efa auth ldapconfig

Configures an external LDAP server for user validation and to fetch user groups

Syntax

efa auth ldapconfig { add | delete | update } { --name ldap-name | --primary value | --host hostname | --port port-num | [ --tls | --insecure-tls ] --cacert cert-loc | --timeout value | --bind-user-name dn | --bind-user-password pword | --user-search-base dn | --user-object-class obj-class | --user-login-attribute att-value | --user-role-attribute att-value | --user-role-attribute-key att-value | --user-member-attribute att-value | --group-search-base dn | --group-object-class obj-class | --group-attribute att-value | --group-member-user-attribute att-value | --group-member-mapping-attribute att-value }
efa auth ldapconfig show

Parameters

add | delete | update
Designates the type of action to perform for the LDAP configuration.
show
Displays the current LDAP server configuration.
--name ldap-name
Specify the name of the LDAP connection.
--primary value
Specify 1 to mark this connection as the primary one when multiple LDAP connections are configured.
--host hostname
Specify the host name or IP address of the host server.
--port port-num
Specify the port at which the LDAP server listens for connections.
--tls | --insecure-tls
Specify --tls to use LDAP over SSL/TLS with the server certificate verified against the CA certificate given by --cacert. Specify --insecure-tls to use LDAP over TLS without verifying the server certificate.
--cacert cert-loc
Specify the location of the Certificate Authority certificate.
--timeout value
Specify the number of seconds that must elapse before the LDAP server is considered unreachable. The default is 5 seconds.
--bind-user-name dn
Specify the Distinguished Name (DN) of the user that you want to use to bind, search, and retrieve LDAP entries.
--bind-user-password pword
Specify the password of the bind user.
--user-search-base dn
Specify the DN of the node in the directory tree from which searches for user objects start.
--user-object-class obj-class
Specify the name of the object class to use for user objects. The default is inetOrgPerson.
--user-login-attribute att-value
Specify the attribute that matches the user name part of credentials that users enter while logging in. The default is uid.
--user-role-attribute att-value
Specify the attribute from which the user role is read.
--user-role-attribute-key att-value
Specify the key that selects the role value from the key-value pairs stored in the role attribute.
--user-member-attribute att-value
Specify the user attribute that lists the groups the user is a member of (for example, memberOf).
--group-search-base dn
Specify the DN of the node in the directory tree from which searches for group objects start.
--group-object-class obj-class
Specify the name of the object class to use for group searches. The default is groupOfNames.
--group-attribute att-value
Specify the attribute that defines the search filter on a group. The default is cn.
--group-member-user-attribute att-value
Specify the name of the user attribute whose format matches the group members. The default is entrydn.
--group-member-mapping-attribute att-value
Specify the name of the group attribute that contains the members of a group. The default is member.

Usage Guidelines

You configure an LDAP server for user validation and to fetch user groups.

When a user is assigned EFA roles in LDAP, ensure that you define the --user-role-attribute parameter.

You can use key-value pairs to define one attribute value that assigns multiple roles to a user. Use the --user-role-attribute-key parameter for such a scenario.

When you use LDAP groups to assign roles to users, ensure that you define the --user-member-attribute parameter.

When LDAP groups are not in the same search base as the users in the groups, ensure that you define the following parameters.
  • --group-search-base
  • --group-object-class
  • --group-attribute
  • --group-member-user-attribute
  • --group-member-mapping-attribute

To configure LDAP for a deployment of EFA on a TPVM, see the "TPVM Management" section of the Extreme SLX-OS Management Configuration Guide.

Examples

This example configures the bind user name, the bind password, and the DN of the node from which searches start.

# efa auth ldapconfig add --name ldapconfig --host 10.x.x.x
--bind-user-name cn=admin,dc=extrnet,dc=com --bind-user-password password
--user-search-base ou=people,dc=extrnet,dc=com

This example configures the --user-role-attribute parameter for a user that is assigned EFA roles in LDAP.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx 
--user-search-base ou=people,dc=y,dc=com --user-role-attribute role 

This example assigns multiple roles to a user with one key-value pair. The role attribute for the user entry in LDAP has the value of datacenterowner:SystemAdmin,datacenterowner:FabricAdmin.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx 
--user-search-base ou=people,dc=y,dc=com --user-role-attribute role 
--user-role-attribute-key  datacenterowner

This example configures the --user-member-attribute for a user entry in LDAP that has an attribute of memberOf.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx 
--user-search-base ou=people,dc=y,dc=com --user-member-attribute memberOf

This example configures the attributes required when LDAP groups are not in the same search base as the users in the groups.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com
--bind-user-password xxx --user-search-base ou=people,dc=x,dc=com
--group-search-base ou=groups,dc=x,dc=in --group-member-user-attribute dn
--group-member-mapping-attribute memberUid --group-object-class posixGroup

This example maps an LDAP group to an EFA role.

# efa auth rolemapping add --name <group name> --type GROUP --role SystemAdmin

This example configures LDAP Active Directory.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com 
--bind-user-password xxx --user-search-base ou=people,dc=y,dc=com --user-object-class user 
--user-login-attribute sAMAccountName --user-member-attribute memberOf
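The following Python block is an added example, not EFA code, that models how the role settings in the examples above (--user-role-attribute, --user-role-attribute-key, --user-member-attribute and "efa auth rolemapping --type GROUP") turn a user's LDAP entry into EFA roles. The parsing rules, the group-name lookup by cn and the sample entry are assumptions made here from the descriptions on this page.

```python
# Added example: a model of EFA's documented LDAP role resolution.
# Assumed from the page, not taken from EFA source.

def roles_from_role_attribute(values, key=None):
    """Roles carried by the --user-role-attribute values.

    Without --user-role-attribute-key each value is a role name.
    With a key, values hold comma-separated key:role pairs and only
    pairs whose key matches are used (assumed behaviour)."""
    roles = []
    for value in values:
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            if key is None:
                roles.append(item)
                continue
            k, sep, role = item.partition(":")
            if sep and k.strip() == key and role.strip():
                roles.append(role.strip())
    return roles


def roles_from_groups(member_of, group_role_map):
    """Map group DNs from the --user-member-attribute (e.g. memberOf)
    to roles via the GROUP role mappings, keyed by the group cn."""
    roles = []
    for dn in member_of:
        parts = [p.strip() for p in dn.split(",")]
        cn = next((p[3:] for p in parts if p.lower().startswith("cn=")), None)
        if cn and cn in group_role_map:
            roles.append(group_role_map[cn])
    return roles


def effective_roles(entry, role_attr="role", role_key=None,
                    member_attr="memberOf", group_role_map=None):
    """Union of roles from the role attribute and from group membership."""
    roles = roles_from_role_attribute(entry.get(role_attr, []), role_key)
    roles += roles_from_groups(entry.get(member_attr, []), group_role_map or {})
    return sorted(set(roles))


# Constructed sample entry mirroring the page's examples; the second
# role value uses a different key and must be ignored.
SAMPLE_ENTRY = {
    "uid": ["alice"],
    "role": ["datacenterowner:SystemAdmin,datacenterowner:FabricAdmin",
             "otherkey:FabricAdmin"],
    "memberOf": ["cn=fabric-admins,ou=groups,dc=y,dc=com"],
}
```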