
AMX NX-3200 User Manual

Appendix A: LDAP Implementation Details
NX-Series Controllers - WebConsole & Programming Guide
The following table provides sample LDIF files:
Changes to LDAP Implementation (v1.5.x)
There are numerous changes to LDAP configuration when you upgrade your Master’s firmware to version 1.5.x or higher.
Upgrading from version 1.4.x to 1.5.x may require you to make changes to the configuration on your LDAP server.
User Query Attribute
If the server is an LDAP server, the attribute used for the User Query Attribute can be any unique attribute but typically the
cn attribute is used.
If the server is an Active Directory server, the attribute used for the User Query Attribute field MUST be sAMAccountName.
If the sAMAccountName attribute is not used, LDAP authentication will work for Telnet and HTTP but not for FTP and
SSH.
FTP Access with LDAP Authentication
If the server is an Active Directory server, the sAMAccountName attribute must be used for the User Query Attribute field
on the NX Master’s LDAP configuration page.
For FTP access to an NX Master to work using LDAP authentication credentials on an NX Master running firmware version
1.5.x, the following attributes must exist on the user account on the LDAP/Active Directory server: gidNumber,
homeDirectory, uidNumber.
If the server is an Active Directory server, the homeDirectory attribute in the user account can contain ANY value.
If the server is an LDAP server, the homeDirectory attribute in the user account MUST be a valid UNIX directory path format
(for example, /user or /bin). However, if the homeDirectory attribute contains two levels of directories which do not exist
on the NX Master (for example, /bin/nonexistent directory), FTP access will not work.
The uidNumber, gidNumber, homeDirectory, and loginShell attributes MUST be readable by the BINDDN for FTP to work.
SSH Access with LDAP Authentication
The same requirements as for FTP apply (see above).
The user account (on either an Active Directory server or LDAP server) can contain the loginShell attribute, but this
attribute is not required.
If the loginShell attribute does exist in the user account and the server is an Active Directory server, the value of the
loginShell attribute can be ANY value.
If the loginShell attribute does exist in the user account and the server is an LDAP server, the value of the loginShell
attribute MUST be a valid UNIX directory path format (for example, /user or /bin). However, if the loginShell attribute
contains two levels of directories which do not exist on the NX Master (for example, /bin/nonexistent directory), SSH
access won't work.
The uidNumber, gidNumber, homeDirectory, and loginShell attributes MUST be readable by the BINDDN for SSH to work.
Sample LDIF Files
Example:
dn: cn=admin,dc=smith,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

Example:
dn: ou=users,dc=smith,dc=local
objectClass: organizationalUnit
objectClass: top
ou: users

Example:
dn: uid=olUser,ou=users,dc=smith,dc=local
cn: user
uid: olUser
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/olUser
sn: olUser

Example:
dn: uid=olAdmin,ou=users,dc=smith,dc=local
cn: olAdmin
uid: olAdmin
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
uidNumber: 5000
homeDirectory: /home/olAdmin
sn: admin
gidNumber: 5000
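
Added example (not from the AMX manual): a Python check that applies the FTP/SSH attribute rules above to an LDIF export of user accounts. If the export is made while bound as the BINDDN, an attribute that account cannot read shows up as missing. The set of user object classes, the path pattern and the badUser entry are assumptions made for this illustration.

```python
import re
REQUIRED = ("uidNumber", "gidNumber", "homeDirectory")  # needed for FTP and SSH
USER_CLASSES = {"posixaccount", "inetorgperson", "person", "user"}  # assumption
# Assumption: "valid UNIX directory path format" = absolute path, no whitespace.
UNIX_PATH = re.compile(r"^(/[^/\s]+)+/?$")

def parse_ldif(text):
    """Parse plain LDIF into a list of {lowercased attr: [values]} dicts."""
    entries, current = [], {}
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for line in unfolded.split("\n") + [""]:
        if not line.strip():  # a blank line ends the record
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
    return entries

def audit(ldif_text, server_type="ldap"):
    """Return {dn: [problems]} for user entries; server_type is 'ldap' or 'ad'."""
    report = {}
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "dn" not in e or not classes & USER_CLASSES:
            continue
        problems = [f"missing or unreadable: {a}" for a in REQUIRED if a.lower() not in e]
        if server_type == "ldap":  # Active Directory accepts any value here
            for a in ("homeDirectory", "loginShell"):  # loginShell is optional
                problems += [f"{a} is not a UNIX path: {v!r}"
                             for v in e.get(a.lower(), []) if not UNIX_PATH.match(v)]
        report[e["dn"][0]] = problems
    return report

# Constructed sample: the first entry follows the manual's olUser, badUser is invented.
SAMPLE = """\
dn: uid=olUser,ou=users,dc=smith,dc=local
objectClass: posixAccount
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/olUser

dn: uid=badUser,ou=users,dc=smith,dc=local
objectClass: posixAccount
uidNumber: 5002
homeDirectory: home/badUser
loginShell: bash
"""
```

Calling audit(SAMPLE) returns an empty problem list for olUser and three findings for badUser. The check cannot tell whether a directory actually exists on the NX Master, so the two-level nonexistent directory case still has to be verified on the device.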
