Command Line Interface Reference Guide > The Configuration Menu > /cfg/sys/ldap LDAP Server Configuration
/cfg/sys/ldap
LDAP Server Configuration
If Alteon is configured to use LDAP for authentication, the user-authentication process is as follows:
1. The user accesses the Alteon interface and enters the username and password given by the LDAP administrator.
2. Alteon sends the authentication request (that is, the bind request) to the LDAP server.
Note: If an administrator bind DN is not defined, the Fully Qualified Domain Name (FQDN) parameter is mandatory, because the user name in the bind request then includes the FQDN (that is, <username>@<FQDN>).
3. If authentication with the LDAP server fails, the user receives an appropriate message and the connection is refused.
4. If authentication with the LDAP server succeeds:
a. Alteon sends a search request to the LDAP server for the user whose User ID Attribute (default sAMAccountName) value matches the login name.
Alteon then matches the user's attributes against the configured role mapping to find the user's role.
Note: To reduce search time, specify the most specific base DNs (the directory subtrees from which the search starts).
b. If the LDAP server finds the requested user, Alteon grants the authenticated user the permissions of the role mapped to the user's LDAP object class in the role mapping configured in Alteon.
If no role mapping matches, Alteon displays an appropriate message and does not grant the user access.
LDAP communication can be done either via the management (default) or the data port. This can be set via the CLI command: /cfg/sys/mmgmt, or through the WEB UI System > Management Access > Management Traffic Routing > LDAP.
LDAP on the data port has the following limitations:
1. To enable LDAP on the data port, '/maint/debug/ldapdata' must be enabled, followed by a device reset.
2. LDAP is not supported on non-DPDK platforms (6420p and 8820).
3. Alteon VA requires a minimum of 2 CPUs and 4 GB of memory.
4. The vADC MP CPU setting must be Normal or higher (/c/vadc/mpcpu).
 
[LDAP Server Menu]
maprole - Map LDAP Object Class to User Role Menu
prisrv - Set primary LDAP server address
secsrv - Set secondary LDAP server address
port - Set LDAP port
secure - Set LDAP over SSL (LDAPs)
fqdn - LDAP's Fully Qualified Domain Name
binddn - Set the administrator bind DN
bindpw - Set the administrator password for LDAP binding
dnadd - Add base DN for search
dnrem - Remove base DN for search
userattr - Set the user id attribute for username matching
retries - Set LDAP server retries
timeout - Set LDAP server timeout (seconds)
secbd - Enable/disable LDAP secure backdoor for telnet/ssh/http
local - Set local Authentication priority
on - Turn LDAP authentication ON
off - Turn LDAP authentication OFF
cur - Display current LDAP configuration
 
LDAP Server Configuration Menu Options (/cfg/sys/ldap) 
Command Syntax and Usage
maprole
 
Displays the MAP LDAP Object Class to User Role menu. To view this menu, see /cfg/sys/ldap/maprole MAP LDAP Object Class to User Role Menu.
prisrv <IP address (v4 or v6)>
 
The IPv4 or IPv6 address of the primary LDAP server.
secsrv <IP address (v4 or v6)>
 
The IPv4 or IPv6 address of the secondary LDAP server.
port <LDAP port to configure>
 
Sets the LDAP port.
Values: 1-65000
Default: 389
If Secure LDAP is configured, the default port is 636.
secure
 
Specifies whether authentication communication between Alteon and the LDAP server uses Secure LDAP.
Values: disable, enable
Default: disable
fqdn
 
Specifies the LDAP FQDN.
If the Fully Qualified Domain Name (FQDN) parameter is specified, the user name in the bind request includes the FQDN (that is, <username>@<FQDN>). Mandatory when administrator bind DN is not configured.
Maximum number of characters: 255
binddn
 
Sets the administrator bind distinguished name (DN).
The administrator bind DN is used only for querying the directory server and so this user must have privileges to search the directory tree. It is required when anonymous bind is not allowed.
Maximum number of characters: 256
bindpw
 
Sets the administrator bind password.
Maximum number of characters: 256
dnadd
 
The base DN limits the search to a more specific directory subtree. Using a specific base DN speeds up all queries to the LDAP server.
Up to 10 base DNs can be configured. At least one base DN must be configured.
dnrem
 
Removes a base DN from the search list.
userattr
 
Sets the user ID attribute used for username matching.
Maximum number of characters: 30
The User ID Attribute is the attribute in a user record that identifies the user, and is expected to match the username entered during user login.
Default: sAMAccountName
retries <LDAP server retries (1-3)>
 
Sets the number of retries to the LDAP server.
Values: 1-3
Default: 3
timeout <LDAP server timeout seconds (1-10)>
 
Sets the time, in seconds, to wait for a reply before re-sending an authentication request to the LDAP server.
Values: 1-60
Default: 3 seconds
secbd disable|enable
 
Enables or disables LDAP secure backdoor access for Telnet, SSH and HTTP.
Values:
*enabled — The default admin user can log in from the serial console, Telnet, SSH and the WEB UI when the LDAP server is unavailable.
*disabled — There is no access to Alteon until the authentication servers are reachable again.
Default: disabled
local
 
Specifies that Alteon first searches for the user in the Local User Table, and connects to the remote authentication server only if the user is not found or not authenticated there.
Values: disable, enable
Default: disable
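The following is an added example, not code from Radware or from the Alteon product. It models the login flow described at the top of this page (bind, search by User ID Attribute under the configured base DNs, object-class role mapping) together with the behaviour of the fqdn/binddn, local and secbd options, against a constructed in-memory directory. Its purpose is to let an administrator reason about a role-mapping table and the lockout consequences of secbd before issuing /cfg/sys/ldap/on on a real device. The directory entries, DNs, passwords, the domain corp.example, the role names and the dict shape used for maprole are all assumptions made for the example; the page does not say how the user's own password is checked when binddn is configured, and the model assumes a second bind with the DN returned by the search.

```python
"""Model of the Alteon LDAP login flow documented on this page (added example,
not Radware code).  Replays the documented steps against a constructed
in-memory directory so a role mapping and the fqdn/binddn, local and secbd
settings can be checked for lockout and privilege mistakes before
'/cfg/sys/ldap/on' is issued.  All names and entries below are invented."""
from dataclasses import dataclass, field

DOMAIN = "corp.example"                         # constructed: the directory's UPN suffix

@dataclass
class LdapConfig:
    fqdn: str = ""                              # fqdn
    binddn: str = ""                            # binddn (empty = bind as <user>@<fqdn>)
    bindpw: str = ""                            # bindpw
    basedns: list = field(default_factory=list) # dnadd entries (up to 10)
    userattr: str = "sAMAccountName"            # userattr
    maprole: dict = field(default_factory=dict) # objectClass -> role (assumed shape)
    local: bool = False                         # local: try the Local User Table first
    secbd: bool = False                         # secbd: admin fallback when LDAP is down

# Constructed directory: DN -> attributes.  'userPassword' stands in for the bind secret.
DIRECTORY = {
    "CN=svc-alteon,OU=Service,DC=corp,DC=example": {
        "sAMAccountName": "svc-alteon", "userPassword": "svc-pw",
        "objectClass": ["top", "person"]},
    "CN=alice,OU=NetOps,DC=corp,DC=example": {
        "sAMAccountName": "alice", "userPassword": "alice-pw",
        "objectClass": ["top", "person", "alteonAdmin"]},
    "CN=bob,OU=Sales,DC=corp,DC=example": {
        "sAMAccountName": "bob", "userPassword": "bob-pw",
        "objectClass": ["top", "person"]},
}
LOCAL_USERS = {"admin": ("admin-pw", "admin")}  # constructed Local User Table: user -> (pw, role)

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter: a login name
    such as 'x)(objectClass=*' must not be able to widen the user lookup."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search_filter(cfg: LdapConfig, username: str) -> str:
    """The filter for step 4a: the entry whose userattr equals the login name."""
    return f"({cfg.userattr}={ldap_escape(username)})"

def fake_bind(identity: str, password: str) -> bool:
    """Bind as either a DN or a <user>@<fqdn> name against DIRECTORY."""
    if "@" in identity:
        user, _, fqdn = identity.partition("@")
        if fqdn.lower() != DOMAIN:
            return False
        entry = next((e for e in DIRECTORY.values() if e["sAMAccountName"] == user), None)
    else:
        entry = DIRECTORY.get(identity)
    return entry is not None and entry["userPassword"] == password

def fake_search(cfg: LdapConfig, username: str):
    """Step 4a over each configured base DN: the entry under that subtree whose
    userattr matches the login name.  Returns (dn, attrs) or None."""
    for base in cfg.basedns:
        for dn, attrs in DIRECTORY.items():
            if dn.lower().endswith(base.lower()) and attrs.get(cfg.userattr) == username:
                return dn, attrs
    return None

def login(cfg: LdapConfig, username: str, password: str, server_up: bool = True) -> str:
    """Returns the granted role, or a 'denied: ...' string mirroring the page's
    failure cases."""
    if cfg.local and username in LOCAL_USERS and LOCAL_USERS[username][0] == password:
        return LOCAL_USERS[username][1]          # local: found and authenticated locally
    if not server_up:                            # secbd decides what happens
        if cfg.secbd and username == "admin" and LOCAL_USERS["admin"][0] == password:
            return "admin"
        return "denied: LDAP unreachable and secure backdoor disabled"
    if cfg.binddn:                               # administrator bind for the directory query
        if not fake_bind(cfg.binddn, cfg.bindpw):
            return "denied: administrator bind failed"
    elif not cfg.fqdn:
        return "denied: fqdn is mandatory when binddn is not configured"
    elif not fake_bind(f"{username}@{cfg.fqdn}", password):   # steps 2 and 3
        return "denied: LDAP authentication failed"
    hit = fake_search(cfg, username)
    if hit is None:
        return "denied: user not found under configured base DNs"
    dn, attrs = hit
    # Assumption: with binddn, the user's password is verified by a second bind
    # with the DN the search returned (the page does not spell this out).
    if cfg.binddn and not fake_bind(dn, password):
        return "denied: LDAP authentication failed"
    for oc in attrs["objectClass"]:              # step 4b: objectClass -> role
        if oc in cfg.maprole:
            return cfg.maprole[oc]
    return "denied: no role mapping matched"
```

Two cases are worth running before going live: a configuration with neither binddn nor fqdn, which the model rejects for every user, and a server outage with secbd left at its default of disabled, which leaves no way in at all; with local enabled, a Local User Table entry still works during the outage.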
on
 
Turn on LDAP authentication.
off
 
Turn off LDAP authentication.
cur
 
Displays the current LDAP configuration.