This command adds an LDAP server under an LDAP domain and configures the parameters for contacting the server.
| Parameter | Description |
|---|---|
| domain_name | Specifies the LDAP domain under which this server should be added. |
| host_ipaddr | Specifies an IP address for an LDAP server to add. |
| host_name | Specifies a DNS hostname for an LDAP server to add. |
| server_port | Specifies a port number for the LDAP service. The default port number is 389. |
| client_ipaddr | Specifies the LDAP client IP address, which should be set to the IP address of the interface that will connect to the LDAP server. |
| vr_name | Specifies the VR name for the interface that will connect to the LDAP server. The default VR for LDAP client connections is VR-Mgmt. |
| encrypted sasl digest-md5 | Specifies that the LDAP client uses Digest RSA Data Security, Inc. MD5 (Message-Digest algorithm 5) Message-Digest Algorithm encryption over SASL (Simple Authentication and Security Layer) to communicate with the LDAP server. Note that this mechanism protects only the password credentials during the bind; the LDAP information exchange itself is sent in plain text. Note: To support Digest RSA Data Security, Inc. MD5 Message-Digest Algorithm over SASL, the LDAP client (bind user) password must be stored using 'reverse encryption', and the host_name should be configured as the fully qualified host name for the LDAP server. |
client_ipaddr is optional. If client_ipaddr is not specified, the LDAP client looks up the interface through which the LDAP server can be reached.
If vr_name is not specified, the LDAP client assumes VR-Mgmt.
If 'encrypted sasl digest-md5' is not specified, the LDAP client talks to the LDAP server in plain text.
You can configure up to 8 LDAP servers under one LDAP domain. The LDAP servers are contacted in the order in which they were configured. If the first server does not respond before the timeout period expires, the second server is contacted. This process continues until an LDAP server responds, and the responding server is then marked as 'active'. Subsequent LDAP requests for that LDAP domain are sent to the 'active' server.
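The server-selection behaviour described above, as an added simulation that is not ExtremeXOS code or output: servers are tried in configuration order, the first one that answers before the timeout is marked active, and later requests for the domain go straight to the active server. The `responds` callback stands in for a real LDAP bind attempt, the reachability set is constructed for the walk-through, and the choice to clear the active mark and re-walk the list when the active server stops answering is an assumption the page does not state.

```python
"""Simulation of LDAP server selection for one LDAP domain.

Added example, not ExtremeXOS code.  The 'responds' callback models
'the server answered before the timeout period expired'.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MAX_SERVERS_PER_DOMAIN = 8            # limit stated in the command reference


@dataclass
class LdapServer:
    host: str                         # host_name or host_ipaddr
    port: int = 389                   # server_port default
    client_ip: Optional[str] = None   # client_ipaddr; None = look up the interface
    vr: str = "VR-Mgmt"               # vr_name default
    sasl_digest_md5: bool = False     # 'encrypted sasl digest-md5' given?


@dataclass
class LdapDomain:
    name: str
    servers: List[LdapServer] = field(default_factory=list)
    active: Optional[LdapServer] = None

    def add_server(self, server: LdapServer) -> None:
        """Append a server in configuration order; at most 8 per domain."""
        if len(self.servers) >= MAX_SERVERS_PER_DOMAIN:
            raise ValueError(
                f"domain {self.name}: at most {MAX_SERVERS_PER_DOMAIN} servers")
        self.servers.append(server)

    def send_request(self,
                     responds: Callable[[LdapServer], bool]) -> Optional[LdapServer]:
        """Return the server that handles this request, or None.

        If an active server is known, the request goes there directly.
        Otherwise servers are tried in configuration order and the first
        responder is marked active.  Behaviour once the active server stops
        answering is not stated on the page; this simulation clears the mark
        and walks the list again (assumption).
        """
        if self.active is not None:
            if responds(self.active):
                return self.active
            self.active = None        # assumption, see docstring
        for server in self.servers:
            if responds(server):
                self.active = server
                return server
        return None                   # no configured server responded


def demo() -> List[Optional[str]]:
    """Walk the two configuration examples from the page through a
    constructed reachability model; returns the host chosen per request."""
    domain = LdapDomain("sales.XYZCorp.com")
    domain.add_server(LdapServer("LDAPServer1.sales.XYZCorp.com",
                                 vr="VR-Default", sasl_digest_md5=True))
    domain.add_server(LdapServer("192.168.1.1", client_ip="10.10.10.1"))

    reachable = {"192.168.1.1"}       # constructed: first server times out
    probe = lambda s: s.host in reachable

    chosen = []
    chosen.append(domain.send_request(probe))       # falls through to 2nd server
    reachable.add("LDAPServer1.sales.XYZCorp.com")  # first server recovers
    chosen.append(domain.send_request(probe))       # still goes to the active one
    reachable.clear()                               # everything down
    chosen.append(domain.send_request(probe))       # None: no responder
    return [s.host if s else None for s in chosen]


if __name__ == "__main__":
    print(demo())  # ['192.168.1.1', '192.168.1.1', None]
```

The second request is the point to notice: once 192.168.1.1 has been marked active, the recovered first-configured server is not consulted, which matches the "subsequent requests go to the active server" rule rather than a strict priority order.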
Note
If the switch cannot resolve the host name using a DNS server, the switch rejects the command and generates an error message.
As of ExtremeXOS 15.2, the "identity-management" keyword is optional in this command.
The following command configures LDAP client access to LDAP server LDAP1 using encrypted authentication:
Switch.6 # configure ldap add server LDAP1 client-ip 10.10.2.1 encrypted sasl digest-md5
The following command adds the LDAP server LDAPServer1.sales.XYZCorp.com under the domain sales.XYZCorp.com and configures the LDAP client to contact it over VR-Default. It also configures the LDAP client to communicate with the server using digest-md5 encryption over SASL.
configure ldap domain sales.XYZCorp.com add server LDAPServer1.sales.XYZCorp.com vr VR-Default encrypted sasl digest-md5
The following command adds the LDAP server 192.168.1.1 under the domain sales.XYZCorp.com and also configures the LDAP client to contact it through the interface 10.10.10.1 over VR-Mgmt.
configure ldap domain sales.XYZCorp.com add server 192.168.1.1 client-ip 10.10.10.1
This command was first available in ExtremeXOS 12.5.
This command was modified in ExtremeXOS 15.2 to make the identity management keyword optional.
This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X620, X690, X870 series switches.