Configures the LDAP server's settings. Configuring an LDAP server allows users to log in and authenticate from anywhere on the network.
Administrators have the option of using the local RADIUS server to authenticate users against an external LDAP server resource. Using an external LDAP user database allows the centralization of user information and reduces the administrative overhead of user management, making RADIUS authorization more secure and efficient.
RADIUS is not just a database. It is a protocol for asking intelligent questions of a user database (such as LDAP). LDAP, however, is just a database of user credentials, used optionally with the local RADIUS server to free up resources and manage user credentials from a secure remote location. It is the local RADIUS resources that provide the tools to perform user authentication and authorize users based on complex checks and logic. An LDAP user database alone cannot perform such complex authorization checks.
ldap-server [dead-period|primary|secondary]
ldap-server dead-period <0-600>
ldap-server [primary|secondary] host <IP> port <1-65535> login <LOGIN-NAME> bind-dn <BIND-DN> base-dn <BASE-DN> passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] passwd-attr <ATTR> group-attr <ATTR> group-filter <FILTER> group-membership <WORD> {net-timeout <1-10>|start-tls net-timeout <1-10>|tls-mode net-timeout <1-10>}
ldap-server dead-period <0-600>
| Parameter | Description |
|---|---|
| dead-period <0-600> | Sets an interval, in seconds, during which the local server does not contact its LDAP server resource once it has been marked unavailable. A dead period is only applied when additional LDAP servers are configured and available. |
ldap-server [primary|secondary] host <IP> port <1-65535> login <LOGIN-NAME> bind-dn <BIND-DN> base-dn <BASE-DN> passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] passwd-attr <ATTR> group-attr <ATTR> group-filter <FILTER> group-membership <WORD> {net-timeout <1-10>|start-tls net-timeout <1-10>|tls-mode net-timeout <1-10>}
| Parameter | Description |
|---|---|
| primary | Configures the primary LDAP server settings. |
| secondary | Configures the secondary LDAP server settings. |
| host <IP> | Specifies the LDAP host's IP address. |
| port <1-65535> | Configures the LDAP server port. |
| login <LOGIN-NAME> | Configures the login name of a user to access the LDAP server. |
| bind-dn <BIND-DN> | Configures a distinguished bind name. This is the DN (distinguished name) used to bind with the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute-value pairs, separated by commas. |
| base-dn <BASE-DN> | Configures a distinguished base name. This is the DN that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching. LDAP DNs begin with a specific attribute (usually some sort of name) and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is referred to as the RDN (Relative Distinguished Name). It identifies an entry distinctly from any other entries that have the same parent. |
| passwd [0 <PASSWORD> \| 2 <ENCRYPTED-PASSWORD> \| <PASSWORD>] | Sets a valid password for the LDAP server. |
| passwd-attr <ATTR> | Specifies the LDAP server password attribute (should not exceed 63 characters). |
| group-attr <ATTR> | Specifies the group attribute used by the LDAP server (should not exceed 31 characters). LDAP systems can poll dynamic groups: in an LDAP dynamic group an administrator specifies search criteria, and all users matching the criteria are considered members of that group. The attribute could be a group name, group ID, password or group membership name. |
| group-filter <FILTER> | Specifies the group filter attribute (should not exceed 255 characters). This filter is typically used for security role-to-group assignments and specifies the property used to look up groups in the directory service. |
| group-membership <WORD> | Specifies the group membership attribute (should not exceed 63 characters). This attribute is sent to the LDAP server when authenticating users. |
| net-timeout <1-10> | Optional. Select a value from 1 to 10 to configure the network timeout (the number of seconds to wait for a response from the target primary or secondary LDAP server). The default is 10 seconds. |
| start-tls net-timeout <1-10> | Optional. Select a value from 1 to 10 to configure the network timeout for secure communication using start_tls support on the external LDAP server. |
| tls-mode net-timeout <1-10> | Optional. Select a value from 1 to 10 to configure the network timeout for secure communication using tls_mode support on the external LDAP server. |
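The bind-dn, base-dn and group-filter parameters above describe how the local RADIUS server locates a user in the directory: it binds as bind-dn, then searches the subtree under base-dn with the configured filter. The following is an added example, not code from this product or its documentation, that makes those DN and filter concepts concrete: splitting a DN into RDN components, identifying the RDN and parent, checking whether an entry falls under a base-dn, and building the lookup filter with the login escaped per RFC 4515 so it is matched literally. The `(&(...)(...))` filter shape, the `memberUid` login attribute and all DN values are assumptions for illustration.

```python
"""DN and search-filter helpers (constructed example, not the product's code)."""
import re


def split_dn(dn: str) -> list:
    """Split a DN into its components on commas that are not backslash-escaped.
    Simplified RFC 4514 handling: quoted values and multi-valued RDNs are not
    supported, which is enough to illustrate the DN structure."""
    parts = re.split(r"(?<!\\),", dn)
    return [p.strip() for p in parts if p.strip()]


def rdn(dn: str) -> str:
    """The leftmost component is the RDN: it distinguishes the entry from its
    siblings under the same parent."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the RDN names the parent entry (progressively broader)."""
    return ",".join(split_dn(dn)[1:])


def _norm(component: str) -> str:
    # Attribute types and (for this illustration) values compare case-insensitively.
    attr, _, value = component.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def is_under(dn: str, base_dn: str) -> bool:
    """True if `dn` lies in the subtree rooted at `base_dn`, i.e. a subtree search
    starting at base_dn could return this entry."""
    d = [_norm(c) for c in split_dn(dn)]
    b = [_norm(c) for c in split_dn(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


# RFC 4515 escapes for characters that have meaning inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally rather than read as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(group_filter: str, login_attr: str, login: str) -> str:
    """Combine the configured group filter with the login being authenticated.
    The AND-of-two-terms shape and `login_attr` are assumptions for illustration."""
    return f"(&{group_filter}({login_attr}={escape_filter_value(login)}))"


if __name__ == "__main__":
    # Constructed sample values, not from any real directory.
    user = "cn=alice,ou=users,dc=example,dc=com"
    print(rdn(user), "|", parent_dn(user))
    print(is_under(user, "ou=users,dc=example,dc=com"))
    print(build_lookup_filter("(objectClass=posixGroup)", "memberUid", "alice"))
```

`is_under` is the check that decides whether a configured base-dn can ever find a given user: a base-dn that is too narrow (for example an `ou=admins` branch) silently excludes users in other branches, which shows up as authentication failures rather than a configuration error.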
nx9500-6C8809(config-radius-server-policy-test)#ldap-server dead-period 100
nx9500-6C8809(config-radius-server-policy-test)#ldap-server primary host 172.16.10.19 port 162 login test bind-dn bind-dn1 base-dn base-dn1 passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter groupfilter1 group-membership groupmembership1 net-timeout 2
nx9500-6C8809(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "base-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-server dead-period 100
nx9500-6C8809(config-radius-server-policy-test)#
| Parameter | Description |
|---|---|
| no | Disables the LDAP server parameters. |
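The dead-period and net-timeout parameters interact in a way worth seeing end to end: a server that fails to answer within net-timeout is skipped for dead-period seconds, but only when another LDAP server is configured. The simulation below is an added example and not the product's implementation; it models primary/secondary selection with a fake clock and a simulated bind (the second IP address, the user table and the simulated latencies are constructed). It reproduces the documented rule that a lone server is always retried, and shows that only a timeout, not a wrong password, marks a server unavailable.

```python
"""Dead-period failover between primary and secondary LDAP servers
(constructed example, not the product's implementation)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class LdapServer:
    name: str                # "primary" or "secondary"
    host: str
    port: int = 389
    net_timeout: int = 10    # seconds to wait for a response, 1-10
    dead_until: float = 0.0  # clock value until which this server is skipped


class LdapFailover:
    def __init__(self, servers: List[LdapServer], dead_period: int,
                 clock: Callable[[], float] = time.monotonic):
        self.servers = servers
        self.dead_period = dead_period   # 0-600 seconds
        self.clock = clock
        self.attempts: List[str] = []    # servers tried on the last call, for inspection

    def candidates(self) -> List[LdapServer]:
        # The dead period only applies when additional servers are configured;
        # a single server is always retried so authentication is never abandoned.
        if len(self.servers) < 2:
            return list(self.servers)
        now = self.clock()
        return [s for s in self.servers if s.dead_until <= now]

    def authenticate(self, login: str, password: str,
                     connect: Callable[[LdapServer, str, str], bool]) -> Optional[str]:
        """Return 'accept', 'reject', or None when no server answered in time."""
        self.attempts = []
        for server in self.candidates():
            self.attempts.append(server.name)
            try:
                ok = connect(server, login, password)
            except TimeoutError:
                # Mark unavailable for dead-period seconds and fall through to the next server.
                server.dead_until = self.clock() + self.dead_period
                continue
            return "accept" if ok else "reject"
        return None


def make_simulated_connect(latency: Dict[str, float], users: Dict[str, str]):
    """Constructed stand-in for the LDAP bind: a host whose simulated latency
    exceeds the server's net-timeout raises TimeoutError; otherwise the password
    is checked against an in-memory user table."""
    def connect(server: LdapServer, login: str, password: str) -> bool:
        if latency.get(server.host, 0.0) > server.net_timeout:
            raise TimeoutError(server.host)
        return users.get(login) == password
    return connect


def demo() -> dict:
    """Walk through one outage with dead-period 100 and net-timeout 2."""
    now = [1000.0]                      # fake monotonic clock, advanced by hand
    clock = lambda: now[0]
    primary = LdapServer("primary", "172.16.10.19", net_timeout=2)
    secondary = LdapServer("secondary", "172.16.10.20", net_timeout=2)  # constructed address
    connect = make_simulated_connect({"172.16.10.19": 30.0}, {"test": "test@123"})
    fo = LdapFailover([primary, secondary], dead_period=100, clock=clock)
    results = {}
    results["first"] = (fo.authenticate("test", "test@123", connect), list(fo.attempts))
    now[0] += 10     # still inside the dead period: primary is skipped
    results["within_dead_period"] = (fo.authenticate("test", "test@123", connect), list(fo.attempts))
    now[0] += 100    # dead period expired: primary is retried, times out again
    results["after_dead_period"] = (fo.authenticate("test", "wrong", connect), list(fo.attempts))
    return results


def single_server_demo() -> list:
    """With only a primary configured, no dead period is applied."""
    clock = lambda: 1000.0
    primary = LdapServer("primary", "172.16.10.19", net_timeout=2)
    connect = make_simulated_connect({"172.16.10.19": 30.0}, {})
    fo = LdapFailover([primary], dead_period=100, clock=clock)
    return [(fo.authenticate("test", "x", connect), list(fo.attempts)) for _ in range(2)]


if __name__ == "__main__":
    print(demo())
    print(single_server_demo())
```

The `None` result is the case operators should watch for: every reachable server has been exhausted, and the RADIUS side will reject or drop the request, so repeated `None` outcomes in logs point at the timeout and dead-period values rather than at user credentials.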