
AudioCodes MediaPack MP-11 Series User Manual

1195 pages
User's Manual 230 Document #: LTRT-27045
Mediant 1000B Gateway & E-SBC
key (filter), which defines the exact DN to search and one or more attributes whose values must be returned to the device must also be configured. For more information on configuring these attributes and search filters, see ''AD-based Routing for Microsoft Skype for Business'' on page 250.

The device can store recent LDAP queries and responses in its local cache. The cache is used for subsequent queries and/or in case of LDAP server failure. For more information, see ''Configuring the Device's LDAP Cache'' on page 241.

If the connection with the LDAP server is broken, the device sends the SNMP alarm, acLDAPLostConnection. Upon successful reconnection, the alarm clears. If the connection with the LDAP server is disrupted during the search, all search requests are dropped and an alarm indicating a failed status is sent to client applications.

Management-related LDAP Queries: LDAP can be used for authenticating and authorizing management users (Web and CLI) and is based on the user's login username and password (credentials) when attempting login to one of the device's management platforms. When configuring the login username (LDAP Bind DN) and password (LDAP Password) to send to the LDAP server, you can use templates based on the dollar ($) sign, which the device replaces with the actual username and password entered by the user during the login attempt. You can also configure the device to send the username and password in clear-text format or encrypted using TLS (SSL).

The device connects to the LDAP server (i.e., an LDAP session is created) only when a login attempt occurs. The LDAP Bind operation establishes the authentication of the user based on the username-password combination. The server typically checks the password against the userPassword attribute in the named entry. A successful Bind operation indicates that the username-password combination is correct; a failed Bind operation indicates that the username-password combination is incorrect.

Once the user is successfully authenticated, the established LDAP session may be used for further LDAP queries to determine the user's management access level and privileges (Operator, Admin, or Security Admin). This is known as the user authorization stage. To determine the access level, the device searches the LDAP directory for groups of which the user is a member, for example:

CN=\# Support Dept,OU=R&D Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
CN=\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com

The device then assigns the user the access level configured for that group (in ''Configuring Access Level per Management Groups Attributes'' on page 239). The location in the directory where you want to search for the user's member group(s) is configured using the following:

Search base object (distinguished name or DN, e.g., "ou=ABC,dc=corp,dc=abc,dc=com"), which defines the location in the directory from where the LDAP search begins and is configured in ''Configuring LDAP DNs (Base Paths) per LDAP Server'' on page 237.

Search filter, for example, (&(objectClass=person)(sAMAccountName=JohnD)), which filters the search in the subtree to include only the specific username. The search filter can be configured with the dollar ($) sign to represent the username, for example, (sAMAccountName=$). To configure the search filter, see ''Configuring the LDAP Search Filter Attribute'' on page 238.

Management attribute (e.g., memberOf), from where objects that match the search filter criteria are returned. This shows the user's member groups. The attribute is configured in the LDAP Servers table (see ''Configuring LDAP Servers'' on page 234).

If the device finds a group, it assigns the user the corresponding access level and permits login; otherwise, login is denied. Once the LDAP response has been received (success or failure), the device ends the LDAP session.
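
The authorization stage described above, modeled as an added Python example (not AudioCodes code, and not how the device is implemented): it expands the $ search-filter template with the login username and maps the returned memberOf groups to an access level. The function names, the group-to-level mapping, the RFC 4515 escaping of the username before substitution, and the "highest matching level wins" rule are assumptions of this example, not statements from the manual.

```python
"""Added example, not AudioCodes code: models the $-template search filter
and the memberOf-to-access-level lookup. All names here are hypothetical."""

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Ascending privilege; "highest match wins" is an assumption of this example.
LEVELS = ["Operator", "Admin", "Security Admin"]

# Constructed mapping of group DN -> access level (the DNs are the page's own).
GROUP_LEVELS = {
    r"CN=\# Support Dept,OU=R&D Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,"
    r"DC=corp,DC=abc,DC=com": "Admin",
    r"CN=\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,"
    r"DC=corp,DC=abc,DC=com": "Operator",
}


def escape_filter_value(value: str) -> str:
    """Escape a login username so it is treated as a literal filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, username: str) -> str:
    """Replace each $ in the filter template with the escaped username."""
    return template.replace("$", escape_filter_value(username))


def _norm(dn: str) -> str:
    # Simplified DN comparison: case-insensitive, surrounding space ignored.
    return dn.strip().casefold()


def resolve_access_level(member_of, group_levels=GROUP_LEVELS):
    """Return the access level for the user's groups, or None (login denied)."""
    wanted = {_norm(dn): level for dn, level in group_levels.items()}
    matched = [wanted[_norm(g)] for g in member_of if _norm(g) in wanted]
    return max(matched, key=LEVELS.index) if matched else None


if __name__ == "__main__":
    # Constructed sample: a normal username and one with filter metacharacters.
    for name in ("JohnD", "John*)(D"):
        print(expand_filter("(&(objectClass=person)(sAMAccountName=$))", name))
    print(resolve_access_level(list(GROUP_LEVELS)))  # both groups matched
```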
