efa auth ldapconfig

Adds, updates, or deletes an external LDAP server, or shows the current LDAP configuration.

Syntax

efa auth ldapconfig add [ --name ldap-name | --primary value | --host hostname | --port port-num | --tls | --insecure-tls | --cacert cert-loc | --timeout value | --bind-user-name dn | --bind-user-password pword | --user-search-base dn | --user-object-class obj-class | --user-login-attribute att-value | --user-role-attribute att-value | --user-role-attribute-key att-value | --user-member-attribute att-value | --group-search-base dn | --group-object-class obj-class | --group-attribute att-value | --group-member-user-attribute att-value | --group-member-mapping-attribute att-value ]
efa auth ldapconfig update [ --name ldap-name | --primary value | --host hostname | --port port-num | --tls | --insecure-tls | --cacert cert-loc | --timeout value | --bind-user-name dn | --bind-user-password pword | --user-search-base dn | --user-object-class obj-class | --user-login-attribute att-value | --user-role-attribute att-value | --user-role-attribute-key att-value | --user-member-attribute att-value | --group-search-base dn | --group-object-class obj-class | --group-attribute att-value | --group-member-user-attribute att-value | --group-member-mapping-attribute att-value ]
efa auth ldapconfig delete [--name ldap-name ]
efa auth ldapconfig show [--name ldap-name ]

Parameters

--bind-user-name dn
Specifies the Distinguished Name (DN) of the user that you want to use to bind, search, and retrieve LDAP entries.
--bind-user-password pword
Specifies the password of the bind user.
--cacert cert-loc
Specifies the location of the Certificate Authority certificate.
--group-search-base dn
Specifies the DN of the node in the directory tree from which searches for group objects begin.
--group-object-class obj-class
Specifies the name of the object class to use for group searches. The default is groupOfNames.
--group-attribute att-value
Specifies the attribute that defines the search filter on a group. The default is cn.
--group-member-user-attribute att-value
Specifies the user attribute whose value is compared with the entries of the group member attribute. The default is entrydn.
--group-member-mapping-attribute att-value
Specifies the name of the group attribute that contains the members of a group. The default is member.
--host hostname
Specifies the host name, IPv4, or IPv6 address of the LDAP server.
--name ldap-name
Specifies the name of the LDAP connection.
--primary value
Specifies 1 to mark this connection as the primary one when multiple LDAP connections are available.
--port port-num
Specifies the port at which the LDAP server listens for connections.
--tls | --insecure-tls
Specify --tls to use LDAP over SSL/TLS. Specify --insecure-tls to use LDAP without certificate verification.

--timeout value
Specifies the number of seconds that must elapse before the LDAP server is considered unreachable. The default is 5 seconds.
--user-search-base dn
Specifies the DN of the node in the directory tree from which searches for user objects will start.
--user-object-class obj-class
Specifies the name of the object class to use for user objects. The default is inetOrgPerson.
--user-login-attribute att-value
Specifies the attribute that matches the user name part of credentials that users enter while logging in. The default is uid.
--user-role-attribute att-value
Specifies the attribute from which the user role is read.
--user-role-attribute-key att-value
Specifies the key used to select role values from the key-value pairs stored in the role attribute.
--user-member-attribute att-value
Specifies the user attribute that lists the groups of which the user is a member.

Usage Guidelines

You configure an LDAP server for user validation and to fetch user groups.

When a user is assigned XCO roles in LDAP, ensure that you define the user-role-attribute parameter.

You can use key-value pairs to define one attribute value that assigns multiple roles to a user. Use the user-role-attribute-key parameter for such a scenario.

When you use LDAP groups to assign roles to users, ensure that you define the user-member-attribute parameter.

When LDAP groups are not in the same search base as the users in the groups, ensure that you define the following parameters.
  • group-search-base
  • group-object-class
  • group-attribute
  • group-member-user-attribute
  • group-member-mapping-attribute

To configure LDAP for a deployment of XCO on a TPVM, see the "TPVM Management" section of the Extreme SLX-OS Management Configuration Guide.

Examples

This example configures the bind user name, the bind password, and the DN of the node from which searches start.

# efa auth ldapconfig add --name ldapconfig --host 10.x.x.x
--bind-user-name cn=admin,dc=extrnet,dc=com --bind-user-password password
--user-search-base ou=people,dc=extrnet,dc=com

This example configures the --user-role-attribute parameter for a user that is assigned XCO roles in LDAP.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx 
--user-search-base ou=people,dc=y,dc=com --user-role-attribute role 

This example assigns multiple roles to a user with one key-value pair. The role attribute for the user entry in LDAP has the value of datacenterowner:SystemAdmin,datacenterowner:FabricAdmin.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx 
--user-search-base ou=people,dc=y,dc=com --user-role-attribute role 
--user-role-attribute-key  datacenterowner

This example configures the --user-member-attribute for a user entry in LDAP that has an attribute of memberOf.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com --bind-user-password xxx 
--user-search-base ou=people,dc=y,dc=com --user-member-attribute memberOf

This example configures the attributes required when LDAP groups are not in the same search base as the users in the groups.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x --bind-user-name cn=x,dc=y,dc=com
--bind-user-password xxx --user-search-base ou=people,dc=x,dc=com
--group-search-base ou=groups,dc=x,dc=in --group-member-user-attribute dn
--group-member-mapping-attribute memberUid --group-object-class posixGroup

This example maps an LDAP group to an XCO role.

# efa auth rolemapping add --name group1 --type GROUP --role SystemAdmin
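The following is an added illustrative model, not XCO's own code, of how the role parameters fit together: the key-value role attribute from the --user-role-attribute-key example above, and the group lookup from the separate-search-base example together with a group-to-role mapping like the rolemapping command above. It assumes the role attribute holds comma-separated values, optionally written as key:role pairs of which only pairs under the configured key count; the user, group and DN values are constructed.

```python
def roles_from_attribute(user_entry, role_attr, role_key=None):
    """Roles read from --user-role-attribute; with a key, only key:role pairs match."""
    roles = set()
    for raw in user_entry.get(role_attr, []):
        for item in (s.strip() for s in raw.split(",")):
            if not item:
                continue
            if role_key is None:
                roles.add(item)  # plain role names, no key filtering
                continue
            key, sep, role = item.partition(":")
            if sep and key.strip() == role_key and role.strip():
                roles.add(role.strip())  # keep only pairs under the configured key
    return roles

def groups_for_user(user_entry, groups, member_user_attr, mapping_attr):
    """Groups whose --group-member-mapping-attribute (e.g. member) lists one of the
    user's --group-member-user-attribute values (e.g. entrydn)."""
    wanted = set(user_entry.get(member_user_attr, []))
    return {g["cn"][0] for g in groups if wanted & set(g.get(mapping_attr, []))}

def resolve_roles(user_entry, cfg, groups=(), group_roles=None):
    """Union of roles from the role attribute and from groups mapped to roles."""
    roles = set()
    if cfg.get("user_role_attribute"):
        roles |= roles_from_attribute(user_entry, cfg["user_role_attribute"],
                                      cfg.get("user_role_attribute_key"))
    if cfg.get("group_member_user_attribute"):
        for name in groups_for_user(user_entry, groups, cfg["group_member_user_attribute"],
                                    cfg["group_member_mapping_attribute"]):
            roles |= set((group_roles or {}).get(name, ()))  # from efa auth rolemapping
    return roles

# Constructed sample data: attribute -> list of values, as an LDAP search returns them.
USER = {"entrydn": ["uid=alice,ou=people,dc=y,dc=com"],
        "role": ["datacenterowner:SystemAdmin,datacenterowner:FabricAdmin,other:Viewer"]}
GROUPS = [{"cn": ["group1"], "member": ["uid=alice,ou=people,dc=y,dc=com"]},
          {"cn": ["group2"], "member": ["uid=bob,ou=people,dc=y,dc=com"]}]
CFG = {"user_role_attribute": "role", "user_role_attribute_key": "datacenterowner",
       "group_member_user_attribute": "entrydn", "group_member_mapping_attribute": "member"}
ROLE_MAP = {"group1": ["SystemAdmin"]}  # rolemapping add --name group1 --type GROUP --role SystemAdmin

if __name__ == "__main__":
    print(sorted(resolve_roles(USER, CFG, GROUPS, ROLE_MAP)))  # ['FabricAdmin', 'SystemAdmin']
```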

This example configures LDAP for Active Directory.

# efa auth ldapconfig add --name ldap1 --host 10.x.x.x 
--bind-user-name cn=x,dc=y,dc=com 
--bind-user-password xxx --user-search-base ou=people,dc=y,dc=com 
--user-object-class user 
--user-login-attribute sAMAccountName --user-member-attribute memberOf