the LDAP server. This is a global setting. It cannot be configured on a per-host basis.

group-dn <string>
    Specifies that membership in the named group-dn is required for successful login to the GigaVUE H Series node. By default, the group-dn is left empty; group membership is not required for login to the system. If you do specify a group-dn, the attribute specified by the group-attribute argument must contain the user's distinguished name as one of its values on the LDAP server or the user is not logged in. This is a global setting. It cannot be configured on a per-host basis.

host <IPv4/IPv6 address or hostname> [order <order number> | last]
    Specifies the IP address (IPv4 or IPv6) or hostname of the LDAP server where authentication requests are sent. Examples:
        (config) # ldap host 192.168.1.225
        (config) # ldap host 2001:db8:a0b:12f0::66
        (config) # ldap host www.MyCo.com
    Servers are tried in the same order they are added to the list. Check the current order with the show ldap command. Then, use the host command with the order argument to change the order, if necessary. You can either specify a new order number for a host or move it to the bottom of the list with order last. For example:
        (config) # ldap host 192.168.1.225 order last

login-attribute <<string> | uid | sAMAccountName>
    Specifies the name of the LDAP attribute containing the login name. The default is sAMAccountName (the Active Directory login name). You can also specify uid (the User ID attribute used by OpenLDAP-style schemas) or a custom string. This is a global setting. It cannot be configured on a per-host basis.

port <port number>
    Specifies the port number on which the LDAP server is listening. If you do not specify a port, the default LDAP port, 389, is used. This is a global setting. It cannot be configured on a per-host basis.

referrals
    Enables LDAP referrals. If an LDAP server does not hold a requested object, it can return a referral to another server. This option controls whether the GigaVUE H Series node follows the referral and queries the suggested server; disable it with no ldap referrals.

remote-user-group map <disable | enable>
remote-user-group base-dn <base-dn string> map-to <local account>
    Maps a remote user group to a local user account. map enable turns group mapping on; each base-dn/map-to pair names a group DN on the LDAP server and the local account that members of that group are logged in as. Examples:
        (config) # ldap remote-user-group map enable
        (config) # ldap remote-user-group base-dn "CN=gvhd,OU=gigamontaps,DC=gigamondev,DC=com" map-to admin
        (config) # ldap remote-user-group base-dn "CN=gvhd1,OU=gigamontaps,DC=gigamondev,DC=com" map-to admin
    Note: If a user account exists on the remote server as well as on the local device, the remote user is mapped to the local account, regardless of the LDAP mapping policy.

scope <one-level | subtree>
    Specifies the search scope for the user under the base distinguished name (dn):
        one-level: searches only the entries directly beneath the base dn.
        subtree: searches the base dn and every entry beneath it, at any depth. This is the default.
    This is a global setting. It cannot be configured on a per-host basis.

ssl ca-list <none | default-ca-list>
ssl cert-verify
ssl mode <none | ssl | tls>
ssl ssl-port <port number>
    Configures the GigaVUE H Series node's use of SSL/TLS for communications with LDAP servers:
        ca-list: selects the CA certificate list used to verify the LDAP server's certificate, either the node's default CA list (default-ca-list) or none.
        cert-verify: enables verification of the LDAP server's certificate; no ldap ssl cert-verify disables it. With verification disabled the node accepts whatever certificate the server presents, so encryption alone cannot tell a genuine directory server from an impostor.
        mode: none uses no SSL/TLS; ssl negotiates SSL/TLS from the start of the connection on ssl-port (LDAPS); tls connects on the regular LDAP port and upgrades the session with StartTLS. (These are the conventional meanings of the two modes; the page does not define them further.)
        ssl-port: the port used by mode ssl. No default is listed here; LDAPS conventionally uses 636.
    With mode none, the bind password and every user password cross the network in cleartext.

timeout-bind <seconds>
    Specifies how long the GigaVUE H Series node should wait for a response from an LDAP server to a bind request before declaring a timeout failure. The valid range is 0-60 seconds. The default is 5 seconds.

timeout-search <seconds>
    Specifies how long the GigaVUE H Series node should wait for a response from the LDAP server to a search request before declaring a timeout failure. The valid range is 0-60 seconds. The default is 5 seconds.

version <2 | 3>
    Specifies the version of LDAP to use. The default is version 3, which is the current standard. Some older servers still use version 2. This is a global setting. It cannot be configured on a per-host basis.
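The server fallback rule at the top of this page (skip unreachable servers in order, stop at the first one that answers) and the scope, login-attribute and group-dn/group-attribute arguments above interact in ways that are easier to see by running them. The following is an added example, not Gigamon code: a small offline model of that lookup. The directory entries, passwords and host names are constructed for the example, and no LDAP server is contacted.

```python
"""Added example, not Gigamon code: a toy model of the lookup the ldap
settings on this page describe, so host fallback order, scope,
login-attribute and the group-dn/group-attribute check can be exercised
offline. Directory entries and host names are constructed; no LDAP server
is contacted."""
from dataclasses import dataclass

# Constructed directory: DN -> attributes (OpenLDAP-style, so logins live in uid).
DIRECTORY = {
    "uid=alice,ou=People,dc=mycompany,dc=com": {
        "uid": ["alice"], "userPassword": ["alice-pw"]},
    "uid=bob,ou=Contractors,ou=People,dc=mycompany,dc=com": {
        "uid": ["bob"], "userPassword": ["bob-pw"]},
    "cn=netadmins,ou=Groups,dc=mycompany,dc=com": {
        "member": ["uid=alice,ou=People,dc=mycompany,dc=com"]},
}


@dataclass
class LdapSettings:
    base_dn: str
    hosts: list                               # tried in configured order
    login_attribute: str = "sAMAccountName"   # page default
    scope: str = "subtree"                    # page default
    group_dn: str = ""                        # empty: membership not required
    group_attribute: str = "member"           # page default


def _parent(dn: str) -> str:
    return dn.split(",", 1)[1] if "," in dn else ""


def search_user(settings: LdapSettings, login: str):
    """Return the DN whose login_attribute holds `login`, honouring scope."""
    base = settings.base_dn.lower()
    for dn, attrs in DIRECTORY.items():
        if settings.scope == "one-level":
            in_scope = _parent(dn).lower() == base        # direct children only
        else:  # subtree: the base entry itself and anything beneath it
            in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        if in_scope and login in attrs.get(settings.login_attribute, []):
            return dn
    return None


def try_server(settings: LdapSettings, login: str, password: str) -> str:
    """Outcome of authenticating against one server that answered."""
    dn = search_user(settings, login)
    if dn is None:
        return "no-such-user"
    if password not in DIRECTORY[dn].get("userPassword", []):
        return "bad-password"
    if settings.group_dn:  # group-attribute of group-dn must list the user's DN
        members = DIRECTORY.get(settings.group_dn, {}).get(settings.group_attribute, [])
        if dn.lower() not in {m.lower() for m in members}:
            return "not-in-group"
    return "ok"


def authenticate(settings: LdapSettings, login: str, password: str, reachable: set):
    """Walk hosts in order: skip unreachable ones, stop at the first that
    answers, whatever its verdict. Returns (result, host); host is None
    when no server could be reached."""
    for host in settings.hosts:
        if host not in reachable:
            continue                      # fall back to the next server
        return try_server(settings, login, password), host
    return "unreachable", None


if __name__ == "__main__":
    cfg = LdapSettings(base_dn="ou=People,dc=mycompany,dc=com",
                       hosts=["ldap1.example", "ldap2.example"],
                       login_attribute="uid",
                       group_dn="cn=netadmins,ou=Groups,dc=mycompany,dc=com")
    print(authenticate(cfg, "alice", "alice-pw", reachable={"ldap2.example"}))
    print(authenticate(cfg, "alice", "wrong", reachable={"ldap1.example", "ldap2.example"}))
```

Two behaviours worth noticing: a wrong password on the first reachable server ends the attempt without consulting the second server, exactly as the fallback rule states, and leaving login-attribute at its sAMAccountName default against a directory that stores logins in uid yields "no-such-user" for every account, which is the usual first symptom of a mismatched schema.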
Related Commands
The following table summarizes other commands related to the ldap command:
Task / Command

Displays the list of configured LDAP servers and related LDAP settings.
    # show ldap
Resets user search base.
    (config) # no ldap base-dn
Deletes DN to which to bind to the server.
    (config) # no ldap bind-dn
Deletes bind credentials.
    (config) # no ldap bind-password
Does not allow the LDAP server to include additional roles for a remotely authenticated user in the response.
    (config) # no ldap extra-user-params roles enable
Resets group membership attribute to the default (member).
    (config) # no ldap group-attribute
Deletes the distinguished name of the group required for authorization. The default is no authorization checks.
    (config) # no ldap group-dn
Stops sending LDAP authentication requests to the host with the specified IPv4 or IPv6 address, or hostname.
    (config) # no ldap host 1.1.1.1
    (config) # no ldap host www.MyCo.com
Resets login name attribute to the default.
    (config) # no ldap login-attribute
Resets LDAP server port number to the default (389).
    (config) # no ldap port
Disables LDAP referrals.
    (config) # no ldap referrals
Deletes the mapping of a remote user group to a local account.
    (config) # no ldap remote-user-group base-dn "ou=People,dc=mycompany,dc=com" map-to monitor
Resets user search scope to the default (subtree).
    (config) # no ldap scope
Disables the use of a supplemental CA certificates list.
    (config) # no ldap ssl ca-list
Disables LDAP SSL/TLS certificate verification.
    (config) # no ldap ssl cert-verify
Resets LDAP SSL/TLS mode to the default.
    (config) # no ldap ssl mode
Resets LDAP SSL port number to the default.
    (config) # no ldap ssl ssl-port
Resets LDAP timeout for binding to a server.
    (config) # no ldap timeout-bind
Resets LDAP timeout for searching for user information.
    (config) # no ldap timeout-search
Resets LDAP version to the default.
    (config) # no ldap version
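The ssl arguments and the no forms in the table above are the settings that decide whether bind and user credentials are protected on the wire. The following added example, not Gigamon code, renders a configuration as the CLI lines documented on this page (positive forms taken from the syntax block, no forms from the Related Commands table) and flags the combinations that weaken the path to the directory. The host names and DNs are constructed; the 636 value used for ssl-port is an assumption, since the page lists no default.

```python
"""Added example, not Gigamon code: render an ldap configuration as the
CLI lines documented on this page and audit it for settings that weaken
the authentication path. Host names and DNs are constructed; the 636
default for ssl-port is an assumption (the page lists no default)."""
from dataclasses import dataclass


@dataclass
class LdapConfig:
    hosts: list
    base_dn: str
    bind_dn: str = ""              # empty: anonymous bind (page default)
    bind_password: str = ""
    group_dn: str = ""             # empty: no membership requirement
    group_attribute: str = "member"
    login_attribute: str = "sAMAccountName"
    scope: str = "subtree"
    version: int = 3
    ssl_mode: str = "none"         # none | ssl | tls
    cert_verify: bool = False
    ca_list: str = "none"          # none | default-ca-list
    ssl_port: int = 636            # assumption: conventional LDAPS port
    referrals: bool = False


def render(cfg: LdapConfig) -> list:
    """CLI lines, in the order an operator would enter them in config mode."""
    lines = [f'ldap base-dn "{cfg.base_dn}"',
             f"ldap scope {cfg.scope}",
             f"ldap login-attribute {cfg.login_attribute}",
             f"ldap version {cfg.version}"]
    if cfg.bind_dn:
        lines += [f'ldap bind-dn "{cfg.bind_dn}"',
                  f'ldap bind-password "{cfg.bind_password}"']
    if cfg.group_dn:
        lines += [f'ldap group-dn "{cfg.group_dn}"',
                  f"ldap group-attribute {cfg.group_attribute}"]
    lines.append(f"ldap ssl mode {cfg.ssl_mode}")
    if cfg.ssl_mode != "none":
        lines.append(f"ldap ssl ca-list {cfg.ca_list}")
        lines.append("ldap ssl cert-verify" if cfg.cert_verify
                     else "no ldap ssl cert-verify")
    if cfg.ssl_mode == "ssl":          # ssl-port only matters for LDAPS
        lines.append(f"ldap ssl ssl-port {cfg.ssl_port}")
    lines.append("ldap referrals" if cfg.referrals else "no ldap referrals")
    # Explicit order numbers make the fallback sequence visible in the config.
    lines += [f"ldap host {h} order {i}" for i, h in enumerate(cfg.hosts, 1)]
    return lines


def audit(cfg: LdapConfig) -> list:
    """Findings, each prefixed with a short tag, for settings that weaken
    the path between the node and the directory."""
    findings = []
    if cfg.ssl_mode == "none":
        findings.append("cleartext: the bind password and every user password "
                        "cross the network unencrypted")
    elif not cfg.cert_verify:
        findings.append("no-cert-verify: the server certificate is never checked, "
                        "so the node cannot tell the real directory from an impostor")
    if cfg.version == 2:
        findings.append("ldapv2: obsolete protocol version; use 3 unless the server cannot")
    if not cfg.group_dn:
        findings.append("no-group-dn: any directory account that can bind may log in to the node")
    return findings


if __name__ == "__main__":
    weak = LdapConfig(hosts=["192.168.1.225"], base_dn="ou=People,dc=mycompany,dc=com",
                      bind_dn="cn=gigavue,ou=Service,dc=mycompany,dc=com",
                      bind_password="s3cret", version=2)
    hardened = LdapConfig(hosts=["ldap1.mycompany.com", "ldap2.mycompany.com"],
                          base_dn="ou=People,dc=mycompany,dc=com",
                          bind_dn="cn=gigavue,ou=Service,dc=mycompany,dc=com",
                          bind_password="s3cret",
                          group_dn="cn=netadmins,ou=Groups,dc=mycompany,dc=com",
                          ssl_mode="tls", cert_verify=True, ca_list="default-ca-list")
    for name, cfg in (("weak", weak), ("hardened", hardened)):
        print(f"--- {name}: {len(audit(cfg))} finding(s)")
        print("\n".join(audit(cfg) + ["(config) # " + l for l in render(cfg)]))
```

The audit deliberately treats cert-verify as the deciding check once a TLS mode is on: mode ssl or tls without verification still encrypts, but against a server the node never authenticated, which is why the related no ldap ssl cert-verify command deserves the same scrutiny as no ldap ssl mode.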