Chapter 8: Authentication
178
2. Enter the Server Address (IP or host name) of the remote Authentication / Authorization server.
Multiple remote servers may be specified in a comma separated list. Each server is tried in
succession
3. Session accounting is on by default. If session accounting information is not wanted, check the
Disable Accounting checkbox. (One reason for not wanting session accounting: if the
authentication server does not respond to accounting requests, said request may introduce a
delay when logging in.)
4. In addition to multiple remote servers you can also enter for separate lists of
Authentication/Authorization servers and Accounting servers. If no Accounting servers are
specified, the Authentication/Authorization servers are used instead
5. Enter the Server Password
6. Click Apply. RADIUS remote authentication is used for all user access to console server and
serially or network attached devices
8.1.4 LDAP authentication
LDAP authentication supports OpenLDAP servers, using the Posix style schema for user and group
definitions.
Performing authentication against any LDAP server (AD or OpenLDAP) is straightforward, as they both
follow the common LDAP standards and protocols. The harder part is configuring how to get the extra
data about the users (the groups they are in, etc).
On an Opengear device, we may be configured to look at group information from an LDAP server for
authentication and authorization. This group information is stored in a number of different ways. Active
Directory has one method, and OpenLDAP has two other methods:
• Active Directory: Each entry for a user will have multiple 'memberOf' attributes. Each 'memberOf'
value is the full DN of the group they belong to. (The entry for the user will be of objectClass
"user")
• OpenLDAP / Posix: Each entry for a user must have a 'gidNumber' attribute. This will be an integer
value, which is the user's primary group (eg. mapping to the /etc/passwd file, with the group ID
field). To determine which group this is, we must search for an entry in the directory that has that
group ID, which will give us the group name. (The users are of objectClass "posixAccount", and
the groups are of objectClass "posixGroup").
• OpenLDAP / Posix: Each group entry in the group tree (of objectClass 'posixGroup') may have
multiple 'memberUid' attributes. These represent secondary groups (eg. mapping to the
/etc/groups file). Each attribute would contain a username.
To Next Page
Loading...
Need help?
General
Weight and Dimensions
