LDAP Configuration Mode
Use this parameter to configure the mode for the LDAP client.
Command Syntax
% set oam ldapAuthentication ldapConfigurationMode <advanced | legacy>
Command Parameters
Parameter | Length/Range | Description | Mandatory (M) |
---|---|---|---|
ldapConfigurationMode | N/A | The configuration mode for the LDAP client. | O |
Command Example
set oam ldapAuthentication ldapConfigurationMode advanced
For more information on the "advanced" ldapConfigurationMode, refer to: Configuring SBC for External Centralized Authentication using LDAP.
LDAP Server
Use this parameter to configure information to communicate with one or more LDAP servers.
Command Syntax
% set oam ldapAuthentication ldapServer <serverName> binddn <name> bindMethod <sasl | simple> groupNameAttribute <groupName, or empty string> ldapServerAddress <IPv4 address, IPv6 address, or FQDN> ldapServerPort <valid port> priority <1-25> saslMechanism <digest-md5 | plain> searchbase <base> state <disabled | enabled> transport <ldaps | tcp | tls>
% set oam ldapAuthentication ldapServer <serverName> binddn <name> bindMethod <sasl | simple> ldapServerAddress <IPv4, IPv6 or FQDN> ldapServerPort <valid port> priority <1-25> returnAttribute <1-255 characters> saslMechanism <digest-md5 | plain> searchFilter <1-255 characters> searchbase <1-255 characters> state <disabled | enabled> systemPassword <password> systemUsername <1-255 characters> transport <ldaps | tcp | tls>
Command Parameters
LDAP Authentication Parameters
Parameter | Length/Range | Description | Mandatory (M) |
---|---|---|---|
serverName | Up to 23 characters | <serverName> – The name of this LDAP server. | M |
binddn | String | | M, if bindMethod = simple |
bindMethod | N/A | Specify the bindMethod to use. | O |
groupNameAttribute | String | Use this parameter to define the group name attribute. | O |
ldapServerAddress | IPv4 address, IPv6 address, or FQDN | <IP address> – The IPv4 address, IPv6 address, or FQDN of the LDAP server. | M |
ldapServerPort | 1-65535 | The default value is NOTE: If | O |
priority | 1-25 | <priority #> – The server priority, where '1' is the highest priority. | M |
saslMechanism | N/A | The SASL mechanism to use. | O |
searchbase | String | The location where the user records are located; this serves as the base for the LDAP query. | M |
state | N/A | The state of this LDAP server. | O |
transport | N/A | The transport type to use. | O |
returnAttribute * | 1-255 characters | The attribute returned from the search for the group name of the LDAP user. For example, in the above query, if cn is specified as the return attribute, then the returned attribute will be: | O |
searchFilter * | 1-255 characters | The LDAP filter used to search for the group name of the LDAP user. Specify {0} in the search filter as the placeholder for the user. For example: | O |
systemPassword * | String | The password for the LDAP user with Administrative privileges (systemUsername). Leave blank if systemUsername is not specified. | O |
systemUsername * | 1-255 characters | An LDAP user with Administrative privileges – Leave blank, or enter a user name. Note: If The | O |

* To use this feature, you must set ldapConfigurationMode to advanced. See "LDAP Configuration Mode" above.
Command Example
set oam ldapAuthentication ldapServer ldap1 priority 1 transport tls binddn "ou=people,dc=example,dc=com" searchbase "dc=example,dc=com" ldapServerAddress 169.172.201.153 state enabled
set oam ldapAuthentication ldapServer ldap1 priority 1 state enabled bindMethod simple saslMechanism plain systemUsername CN=Administrator,CN=Users,DC=mdroot,DC=tst systemPassword xxxyyyzzz transport ldaps binddn "cn={0},CN=Users,dc=mdroot,dc=tst" searchbase CN=Builtin,DC=mdroot,DC=tst ldapServerAddress rdc1.mdroot.tst ldapServerPort 636 searchFilter (&(objectClass=group)(member=CN=Administrator,CN=Users,DC=mdroot,DC=tst)) returnAttribute cn
LDAP Filters
Use this parameter to configure a set of filters against predefined or custom groups to determine if the specified user is a member of those groups. Each filter is accessed in the order specified in the LDAP Filters table. If a filter returns at least one record, then the user is considered part of that group, and that group name is used.
Command Syntax
% set oam ldapAuthentication ldapFilters filter <LDAP filter string> groupName <name of CLI group name to login to CLI> order <integer>
Command Parameters
LDAP Filter Parameters
Parameter | Length/Range | Description |
---|---|---|
filter | String | The special string %%USERNAME%% is replaced with the name of the user logging in. For example, if the user is jsmith, the filter (&(uid=%%USERNAME%%)(accessLevel:=userAccessLevel1)) becomes (&(uid=jsmith)(accessLevel:=userAccessLevel1)). |
groupName | N/A | The CLI group name to use for logging onto the CLI. |
order | Integer | |
Command Example
set oam ldapAuthentication ldapFilters order 1 groupName Administrator filter (&(uid=%%USERNAME%%)(accessLevel:=userAccessLevel1))
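As an added illustration (not Ribbon's code and not part of this reference), the following Python carries out what the LDAP Filters section describes: the user name is substituted for %%USERNAME%%, and the filters are tried in ascending order until one returns a record, whose groupName then becomes the CLI group. The same substitute() helper covers the {0} placeholder of the advanced-mode searchFilter through its token argument; the RFC 4515 escaping of the substituted value, the in-memory directory and the filter table are assumptions constructed here.

```python
"""Added example (not Ribbon's own code): substitute the user name into a
filter template (RFC 4515-escaped so it matches literally), then walk the
ldapFilters in ascending 'order' to pick the CLI group. All data is constructed."""
import re

# Constructed directory entries standing in for the LDAP search results.
DIRECTORY = [
    {"uid": "jsmith", "accessLevel": "userAccessLevel1"},
    {"uid": "alee", "accessLevel": "userAccessLevel2"},
]
# Constructed filter table: (order, groupName, filter), as in the CLI example.
FILTERS = [
    (2, "Operator", "(&(uid=%%USERNAME%%)(accessLevel:=userAccessLevel2))"),
    (1, "Administrator", "(&(uid=%%USERNAME%%)(accessLevel:=userAccessLevel1))"),
]

def escape_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\xx hex escapes."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def unescape_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def substitute(template, username, token="%%USERNAME%%"):
    """Replace the placeholder (%%USERNAME%% for ldapFilters, {0} for the
    advanced-mode searchFilter) with the escaped user name."""
    return template.replace(token, escape_value(username))

def matches(filt, entry):
    """Minimal evaluator for &, |, ! and attr=value / attr:=value.
    Returns (result, unparsed remainder) so nested filters can be consumed."""
    if filt[1] in "&|!":
        op, rest, results = filt[1], filt[2:], []
        while rest.startswith("("):
            ok, rest = matches(rest, entry)
            results.append(ok)
        res = all(results) if op == "&" else any(results) if op == "|" else not results[0]
        return res, rest[1:]  # skip the closing ')'
    end = filt.index(")")
    attr, val = re.match(r"([^:=]+):?=(.*)", filt[1:end]).groups()
    return entry.get(attr) == unescape_value(val), filt[end + 1:]

def select_group(filters, username, directory):
    """First filter (by order) returning at least one record gives the group."""
    for _order, group, template in sorted(filters):
        filt = substitute(template, username)
        if any(matches(filt, entry)[0] for entry in directory):
            return group
    return None
```

Because the substituted value is escaped, a user name containing a wildcard character is compared literally rather than expanding the match.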
LDAP Retry Criteria
Use this parameter to configure the LDAP Server Retry criteria settings.
Command Syntax
% set oam ldapAuthentication retryCriteria retryTimer <500-45000> retryCount <1-3> oosDuration <0-300>
Command Parameters
LDAP Retry Criteria Parameters
Parameter | Length/Range | Description |
---|---|---|
retryTimer | 500-45000 | Default: 1000 |
retryCount | 1-3 | Default: 3 |
oosDuration | 0-300 | Default: 60 |
Command Example
set oam ldapAuthentication retryCriteria retryTimer 1000 retryCount 3 oosDuration 60
Re-enable Server
An LDAP server is marked "unavailable" when the SBC cannot reach it. Use this command to re-enable the LDAP server, which will set the status back to "available".
Command Syntax
% request oam ldapAuthentication ldapServer <servername> reEnableServer
Command Parameters
Re-enable Server Parameters
Parameter | Description |
---|---|
ldapServer | <serverName> – The name of the LDAP server. |
reEnableServer | An LDAP server is marked "unavailable" when the SBC cannot reach it. Use this action to re-enable an LDAP server, which then sets the status back to "available". |
Command Example
request oam ldapAuthentication ldapServer ldapServer1 reEnableServer