Overview

The SBC Core is configurable using CLI and EMA interfaces, and the access to these interfaces are authenticated using the user credentials. User credentials are verified using external authentication. The user credentials can be sent to a remote Lightweight Directory Access Protocol (LDAP) for external centralized authentication. The username and password are sent to the remote LDAP server. The user is allowed/denied access to the SBC based on the response from the LDAP server. 

SBC users are currently segregated into the following groups which define the privileges of each user. Access to data/commands is allowed/prevented based on the group of the user who is trying to acquire the access.

  • Administrator
  • Operator
  • FieldService
  • Guest
  • SecurityAuditor
  • Calea

Configuring LDAP

Set External Authentication Type to LDAP

To configure LDAP authentication for the SBC Core, you must first enable external authentication and then configure the remote LDAP server.

  1. Login to the SBC CLI.
  2. Execute the following System Admin command:

    Example
    set system admin SBC-1 externalAuthenticationType ldap
Note

For CLI configuration details, refer to External Authentication - CLI. To enable the external authentication using EMA, refer to System - Admin.

Establish LDAP Authentication

Configure information to communicate with one or more LDAP servers using the OAM command.

set oam ldapAuthentication ldapServer ldap1 priority 1 transport tls binddn "ou=people,dc=example,dc=com" searchbase "dc=example,dc=com" ldapServerAddress 169.172.201.153 state enabled


Note

For CLI configuration details, refer to LDAP Authentication - CLI. To establish the LDAP authentication using EMA, refer to OAM - LDAP Authentication - LDAP Server.

Obtain groupName

Two methods are available to get the groupName.

Method 1:

Set the groupName parameter to the LDAP attribute that contains the groupname. For example, a user record of this type would look like the following using a sample directory entry for account "jsmith":

# jsmith, People, example.com

dn: uid=jsmith,ou=People,dc=example,dc=com

uid: jsmith

cn: Joe Smith

objectClass: top

objectClass: person

objectClass: inetOrgPerson

userPassword:: sunshine23!

groupName: Administrator

accessLevel: userAccessLevel1

In this case, the groupName attribute is set to groupName, and the groupName Administrator is returned.

Method 2:

If the groupName parameter is not set, then each filter in the filters table is tried until a match is made. A sample user entry in this case will not include the groupName attribute. Here is a sample directory entry for account "jsmith":

# jsmith, People, example.com

dn: uid=jsmith,ou=People,dc=example,dc=com

uid: jsmith

cn: Joe Smith

objectClass: top

objectClass: person

objectClass: inetOrgPerson

userPassword:: sunshine23!

accessLevel: userAccessLevel1

In this case, a filter (&(uid=%%USERNAME%% ) (accessLevel:=userAccessLevel1)) matches the accessLevel: userAccesLevel1 attribute, and the groupName is Administrator as configured in the filters table.

Obtain Correct privileges via LDAP Query

Configure a set of filters against predefined or custom groups to determine if the specified user is a member of those groups. Each filter is accessed in the order specified in the LDAP Filters table. If a filter returns at least one record, then the user is considered part of that group, and that group name is used.

Example
set oam ldapAuthentication ldapFilters order 1 groupName Administrator filter (&(uid=%%USERNAME%% )(accessLevel:=userAccessLevel1)) 
Note

For CLI configuration details, refer to LDAP Authentication - CLI. To set the LDAP filters using EMA, refer to OAM - LDAP Authentication - LDAP Filters.

Configure LDAP Servers

Configure SBC Core information to communicate with one or more LDAP servers. See Establish LDAP Authentication.

Configure LDAP Retry Criteria

Configure the LDAP Server Retry criteria settings the SBC uses to attempt another authentication request if a request fails, how many times to attempt an authentication retry, and how long the LDAP server remains out of service after a timeout.

Example
set oam ldapAuthentication retryCriteria retryTime 1000 retryCount 3 oosDuration 60
Note

For CLI configuration details, refer to LDAP Authentication - CLI. To configure LDAP Retry Criteria using EMA, refer to OAM - LDAP Authentication - LDAP Retry Criteria.

Maintaining LDAP

Send a 're-enable' Command to Re-enable the LDAP Server

An LDAP server is marked "unavailable" when the SBC cannot reach it. Use the Request command to re-enable the LDAP server, which will set the status back to "available".

Example
request oam ldapAuthentication ldapServer ldapServer1 reEnableServer

For CLI configuration details, refer to LDAP Authentication - CLI. To re-enable the LDAP server using EMA, refer to OAM - LDAP Authentication - LDAP Server.

View LDAP Status

Use the following OAM command to view LDAP server status details.

Example
% show table oam ldapAuthentication ldapStatus

For CLI configuration details, refer to Show Table OAM#LDAPAuthentication. To view the LDAP server status using EMA, refer to OAM - LDAP Authentication - LDAP Status.