efa auth ldapconfig
Adds, updates, or deletes an external LDAP server, or shows the current LDAP configuration.
Syntax
Parameters
- --name ldap-name
- Specifies the name of the LDAP connection.
- --primary value
- Set to 1 to mark this connection as the primary one when multiple LDAP connections are configured.
- --host hostname
- Specifies the host name, IPv4, or IPv6 address of the LDAP server.
- --port port-num [--tls | --insecure-tls]
- Specifies the port at which the LDAP server listens for connections. Specify --tls to use LDAP over SSL/TLS. Specify --insecure-tls to use TLS without verifying the server certificate.
- --cacert cert-loc
- Specifies the location of the Certificate Authority certificate.
- --timeout value
- Specifies the number of seconds that must elapse before the LDAP server is considered unreachable. The default is 5 seconds.
- --bind-user-name dn
- Specifies the Distinguished Name (DN) of the user that you want to use to bind, search, and retrieve LDAP entries.
- --bind-user-password pword
- Specifies the password of the bind user.
- --user-search-base dn
- Specifies the DN of the node in the directory tree from which searches for user objects will start.
- --user-object-class obj-class
- Specifies the name of the object class to use for user objects. The default is inetOrgPerson.
- --user-login-attribute att-value
- Specifies the attribute that matches the user name part of credentials that users enter while logging in. The default is uid.
- --user-role-attribute att-value
- Specifies the attribute from which the user role is read.
- --user-role-attribute-key att-value
- Specifies the key that selects role values from the key:value pairs stored in the role attribute. For example, with the key datacenterowner, the pair datacenterowner:SystemAdmin yields the role SystemAdmin.
- --user-member-attribute att-value
- Specifies the user attribute that lists the groups the user is a member of (for example, memberOf).
- --group-search-base dn
- Specifies the DN of the node in the directory tree from which searches for group objects begin.
- --group-object-class obj-class
- Specifies the name of the object class to use for group searches. The default is groupOfNames.
- --group-attribute att-value
- Specifies the attribute that defines the search filter on a group. The default is cn.
- --group-member-user-attribute att-value
- Specifies the user attribute whose value matches the format in which members are listed in a group entry. The default is entrydn.
- --group-member-mapping-attribute att-value
- Specifies the name of the group attribute that contains the members of a group. The default is member.
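The parameters above combine into two LDAP searches: one that locates the user entry by login name under the user search base, and one that finds the groups listing that user under the group search base. The following is an added illustration, not EFA's own code, of how those searches are assembled from the documented defaults (inetOrgPerson, uid, groupOfNames, entrydn, member) and from the posixGroup/memberUid variant shown later in the Examples. The `LdapConfig` class, the function names and the sample values are assumptions; the escaping follows RFC 4515 so that a login name containing filter metacharacters cannot change the shape of the filter.

```python
"""Build the LDAP search filters implied by efa auth ldapconfig parameters.

Added illustration (not EFA code). Field names mirror the CLI parameters;
defaults are the documented defaults.
"""
from dataclasses import dataclass


@dataclass
class LdapConfig:
    # hypothetical container for the ldapconfig parameters used in searches
    user_search_base: str
    group_search_base: str
    user_object_class: str = "inetOrgPerson"
    user_login_attribute: str = "uid"
    group_object_class: str = "groupOfNames"
    group_attribute: str = "cn"
    group_member_user_attribute: str = "entrydn"
    group_member_mapping_attribute: str = "member"


# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search(cfg: LdapConfig, login_name: str) -> tuple[str, str]:
    """Return (base_dn, filter) that locates the user entry for a login name.

    user-object-class restricts the entry type; user-login-attribute is the
    attribute compared against the name the user typed.
    """
    flt = (
        f"(&(objectClass={cfg.user_object_class})"
        f"({cfg.user_login_attribute}={escape_filter_value(login_name)}))"
    )
    return cfg.user_search_base, flt


def group_search(cfg: LdapConfig, user_entry: dict[str, str]) -> tuple[str, str]:
    """Return (base_dn, filter) that finds the groups listing this user.

    The value of group-member-user-attribute on the user entry (entrydn by
    default) is what group entries carry under group-member-mapping-attribute
    (member by default), so that value becomes the assertion value.
    """
    member_value = user_entry[cfg.group_member_user_attribute]
    flt = (
        f"(&(objectClass={cfg.group_object_class})"
        f"({cfg.group_member_mapping_attribute}={escape_filter_value(member_value)}))"
    )
    return cfg.group_search_base, flt


if __name__ == "__main__":
    # Constructed sample configuration using the documented defaults.
    cfg = LdapConfig(
        user_search_base="ou=people,dc=y,dc=com",
        group_search_base="ou=groups,dc=y,dc=com",
    )
    print(user_search(cfg, "alice"))
    # A login name carrying filter metacharacters is neutralised by escaping.
    print(user_search(cfg, "*)(uid=*"))
    print(group_search(cfg, {"entrydn": "uid=alice,ou=people,dc=y,dc=com"}))

    # posixGroup variant: groups list members by uid under memberUid.
    posix = LdapConfig(
        user_search_base="ou=people,dc=x,dc=com",
        group_search_base="ou=groups,dc=x,dc=com",
        group_object_class="posixGroup",
        group_member_user_attribute="uid",
        group_member_mapping_attribute="memberUid",
    )
    print(group_search(posix, {"uid": "alice"}))
```

The group-member-user-attribute and group-member-mapping-attribute pair is the part most often misconfigured: the value the user entry exposes under the first must be literally what group entries store under the second, otherwise the group search returns nothing and no group-based roles are assigned.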
Usage Guidelines
You configure an LDAP server for user validation and to fetch user groups.
When a user is assigned EFA roles in LDAP, ensure that you define the user-role-attribute parameter.
You can use key-value pairs to define one attribute value that assigns multiple roles to a user. Use the user-role-attribute-key parameter for such a scenario.
When you use LDAP groups to assign roles to users, ensure that you define the user-member-attribute parameter. The group lookup itself is controlled by the following parameters; they are required, for example, when the groups are not in the same search base as the users (see the Examples):
- group-search-base
- group-object-class
- group-attribute
- group-member-user-attribute
- group-member-mapping-attribute
To configure LDAP for a deployment of EFA on a TPVM, see the "TPVM Management" section of the Extreme SLX-OS Management Configuration Guide.
Examples
This example configures the bind user name, the bind password, and the DN of the node from which searches start.
# efa auth ldapconfig add --name ldapconfig --host 10.x.x.x --bind-user-name cn=admin,dc=extrnet,dc=com --bind-user-password password --user-search-base ou=people,dc=extrnet,dc=com
This example configures the --user-role-attribute parameter for a user that is assigned EFA roles in LDAP.
# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx --user-search-base ou=people,dc=y,dc=com --user-role-attribute role
This example assigns multiple roles to a user with one key-value pair. The role attribute for the user entry in LDAP has the value datacenterowner:SystemAdmin,datacenterowner:FabricAdmin.
# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx --user-search-base ou=people,dc=y,dc=com --user-role-attribute role --user-role-attribute-key datacenterowner
This example configures the --user-member-attribute for a user entry in LDAP that has an attribute of memberOf.
# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx --user-search-base ou=people,dc=y,dc=com --user-member-attribute memberOf
This example configures the attributes required when LDAP groups are not in the same search base as the users in the groups.
# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx --user-search-base ou=people,dc=x,dc=com --group-search-base ou=groups,dc=x,dc=in --group-member-user-attribute dn --group-member-mapping-attribute memberUid --group-object-class posixGroup
This example maps an LDAP group to an EFA role.
# efa auth rolemapping add --name group1 --type GROUP --role SystemAdmin
This example configures LDAP Active Directory.
# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx --user-search-base ou=people,dc=y,dc=com --user-object-class user --user-login-attribute sAMAccountName --user-member-attribute memberOf