Configure an External LDAP Server

You can configure an LDAP server for user validation and to fetch user groups.

LDAP supports three modes for fetching the roles assigned to a user.
  • The role is available as an attribute in the user Distinguished Name (DN) entry. Group attribute definition is not needed.
  • The user has a "memberOf" attribute or any appropriate group DN attribute to identify the groups assigned to the user. Assign the corresponding LDAP group to a role in XCO.
  • LDAP groups have user entries in their group definitions. Assign the LDAP groups to roles in XCO.
Note

Note

If you configure LDAP server over SSL, and use IP to connect to the server, ensure that the certificate includes the IP as part of the subject alternative names (SANs) for a successful connection.

For more information about commands and supported parameters, see ExtremeCloud Orchestrator Command Reference, 3.3.0 .

Basic Configuration

Attribute Description Default Value
name Unique identifier for LDAP configuration in XCO. -
host IPv4 or IPv6 Address/Hostname of the LDAP server. -
port Port at which the LDAP server is listening for connections. 389
timeout Duration in number of seconds before considering the server unreachable. 5
bind-user-name

Distinguished Name (DN) of the user that should be used to bind, search, and retrieve LDAP entries.

-
bind-user-password Password of the bind user.

TLS Configuration

Attribute Description Default Value
tls

Use LDAP over SSL/TLS.

-
cacert Local path to the CA certificate file for SSL verification. -
insecuretls Option to skip certificate validation while connecting to the LDAP server false

Authentication

Attribute Description Default Value
user-search-base Distinguished Name of the node in your directory tree from which to start searching for user objects. -
user-object-base Name of the object class used for user objects. inetOrgPerson
user-login-attribute Attribute whose value matches the username part of credentials entered by your users when logging in. uid

Examples

To enable LDAP for authentication in XCO with OpenLDAP, use the following command:

efa auth ldapconfig add --name ldap_xco --host 10.x.x.x --bind-user-name cn=ldapuser,dc=xxx,dc=com 
--bind-user-password ******* --user-search-base ou=people,dc=xxx,dc=com

To enable LDAP for authentication in XCO with Windows AD, use the following command:

efa auth ldapconfig add --name ldap_winad --host 10.x.x.x --bind-user-name CN=ldapuser,CN=Users,DC=xxx,DC=com 
--bind-user-password ******* --user-search-base CN=Users,DC=xxx,DC=com --user-object-class user 
--user-login-attribute sAMAccountName

To use the same configuration with TLS enabled:

efa auth ldapconfig add --name ldap_winad --host 10.x.x.x –-tls –-cacert root-ca.pem --bind-user-name 
CN=ldapuser,CN=Users,DC=xxx,DC=com --bind-user-password ******* --user-search-base CN=Users,DC=xxx,DC=com 
--user-object-class user --user-login-attribute sAMAccountName

To skip certificate verification over the encrypted connection, use the following command:

efa auth ldapconfig add --name ldap_winad --host 10.x.x.x –-tls –-cacert root-ca.pem --insecuretls 
--bind-user-name CN=ldapuser,CN=Users,DC=xxx,DC=com --bind-user-password ******* 
--user-search-base CN=Users,DC=xxx,DC=com --user-object-class user --user-login-attribute sAMAccountName   

Authorization

There are multiple ways to define authorization for authenticated users.

  1. Assign roles to users using LDAP groups when users hold group membership details:
    Table 1.
    Attribute Description Default Value
    user-member-attribute Attribute to read the member of the group the user is part of. -

    Example

    In Windows AD, if the user has an attribute ‘memberOf‘ which gives the groups that he belongs to, then define ‘user-member-attribute‘

    efa auth ldapconfig add --name ldap_winad --host 10.x.x.x --bind-user-name 
    CN=ldapuser,CN=Users,DC=xxx,DC=com --bind-user-password ******* 
    --user-search-base CN=Users,DC=xxx,DC=com --user-object-class user 
    --user-login-attribute sAMAccountName –-user-member-attribute memberOf 
    Click to expand in new window
    LDAP screenshot

    These groups should be mapped to XCO roles using the role mapping command.

    efa auth rolemapping add --name CN=NMSAdmins,CN=Users,DC=etsuklab,DC=com --role SystemAdmin 
    --type group --auth-type LDAP --auth-identifier ldap_winad

    Assign roles for multiple groups, if required.

  2. Assign roles to users using LDAP groups when the groups are in a different search base:
    Attribute Description Default Value
    group-search-base Distinguished Name of the node in your directory tree from which to start searching for group objects. -
    group-object-class object class used for group objects. groupOfNames
    group-attribute Attribute to define search filter on group. cn
    group-member-user-attribute Name of the user attribute whose format matches the group members. entrydn
    group-member-mapping-attribute Name of the group attribute containing the members of a group. member
    efa auth ldapconfig add --name ldap_xco --host 10.x.x.x --bind-user-name cn=ldapuser,dc=xxx,dc=com 
    --bind-user-password ******* --user-search-base ou=people,dc=xxx,dc=com --group-search-base 
    ou=groups,dc=extrnet,dc=com

    To override the defaults for different LDAP:

    efa auth ldapconfig add --name ldap_xco --host 10.x.x.x --bind-user-name cn=ldapuser,dc=xxx,dc=com 
    --bind-user-password ******* --user-search-base ou=people,dc=xxx,dc=com --group-search-base 
    ou=groups,dc=extrnet,dc=com --group-member-user-attribute dn --group-member-mapping-attribute memberUid --group-object-class posixGroup

    Assign the required roles for the groups in XCO using the role mapping command.

  3. Assign roles to user from a custom attribute and XCO role defined with a key/value pair:
    Attribute Description Default Value
    user-role-attribute Attribute to read the role of user from. -
    user-role-attribute-key

    Attribute to read the role value from role attribute.

    -
    efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=admin,dc=extrnet,dc=com 
    --bind-user-password ******* --user-search-base ou=people,dc=extrnet,dc=com 
    --user-role-attribute role --user-role-attribute-key  rolename

    Here role is the custom schema defined in LDAP as an attribute for user and the rolename is where it holds the XCO role in LDAP.

    The role attribute for the user entry in LDAP has the value of rolename:SystemAdmin,rolename:FabricAdmin

  4. To defines roles in XCO and skip authorization in LDAP, add the required role for each user:
    efa auth rolemapping add --name=testuser --role=FabricAdmin --type=user --auth-type=ldap 
    --auth-identifier=ldap_xco