Managing Authentication Servers LDAP Servers
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 31-26
The keywords for the aaa ldap-server command are listed at the end of this section.
Creating an LDAP Authentication Server
An example of creating an LDAP server:
-> aaa ldap-server ldap2 host 10.10.3.4 dn cn=manager password tpub base c=us
In this example, the switch can communicate with an LDAP server (called ldap2) that has an IP address of
10.10.3.4, a distinguished name (dn) of cn=manager, a password of tpub, and a searchbase of c=us. These
parameters must match the values configured on the server itself.
The prompt-password option can be used to enter the super-user password in an obscured form rather than
typing it as clear text on the command line. When this option is used, press the Enter key after the command;
a prompt appears asking for the super-user password, and the password must then be entered a second time
to confirm it. The command is accepted only if both entries match. A password entered this way is not
displayed on the CLI as text.
For example,
-> aaa ldap-server topanga5 host 10.10.3.4 dn cn=manager prompt-password base c=us retransmit 4
Enter Password: *******
Confirm Password: *******
Modifying an LDAP Authentication Server
To modify an LDAP authentication server, use the aaa ldap-server command with the server name; or, if
you have just entered the aaa ldap-server command to create or modify the server, you can use command
prefix recognition. For example:
-> aaa ldap-server ldap2 password my_pass
-> timeout 4
In this example, an existing LDAP server is modified with a different password, and then the timeout is
modified on a separate line. These two command lines are equivalent to:
-> aaa ldap-server ldap2 password my_pass timeout 4
Setting Up SSL for an LDAP Authentication Server
Secure Socket Layer (SSL) can be set up for the server for additional security. When SSL is enabled, the
identity of the LDAP server is authenticated; without it, the switch has no assurance that it is talking to
the intended server. The authentication requires a certificate from a Certification Authority (CA). If the
CA providing the certificate is well-known, the certificate is automatically extracted from the Kbase.img
file on the switch (as certs.pem). If the CA is not well-known, the CA certificate must be transferred to
the switch through FTP to the /flash/certified or /flash/working directory and must be named optcerts.pem.
The switch merges either or both of these files into a file called ldapcerts.pem.
Required for creating: host, dn, password, base
Optional: type, retransmit, timeout, port, ssl
Note. The distinguished name must be different from the searchbase name.
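To check a pasted aaa ldap-server line against the rules in this section (the required keywords, the note that the dn must differ from the searchbase, and whether ssl is enabled), here is an added Python audit helper; it is example code written for this page, not part of AOS, and it assumes that ssl and prompt-password take no value while every other keyword takes exactly one.

```python
# Required and optional keywords of the aaa ldap-server command, from the guide's table.
REQUIRED = ("host", "dn", "base")           # a password (or prompt-password) is also required
OPTIONAL = ("type", "retransmit", "timeout", "port", "ssl")
# Assumption: these keywords take no value; every other keyword takes exactly one.
FLAGS = ("prompt-password", "ssl")


def parse_ldap_server(cmd):
    """Parse 'aaa ldap-server <name> <keyword> [value] ...' into a dict."""
    tokens = cmd.split()
    if tokens and tokens[0] == "->":        # drop the CLI prompt if it was pasted along
        tokens = tokens[1:]
    if tokens[:2] != ["aaa", "ldap-server"] or len(tokens) < 3:
        raise ValueError("not an aaa ldap-server command: %r" % cmd)
    params = {"name": tokens[2]}
    i = 3
    while i < len(tokens):
        key = tokens[i]
        if key in FLAGS:
            params[key] = True
            i += 1
        elif i + 1 < len(tokens):
            params[key] = tokens[i + 1]
            i += 2
        else:
            raise ValueError("keyword %r has no value" % key)
    return params


def audit_ldap_server(cmd):
    """Return a list of findings for a server-creation command; empty means clean."""
    p = parse_ldap_server(cmd)
    findings = []
    for key in REQUIRED:
        if key not in p:
            findings.append("missing required keyword '%s'" % key)
    if "password" not in p and "prompt-password" not in p:
        findings.append("missing required keyword 'password' (or prompt-password)")
    # The guide's note: the distinguished name must differ from the searchbase.
    if "dn" in p and "base" in p and p["dn"] == p["base"]:
        findings.append("dn must differ from the searchbase (both are '%s')" % p["dn"])
    # Without ssl the switch does not authenticate the server identity.
    if "ssl" not in p:
        findings.append("ssl not enabled: server identity is not authenticated")
    known = set(REQUIRED) | set(OPTIONAL) | {"name", "password", "prompt-password"}
    for key in sorted(set(p) - known):
        findings.append("unknown keyword '%s'" % key)
    return findings
```

Running audit_ldap_server on the ldap2 example above reports only that ssl is not enabled; adding the ssl keyword yields an empty list.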