ldap

Required Command-Line Mode = Configure
Required User Level = Admin

Use the ldap command to specify the LDAP servers to be used for authentication. You can specify multiple LDAP servers. Servers are used as fallbacks in the same order they are specified: if the first server is unreachable, the second server is tried, and so on, until all named servers have been used. If a server is reachable and authentication fails, the authentication process terminates.

Refer to the “LDAP” section in the GigaVUE Fabric Management Guide for examples of adding and configuring an LDAP server.

The ldap command has the following syntax:

ldap
   base-dn <string>
   bind-dn <string>
   bind-password <string>
   extra-user-params roles enable
   group-attribute <<string> | member | uniqueMember>
   group-dn <string>
   host <IPv4/IPv6 address or hostname> [order <order number> | last]
   login-attribute <<string> | uid | sAMAccountName>
   port <port number>
   referrals
   remote-user-group
      base-dn <base-dn string> map-to <local account>
      map <disable | enable>
   scope <one-level | subtree>
   ssl ca-list <none | default-ca-list>
      cert-verify mode <none | ssl | tls>
      ssl-port <port number>
   timeout-bind <seconds>
   timeout-search <seconds>
   version <2 | 3>

The following table describes the arguments for the ldap command. The key, retransmit, and timeout values can be specified both globally and on a per-host basis. Per-host values override any configured global values.

Argument

Description

base-dn <string>

Identifies the base distinguished name (location) of the user information in the LDAP server's schema. Specify this by identifying the organizational unit (ou) in the base DN. Provide the value as a string with no spaces. For example:

(config) # ldap base-dn "ou=People,dc=mycompany,dc=com"

This is a global setting. It cannot be configured on a per-host basis.

bind-dn <string>

Specifies the distinguished name (dn) on the LDAP server with which to bind. By default, this is left empty for anonymous login.

This is a global setting. It cannot be configured on a per-host basis.

bind-password <string>

Provides the credentials to be used for binding with the LDAP server. If bind-dn is undefined for anonymous login (the default), bind-password should also be undefined.

This is a global setting. It cannot be configured on a per-host basis.

extra-user-params roles enable

Enables the GigaVUE H Series node to accept user roles assigned in the LDAP server. Refer to the “Granting Roles with External Authentication Servers” section in the GigaVUE Fabric Management Guide for details.

group-attribute <<string> | member | uniqueMember>

Specifies the name of the attribute to check for group membership. If you specify a value for group-dn, the attribute you name here will be checked to see whether it contains the user’s distinguished name as one of the values in the LDAP server.

This is a global setting. It cannot be configured on a per-host basis.

group-dn <string>

Specifies that membership in the named group-dn is required for successful login to the GigaVUE H Series node.

By default, the group-dn is left empty—group membership is not required for login to the system. If you do specify a group-dn, the attribute specified by the group-attribute argument must contain the user’s distinguished name as one of the values in the LDAP server or the user will not be logged in.

This is a global setting. It cannot be configured on a per-host basis.

host <IPv4/IPv6 address or hostname> [order <order number> | last]

Specifies the IP address (IPv4 or IPv6) or hostname of the LDAP server where authentication requests will be sent.

Examples:

(config) # ldap host 192.168.1.225

(config) # ldap host 2001:db8:a0b:12f0::66

(config) # ldap host www.MyCo.com

Servers are tried in the same order they are added to the list. Check the current order with the show ldap command. Then, use the host command with the order argument to change the order, if necessary. You can either specify a new order number for a host or move it to the bottom of the list with order last. For example:

(config) # ldap host 192.168.1.225 order last
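The ordering and fallback rules above, modelled in Python as an added example (not Gigamon's code): LdapHostList, authenticate, PROBE and the 1-based order numbering are assumptions of this example, and the probe results are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class LdapHostList:
    """Server list as built by `ldap host <host> [order <n> | last]` (assumed 1-based order)."""
    hosts: list = field(default_factory=list)

    def add_host(self, host, order=None):
        if host in self.hosts:            # re-issuing the command repositions a known host
            self.hosts.remove(host)
        if order is None or order == "last" or order > len(self.hosts):
            self.hosts.append(host)
        else:
            self.hosts.insert(order - 1, host)
        return list(self.hosts)

    def remove_host(self, host):
        """`no ldap host <host>`: stop sending requests to that server."""
        self.hosts.remove(host)
        return list(self.hosts)

def authenticate(hosts, probe):
    """Try servers in configured order; probe(host) returns 'unreachable', 'ok' or 'denied'.
    Only an unreachable server falls through to the next one: the first reachable server
    decides the outcome, even when a later server would have accepted the user."""
    tried = []
    for host in hosts:
        result = probe(host)
        tried.append((host, result))
        if result != "unreachable":
            return result == "ok", tried
    return False, tried                   # every server was unreachable

# Constructed probe results standing in for real bind attempts against each server.
PROBE = {"www.MyCo.com": "unreachable", "2001:db8:a0b:12f0::66": "denied",
         "192.168.1.225": "ok"}

if __name__ == "__main__":
    servers = LdapHostList()
    for h in ("192.168.1.225", "2001:db8:a0b:12f0::66", "www.MyCo.com"):
        servers.add_host(h)
    servers.add_host("192.168.1.225", "last")   # (config) # ldap host 192.168.1.225 order last
    # The IPv6 server's denial ends the attempt before 192.168.1.225 is ever tried.
    print(authenticate(servers.hosts, PROBE.get))
```

The practical consequence is that a reachable but stale server early in the list can lock users out even though a later server would authenticate them, so check the order with show ldap after any change.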

login-attribute <<string> | uid | sAMAccountName>

Specifies the name of the LDAP attribute containing the login name. The default is sAMAccountName. You can also specify a custom string or uid (for User ID).

This is a global setting. It cannot be configured on a per-host basis.

port <port number>

Specifies the port number on which the LDAP server is running. If you do not specify a port, the default LDAP authentication port number of 389 is used.

This is a global setting. It cannot be configured on a per-host basis.

referrals

Enables LDAP referrals. If an LDAP server does not have a requested object, it can return a referral to another destination. This option controls whether the GigaVUE H Series node accepts the referral and queries the suggested server; use no ldap referrals to turn it off.

remote-user-group
   base-dn <base-dn string> map-to <local account>
   map <disable | enable>

Maps a remote user group to a local user account as follows:

base-dn—Specifies the base-dn of the remote user group. First specify the base-dn string, then the map-to keyword followed by the local account name.
map—Enables or disables the mapping policy of the remote user group.

Examples:

(config) # ldap remote-user-group map enable

(config) # ldap remote-user-group base-dn "CN=gvhd,OU=gigamontaps,DC=gigamondev,DC=com" map-to admin

(config) # ldap remote-user-group base-dn "CN=gvhd1,OU=gigamontaps,DC=gigamondev,DC=com" map-to admin

Note: If a user account exists on the remote server as well as on the local device, the remote user will be mapped to the local account, regardless of the LDAP mapping policy.

scope <one-level | subtree>

Specifies the search scope for the user under the base distinguished name (dn):

subtree—Searches the base dn and all of its children. This is the default.
one-level—Searches only the immediate children of the base dn.

This is a global setting. It cannot be configured on a per-host basis.

ssl
   ca-list <none | default-ca-list>
   cert-verify
   mode <none | ssl | tls>
   ssl-port <port number>

Configures the GigaVUE H Series node’s use of SSL for communications with LDAP servers as follows:

ca-list—Configures LDAP to use a supplemental CA list. Set to default-ca-list to use the CA list configured with the crypto command. Set to none if you do not want to use a supplemental list.
cert-verify—Enables LDAP SSL/TLS certificate verification. Use no ssl cert-verify to disable.
mode—Enables SSL or TLS to secure communications with LDAP servers as follows:
   - none—Does not use SSL or TLS to secure LDAP.
   - ssl—Secures LDAP using SSL over the SSL port.
   - tls—Secures LDAP using TLS over the default server port.
ssl-port—Configures the LDAP SSL port number.
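An added example (not Gigamon's code) that audits a set of ldap configuration commands for the transport and authorization settings described above; parse_ldap_config, audit and the constructed WEAK and HARDENED line lists are this example's own, and it assumes the commands appear in the syntax shown on this page.

```python
import shlex

# Documented defaults (version 3, no group-dn); the SSL defaults are not stated on the page.
DEFAULTS = {"group-dn": None, "version": "3", "ssl mode": None,
            "ssl cert-verify": False, "ssl ca-list": None}

def parse_ldap_config(lines):
    """Fold `ldap ...` / `no ldap ...` config commands into a settings dict."""
    cfg = dict(DEFAULTS)
    for line in lines:
        tok = shlex.split(line.split("# ", 1)[-1])   # tolerate a "(config) # " prompt
        negate = bool(tok) and tok[0] == "no"
        if negate:
            tok = tok[1:]
        if len(tok) < 2 or tok[0] != "ldap":
            continue
        nested = tok[1] == "ssl"                      # ssl carries its own sub-keywords
        key = " ".join(tok[1:3]) if nested else tok[1]
        args = tok[3:] if nested else tok[2:]
        if key not in cfg:
            continue                                  # host, port, scope ... not audited here
        if negate:
            cfg[key] = DEFAULTS[key]
        elif key == "ssl cert-verify":
            cfg[key] = True
        elif args:
            cfg[key] = args[0]
    return cfg

def audit(cfg):
    """Findings a reviewer would raise; an empty list means nothing to flag."""
    findings = []
    if cfg["ssl mode"] not in ("ssl", "tls"):
        findings.append("ssl mode: bind-password and user credentials cross the network unencrypted")
    elif not cfg["ssl cert-verify"]:
        findings.append("ssl cert-verify: off, so the server certificate is not validated")
    if cfg["version"] == "2":
        findings.append("version: LDAPv2 selected instead of the default 3")
    if cfg["group-dn"] is None:
        findings.append("group-dn: unset, so any account the directory authenticates can log in")
    return findings

# Constructed configurations in the command syntax shown on this page.
WEAK = ["ldap host 192.168.1.225", 'ldap base-dn "ou=People,dc=mycompany,dc=com"',
        "ldap ssl mode none", "ldap version 2"]
HARDENED = WEAK[:2] + ["ldap ssl mode tls", "ldap ssl cert-verify", "ldap ssl ca-list default-ca-list",
                       "ldap version 3", 'ldap group-dn "cn=netops,ou=Groups,dc=mycompany,dc=com"']
```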

timeout-bind <seconds>

Specifies how long the GigaVUE H Series node should wait for a response from an LDAP server to a bind request before declaring a timeout failure.

The valid range is 0-60 seconds. The default is 5 seconds.

timeout-search <seconds>

Specifies how long the GigaVUE H Series node should wait for a response from the LDAP server to a search request before declaring a timeout failure.

The valid range is 0-60 seconds. The default is 5 seconds.

version <2 | 3>

Specifies the version of LDAP to use. The default is version 3, which is the current standard. Some older servers still use version 2.

This is a global setting. It cannot be configured on a per-host basis.

Related Commands

The following table summarizes other commands related to the ldap command:

Task

Command

Displays the list of configured LDAP servers and related LDAP settings.

# show ldap

Resets user search base.

(config) # no ldap base-dn

Deletes the DN used to bind to the server.

(config) # no ldap bind-dn

Deletes bind credentials.

(config) # no ldap bind-password

Does not allow the LDAP server to include additional roles for a remotely authenticated user in the response.

(config) # no ldap extra-user-params roles enable

Resets the group membership attribute to the default (member).

(config) # no ldap group-attribute

Deletes the group distinguished name required for authorization. The default is no authorization checks.

(config) # no ldap group-dn

Stops sending LDAP authentication requests to the host with the specified IPv4 or IPv6 address, or hostname.

(config) # no ldap host 1.1.1.1

(config) # no ldap host www.MyCo.com

Resets login name attribute to use the default.

(config) # no ldap login-attribute

Resets LDAP server port number to the default (389).

(config) # no ldap port

Disables LDAP referrals.

(config) # no ldap referrals

Deletes the mapping of a remote user group to a local account.

(config) # no ldap remote-user-group base-dn "ou=People,dc=mycompany,dc=com" map-to monitor

Resets user search scope to the default (subtree).

(config) # no ldap scope

Disables the use of a supplemental CA certificates list.

(config) # no ldap ssl ca-list

Disables LDAP SSL/TLS certificate verification.

(config) # no ldap ssl cert-verify

Resets LDAP SSL/TLS mode to the default.

(config) # no ldap ssl mode

Resets LDAP SSL port number to the default.

(config) # no ldap ssl ssl-port

Resets LDAP timeout for binding to a server.

(config) # no ldap timeout-bind

Resets LDAP timeout for searching for user information.

(config) # no ldap timeout-search

Resets LDAP version to the default.

(config) # no ldap version