DO NOT SHARE THESE DOCS WITH CUSTOMERS!

This is an LA release that will only be provided to a select number of PLM-sanctioned customers (PDFs only). Contact PLM for details.


In this section:

LDAP Server

Use this parameter to configure information to communicate with one or more LDAP servers.

Command Syntax

% set oam ldapAuthentication ldapServer <serverName>
    binddn <name>
    bindMethod <sasl|simple>
    groupNameAttribute <groupName, or empty string>
    ldapServerAddress <IPv4/IPv6 address>
    ldapServerPort <valid port>
    priority <1-3>
    saslMechanism <plain>
    searchbase <base>
    state <disabled|enabled>
    transport <ldaps|tcp|tls>

Command Parameters

LDAP Authentication Parameters

Parameter

Length/Range

Description

Mandatory (M)
or Optional (O)

serverNameUp to 23 characters<serverName> – The name of this LDAP server.M
binddnString

<name> – The distinguished name to use for the bind operation (only used for simple binds).

M, if bindMethod = simple
bindMethodN/A

Specify the bindMethod to use.

  • sasl – Use the Simple Authentication and Security Layer (SASL) option.
  • simple (default) – Use this option to bind the LDAP clients to the LDAP server with a username and password.
O
groupNameAttributeString

Use this parameter to define the group name attribute.

  • <attribute of user record> – The attribute in the user record that contains the CLI group name.
  • <empty string> (default) – leave as an empty string if the groupname is obtained using filters.
O
ldapServerAddressIPv4/IPv6 address<IP address> – The IPv4/IPv6 address of the LDAP serverM
ldapServerPort1-65535

<port number> – The LDAP server port. 

The default value is 389.

NOTE: If transport = ldaps, specify port 636.

O
priority1-3<priority #> – The server priority, where '1' is the highest priority.M
saslMechanismN/A

The SASL mechanism to use.

  • plain (default)
O
searchbaseString

This parameter specifies the location where the user records are located, and serves as the base for the LDAP query.

M
stateN/A

The state of this LDAP server.

  • disabled (default)
  • enabled
O
transportN/A

The transport type to use.

  • ldaps
  • tcp (default)
  • tls
O

Command Example

set oam ldapAuthentication ldapServer ldap1 priority 1 transport tls binddn "ou=people,dc=example,dc=com" searchbase "dc=example,dc=com" ldapServerAddress 169.172.201.153 state enabled

LDAP Filters

Use this parameter to configure a set of filters against predefined or custom groups to determine if the specified user is a member of those groups. Each filter is accessed in the order specified in the LDAP Filters table. If a filter returns at least one record, then the user is considered part of that group, and that group name is used.

Command Syntax

% set oam ldapAuthentication ldapFilters
    filter <LDAP filter string>
	groupName <name of CLI group name to login to CLI>
	order <integer>

Command Parameters

LDAP Filter Parameters

Parameter

Length/Range

Description

filterString

<filter string> – The LDAP filter (valid LDAP filter string) used to determine if the specified user is a member of the group defined by groupName.

The special string %%USERNAME%% will get replaced with the current user name being validated.

For example, if the user is jsmith, the filter (&(uid=%%USERNAME%%)(accessLevel:=userAccessLevel1)) becomes (&(uid=jsmith )(accessLevel:=userAccessLevel1))

groupNameN/A

The CLI group name to use for logging onto the CLI. 

  • Administrator
  • Calea
  • FieldService
  • Guest
  • Operator
  • SecurityAuditor
  • (The user-defined group containing the name of a custom group configured on the SBC)
orderInteger

<integer> – Specify a unique number to set the order to process the filter. The filter with an order  of '1' is processed first. 

Command Example

set oam ldapAuthentication ldapFilters order 1 groupName Administrator filter (&(uid=%%USERNAME%% )(accessLevel:=userAccessLevel1)) 

LDAP Retry Criteria

Use this parameter to configure the LDAP Server Retry criteria settings. 

Command Syntax

% set oam ldapAuthentication retryCriteria
	retryTimer <500-45000>
	retryCount <1-3>
	oosDuration <0-300>

Command Parameters

LDAP Retry Criteria Parameters

Parameter

Length/Range

Description

retryTimer 500-45000

<timer value> – The time, in milliseconds, before the SBC attempts another authentication request.

Default: 1000

retryCount 

1-3

<retryCount #> – The number of retries the SBC performs to attempt authentication.

Default: 3

oosDuration 0-300

<oosDuration #> – The time, in minutes, the LDAP server remains out of service after a timeout.

Default: 60

Command Example

set oam ldapAuthentication retryCriteria retryTime 1000 retryCount 3 oosDuration 60

Re-enable Server

An LDAP server is marked "unavailable" when the SBC cannot reach it. Use this command to re-enable the LDAP server, which will set the status back to "available".

Command Syntax

% request oam ldapAuthentication ldapServer <servername> reEnableServer

Command Parameters

Re-enable Server Parameters

ParameterDescription
ldapServer<serverName> – The name of the LDAP server.
reEnableServer

An LDAP server is marked "unavailable" when the SBC cannot reach it.

Use this action to re-enable an LDAP server, which then sets the status back to "available". 

Command Example

request oam ldapAuthentication ldapServer ldapServer1 reEnableServer