LDAP over TLS NEW!

Lightweight Directory Access Protocol (LDAP) is used in Authentication, Accounting, and Authorization (AAA) server environments that consist of a centralized authentication server and multiple Network Access Servers (NAS) or clients. With LDAP support, management of SLX devices integrates seamlessly into these environments.

Transport Layer Security (TLS) is cryptographic protocol to provide communication security between client and server applications that communicate with each other over the network.

The certificate revocation status of the LDAP over TLS (LDAPS) client can be checked using OCSP. LDAPS protects communication when it is established.

By default, LDAPS uses port 636.

Support for LDAPS replaces support for startTLS mode. Consider the following as you use LDAPS:

Existing logged-in startTLS sessions are not terminated when the LDAPS server is configured.
The following configuration is not supported: two LDAP servers with the same IPv4 or IPv6 address (and the same VRF), with one server configured with startTLS and the other with LDAPS. The LDAP host and the VRF are the unique identifiers for each server configuration.
Unlike startTLS, LDAPS authentication fails without an imported CA certificate. For more information, see the crypto import command in the Extreme SLX-OS Command Reference.

Table 1. Related commands
Command	Function
ldap-server host	Configures an LDAP server to connect for external or remote authentication. The ldaps option specifies that LDAP over TLS is to be used.
ldap-server source-interface	Configures the LDAP server on specific VRF with source interface.
crypto import	Imports the Identity Certificate for security configuration. The ldapca option specifies that LDAP over TLS is to be used.
cipherset ldap	Displays the confirmation of LDAP cipher list configured successfully message and displays the cipher list.
show cipherset	Displays the configured LDAP cipher list.