You can configure an LDAP server for user
validation and to fetch user groups.
LDAP supports three modes for
fetching the roles assigned to a user.
The role is available as an
attribute in the user Distinguished Name (DN) entry. Group attribute definition
is not needed.
The user has a "memberOf"
attribute or any appropriate group DN attribute to identify the groups assigned
to the user. Assign the corresponding LDAP group to a role in XCO .
LDAP groups have user entries in
their group definitions. Assign the LDAP groups to roles in XCO .
Note
If you configure LDAP server over SSL, and use IP to connect to the server,
ensure that the certificate includes the IP as part of the subject alternative
names (SANs) for a successful connection.
For more information about commands and supported parameters, see
ExtremeCloud Orchestrator Command Reference,
3.3.0
.
Basic Configuration
Attribute
Description
Default Value
name
Unique identifier for LDAP configuration in XCO.
-
host
IPv4 or IPv6 Address/Hostname of the LDAP server.
-
port
Port at which the LDAP server is listening for
connections.
389
timeout
Duration in number of seconds before considering the server
unreachable.
5
bind-user-name
Distinguished Name (DN) of the user that should be used to bind,
search, and retrieve LDAP entries.
-
bind-user-password
Password of the bind user.
Attribute
Description
Default Value
tls
Use LDAP over SSL/TLS.
-
cacert
Local path to the CA certificate file for SSL
verification.
-
insecuretls
Option to skip certificate validation while connecting to the
LDAP server
false
Attribute
Description
Default Value
user-search-base
Distinguished Name of the node in your directory tree from which
to start searching for user objects.
-
user-object-base
Name of the object class used for user objects.
inetOrgPerson
user-login-attribute
Attribute whose value matches the username part of credentials
entered by your users when logging in.
uid
Examples
To enable LDAP for authentication in XCO with OpenLDAP, use the following command:
efa auth ldapconfig add --name ldap_xco --host 10.x.x.x --bind-user-name cn=ldapuser,dc=xxx,dc=com
--bind-user-password ******* --user-search-base ou=people,dc=xxx,dc=com
To enable LDAP for authentication in XCO with Windows AD, use the following command:
efa auth ldapconfig add --name ldap_winad --host 10.x.x.x --bind-user-name CN=ldapuser,CN=Users,DC=xxx,DC=com
--bind-user-password ******* --user-search-base CN=Users,DC=xxx,DC=com --user-object-class user
--user-login-attribute sAMAccountName
To use the same configuration with TLS enabled:
efa auth ldapconfig add --name ldap_winad --host 10.x.x.x –-tls –-cacert root-ca.pem --bind-user-name
CN=ldapuser,CN=Users,DC=xxx,DC=com --bind-user-password ******* --user-search-base CN=Users,DC=xxx,DC=com
--user-object-class user --user-login-attribute sAMAccountName
To skip certificate verification over the encrypted connection, use the following command:
efa auth ldapconfig add --name ldap_winad --host 10.x.x.x –-tls –-cacert root-ca.pem --insecuretls
--bind-user-name CN=ldapuser,CN=Users,DC=xxx,DC=com --bind-user-password *******
--user-search-base CN=Users,DC=xxx,DC=com --user-object-class user --user-login-attribute sAMAccountName
Authorization
There are multiple ways to define authorization for authenticated users.
Assign roles to users using LDAP
groups when users hold group membership details:
Table 1.
Attribute
Description
Default Value
user-member-attribute
Attribute to read the member of the group the user is
part of.
-
Example
In Windows AD, if the user has an attribute ‘memberOf‘ which gives the groups that he belongs to, then define ‘user-member-attribute‘
efa auth ldapconfig add --name ldap_winad --host 10.x.x.x --bind-user-name
CN=ldapuser,CN=Users,DC=xxx,DC=com --bind-user-password *******
--user-search-base CN=Users,DC=xxx,DC=com --user-object-class user
--user-login-attribute sAMAccountName –-user-member-attribute memberOf
These groups should be mapped to XCO roles using the role mapping
command.
efa auth rolemapping add --name CN=NMSAdmins,CN=Users,DC=etsuklab,DC=com --role SystemAdmin
--type group --auth-type LDAP --auth-identifier ldap_winad
Assign roles for multiple groups, if required.
Assign roles to users using LDAP
groups when the groups are in a different search base:
Attribute
Description
Default Value
group-search-base
Distinguished Name of the node in your directory tree
from which to start searching for group objects.
-
group-object-class
object class used for group objects.
groupOfNames
group-attribute
Attribute to define search filter on group.
cn
group-member-user-attribute
Name of the user attribute whose format matches the group
members.
entrydn
group-member-mapping-attribute
Name of the group attribute containing the members of a
group.
member
efa auth ldapconfig add --name ldap_xco --host 10.x.x.x --bind-user-name cn=ldapuser,dc=xxx,dc=com
--bind-user-password ******* --user-search-base ou=people,dc=xxx,dc=com --group-search-base
ou=groups,dc=extrnet,dc=com
To override the defaults for different LDAP:
efa auth ldapconfig add --name ldap_xco --host 10.x.x.x --bind-user-name cn=ldapuser,dc=xxx,dc=com
--bind-user-password ******* --user-search-base ou=people,dc=xxx,dc=com --group-search-base
ou=groups,dc=extrnet,dc=com --group-member-user-attribute dn --group-member-mapping-attribute memberUid --group-object-class posixGroup
Assign the required roles for the groups in XCO using the role mapping command.
Assign roles to user from a custom attribute and XCO role defined with a key/value pair:
Attribute
Description
Default Value
user-role-attribute
Attribute to read the role of user from.
-
user-role-attribute-key
Attribute to read the role value from role attribute.
-
efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=admin,dc=extrnet,dc=com
--bind-user-password ******* --user-search-base ou=people,dc=extrnet,dc=com
--user-role-attribute role --user-role-attribute-key rolename
Here role is the custom schema defined in LDAP as an attribute for user and the rolename is where it holds the XCO role in LDAP.
The role attribute for the user entry in LDAP has the value of rolename:SystemAdmin,rolename:FabricAdmin
To defines roles in XCO and skip authorization in LDAP, add the required role for each user:
efa auth rolemapping add --name=testuser --role=FabricAdmin --type=user --auth-type=ldap
--auth-identifier=ldap_xco