Configuring Ldap; Ldap Authentication And Authorization - Cisco MDS 9000 Series Configuration Manual


Configuring LDAP

Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
Configuring Security Features on an External AAA Server

• When global test parameters are added or modified, all the AAA servers which do not have any test parameters configured start getting monitored using the new global test parameters.
• When the server test parameters are removed for a server, or when the idle-time is set to zero (the default value), it starts getting monitored using the global test parameters, if defined.
• If global test parameters are removed or the global idle-time is set to zero, servers for which server test parameters are present will not be affected. However, monitoring will stop for all other servers which were previously being monitored using global parameters.
• If the server monitoring fails with the user-specified server test parameters, the server monitoring does not fall back to global test parameters.

Configuring LDAP

The Lightweight Directory Access Protocol (LDAP) provides centralized validation of users attempting to gain access to a Cisco NX-OS device. LDAP services are maintained in a database on an LDAP daemon running, typically, on a UNIX or Windows NT workstation. You must have access to, and must configure, an LDAP server before the configured LDAP features on your Cisco NX-OS device are available.
LDAP provides separate authentication and authorization facilities. LDAP allows a single access control server (the LDAP daemon) to provide each service (authentication and authorization) independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The LDAP client/server protocol uses TCP (port 389) for transport. Cisco NX-OS devices provide centralized authentication using the LDAP protocol.
Note
If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
This section includes the following topics:

LDAP Authentication and Authorization

Clients establish a TCP connection and an authentication session with an LDAP server through a simple bind (username and password). As part of the authorization process, the LDAP server searches its database to retrieve the user profile and other information.
You can configure the bind operation to first bind and then search, where authentication is performed first and authorization next, or to first search and then bind. The default method is to first search and then bind.
The advantage of searching first and binding later is that the distinguished name (DN) received in the search result can be used as the user DN during binding, rather than forming a DN by prepending the username (cn attribute) to the baseDN. This method is especially helpful when the user DN is different from the username plus the baseDN. For the user bind, the bindDN is constructed as baseDN + append-with-baseDN, where append-with-baseDN has a default value of cn=$userid.
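To make the two bind orderings concrete, here is an added Python model (not Cisco code and not from this guide) of bind-then-search and search-then-bind against a constructed in-memory directory. The directory contents, the role attribute standing in for the user profile, and the RFC 4514 escaping applied to $userid are assumptions for illustration.

```python
import string

BASE_DN = "dc=example,dc=com"

# Constructed sample directory standing in for the LDAP server: DN -> attributes.
# alice's entry lives in a sub-OU, so her DN is not cn=alice,<baseDN>.
DIRECTORY = {
    "cn=bob,dc=example,dc=com": {"cn": "bob", "userPassword": "bob-pw", "role": "network-operator"},
    "uid=alice,ou=engineering,dc=example,dc=com": {"cn": "alice", "userPassword": "alice-pw", "role": "network-admin"},
}

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 special characters)."""
    last = len(value) - 1
    return "".join(
        "\\" + ch if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)) else ch
        for i, ch in enumerate(value)
    )

def build_bind_dn(userid: str, base_dn: str, append_with_base_dn: str = "cn=$userid") -> str:
    """Form the user DN from the append-with-baseDN template (default cn=$userid) and the baseDN."""
    rdn = string.Template(append_with_base_dn).substitute(userid=escape_dn_value(userid))
    return f"{rdn},{base_dn}"

def simple_bind(dn: str, password: str) -> bool:
    """Simulated simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password

def search_user_dn(base_dn: str, userid: str):
    """Simulated subtree search under base_dn for cn=<userid>; returns the entry's DN or None."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + base_dn) and attrs.get("cn") == userid:
            return dn
    return None

def bind_then_search(userid: str, password: str, base_dn: str = BASE_DN):
    """Authenticate with the constructed DN first, then search for the profile (role)."""
    if not simple_bind(build_bind_dn(userid, base_dn), password):
        return None
    dn = search_user_dn(base_dn, userid)
    return DIRECTORY[dn]["role"] if dn else None

def search_then_bind(userid: str, password: str, base_dn: str = BASE_DN):
    """Default method: search first, then bind with the DN the search returned."""
    dn = search_user_dn(base_dn, userid)
    if dn is None or not simple_bind(dn, password):
        return None
    return DIRECTORY[dn]["role"]
```

alice's entry in a sub-OU is the case the guide describes: bind-first fails because cn=alice,dc=example,dc=com does not exist, while search-first binds with the DN the search returned and still retrieves her role.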
