Configuring LDAP schemes
Configuration task list
Tasks at a glance |
|---|
Configuring an LDAP server:
|
(Optional.) Configuring an LDAP attribute map |
(Required.) Creating an LDAP scheme |
(Required.) Specifying the LDAP authentication server |
(Optional.) Specifying the LDAP authorization server |
(Optional.) Specifying an LDAP attribute map for LDAP authorization |
Creating an LDAP server
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an LDAP server and enter LDAP server view. | ldap server server-name | By default, no LDAP servers exist. |
Configuring the IP address of the LDAP server
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | System-view | N/A |
2. Enter LDAP server view. | ldap server server-name | N/A |
3. Configure the IP address of the LDAP server. | { ip ip-address | ipv6 ipv6-address } [ port port-number ] [ vpn-instance vpn-instance-name ] | By default, an LDAP server does not have an IP address. You can configure either an IPv4 address or an IPv6 address for an LDAP server. The most recent configuration takes effect. |
Specifying the LDAP version
Specify the LDAP version on the NAS. The device supports LDAPv2 and LDAPv3. The LDAP version specified on the device must be consistent with the version specified on the LDAP server.
To specify the LDAP version:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter LDAP server view. | ldap server server-name | N/A |
3. Specify the LDAP version. | protocol-version { v2 | v3 } | By default, LDAPv3 is used. A Microsoft LDAP server supports only LDAPv3. |
Setting the LDAP server timeout period
If the device sends a bind or search request to an LDAP server without receiving the server's response within the server timeout period, the authentication or authorization request times out. Then, the device tries the backup authentication or authorization method. If no backup method is configured in the ISP domain, the device considers the authentication or authorization attempt a failure.
To set the LDAP server timeout period:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter LDAP server view. | ldap server server-name | N/A |
3. Set the LDAP server timeout period. | server-timeout time-interval | By default, the LDAP server timeout period is 10 seconds. |
Configuring administrator attributes
To configure the administrator DN and password for binding with the LDAP server during LDAP authentication:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter LDAP server view. | ldap server server-name | N/A |
3. Specify the administrator DN. | login-dn dn-string | By default, no administrator DN is specified. The administrator DN specified on the device must be the same as the administrator DN configured on the LDAP server. |
4. Configure the administrator password. | login-password { cipher | simple } string | By default, no administrator password is specified. |
Configuring LDAP user attributes
To authenticate a user, an LDAP client must complete the following operations:
Establish a connection to the LDAP server.
Obtain the user DN from the LDAP server.
Use the user DN and the user's password to bind with the LDAP server.
LDAP provides a DN search mechanism for obtaining the user DN. According to the mechanism, an LDAP client sends search requests to the server based on the search policy determined by the LDAP user attributes of the LDAP client.
The LDAP user attributes include:
Search base DN.
Search scope.
Username attribute.
Username format.
User object class.
If the LDAP server contains many directory levels, a user DN search starting from the root directory can take a long time. To improve efficiency, you can change the start point by specifying the search base DN.
To configure LDAP user attributes:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter LDAP server view. | ldap server server-name | N/A |
3. Specify the user search base DN. | search-base-dn base-dn | By default, no user search base DN is specified. |
4. (Optional.) Specify the user search scope. | search-scope { all-level | single-level } | By default, the user search scope is all-level. |
5. (Optional.) Specify the username attribute. | user-parameters user-name-attribute { name-attribute | cn | uid } | By default, the username attribute is cn. |
6. (Optional.) Specify the username format. | user-parameters user-name-format { with-domain | without-domain } | By default, the username format is without-domain. |
7. (Optional.) Specify the user object class. | user-parameters user-object-class object-class-name | By default, no user object class is specified, and the default user object class on the LDAP server is used. The default user object class for this command varies by server model. |
Configuring an LDAP attribute map
Configure an LDAP attribute map to define a list of LDAP-AAA attribute mapping entries. To apply the LDAP attribute map, specify the name of the LDAP attribute map in the LDAP scheme used for authorization.
The LDAP attribute map feature enables the device to convert LDAP attributes obtained from an LDAP authorization server to device-recognizable AAA attributes based on the mapping entries. Because the device ignores unrecognized LDAP attributes, configure the mapping entries to include important LDAP attributes that should not be ignored.
An LDAP attribute can be mapped only to one AAA attribute. Different LDAP attributes can be mapped to the same AAA attribute.
To configure an LDAP attribute map:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an LDAP attribute map and enter LDAP attribute map view. | ldap attribute-map map-name | By default, no LDAP attribute maps exist. |
3. Configure a mapping entry. | map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute user-group | By default, an LDAP attribute map does not have any mapping entries. Repeat this command to configure multiple mapping entries. |
Creating an LDAP scheme
You can configure a maximum of 16 LDAP schemes. An LDAP scheme can be used by multiple ISP domains.
To create an LDAP scheme:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an LDAP scheme and enter LDAP scheme view. | ldap scheme ldap-scheme-name | By default, no LDAP schemes exist. |
Specifying the LDAP authentication server
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter LDAP scheme view. | ldap scheme ldap-scheme-name | N/A |
3. Specify the LDAP authentication server. | authentication-server server-name | By default, no LDAP authentication server is specified. |
Specifying the LDAP authorization server
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter LDAP scheme view. | ldap scheme ldap-scheme-name | N/A |
3. Specify the LDAP authorization server. | authorization-server server-name | By default, no LDAP authorization server is specified. |
Specifying an LDAP attribute map for LDAP authorization
Specify an LDAP attribute map for LDAP authorization to convert LDAP attributes obtained from the LDAP authorization server to device-recognizable AAA attributes.
You can specify only one LDAP attribute map in an LDAP scheme.
To specify an LDAP attribute map for LDAP authorization:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter LDAP scheme view. | ldap scheme ldap-scheme-name | N/A |
3. Specify an LDAP attribute map. | attribute-map map-name | By default, no LDAP attribute map is specified. |
Displaying and maintaining LDAP
Execute display commands in any view.
Task | Command |
|---|---|
Display the configuration of LDAP schemes. | display ldap scheme [ ldap-scheme-name ] |