Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.1 The 128T Networking Platform can be configured to leverage an LDAP server to authenticate administrative users to the PCLI and GUI interfaces for administration, configuration, and management.
Configuring LDAP on the 128T is done globally, and is done within the
authority > ldap-server configuration element. The 128T authority configuration may only have one
ldap-server configured at a time.
ldap-server configuration has the following attributes:
- name: a unique name that the 128T uses to reference this configuration.
- address: the IP address or FQDN of the LDAP server.
If using an FQDN/hostname, this name must be resolvable by the 128T.
- search-base: the search base defines the starting point for the search in the directory tree. For example, 128T might need to query the entire directory, in which case the search base must specify the root of the directory service. Or, 128T might need to query a specific organizational unit (OU) in the directory. Generally this is configured as a series of Domain Components, which are abbreviated "dc."
- server-type: an enumeration, which can be global-catalog, ldaps, or starttls. For Active Directory LDAP servers, use
global-catalog. LDAPS is LDAP wrapped in SSL, and is a non-standard (yet popular) implementation. StartTLS is instead built into the LDAP protocol itself. Consult your LDAP server's documentation to determine the server-type most appropriate for your deployment.
The default type is ldaps, which requires TLS/SSL for the entire duration of the connection
The "starttls" type will not send user passwords in the process of being validated in the clear (it requires that STARTTLS be performed, and uses that channel for sending the password), but all other LDAP traffic (including the bind request and credentials used for binding) are sent in the clear.
- port: the listening port on your LDAP server. Using
server-type-defaultwill select the default port based on the server-type configured (3269 for global-catalog, 636 for LDAPS, 389 for StartTLS)
- bind-type: an enumeration of anonymous, unauthenticated, or password. This is how your 128T will authenticate to your LDAP server.
- distinguished-name: the name to use when binding to the server; available when bind-type is set to
- password: the password to use to bind to the server (available when bind-type is set to
Here is a sample configuration that interfaces with Microsoft Active Directory
LDAP User Account Requirements
It is important to ensure that administrative users are configured on the LDAP server as being a member of a group called
128t-user for read-only access to the configuration, or
128t-admin for read-write access to configuration. These group names are case sensitive.
show userwithin the PCLI (and GUI's User management page) allows viewing LDAP users that have connected to 128T
edit userwithin the PCLI (and GUI's User management page) allows editing LDAP users, (changing password, display name, enabled/disabled). While saving these changes may report back that it has completed successfully, these changes are not saved in the LDAP server.
- Having local 128T users with the same name as LDAP users is not supported.
- The "admin" user is always authenticated locally; any "admin" user in ldap is ignored
- If the TLS certificates for LDAP servers are not from a CA recognized by openssl's CA bundle, trust for the certificate must be configured manually (in linux)
- When the system is configured to use LDAP for user authentication, the status of the LDAP connection can be seen on the Users page of the GUI. This is a high level status of connectivity to retrieve user and group information based on the LDAP configuration.
Debugging Issues Using LDAP
For diagnosing connection status from linux
To test what a user's current group memberships are from linux
There is a minimum delay of 5 minutes from when a user's groups are retrieved before the server will be consulted again, so changes that are made on the server may appear to lag a bit.