efa auth ldapconfig
Configures an external LDAP server for user validation and to fetch user groups.
Syntax
efa auth ldapconfig {add | delete | update}
    {--name ldap-name | --primary value | --host hostname | --port port-num
    | [--tls | --insecure-tls] --cacert cert-loc | --timeout value
    | --bind-user-name dn | --bind-user-password pword
    | --user-search-base dn | --user-object-class obj-class
    | --user-login-attribute att-value | --user-role-attribute att-value
    | --user-role-attribute-key att-value | --user-member-attribute att-value
    | --group-search-base dn | --group-object-class obj-class
    | --group-attribute att-value | --group-member-user-attribute att-value
    | --group-member-mapping-attribute att-value}
Parameters
- add | delete | update
  Designates the type of action to perform for the LDAP configuration.
- show
  Displays the current LDAP server configuration.
- --name ldap-name
  Specify the name of the LDAP connection.
- --primary value
  Specify 1 to make this the primary connection when multiple LDAP connections are available.
- --host hostname
  Specify the hostname or IP address of the LDAP host server.
- --port port-num
  Specify the port on which the LDAP server listens for connections.
- --tls | --insecure-tls
  Specify --tls to use LDAP over SSL/TLS. Specify --insecure-tls to use LDAP without certificate verification.
- --cacert cert-loc
  Specify the location of the Certificate Authority certificate.
- --timeout value
  Specify the number of seconds that must elapse before the LDAP server is considered unreachable. The default is 5 seconds.
- --bind-user-name dn
  Specify the Distinguished Name (DN) of the user used to bind, search, and retrieve LDAP entries.
- --bind-user-password pword
  Specify the password of the bind user.
- --user-search-base dn
  Specify the DN of the node in the directory tree from which searches for user objects start.
- --user-object-class obj-class
  Specify the name of the object class to use for user objects. The default is inetOrgPerson.
- --user-login-attribute att-value
  Specify the attribute that matches the user name part of the credentials users enter when logging in. The default is uid.
- --user-role-attribute att-value
  Specify the attribute from which the user role is read.
- --user-role-attribute-key att-value
  Specify the key used to read the role value from the role attribute.
- --user-member-attribute att-value
  Specify the user attribute that records the groups of which the user is a member.
- --group-search-base dn
  Specify the DN of the node in the directory tree from which searches for group objects start.
- --group-object-class obj-class
  Specify the name of the object class to use for group searches. The default is groupOfNames.
- --group-attribute att-value
  Specify the attribute that defines the search filter on a group. The default is cn.
- --group-member-user-attribute att-value
  Specify the name of the user attribute whose format matches the group members. The default is entrydn.
- --group-member-mapping-attribute att-value
  Specify the name of the group attribute that contains the members of a group. The default is member.
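The following is an added worked example, not code from the EFA documentation or product. It shows, in Python, how the search-related parameters above combine into the LDAP filters an authenticator issues (escaped per RFC 4515 so that a login name cannot change the structure of the filter), renders a configuration as the efa command documented here, and runs a pre-flight check on the TLS and bind settings. The exact search sequence EFA performs, the class and function names, and the sample values are assumptions.

```python
"""Added example (not EFA's own code). Assumptions are mine: the authenticator
binds as the bind user, locates the user under --user-search-base with a filter
built from --user-object-class and --user-login-attribute, then finds groups under
--group-search-base whose --group-member-mapping-attribute holds the user's
--group-member-user-attribute value. Filter escaping follows RFC 4515."""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# RFC 4515 section 3: characters that must be escaped inside an assertion value;
# without this, a login name like  *)(uid=*  would change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe interpolation into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapConfig:
    # One --name entry; field defaults mirror the defaults stated in the parameter list.
    name: str
    host: str
    port: int = 389
    tls: bool = False
    insecure_tls: bool = False
    cacert: Optional[str] = None
    timeout: int = 5
    bind_user_name: str = ""
    bind_user_password: str = ""
    user_search_base: str = ""
    user_object_class: str = "inetOrgPerson"
    user_login_attribute: str = "uid"
    group_search_base: str = ""
    group_object_class: str = "groupOfNames"
    group_attribute: str = "cn"
    group_member_user_attribute: str = "entrydn"
    group_member_mapping_attribute: str = "member"


def user_search_filter(cfg: LdapConfig, login_name: str) -> str:
    """Filter that locates the user object; login_name is untrusted input."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(cfg.user_object_class),
        cfg.user_login_attribute, escape_filter_value(login_name))


def group_search_filter(cfg: LdapConfig, user_entry: dict) -> str:
    """Filter that lists the groups whose member attribute names this user."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(cfg.group_object_class),
        cfg.group_member_mapping_attribute,
        escape_filter_value(user_entry[cfg.group_member_user_attribute]))


def check_config(cfg: LdapConfig) -> List[str]:
    """Findings to resolve or consciously accept before running 'ldapconfig add'."""
    findings = []
    if cfg.tls and cfg.insecure_tls:
        findings.append("--tls and --insecure-tls are alternatives; set only one")
    if cfg.insecure_tls:
        findings.append("--insecure-tls skips certificate verification")
    if cfg.tls and not cfg.cacert:
        findings.append("--tls without --cacert: no CA to verify the server certificate")
    if not (cfg.tls or cfg.insecure_tls):
        findings.append("no TLS: the bind password crosses the network unencrypted")
    if not (cfg.bind_user_name and cfg.bind_user_password):
        findings.append("bind DN and password are required to search the directory")
    if not cfg.user_search_base:
        findings.append("--user-search-base is empty")
    if cfg.timeout <= 0:
        findings.append("--timeout must be a positive number of seconds")
    return findings


def to_cli(cfg: LdapConfig) -> str:
    """Render the configuration as the 'efa auth ldapconfig add' command above."""
    parts = ["efa", "auth", "ldapconfig", "add"]
    if cfg.tls:
        parts.append("--tls")
    elif cfg.insecure_tls:
        parts.append("--insecure-tls")
    for flag, value in [
        ("--name", cfg.name), ("--host", cfg.host), ("--port", str(cfg.port)),
        ("--cacert", cfg.cacert), ("--timeout", str(cfg.timeout)),
        ("--bind-user-name", cfg.bind_user_name), ("--bind-user-password", cfg.bind_user_password),
        ("--user-search-base", cfg.user_search_base), ("--user-object-class", cfg.user_object_class),
        ("--user-login-attribute", cfg.user_login_attribute),
        ("--group-search-base", cfg.group_search_base), ("--group-object-class", cfg.group_object_class),
        ("--group-attribute", cfg.group_attribute),
        ("--group-member-user-attribute", cfg.group_member_user_attribute),
        ("--group-member-mapping-attribute", cfg.group_member_mapping_attribute),
    ]:
        if value:  # unset values are simply not passed on the command line
            parts.extend([flag, shlex.quote(value)])
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    cfg = LdapConfig(name="corp", host="ldap.example.test", port=636, tls=True,
                     cacert="/etc/ssl/certs/corp-ca.pem", bind_user_password="PLACEHOLDER",
                     bind_user_name="cn=svc-efa,ou=svc,dc=example,dc=test",
                     user_search_base="ou=people,dc=example,dc=test")
    print(to_cli(cfg))
    print(user_search_filter(cfg, "*)(uid=*"))  # escaped: still a single uid assertion
    for finding in check_config(LdapConfig(name="lab", host="10.0.0.5", insecure_tls=True)):
        print("WARN:", finding)
```

Run the file directly to see the rendered command, the escaped filter and the findings for a lab configuration that uses --insecure-tls. The escaping is the security-relevant part: the value of --user-login-attribute is matched against what the user types at login, so that value must be treated as untrusted before it is placed inside a filter.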
Usage Guidelines
You configure an LDAP server for user validation and to fetch user groups.
To configure LDAP for a deployment of EFA on a TPVM, see the "TPVM Management" section of the Extreme SLX-OS Management Configuration Guide.
Examples
This example configures the bind user name, the bind password, and the DN of the node from which user searches start.
# efa auth ldapconfig add --name ldapconfig --host 10.x.x.x --bind-user-name cn=admin,dc=extrnet,dc=com --bind-user-password password --user-search-base ou=people,dc=extrnet,dc=com