LDAP Configuration and Microsoft Active Directory - HP SN3000B Administrator's Manual

Brocade Fabric OS Administrator's Guide - Supporting Fabric OS v7.0.1 (53-1002446-01, March 2012)
5 The authentication model using RADIUS and LDAP

LDAP configuration and Microsoft Active Directory

LDAP provides user authentication and authorization using the Microsoft Active Directory service in conjunction with LDAP on the switch. There are two modes of operation in LDAP authentication, FIPS mode and non-FIPS mode. This section discusses LDAP authentication in non-FIPS mode. For more information on LDAP in FIPS mode, refer to Chapter 7, "Configuring Security Policies". The following are restrictions when using LDAP in non-FIPS mode:
• There is no password change through Active Directory.
• There is no automatic migration of newly created users from the local switch database to Active Directory. This is a manual process explained later.
• Only IPv4 is supported for LDAP on Windows 2000 and LDAP on Windows Server 2003. For LDAP on Windows Server 2008, both IPv4 and IPv6 are supported.
• LDAP authentication is used on the local switch only and not for the entire fabric.
• You can use the User-Principal-Name and not the Common-Name for AD LDAP authentication. To provide backward compatibility, authentication based on the Common Name is still supported for Active Directory LDAP 2000 and 2003. Common Name-based authentication is not recommended for new installations.
• A user can belong to multiple groups as long as one of the groups is the primary group. The primary group in the AD server should not be set to the group corresponding to the switch role. You can choose any other group.
• A user can be part of any Organizational Unit (OU).
• Active Directory LDAP 2000, 2003, and 2008 are supported.

Roles for Brocade-specific users can be added through the Microsoft Management Console. Groups created in Active Directory must correspond directly to the RBAC user roles on the switch. Role assignments can be achieved by including the user in the respective group. A user can be assigned to multiple groups like Switch Admin and Security Admin. For LDAP servers, you can use the ldapCfg --maprole ldap_role_name switch_role command to map LDAP server permissions to one of the default roles available on a switch. For more information on RBAC roles, see "Role-Based Access Control" on page 82.

NOTE
All instructions involving Microsoft Active Directory can be obtained from www.microsoft.com or your Microsoft documentation. Confer with your system or network administrator prior to configuration for any special needs your network environment may have.

Following is the overview of the process used to set up LDAP:
1. If your Windows Active Directory server for LDAP needs to be verified by the LDAP client (that is, the Brocade switch), then you must install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP. Follow Microsoft instructions for generating and installing CA certificates on a Windows server.
2. Create a user in Microsoft Active Directory server.

Fabric OS Administrator's Guide, 53-1002446-01, page 109
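As an added example (not code from the Fabric OS guide or from Brocade), the following Python check applies the non-FIPS restrictions described in this section to an Active Directory user entry before the switch's ldapCfg --maprole mapping is relied on: it resolves the switch roles a user's groups map to, and flags a missing User-Principal-Name, a primary group that is itself mapped to a switch role, and a user who is in no mapped group. ROLE_MAP, the group names, and the user entries are constructed assumptions, not values from the manual.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed mapping, standing in for what the switch would hold after commands such as
#   ldapCfg --maprole SwitchAdmin admin      (group names are constructed)
ROLE_MAP: Dict[str, str] = {
    "SwitchAdmin": "admin",
    "SecurityAdmin": "securityadmin",
    "FabricOperators": "operator",
}


@dataclass
class ADUser:
    """Minimal view of an AD user entry (constructed; not read from a real directory)."""
    user_principal_name: str   # userPrincipalName, e.g. alice@example.com
    common_name: str           # cn
    member_of: List[str]       # memberOf group DNs
    primary_group: str         # CN of the group behind primaryGroupID


def group_cn(dn: str) -> str:
    """Return the CN of a group DN such as 'CN=SwitchAdmin,OU=SAN,DC=example,DC=com'."""
    rdn = dn.split(",", 1)[0]
    if not rdn.upper().startswith("CN="):
        raise ValueError("group DN does not start with CN=: " + dn)
    return rdn[3:]


def check_user(user: ADUser, role_map: Dict[str, str] = ROLE_MAP) -> Tuple[List[str], List[str]]:
    """Return (switch_roles, findings) for one user.

    switch_roles: roles the switch would grant through the group-to-role mapping.
    findings: violations of the non-FIPS LDAP restrictions described in the text.
    """
    findings: List[str] = []
    # New installations should log on by User-Principal-Name, not Common-Name.
    if "@" not in user.user_principal_name:
        findings.append("no User-Principal-Name set; CN-based logon is legacy only")
    # The AD primary group must not be the group that corresponds to a switch role.
    if user.primary_group in role_map:
        findings.append("primary group %s is mapped to switch role %s"
                        % (user.primary_group, role_map[user.primary_group]))
    # A user may sit in several mapped groups (e.g. Switch Admin and Security Admin).
    roles = sorted({role_map[g] for g in map(group_cn, user.member_of) if g in role_map})
    if not roles:
        findings.append("user is in no group mapped to a switch role")
    return roles, findings
```

Run check_user over each account exported from the OU that holds switch administrators; any non-empty findings list is a configuration to correct before enabling LDAP authentication on the switch.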