efa auth ldapconfig

Adds, updates, or deletes an external LDAP server, or shows the current LDAP configuration.

Syntax

efa auth ldapconfig delete [--name ldap-name ]

efa auth ldapconfig show [--name ldap-name ]

Parameters

--name ldap-name: Specifies the name of the LDAP connection.
--primary value: Specifies 1 when multiple LDAP connections are available.
--host hostname: Specifies the host name, IPv4, or IPv6 address of the LDAP server.
--port port-num tls | insecure-tls: Specifies the port at which the LDAP server listens for connections.
Specify --tls to use LDAP over SSL and TLS. Specify --insecure-tls to use LDAP without certification verification.
--cacert cert-loc: Specifies the location of the Certificate Authority certificate.
--timeout value: Specifies the number of seconds that must elapse before the LDAP server is considered unreachable. The default is 5 seconds.
--bind-user-name dn: Specifies the Distinguished Name (DN) of the user that you want to use to bind, search, and retrieve LDAP entries.
--bind-user-password pword: Specifies the password of the bind user.
--user-search-base dn: Specifies the DN of the node in the directory tree from which searches for user objects will start.
--user-object-class obj-class: Specifies the name of the object class to use for user objects. The default is inetOrgPerson.
--user-login-attribute att-value: Specifies the attribute that matches the user name part of credentials that users enter while logging in. The default is uid.
--user-role-attribute att-value: Specifies the attribute from which the user role is read.
--user-role-attribute-key att-value: Specifies the attribute that reads the role value from the role attribute.
--user-member-attribute att-value: Specifies the attribute that reads the member of the group that the user is part of.
--group-search-base dn: Specifies the DN of the node in the directory tree from which searches for group objects begins.
--group-object-class obj-class: Specifies the name of the object class to use for group searches. The default is groupOfNames.
--group-attribute att-value: Specifies the attribute that defines the search filter on a group. The default is cn.
--group-member-user-attribute att-value: Specifies the name of the user attribute whose format matches the group members. The default is entrydn.
--group-member-mapping-attribute att-value: Specifies the name of the group attribute that contains the members of a group. The default is member.

Usage Guidelines

You configure an LDAP server for user validation and to fetch user groups.

When a user is assigned EFA roles in LDAP, ensure that you define the user-role-attribute parameter.

You can use key-value pairs to define one attribute value that assigns multiple roles to a user. Use the user-role-attribute-key parameter for such a scenario.

When you use LDAP groups to assign roles to users, ensure that you define the user-member-attribute parameter.

When LDAP groups are not in the same search base as the users in the groups, ensure that you define the following parameters.

group-search-base
group-object-class
group-attribute
group-member-user-attribute
group-member-mapping-attribute

To configure LDAP for a deployment of EFA on a TPVM, see the "TPVM Management" section of the Extreme SLX-OS Management Configuration Guide.

Examples

This example configures the bind user name, the bind password, and the DN of the node from which searches start.

# efa auth ldapconfig add --name ldapconfig –- host 10.x.x.x 
--bind-user-name cn=admin,dc=extrnet,dc=com --bind-user-password password 
--user-search-base ou=people,dc=extrnet,dc=com

This example configures the --user-role-attribute parameter for a user that is assigned EFA roles in LDAP.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx 
--user-search-base ou=people,dc=y,dc=com --user-role-attribute role

This example assigns multiple roles to a user with one key-value pair. The role attribute for the user entry in LDAP has the value of datacenterowner:SystemAdmin,datacenterowner:FabricAdmin.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx 
--user-search-base ou=people,dc=y,dc=com --user-role-attribute role 
--user-role-attribute-key  datacenterowner

This example configures the --user-member-attribute for a user entry in LDAP that has an attribute of memberOf.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx 
--user-search-base ou=people,dc=y,dc=com --user-member-attribute memberOf

This example configures the attributes required when LDAP groups are not in the same search base as the users in the groups.

# ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com 
--bind-user-password xxx --user-search-base ou=people,dc=x,dc=com 
--group-search-base ou=groups,dc=x,dc=in --group-member-user-attribute dn 
--group-member-mapping-attribute memberUid --group-object-class posixGroup

This example maps an LDAP group to an EFA role.

# efa auth rolemapping add --name group1 --type GROUP --role SystemAdmin

This example configures LDAP Active Directory.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com 
--bind-user-password xxx --user-search-base ou=people,dc=y,dc=com 
--user-object-class user 
--user-login-attribute sAMAccountName --user-member-attribute memberOf