Changes to LDAP Implementation (v1.5.x); User Query Attribute; FTP Access with LDAP Authentication; SSH Access with LDAP Authentication - AMX NX-1200 WebConsole and Programming Manual

NX-Series Controllers, Enova DVX All-in-One Presentation / Digital Media Switchers, Massio ControlPads

The following table provides sample LDIF files:
Sample LDIF Files
Example:
dn: cn=admin,dc=smith,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
Example:
dn: uid=olUser,ou=users,dc=smith,dc=local
cn: user
uid: olUser
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/olUser
sn: olUser

Changes to LDAP Implementation (v1.5.x)

There are numerous changes to LDAP configuration when you upgrade your Master's firmware to version 1.5.x or higher.
Upgrading from version 1.4.x to 1.5.x may require you to make changes to the configuration on your LDAP server.

User Query Attribute

If the server is an LDAP server, the attribute used for the User Query Attribute can be any unique attribute but typically the cn attribute is used.
If the server is an Active Directory server, the attribute used for the User Query Attribute field MUST be sAMAccountName.

If the sAMAccountName attribute is not used, LDAP authentication will work for Telnet and HTTP but not for FTP and
SSH.

FTP Access with LDAP Authentication

If the server is an Active Directory server, the sAMAccountName attribute must be used for the User Query Attribute field on the NX Master's LDAP configuration page.
For FTP access to an NX Master to work using LDAP authentication credentials on an NX Master running firmware version 1.5.x, the following attributes must exist on the user account on the LDAP/Active Directory server: gidNumber, homeDirectory, uidNumber.
If the server is an Active Directory server, the homeDirectory attribute in the user account can contain ANY value.

If the server is an LDAP server, the homeDirectory attribute in the user account MUST be a valid UNIX directory path format (for example, /user or /bin). However, if the homeDirectory attribute contains two levels of directories which do not exist on the NX Master (for example, /bin/nonexistent directory), FTP access will not work.
The uidNumber, gidNumber, homeDirectory, and loginShell attributes MUST be readable by the BINDDN for FTP to work.


SSH Access with LDAP Authentication

Same requirements as FTP (see above)

The user account (on either an Active Directory server or LDAP server) can contain the loginShell attribute, but this attribute is not required.
If the loginShell attribute does exist in the user account and the server is an Active Directory server, the value of the loginShell attribute can be ANY value.
If the loginShell attribute does exist in the user account and the server is an LDAP server, the value of the loginShell attribute MUST be a valid UNIX directory path format (for example, /user or /bin). However, if the loginShell attribute contains two levels of directories which do not exist on the NX Master (for example, /bin/nonexistent directory), SSH access won't work.
The uidNumber, gidNumber, homeDirectory, and loginShell attributes MUST be readable by the BINDDN for SSH to work.
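
The FTP and SSH attribute requirements above can be checked against an LDIF export before upgrading to 1.5.x. The following is an added example, not part of the AMX manual or firmware. It assumes "valid UNIX directory path format" means an absolute slash-separated path, and the badUser record is constructed for illustration.

```python
import re

REQUIRED = ("uidNumber", "gidNumber", "homeDirectory")  # needed for FTP and SSH
# Assumption: "valid UNIX directory path format" is read here as an absolute,
# slash-separated path with no empty components; the manual does not define it further.
UNIX_PATH = re.compile(r"^/(?:[^/]+(?:/[^/]+)*)?/?$")

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records (no base64 values, no folded lines)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        line = line.rstrip()
        if line.startswith("#"):
            continue
        if line:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
        elif cur:  # a blank line closes the current record
            entries.append(cur)
            cur = {}
    return entries

def check_entry(entry, active_directory=False):
    """Return the problems that would block FTP/SSH login for one parsed entry."""
    problems = [f"missing {a}" for a in REQUIRED if a.lower() not in entry]
    if not active_directory:
        # Plain LDAP only: Active Directory accepts any value in these attributes.
        for attr in ("homeDirectory", "loginShell"):  # loginShell is optional
            for value in entry.get(attr.lower(), []):
                if not UNIX_PATH.match(value):
                    problems.append(f"{attr} is not a UNIX path: {value!r}")
    return problems

# Constructed input: the manual's olUser record (trimmed), then a hypothetical
# broken record "badUser" with no gidNumber and a Windows-style homeDirectory.
SAMPLE = """\
dn: uid=olUser,ou=users,dc=smith,dc=local
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/olUser

dn: uid=badUser,ou=users,dc=smith,dc=local
uidNumber: 5002
homeDirectory: C:\\Users\\badUser
"""

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE):
        print(e["dn"][0], check_entry(e) or "OK")
```

Run it on the result of a search performed as the BINDDN, so that attributes the BINDDN cannot read show up as missing. It cannot tell whether a directory actually exists on the NX Master.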

NX-Series Controllers - WebConsole & Programming Guide
Appendix A: LDAP Implementation Details
Example:
dn: ou=users,dc=smith,dc=local
objectClass: organizationalUnit
objectClass: top
ou: users
Example:
dn: uid=olAdmin,ou=users,dc=smith,dc=local
cn: olAdmin
uid: olAdmin
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
uidNumber: 5000
homeDirectory: /home/olAdmin
sn: admin
gidNumber: 5000