LDAP provides centralized validation of users who attempt to gain access to a Cisco MDS 9000 switch. LDAP services are maintained in a database on an LDAP daemon that typically runs on a UNIX or Windows NT workstation. You must have access to, and must configure, an LDAP server before the LDAP features configured on your Cisco switch become available.
LDAP provides separate authentication and authorization facilities. A single access control server (the LDAP daemon) can provide authentication and authorization for each service independently. Each service can be tied to its own database in order to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The LDAP client/server protocol uses TCP (port 389) for transport. Cisco MDS devices provide centralized authentication using the LDAP protocol.
Clients establish a TCP connection and authentication session with an LDAP server through a simple bind (username and password). As part of the authorization process, the LDAP server searches its database to retrieve the user profile and other information.
You can configure the bind operation to first bind and then search, where authentication is performed first and authorization next, or to first search and then bind. The default method is to first search and then bind.
The advantage of searching first and binding later is that the distinguished name (DN) received in the search result can be used as the user DN during binding rather than forming a DN by prepending the username (cn attribute) with the baseDN. This method is especially helpful when the user DN is different from the username plus the baseDN. For the user bind, the bindDN is constructed as baseDN + append-with-baseDN, where append-with-baseDN has a default value of cn=$userid.
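The following is an added example, not code from the Cisco documentation or from NX-OS, that models the two bind orders described above against a small constructed in-memory directory. The baseDN, the user entries and their passwords are assumed values. It shows why search-then-bind is the default: the constructed bindDN (append-with-baseDN, default cn=$userid, followed by the baseDN) only works when the user entry sits directly under the baseDN, whereas the DN returned by a search works wherever the entry lives.

```python
# Bind-order model for an LDAP client, following the page's description.
# Constructed example; no network access, no real LDAP library.

BASE_DN = "dc=example,dc=com"        # assumed baseDN
APPEND_WITH_BASEDN = "cn=$userid"    # NX-OS default template for the user bind

# Constructed sample directory: entry DN -> attributes.
# 'alice' sits directly under the baseDN, so cn=alice,<baseDN> exists.
# 'bob' sits in an OU, so the naively constructed DN does not exist.
DIRECTORY = {
    "cn=alice,dc=example,dc=com": {"cn": "alice", "userPassword": "alice-pw"},
    "cn=bob,ou=storage,dc=example,dc=com": {"cn": "bob", "userPassword": "bob-pw"},
}


def naive_bind_dn(userid, base_dn=BASE_DN, template=APPEND_WITH_BASEDN):
    """bindDN formed from append-with-baseDN (with $userid substituted) plus the baseDN."""
    return f"{template.replace('$userid', userid)},{base_dn}"


def simple_bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def search_user(userid, base_dn=BASE_DN):
    """Subtree search for (cn=<userid>) under baseDN; returns the entry DN or None."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(base_dn) and attrs.get("cn") == userid:
            return dn
    return None


def bind_then_search(userid, password):
    """Authenticate with the constructed DN first, then search for the profile.
    Returns the user's DN on success, None on failure."""
    if not simple_bind(naive_bind_dn(userid), password):
        return None
    return search_user(userid)


def search_then_bind(userid, password):
    """Default order: search for the entry, then bind with the DN the search returned."""
    dn = search_user(userid)
    if dn is None or not simple_bind(dn, password):
        return None
    return dn


if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw")):
        print(user, "bind-first:", bind_then_search(user, pw),
              "search-first:", search_then_bind(user, pw))
```

With the constructed directory, bob can only log in under the search-first order; under bind-first the constructed DN cn=bob,dc=example,dc=com does not exist, so the bind fails before any search happens.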
LDAP has the following guidelines and limitations:
You can configure a maximum of 64 LDAP servers on the Cisco NX-OS device.
Cisco NX-OS supports only LDAP version 3.
Cisco NX-OS supports only these LDAP servers:
OpenLDAP
Microsoft Active Directory
LDAP over Secure Sockets Layer (SSL) supports only SSL version 3 and Transport Layer Security (TLS) version 1.
If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
To access a remote LDAP server, first create a profile for it on the Cisco NX-OS device. Parameters specific to a server can be added to its profile. These include the use of SSL transport, the target port number on the server, the request timeout period, the root distinguished name (the bind user) and password, and search referrals.
Connectivity to LDAP servers over TLS (via SSL) is RFC 4513 compliant. This requires that the identity presented by the server during the secure transport negotiation exactly match the server profile name and the server certificate installed on the switch. Matching may be by IP address or host name in the certificate “Subject Alternative Name”; this is the preferred method. If there is no match there, the common name (CN) in the certificate “Subject” is checked. Server certificates are installed separately on the Cisco NX-OS devices.
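The check described above, as an added example that is not Cisco's code: it takes the server profile name (an IP address or a host name) and the relevant fields of the server certificate (dNSName and iPAddress Subject Alternative Names, and the Subject CN), tries the SAN first and falls back to the CN, and reports which rule matched. The certificate values are constructed and passed in as plain strings; a real client would read them from the parsed certificate.

```python
import ipaddress


def parse_ip(value):
    """Return an ip_address object for value, or None if it is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def dns_name_matches(pattern, host):
    """Case-insensitive host-name match; a leftmost-label wildcard such as
    *.example.com matches exactly one label (ldap.example.com, not a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        first_label, _, rest = host.partition(".")
        return bool(first_label) and rest == pattern[2:]
    return False


def server_identity_matches(profile_name, san_dns=(), san_ip=(), subject_cn=None):
    """Match the profile name against the certificate as the page describes:
    SAN first (iPAddress entries for an IP profile, dNSName entries for a
    host-name profile), then the Subject CN. Returns "san-ip", "san-dns",
    "cn", or None when nothing matches."""
    profile_ip = parse_ip(profile_name)
    if profile_ip is not None:
        # IP profiles are compared as addresses, so 2001:DB8::1 == 2001:db8:0:0:0:0:0:1.
        if any(parse_ip(v) == profile_ip for v in san_ip):
            return "san-ip"
    elif any(dns_name_matches(v, profile_name) for v in san_dns):
        return "san-dns"
    # Fallback: the CN in the Subject.
    if subject_cn is not None:
        if profile_ip is not None:
            if parse_ip(subject_cn) == profile_ip:
                return "cn"
        elif dns_name_matches(subject_cn, profile_name):
            return "cn"
    return None


if __name__ == "__main__":
    print(server_identity_matches("ldap.example.com", san_dns=["*.example.com"]))
    print(server_identity_matches("10.0.0.5", san_dns=["10.0.0.5"]))
```

Two points the example makes explicit: an IP address profile is only satisfied by an iPAddress SAN (an IP written into a dNSName entry does not count), and a wildcard covers a single label. RFC 4513 section 3.1.3 expects the CN to be consulted only when the certificate carries no dNSName SAN; the function follows the page's simpler description and falls back to the CN whenever the SAN check fails.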
Note: By default, when you configure an LDAP server IP address or host name on a Cisco NX-OS device, the LDAP server is added to the default LDAP server group. You can also add the LDAP server to another LDAP server group. Starting from Cisco MDS NX-OS Release 8.2(1), when TCP port 636 is configured, the connection establishment securely starts with an SSL or TLS negotiation. For other ports, this is done explicitly using the enable-ssl keyword.
You can use server groups to specify one or more remote AAA servers for authenticating users. All members of a group must be configured to use LDAP. The servers are tried in the same order in which you configure them. You can configure these server groups at any time, but they take effect only when you apply them to an AAA service.
Cisco MDS 9000 Series switches support group-based user roles. You can create a group on the LDAP server, create a group with the exact same name on the Cisco MDS switch, and then add users to the group. The user inherits the user role attribute from the configured group. This can be accomplished using the Microsoft LDAP Server’s built-in memberOf attribute. If you wish to use the memberOf attribute, ensure that you create a role name on the switch that is the same as the group name on the LDAP server. A user can be part of multiple groups, but only one of those groups should correspond to a switch role.
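The role mapping described above, as an added example that is not Cisco's code: it takes the memberOf values returned for a user (group DNs), extracts each group's cn, keeps only those that exactly equal a role name defined on the switch, and enforces the rule that exactly one group should correspond to a switch role. The switch role names and the memberOf values are constructed for the example.

```python
# memberOf -> switch role mapping. Constructed example; role names and group
# DNs are assumed values, not taken from any real switch or directory.

# Roles assumed to be defined on the switch (constructed names).
SWITCH_ROLES = {"fabric-admin", "storage-operator"}


def rdn_value(dn, attr="cn"):
    """Return the value of the first RDN of dn when that RDN's attribute is attr,
    else None. Handles "CN=..." and "cn=..." alike; the value keeps its case."""
    first = dn.split(",", 1)[0].strip()
    name, sep, value = first.partition("=")
    if sep and name.strip().lower() == attr.lower():
        return value.strip()
    return None


def roles_from_member_of(member_of, switch_roles=SWITCH_ROLES):
    """Groups whose cn exactly equals a switch role name; all other group
    memberships (Domain Users, mail lists, ...) are ignored."""
    matched = set()
    for group_dn in member_of:
        name = rdn_value(group_dn)
        if name in switch_roles:
            matched.add(name)
    return sorted(matched)


def select_switch_role(member_of, switch_roles=SWITCH_ROLES):
    """The role the user inherits. Exactly one group must map to a switch role;
    zero or several matches is a configuration error worth surfacing, not guessing."""
    matched = roles_from_member_of(member_of, switch_roles)
    if len(matched) != 1:
        raise ValueError(f"expected exactly one switch role match, got {matched}")
    return matched[0]


if __name__ == "__main__":
    # Constructed memberOf values in Active Directory style.
    sample = [
        "CN=fabric-admin,OU=Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
    ]
    print(select_switch_role(sample))
```

Note that the comparison is exact, as the page requires: a group named Fabric-Admin would not map to the role fabric-admin.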