CHAPTER16 Services
Mediant 1000 Gateway & E-SBC | User's Manual
■ Management-related LDAP Queries: LDAP can be used for authenticating and authorizing
management users (Web and CLI) and is based on the user's login username and password
(credentials) when attempting login to one of the device's management platforms. When
configuring the login username (LDAP Bind DN) and password (LDAP Password) to send to
the LDAP server, you can use templates based on the dollar ($) sign, which the device
replaces with the actual username and password entered by the user during the login attempt.
You can also configure the device to send the username and password in clear-text format or
encrypted using TLS (SSL).
The device connects to the LDAP server (i.e., an LDAP session is created) only when a login
attempt occurs. The LDAP Bind operation establishes the authentication of the user based on
the username-password combination. The server typically checks the password against the
userPassword attribute in the named entry. A successful Bind operation indicates that the
username-password combination is correct; a failed Bind operation indicates that the
username-password combination is incorrect.
Once the user is successfully authenticated, the established LDAP session may be used for
further LDAP queries to determine the user's management access level and privileges
(Operator, Admin, or Security Admin). This is known as the user authorization stage. To
determine the access level, the device searches the LDAP directory for groups of which the
user is a member, for example:
CN=\# Support Dept,OU=R&D Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
CN=\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
The device then assigns the user the access level configured for that group (in Configuring
Access Level per Management Groups Attributes). The location in the directory where you want
to search for the user's member group(s) is configured using the following:
● Search base object (distinguished name or DN, e.g., "ou=ABC,dc=corp,dc=abc,dc=com"), which defines the location in the directory from where the LDAP search begins and is configured in Configuring LDAP DNs (Base Paths) per LDAP Server.
● Search filter, for example, (&(objectClass=person)(sAMAccountName=JohnD)), which filters the search in the subtree to include only the specific username. The search filter can be configured with the dollar ($) sign to represent the username, for example, (sAMAccountName=$). To configure the search filter, see Configuring the LDAP Search Filter Attribute.
● Management attribute (e.g., memberOf), from where objects that match the search filter criteria are returned. This shows the user's member groups. The attribute is configured in the LDAP Servers table (see Configuring LDAP Servers).
If the device finds a group, it assigns the user the corresponding access level and permits login;
otherwise, login is denied. Once the LDAP response has been received (success or failure), the
device ends the LDAP session.
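The two stages described above (a Bind with the templated credentials for authentication, then a memberOf search whose matching group is mapped to an access level), as an added Python example that is not part of the AudioCodes manual. It stands in for the LDAP server with a constructed in-memory directory, assumes its own Bind DN template and group-to-level table, and escapes the username substituted for the $ placeholder per RFC 4514 (Bind DN) and RFC 4515 (search filter) before it is placed in either string.

```python
import hmac
from typing import Optional
# Constructed sample directory standing in for the LDAP server (example data only).
DIRECTORY = {
    "CN=JohnD,OU=Users,OU=ABC,DC=corp,DC=abc,DC=com": {
        "sAMAccountName": "JohnD", "userPassword": "s3cret",
        "memberOf": ["CN=Sales,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com",
                     "CN=\\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com"],
    },
}
# Group DN -> access level, as the device's per-group access level table would hold it (constructed).
GROUP_ACCESS_LEVELS = {
    "CN=\\# Support Dept,OU=R&D Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com": "Operator",
    "CN=\\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com": "Admin",
}
BIND_DN_TEMPLATE = "CN=$,OU=Users,OU=ABC,DC=corp,DC=abc,DC=com"  # assumed Bind DN template
SEARCH_FILTER_TEMPLATE = "(sAMAccountName=$)"                     # filter form given in the manual
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so the login name cannot change the filter's structure."""
    return "".join(FILTER_ESCAPES.get(c, c) for c in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value substituted into the Bind DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

def ldap_bind(bind_dn: str, password: str) -> bool:
    """Simple Bind: succeeds only if the named entry's userPassword matches."""
    entry = DIRECTORY.get(bind_dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"], password)

def search_member_of(search_filter: str) -> list:
    """Evaluate a single equality filter and return the matching entry's memberOf values."""
    attr, _, wanted = search_filter.strip("()").partition("=")
    for entry in DIRECTORY.values():
        if escape_filter_value(entry.get(attr, "")) == wanted:
            return entry.get("memberOf", [])
    return []

def management_login(username: str, password: str) -> Optional[str]:
    """Authentication (Bind), then authorization (group lookup); None means login denied."""
    if not ldap_bind(BIND_DN_TEMPLATE.replace("$", escape_dn_value(username)), password):
        return None
    groups = search_member_of(SEARCH_FILTER_TEMPLATE.replace("$", escape_filter_value(username)))
    # Assumption: the first member group with a configured level wins; the manual does
    # not state a tie-break rule when a user belongs to several configured groups.
    return next((GROUP_ACCESS_LEVELS[g] for g in groups if g in GROUP_ACCESS_LEVELS), None)
```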
■ LDAP-based Management services: This LDAP service works together with the LDAP-based management account (described above), allowing you to use different LDAP service accounts for user authentication and user authorization:
● Management-type LDAP server: This LDAP server account is used only for user authentication. For more information about how it works, see Management-related LDAP Queries, above.