ldap base-dn


ldap base-dn <string>
no ldap base-dn

Sets the base distinguished name (location) of the user information in the schema of the LDAP server.
The no form of the command resets the attribute to its default values.

Syntax Description:
  string – A case-sensitive string that specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.
  For example: "ou=users,dc=example,dc=com", with no spaces.
  Where:
  • ou – organizational unit
  • dc – domain component
  • cn – common name
  • sn – surname
Default: ou=users,dc=example,dc=com
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # ldap base-dn ou=department,dc=example,dc=com
Related Commands

show ldap

Notes

ldap {bind-dn | bind-password}


ldap {bind-dn | bind-password} <string>
no ldap {bind-dn | bind-password}

Gives the distinguished name or password to bind to on the LDAP server. This can be left empty for anonymous login (the default).
The no form of the command resets the attribute to its default values.

Syntax Description:
  string – A case-sensitive string that specifies the distinguished name or password to bind to on the LDAP server
Default: ""
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # ldap bind-dn my-dn
ufmapl [ mgmt-sa ] (config) # ldap bind-password my-password
Related Commands

show ldap

Notes: For anonymous login, bind-dn and bind-password should be empty strings ("").

ldap {group-attribute | group-dn}


ldap {group-attribute {<group-att> | member | uniqueMember} | group-dn <group-dn>}
no ldap {group-attribute | group-dn}

Sets the distinguished name or attribute name of a group on the LDAP server.
The no form of the command resets the attribute to its default values.

Syntax Description:
  group-att – Specifies a custom attribute name
  member – groupOfNames or group membership attribute
  uniqueMember – groupOfUniqueNames membership attribute
  group-dn – DN of the group required for authorization
Default:
  group-att: member
  group-dn: ""
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # ldap group-attribute member
ufmapl [ mgmt-sa ] (config) # ldap group-dn my-group-dn
Related Commands

show ldap

Notes
  • The user's distinguished name must be listed as one of the values of the group attribute, or the user will not be authorized to log in.
  • After login authentication, if group-dn is set, the user must be a member of this group or the user will not be authorized to log in. If group-dn is not set ("", the default), no authorization checks are done.
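
The authorization step described in the notes above, modelled in Python as an added example (this is not code from the UFM documentation or product). A small constructed in-memory directory stands in for the LDAP server; the group DNs, user DNs and the dn_key/is_authorized helper names are assumptions made for the illustration. It shows the three outcomes the notes describe: an empty group-dn skips the check, a user listed under the configured group attribute is authorized, and a user who is not listed (including the case where the configured attribute does not match the group's object class, e.g. member against a groupOfUniqueNames) is refused.

```python
# Constructed sample directory (stands in for the LDAP server): group DN -> attributes.
# Values are lists, as LDAP attributes are multi-valued.
GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=users,dc=example,dc=com"],
    },
    "cn=operators,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=bob,ou=users,dc=example,dc=com"],
    },
}


def dn_key(dn):
    """Comparison key for a DN: trim whitespace around each RDN and lower-case it.

    Assumption: no escaped commas inside attribute values (enough for the sample data).
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_authorized(user_dn, group_dn, group_attribute="member", groups=GROUPS):
    """Authorization check run after the user has already authenticated.

    Returns True when the user may log in:
      - group_dn == "" (the default): no authorization check at all;
      - otherwise user_dn must appear among the values of group_attribute on the group entry.
    """
    if group_dn == "":
        return True  # no group configured, so no authorization check is done

    index = {dn_key(dn): attrs for dn, attrs in groups.items()}
    group = index.get(dn_key(group_dn))
    if group is None:
        return False  # configured group does not exist: nobody can be authorized

    # With the wrong attribute name (e.g. "member" on a groupOfUniqueNames) this set is empty.
    members = {dn_key(m) for m in group.get(group_attribute, [])}
    return dn_key(user_dn) in members


if __name__ == "__main__":
    alice = "uid=alice,ou=users,dc=example,dc=com"
    bob = "uid=bob,ou=users,dc=example,dc=com"
    admins = "cn=admins,ou=groups,dc=example,dc=com"
    operators = "cn=operators,ou=groups,dc=example,dc=com"
    print("alice in admins via member:", is_authorized(alice, admins, "member"))
    print("bob in admins via member:", is_authorized(bob, admins, "member"))
    print("bob in operators via uniqueMember:", is_authorized(bob, operators, "uniqueMember"))
    print("bob in operators via member (mismatch):", is_authorized(bob, operators, "member"))
    print("bob with no group-dn:", is_authorized(bob, ""))
```

The attribute-mismatch case is the one most worth checking after changing ldap group-attribute: with the wrong attribute configured, every login is refused even though the group exists and lists the user.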

ldap host


ldap host <ip-address> [order <number> last]
no ldap host <ip-address>

Adds an LDAP server to the set of servers used for authentication.
The no form of the command deletes the LDAP host.

Syntax Description:
  ip-address – IP address
  number – The order of the LDAP server
  last – The LDAP server will be added in the last location
Default: N/A
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # ldap host 10.10.10.10
Related Commands

show aaa
show ldap

Notes
  • The system will select the LDAP host to try according to its order
  • New servers are by default added at the end of the list of servers

ldap login-attribute


ldap login-attribute {<string> | uid | sAMAccountName}
no ldap login-attribute

Sets the attribute name which contains the login name of the user.
The no form of the command resets this attribute to its default.

Syntax Description:
  string – Custom attribute name
  uid – LDAP login name is taken from the user login username
  sAMAccountName – SAM account name, Active Directory login name
Default: N/A
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # ldap login-attribute uid
Related Commands

show aaa
show ldap

Notes

ldap port


ldap port <port>
no ldap port

Sets the TCP port on the LDAP server to connect to for authentication.
The no form of the command resets this attribute to its default value.

Syntax Description:
  port – TCP port number
Default: 389
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # ldap port 1111
Related Commands

show aaa
show ldap

Notes

ldap referrals


ldap referrals
no ldap referrals

Enables LDAP referrals.
The no form of the command disables LDAP referrals.

Syntax Description: N/A
Default: Enabled
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # no ldap referrals
Related Commands

show aaa
show ldap

Notes: Referral is the process by which an LDAP server, instead of returning a result, returns a referral (a reference) to another LDAP server which may contain further information.

ldap scope


ldap scope <scope>
no ldap scope

Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.
The no form of the command resets the attribute to its default value.

Syntax Description:
  scope – One of:
  • one-level – searches the immediate children of the base DN
  • subtree – searches at the base DN and all its children
Default: subtree
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # ldap scope subtree
Related Commands

show aaa
show ldap

Notes
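
How ldap base-dn, ldap scope and ldap login-attribute combine to locate the user entry, as an added Python example (not code from the UFM documentation or product). A constructed in-memory directory with a nested organizational unit stands in for the LDAP server; the entry DNs, attribute values and the parse_dn/in_scope/find_user helper names are assumptions made for the illustration. It shows that one-level finds only entries directly under the base DN, subtree also finds entries in nested OUs, and an entry outside the base DN is never found regardless of scope.

```python
# Constructed sample directory (stands in for the LDAP server): entry DN -> attributes.
DIRECTORY = {
    "ou=users,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=users,dc=example,dc=com": {"uid": ["alice"], "sAMAccountName": ["ALICE"]},
    "ou=admins,ou=users,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=carol,ou=admins,ou=users,dc=example,dc=com": {"uid": ["carol"], "sAMAccountName": ["CAROL"]},
    "uid=dave,ou=contractors,dc=example,dc=com": {"uid": ["dave"]},
}


def parse_dn(dn):
    """Split a DN into its RDNs ordered root-first (the rightmost RDN is the root).

    Assumption: no escaped commas inside values; RDNs are compared case-insensitively.
    """
    rdns = [part.strip().lower() for part in dn.split(",") if part.strip()]
    return list(reversed(rdns))


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies inside the search defined by base_dn and scope."""
    base, entry = parse_dn(base_dn), parse_dn(entry_dn)
    if entry[: len(base)] != base:
        return False  # entry is not under the base DN at all
    depth = len(entry) - len(base)
    if scope == "one-level":
        return depth == 1  # immediate children of the base DN only
    if scope == "subtree":
        return True  # the base entry itself and everything beneath it
    raise ValueError(f"unknown scope {scope!r}")


def find_user(directory, base_dn, scope, login_attribute, login_name):
    """Return the DNs of in-scope entries whose login attribute equals login_name.

    This is the lookup the appliance performs before binding as the user; an empty
    result means the login is refused because no matching entry was found.
    """
    return [
        dn
        for dn, attrs in directory.items()
        if in_scope(dn, base_dn, scope) and login_name in attrs.get(login_attribute, [])
    ]


if __name__ == "__main__":
    base = "ou=users,dc=example,dc=com"
    for scope in ("one-level", "subtree"):
        for name in ("alice", "carol", "dave"):
            print(f"{scope:9s} uid={name}: {find_user(DIRECTORY, base, scope, 'uid', name)}")
    print("sAMAccountName CAROL, subtree:", find_user(DIRECTORY, base, "subtree", "sAMAccountName", "CAROL"))
```

The practical consequence: a user placed in a nested OU under the base DN is only found when ldap scope is subtree, and a user placed outside the base DN is never found, so login failures after a directory reorganization are worth checking against base-dn and scope before anything else.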

ldap ssl


ldap ssl {cert-verify | mode <mode> | port <port-number>}
no ldap ssl {cert-verify | mode | port}

Sets SSL parameters for LDAP.
The no form of the command resets the attribute to its default value.

Syntax Description:
  cert-verify – Enables verification of SSL/TLS server certificates. This may be required if the server's certificate is self-signed, or does not match the name of the server.
  mode – Sets the security mode for connections to the LDAP server.
  • none – requests no encryption for the LDAP connection
  • ssl – the SSL port configuration is used; an SSL connection is made before LDAP requests are sent (LDAP over SSL)
  • tls – the normal LDAP port is used; an LDAP connection is initiated, and then TLS is started on this existing connection
  port – Sets the port on the LDAP server to connect to for authentication when the SSL security mode is enabled (LDAP over SSL)
Default:
  cert-verify is enabled
  mode is none (LDAP SSL is not activated)
  port-number is 636
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # ldap ssl mode ssl
Related Commands

show aaa
show ldap

Notes
  • If available, the TLS mode is recommended, as it is standardized, and may also be of higher security
  • The port number is used only for SSL mode. If the mode is TLS, the LDAP port number will be used.

ldap timeout


ldap {timeout-bind | timeout-search} <seconds>
no ldap {timeout-bind | timeout-search}

Sets a global communication timeout in seconds, for the bind or the search operation, that applies to all LDAP servers.
The no form of the command resets the attribute to its default value.

Syntax Description:
  timeout-bind – Sets the global LDAP bind timeout for all LDAP servers
  timeout-search – Sets the global LDAP search timeout for all LDAP servers
  seconds – Range: 1-60
Default: 5 seconds
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # ldap timeout-bind 10
Related Commands

show aaa
show ldap

Notes

ldap version


ldap version <version>
no ldap version

Sets the LDAP version.
The no form of the command resets the attribute to its default value.

Syntax Description:
  version – Sets the LDAP version. Possible values: 2 or 3.
Default: 3
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # ldap version 3
Related Commands

show aaa
show ldap

Notes

show ldap


show ldap

Displays LDAP configurations.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any configuration mode
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # show ldap
User base DN      : ou=department,dc=example,dc=com
User search scope : subtree
Login attribute   : uid
Bind DN           : my-dn
Bind password     : my-password
Group base DN     : my-group-dn
Group attribute   : member
LDAP version      : 3
Referrals         : no
Server port       : 1111
Search Timeout    : 5
Bind Timeout      : 10
SSL mode          : none
Server SSL port   : 636 (not active)
SSL cert verify   : yes

LDAP servers:
  1: 10.10.10.10
  2: 10.10.10.12
Related Commands

show aaa
show ldap

Notes
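
A configuration review of the show ldap output, as an added Python example (not code from the UFM documentation or product). It parses the output format shown above into a settings dictionary and flags the settings this reference already identifies as weak or permissive: SSL mode none (credentials and the bind password travel unencrypted), SSL mode ssl where the ldap ssl notes recommend tls, certificate verification disabled, LDAP version 2 (obsolete), and an empty group base DN (no authorization check). The first sample is the page's own show ldap output; the second is a constructed variant with weak settings. The parse_show_ldap/audit_ldap_settings helper names, the finding codes, and the way an empty group DN is printed are assumptions made for the illustration.

```python
import re

# Sample 1: the "show ldap" output from the page, pasted as a string.
SAMPLE_SHOW_LDAP = """\
User base DN      : ou=department,dc=example,dc=com
User search scope : subtree
Login attribute   : uid
Bind DN           : my-dn
Bind password     : my-password
Group base DN     : my-group-dn
Group attribute   : member
LDAP version      : 3
Referrals         : no
Server port       : 1111
Search Timeout    : 5
Bind Timeout      : 10
SSL mode          : none
Server SSL port   : 636 (not active)
SSL cert verify   : yes

LDAP servers:
  1: 10.10.10.10
  2: 10.10.10.12
"""

# Sample 2 (constructed): the same output with several weak settings.
# Assumption: an unset group base DN prints as an empty value.
WEAK_SHOW_LDAP = (
    SAMPLE_SHOW_LDAP.replace("SSL mode          : none", "SSL mode          : ssl")
    .replace("SSL cert verify   : yes", "SSL cert verify   : no")
    .replace("LDAP version      : 3", "LDAP version      : 2")
    .replace("Group base DN     : my-group-dn", "Group base DN     : ")
)


def parse_show_ldap(text):
    """Parse 'show ldap' output into {setting: value} plus an ordered 'servers' list."""
    settings, servers, in_servers = {}, [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "LDAP servers:":
            in_servers = True
            continue
        if in_servers:
            m = re.match(r"\s*(\d+):\s*(\S+)", line)  # "  1: 10.10.10.10"
            if m:
                servers.append((int(m.group(1)), m.group(2)))
            continue
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            settings[key.strip()] = value.strip()
    settings["servers"] = [host for _, host in sorted(servers)]
    return settings


def audit_ldap_settings(settings):
    """Return (code, message) findings for the permissive settings named in the reference."""
    findings = []
    mode = settings.get("SSL mode", "none").lower()
    if mode == "none":
        findings.append(("CLEARTEXT", "SSL mode is none: user credentials and the bind password "
                                      "cross the network unencrypted"))
    elif mode == "ssl":
        findings.append(("SSL_NOT_TLS", "SSL mode is ssl: tls (StartTLS on the normal LDAP port) "
                                        "is the recommended mode where the server supports it"))
    if settings.get("SSL cert verify", "yes").lower() != "yes":
        findings.append(("NO_CERT_VERIFY", "SSL cert verify is no: the server certificate is not "
                                           "checked once an SSL/TLS mode is enabled"))
    if settings.get("LDAP version") == "2":
        findings.append(("LDAPV2", "LDAP version 2 is obsolete; use version 3"))
    if settings.get("Group base DN", "") == "":
        findings.append(("NO_GROUP_CHECK", "Group base DN is empty: no authorization check, every "
                                           "authenticated directory user may log in"))
    if not settings.get("servers"):
        findings.append(("NO_SERVERS", "no LDAP servers configured"))
    return findings


if __name__ == "__main__":
    for label, text in (("page sample", SAMPLE_SHOW_LDAP), ("weak sample", WEAK_SHOW_LDAP)):
        print(label)
        for code, message in audit_ldap_settings(parse_show_ldap(text)):
            print(f"  [{code}] {message}")
```

Running the audit over the page's own example reports only the cleartext finding, since that configuration leaves SSL mode at none while binding with a password; the weak sample shows how the remaining checks fire.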