NVIDIA UFM-SDN Appliance Command Reference Guide v4.12.1
NVIDIA UFM-SDN Appliance Command Reference Guide v4.12.1

LDAP

ldap base-dn <string>
no ldap base-dn

Sets the base distinguished name (location) of the user information in the schema of the LDAP server.
The no form of the command resets the attribute to its default values.

Syntax Description

string

A case-sensitive string that specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.
For example: "ou=users,dc=example,dc=com", with no spaces.
Where:

  • ou – organizational unit

  • dc – domain component

  • cn – common name

  • sn – surname

Default

ou=users,dc=example,dc=com

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # ldap base-dn ou=department,dc=example,dc=com

Related Commands

show ldap

Notes

ldap {bind-dn | bind-password} <string>
no ldap {bind-dn | bind-password}

Gives the distinguished name or password to bind to on the LDAP server. This can be left empty for anonymous login (the default).
The no form of the command resets the attribute to its default values.

Syntax Description

string

A case-sensitive string that specifies distinguished name or password to bind to on the LDAP server

Default

""

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # ldap bind-dn my-dn ufmapl [ mgmt-sa ] (config) # ldap bind-password my-password

Related Commands

show ldap

Notes

For anonymous login, bind-dn and bind-password should be empty strings ""

ldap {group-attribute {<group-att> | member | uniqueMember} | group-dn <group-dn>}
no ldap {group-attribute | group-dn}

Sets the distinguished name or attribute name of a group on the LDAP server.
The no form of the command resets the attribute to its default values.

Syntax Description

group-attribute

Specifies a custom attribute name

member

groupOfNames or group membership attribute

uniqueMember

groupOfUniqueNames membership attribute

group-dn

DN of group required for authorization

Default

group-att: member
group-dn: ""

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # ldap group-attribute member ufmapl [ mgmt-sa ] (config) # ldap group-dn my-group-dn

Related Commands

show ldap

Notes

  • The user's distinguished name must be listed as one of the values of this attribute or the user will not be authorized to log in.

  • After login authentication, if the group-dn is set, a user must be a member of this group or the user will not be authorized to log in. If the group is not set ("" – the default) no authorization checks are done.

ldap host <ip-address> [order <number> last]
no ldap host <ip-address>

Adds an LDAP server to the set of servers used for authentication.
The no form of the command deletes the LDAP host.

Syntax Description

ip-address

IP address

number

The order of the LDAP server

last

The LDAP server will be added in the last location

Default

N/A

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # ldap host 10.10.10.10

Related Commands

show aaa
show ldap

Notes

  • The system will select the LDAP host to try according to its order

  • New servers are by default added at the end of the list of servers

ldap login-attribute {<string> | uid | sAMAccountName}
no ldap login-attribute

Sets the attribute name which contains the login name of the user.
The no form of the command resets this attribute to its default.

Syntax Description

string

Custom attribute name

uid

LDAP login name is taken from the user login username

sAMAccountName

SAM Account name, active directory login name

Default

N/A

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # ldap login-attribute uid

Related Commands

show aaa
show ldap

Notes

ldap port <port>
no ldap port

Sets the TCP port on the LDAP server to connect to for authentication.
The no form of the command resets this attribute to its default value.

Syntax Description

port

TCP port number

Default

389

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # ldap port 1111

Related Commands

show aaa
show ldap

Notes

ldap referrals
no ldap referrals

Enables LDAP referrals.
The no form of the command disables LDAP referrals.

Syntax Description

N/A

Default

Enabled

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # no ldap referrals

Related Commands

show aaa
show ldap

Notes

Referral is the process by which an LDAP server, instead of returning a result, will return a referral (a reference) to another LDAP server which may contain further information.

ldap scope <scope>
no ldap scope

Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.
The no form of the command resets the attribute to its default value.

Syntax Description

scope

  • one-level – searches the immediate children of the base dn

  • subtree – searches at the base DN and all its children

Default

subtree

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # ldap scope subtree

Related Commands

show aaa
show ldap

Notes

ldap ssl {cert-verify | mode <mode>| port <port-number>}
no ldap ssl {cert-verify | mode | port}

Sets SSL parameter for LDAP.
The no form of the command resets the attribute to its default value.

Syntax Description

cert-verify

Enables verification of SSL/TLS server certificates. This may be required if the server's certificate is self-signed, or does not match the name of the server.

mode

Sets the security mode for connections to the LDAP server.

  • none – requests no encryption for the LDAP connection

  • ssl – the SSL-port configuration is used, an SSL connection is made before LDAP requests are sent (LDAP over SSL)

  • tls – the normal LDAP port is used, an LDAP connection is initiated, and then TLS is started on this existing connection

port

Sets the port on the LDAP server to connect to for authentication when the SSL security mode is enabled (LDAP over SSL)

Default

cert-verify is enabled
mode is none (LDAP SSL is not activated)
port-number is 636

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # ldap ssl mode ssl

Related Commands

show aaa
show ldap

Notes

  • If available, the TLS mode is recommended, as it is standardized, and may also be of higher security

  • The port number is used only for SSL mode. If the mode is TLS, the LDAP port number will be used.

ldap {timeout-bind | timeout-search} <seconds>
no ldap {timeout-bind | timeout-search}

Sets a global communication timeout in seconds for all LDAP servers to specify the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.
The no form of the command resets the attribute to its default value.

Syntax Description

timeout-bind

Sets the global LDAP bind timeout for all LDAP servers

timeout-search

Sets the global LDAP search timeout for all LDAP servers

seconds

Range: 1-60

Default

5 seconds

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # ldap timeout-bind 10

Related Commands

show aaa
show ldap

Notes

ldap version <version>
no ldap version

Sets the LDAP version.
The no form of the command resets the attribute to its default value.

Syntax Description

version

Sets the LDAP version. Possible values: 2 or 3.

Default

3

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # ldap version 3

Related Commands

show aaa
show ldap

Notes

show ldap

Displays LDAP configurations.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any configuration mode

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # show ldap User base DN : ou=department,dc=example,dc=com User search scope : subtree Login attribute : uid Bind DN : my-dn Bind password : my-password Group base DN : my-group-dn Group attribute : member LDAP version : 3 Referrals : no Server port : 1111 Search Timeout : 5 Bind Timeout : 10 SSL mode : none Server SSL port : 636 (not active) SSL cert verify : yes   LDAP servers: 1: 10.10.10.10 2: 10.10.10.12

Related Commands

show aaa
show ldap

Notes

© Copyright 2023, NVIDIA. Last updated on Sep 6, 2023.