Overview
The
- Administrator
- Operator
- FieldService
- Guest
- SecurityAuditor
- Calea
Configuring LDAP
Set External Authentication Type to LDAP
To configure LDAP authentication for the
- Log in to the SBC CLI.
- Execute the following System Admin command:
Example:
set system admin SBC-1 externalAuthenticationType ldap
For CLI configuration details, refer to External Authentication - CLI. To enable the external authentication using EMA, refer to System - Admin.
Establish LDAP Authentication
Configure information to communicate with one or more LDAP servers using the OAM command.
set oam ldapAuthentication ldapServer ldap1 priority 1 transport tls binddn "ou=people,dc=example,dc=com" searchbase "dc=example,dc=com" ldapServerAddress 169.172.201.153 state enabled
For CLI configuration details, refer to LDAP Authentication - CLI. To establish the LDAP authentication using EMA, refer to OAM - LDAP Authentication - LDAP Server.
Obtain groupName
Two methods are available to get the groupName.
Method 1:
Set the groupName parameter to the name of the LDAP attribute that holds the group name. For example, using a sample directory entry for account "jsmith", a user record of this type looks like the following:
# jsmith, People, example.com
dn: uid=jsmith,ou=People,dc=example,dc=com
uid: jsmith
cn: Joe Smith
objectClass: top
objectClass: person
objectClass: inetOrgPerson
userPassword:: sunshine23!
groupName: Administrator
accessLevel: userAccessLevel1
In this case, the groupName parameter is set to the attribute name groupName, and the value of that attribute, Administrator, is returned as the group name.
Method 2:
If the groupName parameter is not set, each filter in the filters table is tried in order until one matches. A user entry in this case does not include the groupName attribute. Here is a sample directory entry for account "jsmith":
# jsmith, People, example.com
dn: uid=jsmith,ou=People,dc=example,dc=com
uid: jsmith
cn: Joe Smith
objectClass: top
objectClass: person
objectClass: inetOrgPerson
userPassword:: sunshine23!
accessLevel: userAccessLevel1
In this case, the filter (&(uid=%%USERNAME%% )(accessLevel:=userAccessLevel1)) matches the accessLevel: userAccessLevel1 attribute, and the groupName is Administrator, as configured for that filter in the filters table.
Obtain Correct Privileges via LDAP Query
Configure a set of filters against predefined or custom groups to determine whether the specified user is a member of those groups. Each filter is tried in the order specified in the LDAP Filters table. If a filter returns at least one record, the user is considered a member of that group, and that group name is used.
set oam ldapAuthentication ldapFilters order 1 groupName Administrator filter (&(uid=%%USERNAME%% )(accessLevel:=userAccessLevel1))
For CLI configuration details, refer to LDAP Authentication - CLI. To set the LDAP filters using EMA, refer to OAM - LDAP Authentication - LDAP Filters.
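The two group-resolution methods above, worked through as an added example (code written for this page, not the SBC's own): an entry is a dict of lowercase attribute names to value lists, the filters table is a list of (order, groupName, filter) tuples, and the filter evaluator covers only the subset of filter syntax the page uses.

```python
"""Resolve an SBC user's group as the page describes: Method 1 reads the
attribute named by the groupName parameter; Method 2 walks the ldapFilters
table in order and uses the first matching filter. The filter evaluator (a
subset of RFC 4515: '&', '|', '=', ':=') is this example's, not the SBC's."""
import re

def _components(s):
    """Split '(a)(b)' into its top-level parenthesised pieces."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def parse_filter(text):
    """'(&(a=b)(c:=d))' -> ('&', [('=', 'a', 'b'), ('=', 'c', 'd')])."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"unbalanced filter: {text!r}")
    body = body[1:-1].strip()
    if body[0] in "&|":
        return (body[0], [parse_filter(p) for p in _components(body[1:])])
    attr, value = re.match(r"^([\w.-]+)\s*:?=\s*(.*)$", body).groups()
    return ("=", attr.lower(), value.strip())  # trailing space is not significant

def matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]}, case-insensitively."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def resolve_group(entry, username, group_attr=None, filters=()):
    """Return the group name or None. filters: (order, groupName, filter)."""
    if group_attr:                          # Method 1: read the attribute
        return (entry.get(group_attr.lower()) or [None])[0]
    for _, group, flt in sorted(filters):   # Method 2: first matching filter
        if matches(parse_filter(flt.replace("%%USERNAME%%", username)), entry):
            return group
    return None
```

A user whose entry matches none of the configured filters resolves to no group at all, so a filters table should cover every group you expect to grant, with the most privileged group's filter being the most specific.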
Configure LDAP Servers
Configure
Configure LDAP Retry Criteria
Configure the LDAP Server Retry Criteria settings: how long the SBC waits before attempting another authentication request after a request fails (retryTime), how many times it retries an authentication request (retryCount), and how long the LDAP server remains out of service after a timeout (oosDuration).
set oam ldapAuthentication retryCriteria retryTime 1000 retryCount 3 oosDuration 60
For CLI configuration details, refer to LDAP Authentication - CLI. To configure LDAP Retry Criteria using EMA, refer to OAM - LDAP Authentication - LDAP Retry Criteria.
Maintaining LDAP
Send a 're-enable' Command to Re-enable the LDAP Server
An LDAP server is marked "unavailable" when the SBC cannot reach it. Use the following request command to re-enable the LDAP server, which sets its status back to "available".
request oam ldapAuthentication ldapServer ldapServer1 reEnableServer
For CLI configuration details, refer to LDAP Authentication - CLI. To re-enable the LDAP server using EMA, refer to OAM - LDAP Authentication - LDAP Server.
View LDAP Status
Use the following OAM command to view LDAP server status details.
% show table oam ldapAuthentication ldapStatus
For CLI configuration details, refer to Show Table OAM#LDAPAuthentication. To view the LDAP server status using EMA, refer to OAM - LDAP Authentication - LDAP Status.