date 2025-11-16

LDAP server settings can be configured with NVUE.

Configure the following connection settings:

The hostname or IP address of the LDAP server from which you want to import users. If you use multiple LDAP servers, you can also set a priority for each server.

The port number of the LDAP server, if it listens on a non-default port. The default LDAP port is 389 (TCP and UDP).

Authenticated (Simple) BIND credentials. The BIND credentials are optional; if you do not specify them, the switch binds anonymously, so the directory must allow anonymous searches of the user entries. A simple BIND sends the bind DN and secret to the server in cleartext, so protect them with SSL or Start TLS (see the SSL options below). To use SASL (Simple Authentication and Security Layer) BIND, which authenticates with other mechanisms such as Kerberos, contact your LDAP server administrator for the required authentication information.

The following example configures the LDAP server and port, and the BIND credentials.

admin@nvos:~$ nv set system aaa ldap server ldapserver1
admin@nvos:~$ nv set system aaa ldap port 388
admin@nvos:~$ nv set system aaa ldap bind-dn CN=nvset-admin,CN=Users,DC=rtp,DC=example,DC=test
admin@nvos:~$ nv set system aaa ldap secret 1Q2w3e4r!
admin@nvos:~$ nv config apply

The following example sets the priority to 2 for ldapserver2 when using multiple LDAP servers:

admin@nvos:~$ nv set system aaa ldap server ldapserver2 priority 2
admin@nvos:~$ nv config apply





To control the order in which NVOS tries the available authentication methods when it verifies a user's access to the switch, set the authentication order. By default, NVOS verifies users against their local passwords.

When AAA authentication failthrough is enabled and the authentication order starts with LDAP, NVOS falls back to local password authentication if the LDAP servers do not have the user in the directory or do not respond. Local accounts therefore remain a valid login path even when LDAP is in use, so they need strong passwords and their logins should be monitored.

If no LDAP server is available, local authentication is applied.

To set the authentication order to start with LDAP before local authentication:

admin@nvos:~$ nv set system aaa authentication order ldap,local
admin@nvos:~$ nv config apply





When an LDAP client requests information about a resource, it must connect and bind to the server and then perform one or more queries, depending on the lookup. Every search the switch sends uses the configured search base and filter together with the entry it wants (for example, uid=myuser). If the LDAP directory is large and the search base is the root of the tree, each lookup can take a long time. Define a more specific search base for the common maps (passwd and group) so that only the relevant subtree is searched.

admin@nvos:~$ nv set system aaa ldap base-dn ou=support,dc=rtp,dc=example,dc=test
admin@nvos:~$ nv config apply





NVOS uses LDAP version 3 by default. LDAP version 2 is obsolete (RFC 3494 moved it to Historic status in 2003) and does not support Start TLS or SASL bind, so change the version only if a legacy directory requires it:

admin@nvos:~$ nv set system aaa ldap version 2
admin@nvos:~$ nv config apply





NVOS provides two timeout settings:

The bind timeout sets the number of seconds before the BIND operation times out. The default is 5 seconds.

The search timeout sets the number of seconds before the search times out. The default is 5 seconds.

The following example sets both the BIND timeout and the search timeout to 60 seconds. Keep in mind that long timeouts delay the fallback to local authentication when a server is unreachable: a login can wait for the bind timeout, and then the search timeout, for every server the switch tries before it reaches the local password.

admin@nvos:~$ nv set system aaa ldap timeout-bind 60
admin@nvos:~$ nv set system aaa ldap timeout-search 60
admin@nvos:~$ nv config apply





You can configure the following SSL options:

SSL mode. You can specify none, ssl, or start-tls. With none, the simple BIND credentials and the directory data travel over the network in cleartext.

SSL port.

SSL certificate validation. Enable it so that the switch checks the server certificate against the Certificate Authorities list; without it, an on-path attacker can present any certificate, terminate the TLS session, and capture the BIND credentials.

SSL cipher suites. You can specify TLS1.2, TLS1.3, TLS-CIPHERS, or all.

SSL CRL check.

To use IPv6 with SSL or Start TLS, you must set the hostname of the LDAP server instead of the IPv6 address with the nv set system aaa ldap server <hostname> command. See Configure LDAP Server Settings.

The following example sets the SSL mode to SSL, the port to 8443, enables SSL certificate verification, sets the SSL cipher suites to TLS1.3, and sets the Certificate Authorities list to /etc/ssl/certs/ca-certificates.crt.

admin@nvos:~$ nv set system aaa ldap ssl mode ssl
admin@nvos:~$ nv set system aaa ldap ssl port 8443
admin@nvos:~$ nv set system aaa ldap ssl cert-verify enabled
admin@nvos:~$ nv set system aaa ldap ssl tls-ciphers TLS1.3
admin@nvos:~$ nv config apply





To show the LDAP configuration settings on the switch, run the following commands:

nv show system aaa ldap shows all the LDAP configuration settings.

nv show system aaa ldap server shows the configured LDAP servers and their priorities.

nv show system aaa ldap server <server-id> shows the priority for the specified LDAP server.

nv show system aaa ldap ssl shows the LDAP SSL configuration settings.

The following example shows all the LDAP configuration settings:

admin@nvos:~$ nv show system aaa ldap
               operational                                        applied
-------------- -------------------------------------------------- --------------------------------------------------
bind-dn        CN=nvset-admin,CN=Users,DC=rtp,DC=example,DC=test  CN=nvset-admin,CN=Users,DC=rtp,DC=example,DC=test
base-dn        ou=users,dc=example,dc=com                         ou=users,dc=example,dc=com
port           389                                                388
timeout-bind   5                                                  5
timeout-search 5                                                  5
secret         $nvsec$4fb719e24167246947d4f746f58696fc            $nvsec$4fb719e24167246947d4f746f58696fc
version        3                                                  3
[server]       ldapserver1                                        ldapserver1
ssl
  mode         ssl                                                ssl
  port         8443                                               8443
  cert-verify  enabled                                            enabled
  tls-ciphers  TLS1.3                                             TLS1.3
...

The following example shows the configured LDAP servers and their priorities:

admin@nvos:~$ nv show system aaa ldap server
Hostname     Priority
-----------  --------
ldapserver1  1
ldapserver2  2

The following example shows the SSL configuration settings:

admin@nvos:~$ nv show system aaa ldap ssl
             operational                        applied
-----------  ---------------------------------  ---------------------------------
mode         ssl                                ssl
port         8443                               8443
cert-verify  enabled                            enabled
tls-ciphers  TLS1.3                             TLS1.3
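The settings described in the sections above (SSL mode, certificate verification, LDAP version, the BIND credentials, and the two timeouts) are easiest to review from the nv show system aaa ldap output. The following Python script is an added example and not code from NVOS or NVUE: it parses show output in the layout printed above and flags the weak combinations. The two embedded outputs are constructed for the example, the finding codes are the script's own, and the stall estimate assumes the switch tries its servers one after another with both timeouts expiring on a dead server, which this page does not state.

```python
"""Audit `nv show system aaa ldap` output for weak LDAP settings.
Added example, not part of NVOS or NVUE; the samples are constructed to match
this page's table layout, and the finding codes are this script's own."""
from __future__ import annotations

# Constructed sample modelled on the page's `nv show system aaa ldap` output.
SAMPLE_SHOW_OUTPUT = """\
               operational                                        applied
-------------- -------------------------------------------------- --------------------------------------------------
bind-dn        CN=nvset-admin,CN=Users,DC=rtp,DC=example,DC=test  CN=nvset-admin,CN=Users,DC=rtp,DC=example,DC=test
base-dn        ou=users,dc=example,dc=com                         ou=users,dc=example,dc=com
port           389                                                388
timeout-bind   5                                                  5
timeout-search 5                                                  5
version        3                                                  3
[server]       ldapserver1                                        ldapserver1
ssl
  mode         ssl                                                ssl
  port         8443                                               8443
  cert-verify  enabled                                            enabled
  tls-ciphers  TLS1.3                                             TLS1.3
"""

# Constructed weak configuration the checks must catch: cleartext LDAP, no
# bind-dn, LDAPv2, and the page's 60-second timeouts.
WEAK_SHOW_OUTPUT = """\
               operational    applied
-------------- -------------- --------------
port           389            389
timeout-bind   60             60
timeout-search 60             60
version        2              2
[server]       ldapserver1    ldapserver1
ssl
  mode         none           none
  cert-verify  disabled       disabled
"""

Config = dict[str, tuple[str, str]]


def parse_show_output(text: str) -> Config:
    """Return {key: (operational, applied)}; rows indented under a single-token
    row such as "ssl" are stored as "ssl.<key>"."""
    cfg: Config = {}
    section = ""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("-") or tokens[0] == "operational":
            continue  # blank line, dashed rule, or column header
        if not line[0].isspace():
            section = ""  # a top-level row ends the current sub-table
        if len(tokens) == 1:
            section = tokens[0]
            continue
        key = f"{section}.{tokens[0]}" if section else tokens[0]
        applied = tokens[2] if len(tokens) > 2 else tokens[1]
        cfg[key] = (tokens[1], applied)
    return cfg


def worst_case_stall_seconds(cfg: Config, server_count: int) -> int:
    """Seconds a login can wait before failthrough to local authentication.
    Assumption (not stated on the page): servers are tried in turn and a dead
    server consumes the whole bind timeout plus the whole search timeout."""
    applied = {k: v[1] for k, v in cfg.items()}
    return server_count * (int(applied.get("timeout-bind", "5"))
                           + int(applied.get("timeout-search", "5")))


def audit(cfg: Config, server_count: int = 1) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing was flagged."""
    findings: list[tuple[str, str]] = []
    applied = {k: v[1] for k, v in cfg.items()}
    mode = applied.get("ssl.mode", "none")
    if mode == "none":
        findings.append(("CLEARTEXT", "ssl mode none: BIND credentials and directory data are sent unencrypted"))
    elif applied.get("ssl.cert-verify") != "enabled":
        findings.append(("NO_CERT_VERIFY", f"ssl mode {mode} without cert-verify: the server is not authenticated"))
    if applied.get("version") == "2":
        findings.append(("LDAPV2", "LDAP version 2 is obsolete and lacks Start TLS and SASL bind"))
    if not applied.get("bind-dn"):
        findings.append(("ANONYMOUS_BIND", "no bind-dn: user lookups run as an anonymous bind"))
    # operational != applied means the running state differs from the applied
    # value; the page's own output shows port 389 operational against 388 applied.
    for key, (operational, value) in cfg.items():
        if operational != value:
            findings.append(("PENDING_CHANGE", f"{key}: applied {value}, operational {operational}"))
    stall = worst_case_stall_seconds(cfg, server_count)
    if stall > 30:
        findings.append(("SLOW_FAILTHROUGH", f"up to {stall}s before local fallback with {server_count} server(s)"))
    return findings
```

Run it over a saved copy of the real show output rather than the constructed samples. On the page's own output the only finding is PENDING_CHANGE for the port (388 applied, 389 operational), which is worth resolving before relying on the new port; on the weak sample it reports CLEARTEXT, LDAPV2, ANONYMOUS_BIND, and, with two servers and the 60-second timeouts, a possible 240-second wait before local fallback.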



