configure ldap domain add server

configure ldap {domain domain_name} add server [host_ipaddr | host_name] {server_port} {client-ip client_ipaddr} {vr vr_name} {encrypted sasl digest-md5}

Description

This command adds an LDAP server under an LDAP domain and configures the parameters for contacting the server.

Syntax Description

domain_name

Specifies the LDAP domain under which this server should be added.

host_ipaddr

Specifies a IP address for an LDAP server to add.

host_name

Specifies a DNS hostname for an LDAP server to add.

server_port

Specifies a port number for the LDAP service. The default port number is 389.

client_ipaddr

Specifies the LDAP client IP address, which should be set to the IP address of the interface that will connect to the LDAP server.

vr_name

Specifies the VR name for the interface that will connect to the LDAP server. The default VR for LDAP client connections is VR-Mgmt.

encrypted sasl digest-md5

Specifies that the LDAP client uses Digest RSA Data Security, Inc. MD5 Message-Digest Algorithm encryption over SASL (Simple Authentication and Security Layer) to communicate with the LDAP server. Note that this mechanism encrypts only the password credentials, and the LDAP information exchange uses plain text.

Note:

To support Digest RSA Data Security, Inc. MD5 Message-Digest Algorithm over SASL, the LDAP client (bind user) password must be stored using ‘reverse encryption,‘ and the host_name should be configured as the fully-qualified host name for the LDAP server.

Default

client-ipaddr is optional. If client-ipaddr is not specified, the LDAP client looks up the interface through which the LDAP server can be reached.

If vr_name is not specified, the LDAP client assumes it to be VR-Mgmt.

If "encrypted sasl digest-md5' is not specified, the LDAP client talks to the LDAP server using plain text.

Usage Guidelines

You can configure up to 8 LDAP servers under one LDAP domain. The LDAP servers are contacted in the order of configuration. If the first server does not respond before the timeout period expires, the second server is contacted. This process continues until an LDAP server responds, and then the responding server marked as 'active'. Subsequent LDAP requests for that LDAP domain are sent to the 'active' server.

Note

Note

If the switch cannot resolve the host name using a DNS server, the switch rejects the command and generates an error message.

As of 15.2, the "identity-management" keyword is now optional in this command.

Example

The following command configures LDAP client access to LDAP server LDAP1 using encrypted authentication:

* Switch.6 # configure ldap add server LDAP1 client-ip 10.10.2.1
encrypted sasl digest-md5

The following command adds the LDAP server LDAPServer1.sales.XYZCorp.com under the domain sales.XYZCorp.com and configures the LDAP client to contact it over VR-Default. It also configures the LDAP client to communicate with the server using digest-md5 encryption over SASL.

configure ldap domain sales.XYZCorp.com add server LDAPServer1.sales.XYZCorp.com vr VR-Default encrypted sasl digest-md5

The following command adds the LDAP server 192.168.1.1 under the domain sales.XYZCorp.com and also configures the LDAP client to contact it through the interface 10.10.10.1 over VR-Mgmt.

configure ldap domain sales.XYZCorp.com add server 192.168.1.1 client-ip 10.10.10.1

History

This command was first available in ExtremeXOS 12.5.

This command was modified in ExtremeXOS 15.2 to make the identity management keyword optional.

Platform Availability

This command is available on all Universal switches supported in this document.