Adds, updates, or deletes an external LDAP server, or shows the current LDAP configuration.
Specify --tls to use LDAP over SSL/TLS. Specify --insecure-tls to use TLS without certificate verification; because the bind user name and password are sent to the server on every lookup, an unverified connection exposes them to a man-in-the-middle, so use --insecure-tls only for testing.
You configure an LDAP server for user validation and to fetch user groups.
When a user is assigned EFA roles in LDAP, ensure that you define the user-role-attribute parameter.
You can use key-value pairs to define one attribute value that assigns multiple roles to a user. Use the user-role-attribute-key parameter for such a scenario.
When you use LDAP groups to assign roles to users, ensure that you define the user-member-attribute parameter.
To configure LDAP for a deployment of EFA on a TPVM, see the "TPVM Management" section of the Extreme SLX-OS Management Configuration Guide.
This example configures the bind user name, the bind password, and the DN of the node from which searches start.
# efa auth ldapconfig add --name ldapconfig --host 10.x.x.x --bind-user-name cn=admin,dc=extrnet,dc=com --bind-user-password password --user-search-base ou=people,dc=extrnet,dc=com
This example configures the --user-role-attribute parameter for a user that is assigned EFA roles in LDAP.
# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx --user-search-base ou=people,dc=y,dc=com --user-role-attribute role
This example assigns multiple roles to a user with one key-value pair. The role attribute for the user entry in LDAP has the value datacenterowner:SystemAdmin,datacenterowner:FabricAdmin.
# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx --user-search-base ou=people,dc=y,dc=com --user-role-attribute role --user-role-attribute-key datacenterowner
This example configures the --user-member-attribute for a user entry in LDAP that has an attribute of memberOf.
# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx --user-search-base ou=people,dc=y,dc=com --user-member-attribute memberOf
This example configures the attributes required when LDAP groups are not in the same search base as the users in the groups.
# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx --user-search-base ou=people,dc=x,dc=com --group-search-base ou=groups,dc=x,dc=in --group-member-user-attribute dn --group-member-mapping-attribute memberUid --group-object-class posixGroup
This example maps an LDAP group to an EFA role.
# efa auth rolemapping add --name group1 --type GROUP --role SystemAdmin
This example configures Active Directory as the LDAP server, where user entries have the object class user and log in with the sAMAccountName attribute.
# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx --user-search-base ou=people,dc=y,dc=com --user-object-class user --user-login-attribute sAMAccountName --user-member-attribute memberOf