If you are using the current version of Cumulus NetQ, the content on this page may not be up to date. The current version of the documentation is available here. If you are redirected to the main page of the user guide, then this page may have been renamed; please search for it there.

Integrate NetQ with Your LDAP Server

With this release and an administrator role, you can integrate NetQ role-based access control (RBAC) with your Lightweight Directory Access Protocol (LDAP) server in on-premises deployments. NetQ keeps control over role-based permissions for the NetQ application; currently there are two roles, admin and user. With the RBAC integration, LDAP handles user authentication through your directory service, such as Microsoft Active Directory, Kerberos, OpenLDAP, or Red Hat Directory Service. A copy of each user from LDAP is stored in the local NetQ database.

Integrating with an LDAP server does not prevent you from configuring local users (stored and managed in the NetQ database) as well.

Read Get Started to become familiar with LDAP configuration parameters, or skip to Create an LDAP Configuration if you are already an LDAP expert.

Get Started

LDAP integration requires information about how to connect to your LDAP server, the type of authentication you plan to use, bind credentials, and, optionally, search attributes.

Provide Your LDAP Server Information

To connect to your LDAP server, you need the URI and bind credentials. The URI identifies the location of the LDAP server: an FQDN (fully qualified domain name) or IP address, and the port on the LDAP server to which the LDAP client connects. For example: myldap.mycompany.com or 192.168.10.2. Typically you use port 389 for a connection over TCP or UDP. In production environments, you deploy a secure connection with SSL; in this case, the port used is typically 636. Setting the Enable SSL toggle automatically sets the server port to 636.

Specify Your Authentication Method

Two methods of user authentication are available: anonymous and basic.

  • Anonymous: LDAP client does not require any authentication. The user can access all resources anonymously. This is not commonly used for production environments.

  • Basic: (Also called Simple) LDAP client must provide a bind DN and password to authenticate the connection. When selected, the Admin credentials appear: Bind DN and Bind Password. You define the distinguished name (DN) using a string of variables. Some common variables include:

    Syntax   Description or Usage
    cn       Common name
    ou       Organizational unit or group
    dc       Domain name
    dc       Domain extension

    • Bind DN: DN of a user with administrator access to query the LDAP server; used for binding with the server. For example, uid=admin,ou=ntwkops,dc=mycompany,dc=com.
    • Bind Password: Password associated with Bind DN.

    The Bind DN and password get sent as clear text. Only users with these credentials can perform LDAP operations.

If you are unfamiliar with the configuration of your LDAP server, contact your administrator to ensure you select the appropriate authentication method and credentials.

Define User Attributes

You need the following two attributes to define a user entry in a directory:

  • Base DN: Location in directory structure where search begins. For example, dc=mycompany,dc=com.
  • User ID: Type of identifier used to specify an LDAP user. This can vary depending on the authentication service you are using. For example, you can use the user ID (UID) or email address with OpenLDAP, whereas you might use the sAMAccountName with Active Directory.

Optionally, you can specify the first name, last name, and email address of the user.

Set Search Attributes

While optional, specifying search scope indicates where to start and how deep a given user can search within the directory. You specify the data to search for in the search query.

Search scope options include:

  • Subtree: Search for users from base, subordinates at any depth (default)
  • Base: Search for users at the base level only; no subordinates
  • One Level: Search for immediate children of user; not at base or for any descendants
  • Subordinate: Search for subordinates at any depth of user; but not at base

A typical search query for users could be {userIdAttribute}={userId}.

Now that you are familiar with the various LDAP configuration parameters, you can configure the integration of your LDAP server with NetQ using the instructions in the next section.

Create an LDAP Configuration

You can configure one LDAP server per bind DN (distinguished name). After you configure LDAP, you can validate the connectivity (and configuration) and save the configuration.

To create an LDAP configuration:

  1. Click , then select Management under Admin.

  2. Locate the LDAP Server Info card, and click Configure LDAP.

  3. Fill out the LDAP Server Configuration form according to your particular configuration. Refer to Overview for details about the various parameters.

    Note: Items with an asterisk (*) are required. All others are optional.

  4. Click Save to complete the configuration, or click Cancel to discard the configuration.

The LDAP configuration cannot be changed after it is saved. If you need to change the configuration, you must delete the current LDAP configuration and create a new one. Note that if you change the LDAP server configuration, all users created against that LDAP server remain in the NetQ database and continue to be visible, but are no longer viable. You must manually delete those users if you do not want to see them.

Example LDAP Configurations

A variety of example configurations are provided here. Scenarios 1-3 are based on using an OpenLDAP or similar authentication service. Scenario 4 is based on using the Active Directory service for authentication.

Scenario 1: Base Configuration

In this scenario, we are configuring the LDAP server with anonymous authentication, a User ID based on an email address, and a search scope of base.

Parameter            Value
Host Server URL      ldap1.mycompany.com
Host Server Port     389
Authentication       Anonymous
Base DN              dc=mycompany,dc=com
User ID              email
Search Scope         Base
Search Query         {userIdAttribute}={userId}

Scenario 2: Basic Authentication and Subset of Users

In this scenario, we are configuring the LDAP server with basic authentication, for access only by the persons in the network operators group, and a limited search scope.

Parameter            Value
Host Server URL      ldap1.mycompany.com
Host Server Port     389
Authentication       Basic
Admin Bind DN        uid=admin,ou=netops,dc=mycompany,dc=com
Admin Bind Password  nqldap!
Base DN              dc=mycompany,dc=com
User ID              UID
Search Scope         One Level
Search Query         {userIdAttribute}={userId}

Scenario 3: Scenario 2 with Widest Search Capability

In this scenario, we are configuring the LDAP server with basic authentication, for access only by the persons in the network administrators group, and an unlimited search scope.

Parameter            Value
Host Server URL      192.168.10.2
Host Server Port     389
Authentication       Basic
Admin Bind DN        uid=admin,ou=netadmin,dc=mycompany,dc=com
Admin Bind Password  1dap*netq
Base DN              dc=mycompany, dc=net
User ID              UID
Search Scope         Subtree
Search Query         {userIdAttribute}={userId}

Scenario 4: Scenario 3 with Active Directory Service

In this scenario, we are configuring the LDAP server with basic authentication, for access only by the persons in the given Active Directory group, and an unlimited search scope.

Parameter            Value
Host Server URL      192.168.10.2
Host Server Port     389
Authentication       Basic
Admin Bind DN        cn=netq,ou=45,dc=mycompany,dc=com
Admin Bind Password  nq&4mAd!
Base DN              dc=mycompany, dc=net
User ID              sAMAccountName
Search Scope         Subtree
Search Query         {userIdAttribute}={userId}
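Putting the parameters from Get Started and the scenario tables together, the following added example (not NetQ code) checks a configuration for the constraints described on this page and expands the search query template into an LDAP filter with RFC 4515 escaping, so that the user ID entered in the Add User form cannot alter the filter structure. The dictionary keys, function names and the scope numbering are assumptions; the sample configuration is constructed from the Scenario 2 table.

```python
import re

# NetQ search scope names mapped to the LDAP scope values client libraries use
# (base=0, oneLevel=1, subtree=2; "subordinate" is the LDAP extension scope 3).
SCOPES = {"base": 0, "one level": 1, "subtree": 2, "subordinate": 3}

# RFC 4515 escaping so a user ID typed into the Add User form cannot change the
# structure of the filter built from the "{userIdAttribute}={userId}" template.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(c, c) for c in value)

def build_search_filter(template: str, user_id_attribute: str, user_id: str) -> str:
    """Expand the NetQ search query template into a parenthesised LDAP filter."""
    body = (template.replace("{userIdAttribute}", user_id_attribute)
                    .replace("{userId}", escape_filter_value(user_id)))
    return body if body.startswith("(") else f"({body})"

def validate_config(cfg: dict) -> list:
    """Return the problems found in a NetQ-style LDAP configuration (empty means OK)."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9.-]+", cfg.get("host", "")):
        problems.append("host must be an FQDN or IP address, without scheme or port")
    if cfg.get("ssl") and cfg.get("port") != 636:   # Enable SSL toggle sets 636
        problems.append("SSL is enabled but the port is not 636")
    if cfg.get("auth") == "Basic":
        if not (cfg.get("bind_dn") and cfg.get("bind_password")):
            problems.append("Basic authentication needs both Bind DN and Bind Password")
        if not cfg.get("ssl"):   # the page notes the bind credentials go as clear text
            problems.append("Bind DN and password travel in clear text without SSL")
    elif cfg.get("auth") != "Anonymous":
        problems.append("authentication must be Anonymous or Basic")
    if cfg.get("scope", "").lower() not in SCOPES:
        problems.append(f"unknown search scope {cfg.get('scope')!r}")
    query = cfg.get("query", "")
    if "{userIdAttribute}" not in query or "{userId}" not in query:
        problems.append("search query must use {userIdAttribute} and {userId}")
    return problems

# Constructed from the Scenario 2 table on this page (key names are assumed).
SCENARIO_2 = {
    "host": "ldap1.mycompany.com", "port": 389, "ssl": False, "auth": "Basic",
    "bind_dn": "uid=admin,ou=netops,dc=mycompany,dc=com", "bind_password": "nqldap!",
    "base_dn": "dc=mycompany,dc=com", "user_id_attribute": "uid",
    "scope": "One Level", "query": "{userIdAttribute}={userId}",
}
```

Calling validate_config(SCENARIO_2) flags only the clear-text bind over port 389; the same configuration with ssl=True and port 636 passes cleanly.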

Add LDAP Users to NetQ

  1. Click , then select Management under Admin.

  2. Locate the User Accounts card, and click Manage.

  3. On the User Accounts tab, click Add User.

  4. Select LDAP User.

  5. Enter the user’s ID.

  6. Enter your administrator password.

  7. Click Search.

  8. If the user is found, the email address, first and last name fields are automatically filled in on the Add New User form. If searching is not enabled on the LDAP server, you must enter the information manually.

    If the fields are not automatically filled in, and searching is enabled on the LDAP server, you might require changes to the mapping file.

  9. Select the NetQ user role for this user, admin or user, in the User Type dropdown.

  10. Enter your admin password, and click Save, or click Cancel to discard the user account.

    LDAP user passwords are not stored in the NetQ database and are always authenticated against LDAP.

  11. Repeat these steps to add additional LDAP users.

Remove LDAP Users from NetQ

You can remove LDAP users in the same manner as local users.

  1. Click , then select Management under Admin.

  2. Locate the User Accounts card, and click Manage.

  3. Select the user or users you want to remove.

  4. Click in the Edit menu.

If you delete an LDAP user in LDAP it is not automatically deleted from NetQ; however, the login credentials for these LDAP users stop working immediately.