LDAP Configuration Mode

Use this parameter to configure the mode for the LDAP client.

Command Syntax

% set oam ldapAuthentication ldapConfigurationMode <advanced | legacy>

Command Parameters

ldapConfigurationMode
  Length/Range: N/A
  Description: The configuration mode for the LDAP client.
    • legacy (default) – Use this option for legacy LDAP behavior.
    • advanced – Use this option to support Microsoft Active Directory (AD) services.
  Mandatory/Optional: O

Command Example

set oam ldapAuthentication ldapConfigurationMode advanced

Note

For more information on the "advanced" ldapConfigurationMode, refer to: Configuring SBC for External Centralized Authentication using LDAP.

LDAP Server

Use this parameter to configure information to communicate with one or more LDAP servers.

Command Syntax

ldapServer Syntax (Legacy Mode)

% set oam ldapAuthentication ldapServer <serverName>
    binddn <name>
    bindMethod <sasl | simple>
    groupNameAttribute <groupName, or empty string>
    ldapServerAddress <IPv4 address, IPv6 address, or FQDN>
    ldapServerPort <valid port>
    priority <1-25>
    saslMechanism <digest-md5 | plain>
    searchbase <base>
    state <disabled | enabled>
    transport <ldaps | tcp | tls>

ldapServer Syntax (Advanced Mode)

% set oam ldapAuthentication ldapServer <serverName>
    binddn <name>
    bindMethod <sasl | simple>
    ldapServerAddress <IPv4 address, IPv6 address, or FQDN>
    ldapServerPort <valid port>
    priority <1-25>
    returnAttribute <1-255 characters>
    saslMechanism <digest-md5 | plain>
    searchFilter <1-255 characters>
    searchbase <1-255 characters>
    state <disabled | enabled>
    systemPassword <password>
    systemUsername <1-255 characters>
    transport <ldaps | tcp | tls>

Command Parameters

LDAP Authentication Parameters

serverName
  Length/Range: Up to 23 characters
  Description: <serverName> – The name of this LDAP server.
  Mandatory/Optional: M

binddn
  Length/Range: String
  Description: <name> – The distinguished name to use for the bind operation (only used for simple binds).
  Mandatory/Optional: M, if bindMethod = simple

bindMethod
  Length/Range: N/A
  Description: Specify the bind method to use.
    • sasl – Use the Simple Authentication and Security Layer (SASL) option.
    • simple (default) – Use this option to bind the LDAP client to the LDAP server with a username and password.
  Mandatory/Optional: O

groupNameAttribute
  Length/Range: String
  Description: Use this parameter to define the group name attribute.
    • <attribute of user record> – The attribute in the user record that contains the CLI group name.
    • <empty string> (default) – Leave as an empty string if the group name is obtained using filters.
  Mandatory/Optional: O

ldapServerAddress
  Length/Range: IPv4 address, IPv6 address, or FQDN
  Description: <IP address> – The IPv4 address, IPv6 address, or FQDN of the LDAP server.
  Mandatory/Optional: M

ldapServerPort
  Length/Range: 1-65535
  Description: <port number> – The LDAP server port. The default value is 389.
    Note: If transport = ldaps, specify port 636.
  Mandatory/Optional: O

priority
  Length/Range: 1-25
  Description: <priority #> – The server priority, where '1' is the highest priority.
  Mandatory/Optional: M

saslMechanism
  Length/Range: N/A
  Description: The SASL mechanism to use.
    • digest-md5 – Use this option to send the username and password as a hash so they cannot be viewed on the wire even if the transport is TCP.
    • plain (default)
  Mandatory/Optional: O

searchbase
  Length/Range: String
  Description: This parameter specifies the location of the user records, and serves as the base for the LDAP query.
  Mandatory/Optional: M

state
  Length/Range: N/A
  Description: The state of this LDAP server.
    • disabled (default)
    • enabled
  Mandatory/Optional: O

transport
  Length/Range: N/A
  Description: The transport type to use.
    • ldaps
    • tcp (default)
    • tls
  Mandatory/Optional: O

returnAttribute*
  Length/Range: 1-255 characters
  Description: The attribute returned from the search for the group name of the LDAP user. For example, with the searchFilter example below, if cn is specified as the return attribute, the returned attribute is: users. The query may return multiple users.
  Mandatory/Optional: O

searchFilter*
  Length/Range: 1-255 characters
  Description: The LDAP filter used to search for the group name of the LDAP user. Use {0} in the search filter as the placeholder for the user being authenticated.
    For example: (&(objectClass=group)(member=cn={0},CN=Users,DC=example,DC=tst))
  Mandatory/Optional: O

systemPassword*
  Length/Range: String
  Description: <password> – The password for the LDAP user with Administrative privileges (systemUsername). Leave blank if systemUsername is not specified.
  Mandatory/Optional: O

systemUsername*
  Length/Range: 1-255 characters
  Description: An LDAP user with Administrative privileges. Leave blank, or enter a user name.
    Note: If ldapConfigurationMode = advanced, the SBC LDAP client binds with the provided systemUsername and systemPassword. This allows the LDAP query specified in searchFilter to access the records needed to ascertain the group of the user under authentication.
    The systemUsername and systemPassword are optional. If a systemUsername is not specified, the SBC performs the search specified in searchFilter using the user's credentials. If a systemUsername is specified, you cannot leave the systemPassword field blank.
  Mandatory/Optional: O

* To use this feature, you must set ldapConfigurationMode to advanced. See "LDAP Configuration Mode" above.

Command Example

Legacy Mode Example

set oam ldapAuthentication ldapServer ldap1 priority 1 transport tls binddn "ou=people,dc=example,dc=com" searchbase "dc=example,dc=com" ldapServerAddress 169.172.201.153 state enabled
commit

Advanced Mode Example

set oam ldapAuthentication ldapServer ldap1 priority 1 state enabled bindMethod simple saslMechanism plain systemUsername CN=Administrator,CN=Users,DC=mdroot,DC=tst systemPassword xxxyyyzzz transport ldaps binddn "cn={0},CN=Users,dc=mdroot,dc=tst" searchbase CN=Builtin,DC=mdroot,DC=tst ldapServerAddress rdc1.mdroot.tst ldapServerPort 636 searchFilter (&(objectClass=group)(member=CN=Administrator,CN=Users,DC=mdroot,DC=tst)) returnAttribute cn
commit

LDAP Filters

Use this parameter to configure a set of filters against predefined or custom groups to determine whether the specified user is a member of those groups. The filters are evaluated in the order specified in the LDAP Filters table. If a filter returns at least one record, the user is considered a member of that group, and that group name is used.

Command Syntax

% set oam ldapAuthentication ldapFilters
    filter <LDAP filter string>
    groupName <name of CLI group name to login to CLI>
    order <integer>

Command Parameters

LDAP Filter Parameters

filter
  Length/Range: String
  Description: <filter string> – The LDAP filter (a valid LDAP filter string) used to determine whether the specified user is a member of the group defined by groupName.
    The special string %%USERNAME%% is replaced with the name of the user currently being validated.
    For example, if the user is jsmith, the filter (&(uid=%%USERNAME%%)(accessLevel:=userAccessLevel1)) becomes (&(uid=jsmith)(accessLevel:=userAccessLevel1)).

groupName
  Length/Range: N/A
  Description: The CLI group name to use for logging onto the CLI.
    • Administrator
    • Calea
    • FieldService
    • Guest
    • Operator
    • SecurityAuditor
    • <user-defined group> – The name of a custom group configured on the SBC.

order
  Length/Range: Integer
  Description: <integer> – A unique number that sets the order in which the filters are processed. The filter with an order of '1' is processed first.

Command Example

set oam ldapAuthentication ldapFilters order 1 groupName Administrator filter (&(uid=%%USERNAME%%)(accessLevel:=userAccessLevel1))
commit
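The two placeholder substitutions this page relies on ({0} in the advanced-mode searchFilter, %%USERNAME%% in ldapFilters) and the ordered "first filter with a record wins" evaluation, as an added Python example that is not SBC code. It escapes the user name per RFC 4515 before substitution, which the page does not describe and the SBC may or may not do; DIRECTORY, fake_search, FILTERS and the user names are constructed for illustration.

```python
import re

# RFC 4515 escaping for values substituted into a search filter. Without it a
# user name such as "*)(uid=*" would change the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, username: str) -> str:
    """Fill the page's placeholders, %%USERNAME%% (ldapFilters) and
    {0} (advanced-mode searchFilter), with the escaped user name."""
    safe = escape_filter_value(username)
    return template.replace("%%USERNAME%%", safe).replace("{0}", safe)

def resolve_group(filters, username, search):
    """Evaluate ldapFilters entries in ascending 'order'; the first filter that
    returns at least one record decides the CLI group (None if none match)."""
    for entry in sorted(filters, key=lambda f: f["order"]):
        if search(render_filter(entry["filter"], username)):
            return entry["groupName"]
    return None

# Constructed stand-in for the directory: it understands only the
# (&(uid=X)(accessLevel:=Y)) filter shape used in the examples on this page.
DIRECTORY = {"jsmith": "userAccessLevel1", "ops1": "userAccessLevel2"}
_SHAPE = re.compile(r"^\(&\(uid=([^()]*)\)\(accessLevel:=([^()]*)\)\)$")

def fake_search(ldap_filter: str) -> list:
    m = _SHAPE.match(ldap_filter)
    if not m:
        return []          # malformed filter: no records
    uid, level = m.groups()
    return [uid] if DIRECTORY.get(uid) == level else []

# Constructed ldapFilters table, deliberately listed out of 'order'.
FILTERS = [
    {"order": 2, "groupName": "Operator",
     "filter": "(&(uid=%%USERNAME%%)(accessLevel:=userAccessLevel2))"},
    {"order": 1, "groupName": "Administrator",
     "filter": "(&(uid=%%USERNAME%%)(accessLevel:=userAccessLevel1))"},
]

if __name__ == "__main__":
    for user in ("jsmith", "ops1", "nobody", "*)(uid=*"):
        print(f"{user!r} -> {resolve_group(FILTERS, user, fake_search)}")
```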

LDAP Retry Criteria

Use this parameter to configure the LDAP server retry criteria.

Command Syntax

% set oam ldapAuthentication retryCriteria
	retryTimer <500-45000>
	retryCount <1-3>
	oosDuration <0-300>

Command Parameters

LDAP Retry Criteria Parameters

retryTimer
  Length/Range: 500-45000
  Description: <timer value> – The time, in milliseconds, before the SBC attempts another authentication request.
  Default: 1000

retryCount
  Length/Range: 1-3
  Description: <retryCount #> – The number of retries the SBC performs to attempt authentication.
  Default: 3

oosDuration
  Length/Range: 0-300
  Description: <oosDuration #> – The time, in minutes, the LDAP server remains out of service after a timeout.
  Default: 60

Command Example

set oam ldapAuthentication retryCriteria retryTimer 1000 retryCount 3 oosDuration 60
commit

Re-enable Server

An LDAP server is marked "unavailable" when the SBC cannot reach it. Use this command to re-enable the LDAP server, which will set the status back to "available".

Command Syntax

% request oam ldapAuthentication ldapServer <servername> reEnableServer

Command Parameters

Re-enable Server Parameters

ldapServer
  Description: <serverName> – The name of the LDAP server.

reEnableServer
  Description: An LDAP server is marked "unavailable" when the SBC cannot reach it. Use this action to re-enable the LDAP server, which sets the status back to "available".

Command Example

request oam ldapAuthentication ldapServer ldapServer1 reEnableServer
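The retryCriteria and reEnableServer behaviour described above, modelled as an added Python example (not SBC code) to show how the three retry settings and a server's priority combine into a failover window. It assumes a server goes out of service after retryCount consecutive timeouts and that the SBC then uses the next-highest-priority available server; LdapServerState, pick_server and the sample timestamps are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class LdapServerState:
    """Availability model for one ldapServer entry (assumed semantics, not SBC code):
    out of service for oosDuration minutes after retryCount consecutive timeouts."""
    name: str
    priority: int                  # 1 = highest priority
    retry_timer_ms: int = 1000     # retryTimer (default 1000 ms)
    retry_count: int = 3           # retryCount (default 3)
    oos_duration_min: int = 60     # oosDuration (default 60 minutes)
    failures: int = 0              # consecutive timeouts so far
    oos_until: float = 0.0         # epoch seconds; 0 means available

    def available(self, now: float) -> bool:
        return now >= self.oos_until

    def time_to_give_up_ms(self) -> int:
        """Worst-case wait on an unreachable server: retryCount attempts, retryTimer apart."""
        return self.retry_count * self.retry_timer_ms

    def record_timeout(self, now: float) -> bool:
        """Count a timeout; True when the server has just gone out of service."""
        self.failures += 1
        if self.failures >= self.retry_count:
            self.oos_until = now + self.oos_duration_min * 60
            self.failures = 0
            return True
        return False

    def record_success(self) -> None:
        self.failures = 0          # only consecutive timeouts count

    def re_enable(self) -> None:
        """Same effect as 'request oam ldapAuthentication ldapServer <name> reEnableServer'."""
        self.oos_until, self.failures = 0.0, 0

def pick_server(servers, now: float):
    """Highest-priority (lowest number) server that is currently available, or None."""
    return min((s for s in servers if s.available(now)),
               key=lambda s: s.priority, default=None)

if __name__ == "__main__":
    ldap1, ldap2 = LdapServerState("ldap1", 1), LdapServerState("ldap2", 2)
    for _ in range(3):
        ldap1.record_timeout(now=0.0)        # three timeouts: ldap1 goes out of service
    print(pick_server([ldap1, ldap2], now=0.0).name)     # ldap2 for the next 60 minutes
    print(pick_server([ldap1, ldap2], now=3600.0).name)  # ldap1 again after oosDuration
```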