
aaa authentication-server ldap

aaa authentication-server ldap <server>
    admin-dn <name>
    admin-passwd <string>
    allow-cleartext
    authport <port>
    base-dn <name>
    chase-referrals
    clone <server>
    enable
    filter <filter>
    host <ipaddr>
    key-attribute <string>
    max-connection <number>
    no ...
    preferred-conn-type ldap-s|start-tls|clear-text
    timeout <seconds>

Description

This command configures an LDAP (Lightweight Directory Access Protocol) server that the Mobility Master can query to authenticate users.

A maximum of 128 LDAP servers can be configured on the Mobility Master.

Syntax

Each parameter is listed with its description and, where applicable, its range and default.

<server>
    Name that identifies the server.

admin-dn <name>
    DN (Distinguished Name) of the admin user who has read or search privileges across all of the entries in the LDAP database. The user does not need write privileges, but must be able to search the database and read attributes of other users in the database.

admin-passwd <string>
    Password for the admin user.

allow-cleartext
    Allows clear-text (unencrypted) communication with the LDAP server.
    Range: enabled | disabled
    Default: disabled

authport <port>
    Port number used for authentication. Port 636 is used for LDAP over SSL/TLS (ldap-s); port 389 is used for Start TLS and for clear text.
    Range: 1-65535
    Default: 389

base-dn <name>
    DN of the node which contains the entire user database to use.

chase-referrals
    Chase referrals anonymously.

clone <server>
    Name of an existing LDAP server configuration from which parameter values are copied.

enable
    Enables the LDAP server.

filter <filter>
    Filter that is applied to the search for the user in the LDAP database.
    Default: (objectclass=*)

host <ipaddr>
    IP address of the LDAP server, in dotted-decimal format.

key-attribute <string>
    Attribute used as the key when searching the LDAP server for the user. For PAP, the value is sAMAccountName. For EAP-TLS termination, the value is userPrincipalName.
    Default: sAMAccountName

max-connection <number>
    Maximum number of simultaneous non-admin connections to an LDAP server.

no ...
    Negates any configured parameter.

preferred-conn-type ldap-s|start-tls|clear-text
    Preferred connection type. The default order of connection types is:
    1. ldap-s
    2. start-tls
    3. clear-text
    The Mobility Master first tries to contact the LDAP server using the preferred connection type, and only attempts a lower-priority connection type if the first attempt is not successful.
    NOTE: You must enable the allow-cleartext option before you select clear-text as the preferred connection type. If you set clear-text as the preferred connection type but do not allow clear-text, the Mobility Master will only use ldap-s or start-tls to contact the LDAP server.
    Range: ldap-s | start-tls | clear-text
    Default: ldap-s

timeout <seconds>
    Timeout period of an LDAP request, in seconds.
    Range: 1-30
    Default: 20 seconds

Usage Guidelines

You must configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group).

Example

The following commands configure and enable an LDAP server:

(host) ^[md] (config) #aaa authentication-server ldap ldap1
(host) ^[md] (LDAP Server "ldap1") #host 10.1.1.243
(host) ^[md] (LDAP Server "ldap1") #base-dn cn=Users,dc=1m,dc=corp,dc=com
(host) ^[md] (LDAP Server "ldap1") #admin-dn cn=corp,cn=Users,dc=1m,dc=corp,dc=com
(host) ^[md] (LDAP Server "ldap1") #admin-passwd abc10
(host) ^[md] (LDAP Server "ldap1") #key-attribute sAMAccountName
(host) ^[md] (LDAP Server "ldap1") #filter (objectclass=*)
(host) ^[md] (LDAP Server "ldap1") #enable
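Before issuing enable, it is worth confirming from another host that the admin-dn can bind and that a real user is found under base-dn with the configured filter and key-attribute, over the transport you intend to use. The following script is an added example, not ArubaOS code: it parses the CLI lines from the example above into a configuration, builds the user lookup filter, and prints an OpenLDAP ldapsearch command that performs the same search. It assumes the controller searches under base-dn for an entry matching both the configured filter and key-attribute=<login name>, i.e. (&<filter>(<key-attribute>=<login name>)); the exact filter ArubaOS sends is not documented on this page. The login name is escaped per RFC 4515 so that a value typed at login time cannot alter the filter's structure. The ldapsearch flags (-H, -D, -W, -b, -s, -ZZ) are OpenLDAP's.

```python
"""Rebuild the user lookup from an ``aaa authentication-server ldap`` block and
emit an equivalent OpenLDAP ldapsearch command for pre-enable verification.

Added example, not ArubaOS code.  Assumption: the controller's search is
(&<filter>(<key-attribute>=<login name>)) under base-dn.
"""
import re
from typing import Dict, List

# CLI lines copied from the example on this page.
EXAMPLE_LINES = [
    '(host) ^[md] (config) #aaa authentication-server ldap ldap1',
    '(host) ^[md] (LDAP Server "ldap1") #host 10.1.1.243',
    '(host) ^[md] (LDAP Server "ldap1") #base-dn cn=Users,dc=1m,dc=corp,dc=com',
    '(host) ^[md] (LDAP Server "ldap1") #admin-dn cn=corp,cn=Users,dc=1m,dc=corp,dc=com',
    '(host) ^[md] (LDAP Server "ldap1") #admin-passwd abc10',
    '(host) ^[md] (LDAP Server "ldap1") #key-attribute sAMAccountName',
    '(host) ^[md] (LDAP Server "ldap1") #filter (objectclass=*)',
    '(host) ^[md] (LDAP Server "ldap1") #enable',
]

# Matches the "(LDAP Server "<name>") #<command>" prompt lines.
PROMPT_RE = re.compile(r'^\(\S+\)\s+\^?\[[^\]]+\]\s+\(LDAP Server "([^"]+)"\)\s+#(.*)$')

# Port per connection type from the authport row (used when authport is unset).
PORTS = {"ldap-s": 636, "start-tls": 389, "clear-text": 389}


def parse_ldap_server_block(lines) -> Dict[str, str]:
    """Turn the per-server prompt lines into a {parameter: value} dict."""
    cfg: Dict[str, str] = {}
    for line in lines:
        m = PROMPT_RE.match(line.strip())
        if not m:
            continue
        cfg.setdefault("name", m.group(1))
        parts = m.group(2).strip().split(None, 1)
        cfg[parts[0]] = parts[1] if len(parts) > 1 else "enabled"
    return cfg


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '\\', '*', '(', ')', NUL and non-ASCII bytes become \\XX,
    so a login name such as 'a)(objectclass=*' stays data, not filter syntax."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def user_search_filter(cfg: Dict[str, str], login_name: str) -> str:
    base = cfg.get("filter", "(objectclass=*)")        # CLI default
    key = cfg.get("key-attribute", "sAMAccountName")    # CLI default
    return f"(&{base}({key}={escape_filter_value(login_name)}))"


def ldapsearch_argv(cfg: Dict[str, str], login_name: str, conn_type: str = "ldap-s") -> List[str]:
    """ldapsearch invocation reproducing the controller's bind and lookup."""
    host = cfg["host"]
    port = int(cfg.get("authport", PORTS[conn_type]))
    argv = ["ldapsearch"]
    if conn_type == "ldap-s":
        argv += ["-H", f"ldaps://{host}:{port}"]
    else:
        argv += ["-H", f"ldap://{host}:{port}"]
        if conn_type == "start-tls":
            argv.append("-ZZ")  # StartTLS, and fail if it is not negotiated
    key = cfg.get("key-attribute", "sAMAccountName")
    # -W prompts for the bind password: admin-passwd never lands in argv or shell history.
    argv += ["-D", cfg["admin-dn"], "-W", "-b", cfg["base-dn"], "-s", "sub",
             user_search_filter(cfg, login_name), "dn", key]
    return argv


if __name__ == "__main__":
    config = parse_ldap_server_block(EXAMPLE_LINES)
    for ct in ("ldap-s", "start-tls"):
        print(" ".join(f"'{a}'" if " " in a or "(" in a else a for a in ldapsearch_argv(config, "alice", ct)))
```

A search that binds but returns no entry for a known user usually means base-dn is too narrow or key-attribute does not match how the directory names accounts (sAMAccountName for PAP, userPrincipalName for EAP-TLS termination, as the parameter table states).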

Command History

Release

Modification

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Base operating system.

Config mode on Mobility Master.
