
Configuring an LDAP Server Template

Context

In an LDAP server template, you must specify the server type, IP address, and port number. The other parameters have default settings, for example, the Base DN, user filter, and group filter. These default settings can be modified manually.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ldap-server template template-name

    An LDAP server template is created and the LDAP server template view is displayed.

    By default, no LDAP server template is configured.

  3. Run ldap-server server-type { ad-ldap | ibm-tivoli | open-ldap | sun-one }

    The LDAP server type is set.

    You need to set the LDAP server type based on the type of the peer LDAP server. The default server type of LDAP server templates that the device creates is AD LDAP.

  4. Run ldap-server authentication ip-address [ port-number ] [ secondary | third ] [ no-ssl | ssl ]

    An LDAP authentication server is created.

    By default, no LDAP authentication server is configured.

  5. (Optional) Run ldap-server source { loopback interface-number | ip-address ip-address | vlanif interface-number }

    Configure the source IP address that the device uses when sending packets to the LDAP server.

    By default, when a device sends packets to the LDAP server, the IP address of the actual outbound interface is used as the source IP address.

    If the specified loopback interface or VLANIF interface has not been created, or no IP address is configured on it, the device falls back to the IP address of the actual outbound interface as the source IP address.

  6. Run ldap-server authentication base-dn base-dn

    The Base DN of the LDAP server is set.

    By default, the Base DN is dc=my-domain,dc=com.

  7. Run the following commands as required.

    With anonymous login, administrators do not need to present a password to the LDAP server, which introduces security risks. Evaluate these risks comprehensively before deciding whether to enable anonymous login.

    • The server allows administrators to log in anonymously.

      Run the ldap-server authentication manager-anonymous enable command to allow administrators to access the LDAP server anonymously.

      By default, administrators are prevented from accessing an LDAP server anonymously.

      After the configuration, if you run the ldap-server authentication manager manager-dn [ password [ repassword ] ] command again to configure the administrator DN and password of the LDAP server, the administrator anonymous login configuration will be cleared.

    • The server does not allow administrators to log in anonymously.

      To configure the administrator DN and password of the LDAP server, run the ldap-server authentication manager manager-dn [ password [ repassword ] ] command.

      The administrator DN and password of an LDAP authentication server are configured.

      After the configuration is complete, run the ldap-server authentication manager-password password [ repassword ] to change the administrator password of the LDAP authentication server.

      If you run the ldap-server authentication manager-anonymous enable command again after the configuration, the administrator DN and password are cleared, and the Base DN is also deleted.

  8. Run ldap-server authorization bind-user enable

    Configure user binding during LDAP authorization.

    By default, user binding is performed during LDAP authorization.

  9. (Optional) Run ldap-server authentication-filter authentication-filter-name

    The authentication filter of the LDAP server is set.

    By default, the authentication filter is set to objectclass=*, which indicates that all users can be authenticated.

  10. (Optional) Run ldap-server user-filter field

    The user filter of the LDAP server is set.

    By default, the user attribute of an AD server or AD LDAP server is sAMAccountName, the user attribute of an Open LDAP or IBM Tivoli LDAP server is cn, and the user attribute of a Sun ONE LDAP server is uid. You are advised to keep the default values.

  11. (Optional) Run ldap-server group-filter field

    The group filtering field that functions as the group name for an LDAP server is set.

    By default, the group filtering field that functions as the group name is ou.

  12. (Optional) Run ldap-server ip-address-filter field mask-filter field

    The IP address filter of the LDAP server is set.

    By default, no IP address filtering field for the LDAP server is configured.

  13. (Optional) Run ldap-server mobile-number-filter field

    The mobile number filter of the LDAP server is set.

    By default, no mobile number filtering field for the LDAP server is configured.

  14. (Optional) Run ldap-server time-stamp-filter field

    The timestamp attribute filtering field of the LDAP server is set.

    By default, the timestamp attribute filtering field of the LDAP server is createTimeStamp.

  15. (Optional) Run ldap-server authentication manager-with-base-dn enable

    The Base DN is attached to the administrator DN during LDAP authentication.

    By default, an administrator DN carries the Base DN during LDAP authentication.

  16. (Optional) Run ldap-server response-timeout interval

    The response timeout interval of an LDAP server is set.

    By default, the response timeout interval of an LDAP server is 10 seconds.

  17. (Optional) Configure interconnection options between the device and server.

    1. To return to the system view, run the quit command.

    2. To set the SSL protocol version used for the interaction between the device and LDAP server, run the ldap-server ssl version { tlsv1.1 | tlsv1.2 } * command.

      By default, the SSL protocol version used for the interaction between the device and LDAP server is TLS1.2.

      TLS1.1 is not secure. TLS1.2 is recommended.

  18. (Optional) Test connectivity between the device and server.

    1. To return to the user view, run the return command.
    2. To test connectivity, run the test-aaa user-name user-password ldap-template template-name command.
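
The procedure above worked through as one complete configuration (an added example, not part of the original page): an OpenLDAP server reached over SSL with a dedicated bind (manager) DN instead of anonymous login, TLS restricted to 1.2, and a connectivity test at the end. The template name, the address 192.0.2.10, port 636, the DNs, the password and the test account are constructed values; the view prompts are illustrative, and lines beginning with # are annotations rather than commands. Loopback 0 is assumed to already exist with an IP address, otherwise the device falls back to the outbound interface address.

```text
# Steps 1-3: create the template and set the peer server type
<HUAWEI> system-view
[HUAWEI] ldap-server template ldap1
[HUAWEI-ldap-ldap1] ldap-server server-type open-ldap
# Step 4: constructed server 192.0.2.10 on LDAPS port 636; "ssl" keeps the
# bind DN and password off the wire, "no-ssl" would send them in cleartext
[HUAWEI-ldap-ldap1] ldap-server authentication 192.0.2.10 636 ssl
# Step 5: fixed source address so the LDAP server's access controls can
# be limited to one client address
[HUAWEI-ldap-ldap1] ldap-server source loopback 0
# Step 6: replace the default dc=my-domain,dc=com with the real directory root
[HUAWEI-ldap-ldap1] ldap-server authentication base-dn dc=example,dc=com
# Step 7: dedicated bind account (constructed DN and password) rather than
# manager-anonymous enable
[HUAWEI-ldap-ldap1] ldap-server authentication manager cn=netbind,ou=svc,dc=example,dc=com Passw0rd@ldap
# Steps 9-16 are left at their defaults (user filter cn for OpenLDAP,
# objectclass=* authentication filter, 10-second response timeout)
# Step 17: back to the system view, then allow only TLS1.2
[HUAWEI-ldap-ldap1] quit
[HUAWEI] ldap-server ssl version tlsv1.2
# Step 18: back to the user view and test with a constructed directory account
[HUAWEI] return
<HUAWEI> test-aaa testuser Test@user1 ldap-template ldap1
```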

Copyright © Huawei Technologies Co., Ltd.