Overview
The SBC Core is configured through the CLI and EMA interfaces, and access to these interfaces is authenticated using user credentials. With external authentication, the credentials are verified by a remote Lightweight Directory Access Protocol (LDAP) server: the username and password are sent to the LDAP server for centralized authentication, and the user is allowed or denied access to the SBC based on the server's response.
SBC users are segregated into the following groups, which define the privileges of each user. Access to data and commands is allowed or prevented based on the group of the user requesting access.
- Administrator
- Operator
- FieldService
- Guest
- SecurityAuditor
- Calea
Configuring LDAP
Set External Authentication Type to LDAP
To configure LDAP authentication for the SBC Core, you must first enable external authentication and then configure the remote LDAP server.
- Log in to the SBC CLI.
- Execute the following System Admin command:
Example:
set system admin SBC-1 externalAuthenticationType ldap
For CLI configuration details, refer to External Authentication - CLI. To enable the external authentication using EMA, refer to System - Admin.
Establish LDAP Authentication
Configure information to communicate with one or more LDAP servers using the OAM command.
set oam ldapAuthentication ldapServer ldap1 priority 1 transport tls binddn "ou=people,dc=example,dc=com" searchbase "dc=example,dc=com" ldapServerAddress 169.172.201.153 state enabled
For CLI configuration details, refer to LDAP Authentication - CLI. To establish the LDAP authentication using EMA, refer to OAM - LDAP Authentication - LDAP Server.
The SBC provides Lightweight Directory Access Protocol (LDAP) support for Microsoft Active Directory (AD) services. LDAP support was originally added for logging in to confd via SSH or NETCONF to establish external centralized authentication; however, that original support was developed only for Linux-style LDAP servers, not for Microsoft's AD services.
The LDAP Authentication configuration is enhanced to include an advanced mode which allows you to bind a user with elevated privileges to the LDAP server so that the SBC can search the entire LDAP database to determine the group with which the user is associated.
The following updates are made to the LDAP Authentication configuration to facilitate SBC LDAP support of Microsoft's AD services.
1. Genericized the LDAP bind parameter to support both AD and OpenLDAP schemas.
2. Added a new search parameter to allow querying the AD database for the user's group membership information.
3. Added two new parameters to specify a service username/password when performing the search described in #2.
4. Added a new table to specify the mapping of the groups returned by the search in #2.
For further configuration details, refer to:
Obtain groupName
Two methods are available to get the groupName.
Method 1:
Set the groupName parameter to the name of the LDAP attribute that contains the group name. For example, a user record of this type looks like the following sample directory entry for the account "jsmith":
# jsmith, People, example.com
dn: uid=jsmith,ou=People,dc=example,dc=com
uid: jsmith
cn: Joe Smith
objectClass: top
objectClass: person
objectClass: inetOrgPerson
userPassword: sunshine23!
groupName: Administrator
accessLevel: userAccessLevel1
In this case, the groupName parameter is set to the attribute name groupName, and the value of that attribute, Administrator, is returned as the user's group.
Method 2:
If the groupName parameter is not set, each filter in the filters table is tried in order until a match is made. A user entry in this case does not include the groupName attribute. Here is a sample directory entry for the account "jsmith":
# jsmith, People, example.com
dn: uid=jsmith,ou=People,dc=example,dc=com
uid: jsmith
cn: Joe Smith
objectClass: top
objectClass: person
objectClass: inetOrgPerson
userPassword: sunshine23!
accessLevel: userAccessLevel1
In this case, the filter (&(uid=%%USERNAME%% ) (accessLevel:=userAccessLevel1)) matches the accessLevel: userAccessLevel1 attribute, and the group name is Administrator, as configured for that filter in the filters table.
Obtain Correct privileges via LDAP Query
Configure a set of filters against predefined or custom groups to determine whether the specified user is a member of those groups. Each filter is tried in the order specified in the LDAP Filters table. If a filter returns at least one record, the user is considered a member of that group, and that group name is used.
set oam ldapAuthentication ldapFilters order 1 groupName Administrator filter (&(uid=%%USERNAME%% )(accessLevel:=userAccessLevel1))
For CLI configuration details, refer to LDAP Authentication - CLI. To set the LDAP filters using EMA, refer to OAM - LDAP Authentication - LDAP Filters.
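The two group-resolution methods above, as an added Python model that is not SBC code: Method 1 reads the attribute named by the groupName parameter, and Method 2 substitutes %%USERNAME%% into each row of the filters table in order and returns the group of the first filter that returns at least one record. The directory entries, the filter rows other than the Administrator one, and the minimal filter evaluator are constructed for this example.

```python
# Constructed sample directory (DN -> attribute -> values), modelled on the "jsmith" record above.
DIRECTORY = {
    "uid=jsmith,ou=People,dc=example,dc=com": {"uid": ["jsmith"], "cn": ["Joe Smith"],
        "groupName": ["Administrator"], "accessLevel": ["userAccessLevel1"]},
    "uid=mjones,ou=People,dc=example,dc=com": {"uid": ["mjones"], "cn": ["Mary Jones"],
        "accessLevel": ["userAccessLevel3"]},          # constructed second user, no groupName
}

# The ldapFilters table as (order, groupName, filter); only the first row is from the page.
FILTERS = [
    (1, "Administrator", "(&(uid=%%USERNAME%% )(accessLevel:=userAccessLevel1))"),
    (2, "Operator", "(&(uid=%%USERNAME%% )(accessLevel:=userAccessLevel2))"),
    (3, "Guest", "(&(uid=%%USERNAME%% )(accessLevel:=userAccessLevel3))"),
]

def parse_filter(text):
    """Parse a minimal RFC 4515 filter: (&..), (|..), (!..), (attr=value) and (attr:=value)."""
    text = text.strip()
    assert text[:1] == "(" and text[-1:] == ")", "unbalanced filter: " + text
    body = text[1:-1]
    if body[:1] in ("&", "|", "!"):
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":                 # end of one nested component
                parts.append(parse_filter(body[start:i + 1]))
                start = i + 1
        return (body[0], parts)
    attr, _, value = body.partition("=")
    return ("=", attr.rstrip(":").strip(), value.strip())

def matches(node, entry):
    """Evaluate a parsed filter against one entry; ':=' is treated as an equality match."""
    if node[0] == "&": return all(matches(n, entry) for n in node[1])
    if node[0] == "|": return any(matches(n, entry) for n in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    return node[2] in entry.get(node[1], [])

def resolve_group(username, group_attr=None, directory=DIRECTORY, filters=FILTERS):
    """Method 1 if group_attr (the groupName parameter) names an attribute, else Method 2."""
    if group_attr:
        for entry in directory.values():
            if username in entry.get("uid", []):
                return (entry.get(group_attr) or [None])[0]   # attribute absent: no group (assumed)
        return None
    for _order, group, text in sorted(filters):            # first filter returning a record wins
        node = parse_filter(text.replace("%%USERNAME%%", username))
        if any(matches(node, e) for e in directory.values()):
            return group
    return None                                            # nothing matched: deny access (assumed)
```

A None result means no group could be resolved; the model treats that as a denied login, which the page does not spell out.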
Configure LDAP Servers
Configure SBC Core information to communicate with one or more LDAP servers. See Establish LDAP Authentication.
Configure LDAP Retry Criteria
Configure the LDAP Server Retry Criteria settings the SBC uses when an authentication request fails: how long to wait before attempting another authentication request (retryTime), how many times to retry (retryCount), and how long the LDAP server remains out of service after a timeout (oosDuration).
set oam ldapAuthentication retryCriteria retryTime 1000 retryCount 3 oosDuration 60
For CLI configuration details, refer to LDAP Authentication - CLI. To configure LDAP Retry Criteria using EMA, refer to OAM - LDAP Authentication - LDAP Retry Criteria.
Maintaining LDAP
Send a 're-enable' Command to Re-enable the LDAP Server
An LDAP server is marked "unavailable" when the SBC cannot reach it. Use the following request command to re-enable the LDAP server, which sets its status back to "available".
request oam ldapAuthentication ldapServer ldapServer1 reEnableServer
For CLI configuration details, refer to LDAP Authentication - CLI. To re-enable the LDAP server using EMA, refer to OAM - LDAP Authentication - LDAP Server.
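The retry criteria and the re-enable request described in the two sections above, as an added Python model that is not SBC code: an unreachable server is retried retryCount times with retryTime between attempts, then marked unavailable for oosDuration seconds and skipped in favour of the next server by priority, until reEnableServer clears it. The exact semantics of the three parameters, the treatment of a deny answer as final, and the scenario in demo() are assumptions made for this example.

```python
class LdapServer:
    def __init__(self, name, priority):        # one ldapServer row; oos_until 0 means "available"
        self.name, self.priority, self.oos_until = name, priority, 0.0

class LdapAuthenticator:
    """Assumed model of retryCriteria: retryTime (ms between retries), retryCount (retries per
    server after the first failure), oosDuration (seconds a timed-out server stays unavailable)."""
    def __init__(self, servers, clock, sleep, retry_time=1000, retry_count=3, oos_duration=60):
        self.servers = sorted(servers, key=lambda s: s.priority)   # tried in priority order
        self.retry_time, self.retry_count = retry_time / 1000.0, retry_count
        self.oos_duration, self.clock, self.sleep = oos_duration, clock, sleep

    def status(self):                          # what 'show table ... ldapStatus' would report
        now = self.clock()
        return {s.name: "available" if s.oos_until <= now else "unavailable" for s in self.servers}

    def re_enable(self, name):                 # 'request ... ldapServer <name> reEnableServer'
        for s in self.servers:
            if s.name == name:
                s.oos_until = 0.0

    def authenticate(self, username, password, bind):
        """bind(server, user, pw) -> True/False, or raises TimeoutError when unreachable."""
        for s in self.servers:
            if s.oos_until > self.clock():
                continue                       # skip servers marked unavailable
            for attempt in range(self.retry_count + 1):
                try:
                    return bind(s, username, password)   # an answer, allow or deny, is final
                except TimeoutError:
                    if attempt < self.retry_count:
                        self.sleep(self.retry_time)
            s.oos_until = self.clock() + self.oos_duration   # retries exhausted: out of service
        return False                           # no reachable server: deny access

def demo():
    """Constructed scenario: ldap1 (priority 1) never answers, ldap2 does; then ldap1 is re-enabled."""
    clock = [0.0]                              # fake monotonic clock, advanced by the fake sleep
    auth = LdapAuthenticator([LdapServer("ldap1", 1), LdapServer("ldap2", 2)],
                             clock=lambda: clock[0],
                             sleep=lambda secs: clock.__setitem__(0, clock[0] + secs))
    def bind(server, user, pw):
        if server.name == "ldap1":
            raise TimeoutError
        return user == "jsmith" and pw == "sunshine23!"
    allowed = auth.authenticate("jsmith", "sunshine23!", bind)
    during_oos = auth.status()
    auth.re_enable("ldap1")
    return allowed, during_oos, auth.status(), clock[0]
```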
View LDAP Status
Use the following OAM command to view LDAP server status details.
% show table oam ldapAuthentication ldapStatus
For CLI configuration details, refer to LDAP Authentication - CLI. To view the LDAP server status using EMA, refer to OAM - LDAP Authentication - LDAP Status.