In this section:

On the SBC main screen, go to All > OAM Ldap Authentication Ldap Server.

View LDAP Server Settings

Use the Ldap Server screen to view LDAP server settings.

Figure 1: LDAP Server List

Create LDAP Server

Use the Create New Ldap Server screen to create an LDAP server.

Figure 2: Create New LDAP Server Screen

Re-enable LDAP Server

Use the Ldap Server Commands screen to re-enable the LDAP server.

Figure 3: LDAP Server Commands Screen

Table 1: Re-enable Server Parameters

ParameterDescription
Ldap ServerThe name of the LDAP server.
Re Enable Server

An LDAP server is marked "unavailable" when the SBC cannot reach it.

Use this action to re-enable an LDAP server, which then sets the status back to "available". 

LDAP Server Parameters

The following table describes the LDAP Server Parameters. Use the table to edit the LDAP server settings as needed and click Save.

Table 2: LDAP Server Parameters

Parameter

Length/Range

Description

Mandatory (M)
or Optional (O)

Server NameUp to 23 charactersThe name of the LDAP server.M
Priority1-25The server priority, where '1' is the highest priority.M
StateN/A

The state of this LDAP server.

  • Disabled (default)
  • Enabled
O
Bind MethodN/A

Specify the Bind Method to use.

  • Sasl – Use the Simple Authentication and Security Layer (SASL) option.
  • Simple (default) – Use this option to bind the LDAP clients to the LDAP server with a username and password.
O
Sasl MechanismN/A

The SASL mechanism to use.

  • Digest-md5 – Use this option to send the username and password as a hash so they can not be viewed on the wire even if the transport is TCP.
  • Plain (default)
O
TransportN/A

The transport type to use.

  • Ldaps
  • TCP (default)
  • TLS
O
BinddnString

The distinguished name to use for the bind operation (only used for simple binds).

In the following example, the SBC replaces the "{0}" with the username when sending requests to the LDAP server.

"cn={0},CN=Users,dc=rbbn,dc=com"

(i.e., "cn=jsmith,CN=Users,dc=rbbn,dc=com")

M, if bind Method = simple
SearchbaseString

This parameter specifies the location where the user records are located, and serves as the base for the LDAP query.

M
Ldap Server Address

String in IPv4, IPv6 or FQDN format

The IPv4 address, IPv6 address or FQDN of the server as a hostname. The supported formats are:

  • IPv4 address (In dot notation)
  • IPv6 address (In hex-colon notation)
  • FQDN

When using digest-md5 with sasl mode, 

  • if an IP address is specified, the LDAP authentication logic running on the SBC performs a reverse lookup to retrieve the domain name of the LDAP server (e.g., ldap1.rbbn.com).
  • if an FQDN is specified, the LDAP authentication logic performs a DNS lookup to retrieve the IP address of the FQDN and then a reverse lookup to retrieve the domain name of the LDAP server (e.g., ldap1.rbbn.comz0. The SBC then appends the "rbbn.com" portion to either the username of the person trying to login or the system username when making requests to the LDAP server. As such, you must configure the remote LDAP server entries as user@rbbn.com.
M
Ldap Server Port1-65535

The LDAP server port. 

The default value is 389.

NOTE: If transport = Ldaps, specify port 636.

O
Group Name AttributeString

Use this parameter to define the group name attribute.

  • attribute of user record – The attribute in the user record that contains the CLI group name.
  • empty string (default) – leave as an empty string if the groupname is obtained using filters.
O
Return Attribute*

1-255
characters

The attribute returned from the search for the group name of the LDAP user.

For example, in the above query, if cn is specified as the return attribute, then the returned attribute will be: users. The query may return multiple users

O
Search Filter*1-255
characters

The LDAP filter used to search for the group name of the LDAP user. Specify {0} in the search filter to specify the user in the searchFilter. 

For example: (&(objectClass=group)(member=cn={0},CN=Users,DC=example,DC=tst))

O
System Password*stringThe password for the LDAP user with Administrative privileges systemUser). Leave blank if the systemUsername is not specified.O
System Username*1-255
characters

An LDAP user with Administrative privileges   Leave blank, or enter a user name.

Ensure the username field is ONLY the username (jsmith) and not the DistinguishedName (DN). In other words, CN=jsmith,CN=Users,DC=rbbn,DC=com.

Note

If ldapConfigurationMode = advanced, the SBC LDAP client binds with the provided systemUsername and systemPassword. This allows the LDAP query specified in the searchFilter to  access the records needed to ascertain the group of the user under authentication.

The systemUsername and systemPassword are optional.  If a systemUsername is not specified, the SBC performs the search specified in searchFilter using the user's credentials.  If a systemUsername is specified, you cannot leave the systemPassword field blank.

O

* To use this feature, you must set "Ldap Configuration Mode" to "Advanced".