ldap-server

Associates a specified LDAP server with this role policy. Use this command to configure the credentials needed to bind with the LDAP server.

When enabled, LDAP service allows the AP or controller to bind with the LDAP server and retrieve user details. This information is matched with the user-defined roles within the role policy. If a match is made, the user is assigned the role and allowed or denied access to the controller managed network.

You can associate two LDAP servers with a role policy, allowing failover in case the primary server is unreachable.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

ldap-server <1-2> host [<IP>|<FQDN>] bind-dn <BIND-DN> base-dn <BASE-DN> 
bind-password <PASSWORD> {port <1-65535>} {(server-type [active-directory|openldap])}

Parameters

ldap-server <1-2> host [<IP>|<FQDN>] bind-dn <BIND-DN> base-dn <BASE-DN> 
bind-password <PASSWORD> {port <1-65535>} {(server-type [active-directory|openldap])}
ldap-server <1-2>

Specify the LDAP server ID from 1 - 2.

The primary LDAP server (ID 1) is used to bind and query. The secondary LDAP server (ID 2) is for failover.

host [<IP>|<FQDN>]

Specify the LDAP server's IP address or FQDN (Fully Qualified Domain Name).

bind-dn <BIND-DN>

Specify the bind distinguished name (used for binding with the server).

base-dn <BASE-DN>

Specify the base distinguished name (used for searching). This should not exceed 127 characters.

bind-password <PASSWORD>

Specify the LDAP server password associated with the bind DN.

port <1-65535>

Optional. Specify the LDAP server port from 1 - 65535. The default is 389.

server-type [active-directory|openldap]

Optional. Specifies the LDAP server type. This keyword follows the 'port' parameter:

  • active-directory – Enables support for Active Directory attribute search. This is the default setting.

  • openldap – Enables support for OpenLDAP attribute search.
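The following Python model illustrates the bind, search, role-match and failover behaviour described above and the parameter ranges the command enforces. It is an added example, not WiNG firmware or vendor code: the directory is an in-memory stand-in, the host 192.168.13.8, the users alice/bob, the group DNs and the rule "match on memberOf group" are all constructed assumptions, and the attribute searched for each server type (sAMAccountName versus uid) is likewise an assumption, since the page only says each type enables an attribute search.

```python
"""Model of a role policy with two ldap-server entries (ID 1 primary, ID 2
failover). Example code, not WiNG firmware; directory contents are constructed."""
from dataclasses import dataclass
from typing import Optional


class LdapUnreachable(Exception):
    """A configured server could not be contacted (simulated by a flag here)."""


@dataclass
class LdapServer:
    server_id: int                          # 1 = primary (bind and query), 2 = failover
    host: str
    bind_dn: str
    bind_password: str
    base_dn: str
    port: int = 389                         # command default
    server_type: str = "active-directory"   # command default
    reachable: bool = True                  # constructed flag used to simulate an outage

    def validate(self) -> None:
        """Reject values outside the ranges the command documents."""
        if self.server_id not in (1, 2):
            raise ValueError("ldap-server ID must be 1 or 2")
        if not 1 <= self.port <= 65535:
            raise ValueError("port must be in 1-65535")
        if len(self.base_dn) > 127:
            raise ValueError("base-dn must not exceed 127 characters")
        if self.server_type not in ("active-directory", "openldap"):
            raise ValueError("server-type must be active-directory or openldap")


# Constructed stand-in for directory contents (DN -> attributes); not a real LDAP server.
FAKE_DIRECTORY = {
    "CN=Administrator,CN=Users,DC=TechPub,DC=com": {"userPassword": "superuser"},
    "CN=alice,CN=Users,DC=TechPub,DC=com": {
        "sAMAccountName": "alice",
        "memberOf": ["CN=NetAdmins,CN=Groups,DC=TechPub,DC=com"],
    },
    "CN=bob,CN=Users,DC=TechPub,DC=com": {
        "sAMAccountName": "bob",
        "memberOf": ["CN=Guests,CN=Groups,DC=TechPub,DC=com"],
    },
}

# Constructed role policy: group DN -> role name. Matching on group membership
# is an assumption; the page only says retrieved attributes are matched to roles.
ROLES = {
    "CN=NetAdmins,CN=Groups,DC=TechPub,DC=com": "netadmin",
    "CN=Guests,CN=Groups,DC=TechPub,DC=com": "guest",
}

BIND_DN = "CN=Administrator,CN=Users,DC=TechPub,DC=com"   # from the page's example
BASE_DN = "CN=Users,DC=TechPub,DC=com"                    # constructed search base


def make_servers(primary_up: bool = True, secondary_up: bool = True) -> list:
    """Two servers as the command allows: ID 1 primary, ID 2 failover.
    192.168.13.7 is the page's example host; 192.168.13.8 is constructed."""
    servers = [
        LdapServer(1, "192.168.13.7", BIND_DN, "superuser", BASE_DN, reachable=primary_up),
        LdapServer(2, "192.168.13.8", BIND_DN, "superuser", BASE_DN, reachable=secondary_up),
    ]
    for s in servers:
        s.validate()
    return servers


def bind_and_search(server: LdapServer, username: str) -> Optional[dict]:
    """Bind with the configured bind DN and password, then search the subtree
    under base-dn for the user. Returns the user's attributes or None."""
    if not server.reachable:
        raise LdapUnreachable(server.host)
    bind_entry = FAKE_DIRECTORY.get(server.bind_dn)
    if bind_entry is None or bind_entry.get("userPassword") != server.bind_password:
        raise PermissionError("bind failed for %s" % server.bind_dn)
    # Assumption: the AD attribute search keys on sAMAccountName, OpenLDAP on uid.
    name_attr = "sAMAccountName" if server.server_type == "active-directory" else "uid"
    for dn, attrs in FAKE_DIRECTORY.items():
        if dn.endswith("," + server.base_dn) and attrs.get(name_attr) == username:
            return attrs
    return None


def assign_role(servers: list, username: str) -> Optional[str]:
    """Query the primary first and fail over to the secondary only when the
    primary is unreachable. Returns the matched role, or None when the user is
    unknown or in no configured group (so the policy's default role applies)."""
    for server in sorted(servers, key=lambda s: s.server_id):
        try:
            attrs = bind_and_search(server, username)
        except LdapUnreachable:
            continue                                # try the next server ID
        if attrs is None:
            return None
        for group in attrs.get("memberOf", []):
            if group in ROLES:
                return ROLES[group]
        return None
    raise LdapUnreachable("no configured LDAP server is reachable")


if __name__ == "__main__":
    print(assign_role(make_servers(), "alice"))                 # netadmin
    print(assign_role(make_servers(primary_up=False), "bob"))   # guest, via failover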

Usage Guidelines

Use the ldap-query command to enable LDAP service on a role policy.

Use the show > role > ldap-stats command to view LDAP server status and state.

Examples

nx9500-6C8809(config-role-policy-test)#ldap-server 1 host 192.168.13.7 bind-dn
"CN=Administrator,CN=Users,DC=TechPub,DC=com" base-dn "CN=Administrator,CN=Users,
DC=TechPub,DC=com" bind-password 0 superuser port 2
nx9500-6C8809(config-role-policy-test)#
nx9500-6C8809(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-deadperiod 100
 ldap-server 1 host 192.168.13.7 bind-dn CN=Administrator,CN=Users,DC=TechPub,
DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 superuser port 2
nx9500-6C8809(config-role-policy-test)#

Related Commands

no (role-policy-config-mode-command)

Removes or resets the LDAP server settings