ldap-server

Configures the LDAP server's settings. Configuring an LDAP server allows users to log in and authenticate from anywhere on the network.

Administrators have the option of using the local RADIUS server to authenticate users against an external LDAP server resource. Using an external LDAP user database allows the centralization of user information and reduces administrative user management overhead, making RADIUS authorization more secure and efficient.

RADIUS is not just a database. It is a protocol for asking intelligent questions of a user database (such as LDAP). LDAP, however, is just a database of user credentials, used optionally with the local RADIUS server to free up resources and manage user credentials from a secure remote location. It is the local RADIUS resources that provide the tools to perform user authentication and authorize users based on complex checks and logic. An LDAP user database alone cannot perform such complex authorization checks.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

ldap-server [dead-period|primary|secondary]
ldap-server dead-period <0-600>
ldap-server [primary|secondary] host <IP> port <1-65535> login <LOGIN-NAME> 
bind-dn <BIND-DN> base-dn <BASE-DN> passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] 
passwd-attr <ATTR> group-attr <ATTR> group-filter <FILTER> group-membership <WORD> 
{net-timeout <1-10>|start-tls net-timeout <1-10>|tls-mode net-timeout <1-10>}

Parameters

ldap-server dead-period <0-600>

dead-period <0-600>

Sets an interval, in seconds, during which the local server does not contact its LDAP server resource once it has been defined as unavailable. A dead period is only implemented when additional LDAP servers are configured and available.
  • <0-600> – Specify a value from 0 - 600 seconds. The default is 300 seconds.
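The following is an added illustration of the dead-period behaviour described above; it is not code from the WiNG software. It models a pool of configured LDAP servers in which a server that gives no answer is skipped for dead-period seconds, but only when another server is configured to fail over to. The server names, addresses and timestamps are constructed, and the rule that an explicit reject (as opposed to no answer) does not trigger failover is an assumption of the model.

```python
"""Failover between a primary and a secondary LDAP server with a dead period.

Added illustration (not code from the WiNG software): it models the behaviour
the dead-period description gives, i.e. a server that failed to answer is not
contacted again for dead-period seconds, and only when another LDAP server is
configured. Server names, addresses and timestamps below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class LdapServer:
    name: str                # "primary" or "secondary"
    host: str                # constructed example address
    dead_until: float = 0.0  # timestamp until which this server is skipped


class LdapServerPool:
    def __init__(self, servers: List[LdapServer], dead_period: int = 300) -> None:
        # Same range and default as the CLI parameter: 0-600 seconds, default 300.
        if not 0 <= dead_period <= 600:
            raise ValueError("dead-period must be between 0 and 600 seconds")
        self.servers = list(servers)
        self.dead_period = dead_period

    def mark_unavailable(self, server: LdapServer, now: float) -> None:
        """Start the dead period for a server that did not answer.

        With a single configured server there is nothing to fail over to, so
        the dead period is not applied and the server is retried every time.
        """
        if len(self.servers) > 1:
            server.dead_until = now + self.dead_period

    def candidates(self, now: float) -> List[LdapServer]:
        """Servers eligible for contact at time `now`, in configured order.

        If every server is inside its dead period, all of them are returned so
        an authentication attempt is never left with nobody to ask.
        """
        live = [s for s in self.servers if s.dead_until <= now]
        return live or list(self.servers)

    def authenticate(
        self, now: float, probe: Callable[[LdapServer], Optional[bool]]
    ) -> Tuple[Optional[str], Optional[bool]]:
        """Ask eligible servers in turn.

        `probe` stands in for the bind/search against one server and returns
        True (accepted), False (rejected) or None (no answer within
        net-timeout). Only "no answer" triggers failover; an explicit reject
        is treated as a final answer (an assumption of this model).
        """
        for server in self.candidates(now):
            verdict = probe(server)
            if verdict is None:
                self.mark_unavailable(server, now)
                continue
            return server.name, verdict
        return None, None


def demo() -> dict:
    """Primary goes silent at t=0; secondary answers; primary returns after the dead period."""
    primary = LdapServer("primary", "192.0.2.10")
    secondary = LdapServer("secondary", "192.0.2.11")
    pool = LdapServerPool([primary, secondary], dead_period=100)

    def probe(server: LdapServer) -> Optional[bool]:
        # Constructed outage: the primary never answers, the secondary accepts.
        return None if server.name == "primary" else True

    first = pool.authenticate(now=0, probe=probe)
    return {
        "first_attempt": first,                                     # ('secondary', True)
        "eligible_at_50": [s.name for s in pool.candidates(50)],    # ['secondary']
        "eligible_at_100": [s.name for s in pool.candidates(100)],  # ['primary', 'secondary']
    }


def single_server_is_never_dead() -> float:
    """Sole server: mark_unavailable leaves dead_until at 0, so it is always retried."""
    pool = LdapServerPool([LdapServer("primary", "192.0.2.10")], dead_period=100)
    pool.mark_unavailable(pool.servers[0], now=0)
    return pool.servers[0].dead_until


if __name__ == "__main__":
    print(demo())
```

The `probe` callable is where a real implementation would perform the bind and search with its net-timeout; the pool itself only decides which server to ask and for how long a silent one is left alone.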
ldap-server [primary|secondary] host <IP> port <1-65535> login <LOGIN-NAME> 
bind-dn <BIND-DN> base-dn <BASE-DN> passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] 
passwd-attr <ATTR> group-attr <ATTR> group-filter <FILTER> group-membership <WORD> 
{net-timeout <1-10>|start-tls net-timeout <1-10>|tls-mode net-timeout <1-10>}

ldap-server primary

Configures the primary LDAP server settings.

ldap-server secondary

Configures the secondary LDAP server settings.

host <IP>

Specifies the LDAP host's IP address.

  • <IP> – Specify the LDAP server's IP address.

port <1-65535>

Configures the LDAP server port.

  • <1-65535> – Specify a port between 1 - 65535.

login <LOGIN-NAME>

Configures the login name of a user to access the LDAP server.

  • <LOGIN-NAME> – Specify a login ID (should not exceed 127 characters).

bind-dn <BIND-DN>

Configures the bind DN. This is the DN (distinguished name) used to bind to the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute value pairs, separated by commas.

  • <BIND-DN> – Specify a bind name (should not exceed 127 characters).

base-dn <BASE-DN>

Configures the base DN. This is the DN that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching. LDAP DNs begin with a specific attribute (usually some sort of name) and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is referred to as the RDN (Relative Distinguished Name). It identifies an entry distinctly from any other entries that have the same parent.

  • <BASE-DN> – Specify a base name (should not exceed 127 characters).

passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]

Sets the bind password for the LDAP server.

  • 0 <PASSWORD> – Sets an UNENCRYPTED password.

  • 2 <ENCRYPTED-PASSWORD> – Sets an ENCRYPTED password.

  • <PASSWORD> – Sets the LDAP server bind password, specified UNENCRYPTED, with a maximum size of 31 characters.

passwd-attr <ATTR>

Specify the LDAP server password attribute (should not exceed 63 characters).

group-attr <ATTR>

Specify a name to configure group attributes (should not exceed 31 characters).

LDAP systems have the facility to poll dynamic groups. In an LDAP dynamic group, an administrator can specify search criteria; all users matching the search criteria are considered members of this dynamic group. Specify a group attribute used by the LDAP server. An attribute could be a group name, group ID, password or group membership name.

group-filter <FILTER>

Specify a name for the group filter attribute (should not exceed 255 characters).

This filter is typically used for security role-to-group assignments and specifies the property to look up groups in the directory service.
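As an added illustration of the DN structure described under bind-dn and base-dn and of how a filter such as group-filter is combined with per-user data, the following Python is not WiNG code (this page does not document how the device itself implements these parameters). It follows the general LDAP rules: RFC 4514 for splitting a DN into RDNs and deciding whether an entry lies under a search base, and RFC 4515 for escaping values placed in a search filter so caller-supplied data cannot change the filter's structure. The sample DNs, attribute names and the assumption that the configured filter is a complete parenthesised filter are constructed for the example.

```python
"""DN structure and LDAP search filters as used by the bind-dn, base-dn and
group-filter parameters.

Added illustration, not WiNG code: the device's internal use of these
parameters is not documented on this page. The functions follow the general
LDAP rules (RFC 4514 for DNs, RFC 4515 for filters); the sample DNs and
attribute names are constructed.
"""
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs on unescaped commas.

    The first element is the entry's own RDN; the remaining elements name its
    parents, broadest last. A backslash-escaped comma inside a value does not
    split (RFC 4514).
    """
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def normalize_rdn(rdn: str) -> Tuple[str, str]:
    """Lower-case attribute type and value for comparison.

    Simplification: a real server applies the attribute's matching rule; for
    cn, ou and dc that is case-insensitive matching in practice.
    """
    attr_type, _, value = rdn.partition("=")
    return attr_type.strip().lower(), value.strip().lower()


def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True if the entry lies at or below the search base, i.e. the base DN's
    RDNs are the trailing RDNs of the entry's DN."""
    entry = [normalize_rdn(r) for r in split_dn(entry_dn)]
    base = [normalize_rdn(r) for r in split_dn(base_dn)]
    return len(entry) >= len(base) and entry[-len(base):] == base


# RFC 4515 escapes for characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a filter and cannot
    alter the filter's structure (e.g. a login name containing '*' or ')')."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_and_filter(configured_filter: str, attr: str, value: str) -> str:
    """Combine an administrator-configured filter (assumed here to be a
    complete parenthesised filter, in the role of group-filter) with one
    attribute=value test on caller-supplied data."""
    return f"(&{configured_filter}({attr}={escape_filter_value(value)}))"


if __name__ == "__main__":
    # Constructed sample: a user under the People container of example.com.
    user_dn = "cn=alice,ou=People,dc=example,dc=com"
    print(split_dn(user_dn))
    print(is_under_base(user_dn, "ou=People,dc=example,dc=com"))
    print(build_and_filter("(objectClass=groupOfNames)", "member", user_dn))
```

`is_under_base` shows why the base-dn matters: a search rooted at `ou=People,dc=example,dc=com` reaches `cn=alice,ou=People,dc=example,dc=com` but not an entry under `ou=Admins`. `build_and_filter` shows the defensive half: the configured filter is trusted, the login name or DN substituted into it is escaped.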

group-membership <WORD>

Specify a name for the group membership attribute (should not exceed 63 characters).

This attribute is sent to the LDAP server when authenticating users.

net-timeout <1-10>

Optional. Select a value from 1 - 10 to configure the network timeout (number of seconds to wait for a response from the target primary or secondary LDAP server). The default is 10 seconds.

start-tls net-timeout <1-10>

Optional. Select a value from 1 - 10 to configure the network timeout for secure communication using start_tls support on the external LDAP server.

tls-mode net-timeout <1-10>

Optional. Select a value from 1 - 10 to configure the network timeout for secure communication using tls_mode support on the external LDAP server.

Examples

nx9500-6C8809(config-radius-server-policy-test)#ldap-server dead-period 100
nx9500-6C8809(config-radius-server-policy-test)#ldap-server primary host 172.16.10.19 port 162 login test bind-dn bind-dn1 base-dn base-dn1 passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter groupfilter1 group-membership groupmembership1 net-timeout 2
nx9500-6C8809(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "base-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-server dead-period 100
nx9500-6C8809(config-radius-server-policy-test)#

Related Commands

no

Disables the LDAP server parameters.