Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 5.x
Configuring LDAP
Downloads: This chapterpdf (PDF - 1.33MB) The complete bookPDF (PDF - 10.7MB) | The complete bookePub (ePub - 3.43MB) | Feedback

Configuring LDAP

Contents

Configuring LDAP

This chapter describes how to configure the Lightweight Directory Access Protocol (LDAP) on Cisco NX-OS devices.

This chapter includes the following sections:

Information About LDAP

The Lightweight Directory Access Protocol (LDAP) provides centralized validation of users attempting to gain access to a Cisco NX-OS device. LDAP services are maintained in a database on an LDAP daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure an LDAP server before the configured LDAP features on your Cisco NX-OS device are available.

LDAP provides for separate authentication and authorization facilities. LDAP allows for a single access control server (the LDAP daemon) to provide each service—authentication and authorization—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The LDAP client/server protocol uses TCP (TCP port 389) for transport requirements. Cisco NX-OS devices provide centralized authentication using the LDAP protocol.

LDAP Authentication and Authorization

Clients establish a TCP connection and authentication session with an LDAP server through a simple bind (username and password). As part of the authorization process, the LDAP server searches its database to retrieve the user profile and other information.

You can configure the bind operation to first bind and then search, where authentication is performed first and authorization next, or to first search and then bind. The default method is to first search and then bind.

The advantage of searching first and binding later is that the distinguished name (DN) received in the search result can be used as the user DN during binding rather than forming a DN by prepending the username (cn attribute) with the baseDN. This method is especially helpful when the user DN is different from the username plus the baseDN. For the user bind, the bindDN is constructed as baseDN + append-with-baseDN, where append-with-baseDN has a default value of cn=$userid.


Note


As an alternative to the bind method, you can establish LDAP authentication using the compare method, which compares the attribute values of a user entry at the server. For example, the user password attribute can be compared for authentication. The default password attribute type is userPassword.


LDAP Operation for User Login

When a user attempts a Password Authentication Protocol (PAP) login to a Cisco NX-OS device using LDAP, the following actions occur:


Note


LDAP allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination but may include prompts for other items.



Note


In LDAP, authorization can occur before authentication.


  1. When the Cisco NX-OS device establishes a connection, it contacts the LDAP daemon to obtain the username and password.
  2. The Cisco NX-OS device eventually receives one of the following responses from the LDAP daemon:
    ACCEPT
    User authentication succeeds and service begins. If the Cisco NX-OS device requires user authorization, authorization begins.
    REJECT
    User authentication fails. The LDAP daemon either denies further access to the user or prompts the user to retry the login sequence.
    ERROR
    An error occurs at some time during authentication either at the daemon or in the network connection between the daemon and the Cisco NX-OS device. If the Cisco NX-OS device receives an ERROR response, the Cisco NX-OS device tries to use an alternative method for authenticating the user.
    After authentication, the user also undergoes an additional authorization phase if authorization has been enabled on the Cisco NX-OS device. Users must first successfully complete LDAP authentication before proceeding to LDAP authorization.
  3. If LDAP authorization is required, the Cisco NX-OS device again contacts the LDAP daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access. Services include the following:
    • Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
    • Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts

LDAP Server Monitoring

An unresponsive LDAP server can delay the processing of AAA requests. A Cisco NX-OS device can periodically monitor an LDAP server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco NX-OS device marks unresponsive LDAP servers as dead and does not send AAA requests to any dead LDAP servers. A Cisco NX-OS device periodically monitors dead LDAP servers and brings them to the alive state once they are responding. This process verifies that an LDAP server is in a working state before real AAA requests are sent its way. Whenever an LDAP server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco NX-OS device displays an error message that a failure is taking place before it can impact performance.

Figure 1. LDAP Server States. This figure shows the server states for LDAP server monitoring.


Note


The monitoring interval for alive servers and dead servers are different and can be configured by the user. The LDAP server monitoring is performed by sending a test authentication request to the LDAP server.


Vendor-Specific Attributes for LDAP

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the LDAP server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use.

Cisco VSA Format for LDAP

The Cisco LDAP implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.

When you use LDAP servers for authentication on a Cisco NX-OS device, LDAP directs the LDAP server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

The following VSA protocol options are supported by the Cisco NX-OS software:

Shell
Protocol used in access-accept packets to provide user profile information.

The Cisco NX-OS software supports the following attributes:

roles

Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white space. For example, if the user belongs to roles network-operator and vdc-admin, the value field would be network-operator vdc-admin. This subattribute, which the LDAP server sends in the VSA portion of the Access-Accept frames, can only be used with the shell protocol value. The following examples show the roles attribute as supported by Cisco ACS:

shell:roles=network-operator vdc-admin 

shell:roles*network-operator vdc-admin


Note


When you specify a VSA as shell:roles*"network-operator vdc-admin", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.


Virtualization Support for LDAP

LDAP configuration and operation are local to the virtual device context (VDC). For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.

The Cisco NX-OS device uses virtual routing and forwarding instances (VRFs) to access the LDAP servers. For more information on VRFs, see the Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide.

Licensing Requirements for LDAP

The following table shows the licensing requirements for this feature:

Product

License Requirement

Cisco NX-OS

LDAP requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for LDAP

LDAP has the following prerequisites:

  • Obtain the IPv4 or IPv6 addresses or hostnames for the LDAP servers.
  • Ensure that the Cisco NX-OS device is configured as an LDAP client of the AAA servers.

Guidelines and Limitations for LDAP

LDAP has the following guidelines and limitations:

  • You can configure a maximum of 64 LDAP servers on the Cisco NX-OS device.
  • Cisco NX-OS supports only LDAP version 3.
  • Cisco NX-OS supports only these LDAP servers:
    • OpenLDAP
    • Microsoft Active Directory
  • LDAP over Secure Sockets Layer (SSL) supports only SSL version 3 and Transport Layer Security (TLS) version 1.
  • If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.

Default Settings for LDAP

This table lists the default settings for LDAP parameters.

Table 1  Default LDAP Parameters Settings

Parameters

Default

LDAP

Disabled

LDAP authentication method

First search and then bind

LDAP authentication mechanism

Plain

Dead-time interval

0 minutes

Timeout interval

5 seconds

Idle timer interval

60 minutes

Periodic server monitoring username

test

Periodic server monitoring password

Cisco

Configuring LDAP

This section describes how to configure LDAP on a Cisco NX-OS device.


Note


If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.


LDAP Server Configuration Process

You can configure LDAP servers by following this configuration process.


    Step 1   Enable LDAP.
    Step 2   Establish the LDAP server connections to the Cisco NX-OS device.
    Step 3   If needed, configure LDAP server groups with subsets of the LDAP servers for AAA authentication methods.
    Step 4   (Optional) Configure the TCP port.
    Step 5   (Optional) Configure the default AAA authorization method for the LDAP server.
    Step 6   (Optional) Configure an LDAP search map.
    Step 7   (Optional) If needed, configure periodic LDAP server monitoring.

    Enabling LDAP

    By default, the LDAP feature is disabled on the Cisco NX-OS device. You must explicitly enable the LDAP feature to access the configuration and verification commands for authentication.

    SUMMARY STEPS

      1.    configure terminal

      2.    feature ldap

      3.    exit

      4.    (Optional) copy running-config startup-config


    DETAILED STEPS
        Command or Action Purpose
      Step 1 configure terminal


      Example:
      switch# configure terminal
      switch(config)#
      
       

      Enters global configuration mode.

       
      Step 2 feature ldap


      Example:
      switch(config)# feature ldap
       

      Enables LDAP.

       
      Step 3 exit


      Example:
      switch(config)# exit
      switch#
      
       

      Exits configuration mode.

       
      Step 4 copy running-config startup-config


      Example:
      switch# copy running-config startup-config
       
      (Optional)

      Copies the running configuration to the startup configuration.

       

      Configuring LDAP Server Hosts

      To access a remote LDAP server, you must configure the IP address or the hostname for the LDAP server on the Cisco NX-OS device. You can configure up to 64 LDAP servers.


      Note


      By default, when you configure an LDAP server IP address or hostname on the Cisco NX-OS device, the LDAP server is added to the default LDAP server group. You can also add the LDAP server to another LDAP server group.


      Before You Begin

      Enable LDAP.

      Obtain the IPv4 or IPv6 addresses or the hostnames for the remote LDAP servers.

      If you plan to enable the Secure Sockets Layer (SSL) protocol, make sure that the LDAP server certificate is manually configured on the Cisco NX-OS device.

      SUMMARY STEPS

        1.    configure terminal

        2.    [no] ldap-server host {ipv4-address | ipv6-address | host-name} [enable-ssl]

        3.    exit

        4.    (Optional) show ldap-server

        5.    (Optional) copy running-config startup-config


      DETAILED STEPS
          Command or Action Purpose
        Step 1 configure terminal


        Example:
        switch# configure terminal
        switch(config)#
         

        Enters global configuration mode.

         
        Step 2 [no] ldap-server host {ipv4-address | ipv6-address | host-name} [enable-ssl]


        Example:
        switch(config)# ldap-server host 10.10.2.2 enable-ssl
         

        Specifies the IPv4 or IPv6 address or hostname for an LDAP server.

        The enable-ssl keyword ensures the integrity and confidentiality of the transferred data by causing the LDAP client to establish a Secure Sockets Layer (SSL) session prior to sending the bind or search request.

         
        Step 3 exit


        Example:
        switch(config)# exit
        switch#
         

        Exits configuration mode.

         
        Step 4 show ldap-server


        Example:
        switch# show ldap-server
         
        (Optional)

        Displays the LDAP server configuration.

         
        Step 5 copy running-config startup-config


        Example:
        switch# copy running-config startup-config
         
        (Optional)

        Copies the running configuration to the startup configuration.

         

        Configuring the RootDN for an LDAP Server

        You can configure the root designated name (DN) for the LDAP server database. The rootDN is used to bind to the LDAP server to verify its state.

        Before You Begin

        Enable LDAP.

        Obtain the IPv4 or IPv6 addresses or the hostnames for the remote LDAP servers.

        SUMMARY STEPS

          1.    configure terminal

          2.    [no] ldap-server host {ipv4-address | ipv6-address | host-name} rootDN root-name [password password] [port tcp-port [timeout seconds] | [timeout seconds]]

          3.    exit

          4.    (Optional) show ldap-server

          5.    (Optional) copy running-config startup-config


        DETAILED STEPS
            Command or Action Purpose
          Step 1 configure terminal


          Example:
          switch# configure terminal
          switch(config)#
           

          Enters global configuration mode.

           
          Step 2 [no] ldap-server host {ipv4-address | ipv6-address | host-name} rootDN root-name [password password] [port tcp-port [timeout seconds] | [timeout seconds]]


          Example:
          switch(config)# ldap-server host 10.10.1.1 rootDN cn=manager,dc=acme,dc=com password Ur2Gd2BH timeout 60
           

          Specifies the rootDN for the LDAP server database and the bind password for the root.

          Optionally specifies the TCP port to use for LDAP messages to the server. The range is from 1 to 65535, and the default TCP port is the global value or 389 if a global value is not configured. Also specifies the timeout interval for the server. The range is from 1 to 60 seconds, and the default timeout is the global value or 5 seconds if a global value is not configured.

           
          Step 3 exit


          Example:
          switch(config)# exit
          switch#
           

          Exits configuration mode.

           
          Step 4 show ldap-server


          Example:
          switch# show ldap-server
           
          (Optional)

          Displays the LDAP server configuration.

           
          Step 5 copy running-config startup-config


          Example:
          switch# copy running-config startup-config
           
          (Optional)

          Copies the running configuration to the startup configuration.

           

          Configuring LDAP Server Groups

          You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must be configured to use LDAP. The servers are tried in the same order in which you configure them.

          You can configure these server groups at any time, but they take effect only when you apply them to an AAA service.

          Before You Begin

          Enable LDAP.

          SUMMARY STEPS

            1.    configure terminal

            2.    [no] aaa group server ldap group-name

            3.    [no] server {ipv4-address | ipv6-address | host-name}

            4.    (Optional) [no] authentication {bind-first [append-with-baseDN DNstring] | compare [password-attribute password]}

            5.    (Optional) [no] enable user-server-group

            6.    (Optional) [no] enable Cert-DN-match

            7.    (Optional) [no] use-vrf vrf-name

            8.    exit

            9.    (Optional) show ldap-server groups

            10.    (Optional) copy running-config startup-config


          DETAILED STEPS
              Command or Action Purpose
            Step 1 configure terminal


            Example:
            switch# configure terminal
            switch(config)#
             

            Enters global configuration mode.

             
            Step 2 [no] aaa group server ldap group-name


            Example:
            switch(config)# aaa group server ldap LDAPServer1
            switch(config-ldap)#
             

            Creates an LDAP server group and enters the LDAP server group configuration mode for that group.

             
            Step 3 [no] server {ipv4-address | ipv6-address | host-name}


            Example:
            switch(config-ldap)# server 10.10.2.2
             

            Configures the LDAP server as a member of the LDAP server group.

            If the specified LDAP server is not found, configure it using the ldap-server host command and retry this command.

             
            Step 4 [no] authentication {bind-first [append-with-baseDN DNstring] | compare [password-attribute password]}


            Example:
            switch(config-ldap)# authentication compare password-attribute TyuL8r
             
            (Optional)

            Performs LDAP authentication using the bind or compare method. The default LDAP authentication method is the bind method using first search and then bind.

             
            Step 5 [no] enable user-server-group


            Example:
            switch(config-ldap)# enable user-server-group
             
            (Optional)

            Enables group validation. The group name should be configured in the LDAP server. Users can login through public-key authentication only if the username is listed as a member of this configured group in the LDAP server.

             
            Step 6 [no] enable Cert-DN-match


            Example:
            switch(config-ldap)# enable Cert-DN-match
             
            (Optional)

            Enables users to login only if the user profile lists the subject-DN of the user certificate as authorized for login.

             
            Step 7 [no] use-vrf vrf-name


            Example:
            switch(config-ldap)# use-vrf vrf1
             
            (Optional)
            Specifies the VRF to use to contact the servers in the server group.
            Note   

            This command is supported only on Cisco Nexus 7000 Series Switches.

             
            Step 8 exit


            Example:
            switch(config-ldap)# exit
            switch(config)#
             

            Exits LDAP server group configuration mode.

             
            Step 9 show ldap-server groups


            Example:
            switch(config)# show ldap-server groups
             
            (Optional)

            Displays the LDAP server group configuration.

             
            Step 10 copy running-config startup-config


            Example:
            switch(config)# copy running-config startup-config
             
            (Optional)

            Copies the running configuration to the startup configuration.

             

            Configuring the Global LDAP Timeout Interval

            You can set a global timeout interval that determines how long the Cisco NX-OS device waits for responses from all LDAP servers before declaring a timeout failure.

            Before You Begin

            Enable LDAP.

            SUMMARY STEPS

              1.    configure terminal

              2.    [no] ldap-server timeout seconds

              3.    exit

              4.    (Optional) show ldap-server

              5.    (Optional) copy running-config startup-config


            DETAILED STEPS
                Command or Action Purpose
              Step 1 configure terminal


              Example:
              switch# configure terminal
              switch(config)#
               

              Enters global configuration mode.

               
              Step 2 [no] ldap-server timeout seconds


              Example:
              switch(config)# ldap-server timeout 10 
               

              Specifies the timeout interval for LDAP servers. The default timeout interval is 5 seconds. The range is from 1 to 60 seconds.

               
              Step 3 exit


              Example:
              switch(config)# exit
              switch#
               

              Exits configuration mode.

               
              Step 4 show ldap-server


              Example:
              switch# show ldap-server
               
              (Optional)

              Displays the LDAP server configuration.

               
              Step 5 copy running-config startup-config


              Example:
              switch# copy running-config startup-config
               
              (Optional)

              Copies the running configuration to the startup configuration.

               

              Configuring the Timeout Interval for an LDAP Server

              You can set a timeout interval that determines how long the Cisco NX-OS device waits for responses from an LDAP server before declaring a timeout failure.

              Before You Begin

              Enable LDAP.

              SUMMARY STEPS

                1.    configure terminal

                2.    [no] ldap-server host {ipv4-address | ipv6-address | host-name} timeout seconds

                3.    exit

                4.    (Optional) show ldap-server

                5.    (Optional) copy running-config startup-config


              DETAILED STEPS
                  Command or Action Purpose
                Step 1 configure terminal


                Example:
                switch# configure terminal
                switch(config)#
                 

                Enters global configuration mode.

                 
                Step 2 [no] ldap-server host {ipv4-address | ipv6-address | host-name} timeout seconds


                Example:
                switch(config)# ldap-server host server1 timeout 10
                 

                Specifies the timeout interval for a specific server. The default is the global value.

                Note   

                The timeout interval value specified for an LDAP server overrides the global timeout interval value specified for all LDAP servers.

                 
                Step 3 exit


                Example:
                switch(config)# exit
                switch#
                 

                Exits configuration mode.

                 
                Step 4 show ldap-server


                Example:
                switch# show ldap-server
                 
                (Optional)

                Displays the LDAP server configuration.

                 
                Step 5 copy running-config startup-config


                Example:
                switch# copy running-config startup-config
                 
                (Optional)

                Copies the running configuration to the startup configuration.

                 

                Configuring the Global LDAP Server Port

                You can configure a global LDAP server port through which clients initiate TCP connections. By default, Cisco NX-OS devices use port 389 for all LDAP requests.

                Before You Begin

                Enable LDAP.

                SUMMARY STEPS

                  1.    configure terminal

                  2.    [no] ldap-server port tcp-port

                  3.    exit

                  4.    (Optional) show ldap-server

                  5.    (Optional) copy running-config startup-config


                DETAILED STEPS
                    Command or Action Purpose
                  Step 1 configure terminal


                  Example:
                  switch# configure terminal
                  switch(config)#
                   

                  Enters global configuration mode.

                   
                  Step 2 [no] ldap-server port tcp-port


                  Example:
                  switch(config)# ldap-server port 2
                   

                  Specifies the global TCP port to use for LDAP messages to the server. The default TCP port is 389. The range is from 1 to 65535.

                  Note   

                  This command is deprecated beginning with Cisco NX-OS Release 5.2.

                   
                  Step 3 exit


                  Example:
                  switch(config)# exit
                  switch#
                   

                  Exits configuration mode.

                   
                  Step 4 show ldap-server


                  Example:
                  switch# show ldap-server
                   
                  (Optional)

                  Displays the LDAP server configuration.

                   
                  Step 5 copy running-config startup-config


                  Example:
                  switch# copy running-config startup-config
                   
                  (Optional)

                  Copies the running configuration to the startup configuration.

                   

                  Configuring TCP Ports

                  You can configure another TCP port for the LDAP servers if there are conflicts with another application. By default, Cisco NX-OS devices use port 389 for all LDAP requests.

                  Before You Begin

                  Enable LDAP.

                  SUMMARY STEPS

                    1.    configure terminal

                    2.    [no] ldap-server host {ipv4-address | ipv6-address | host-name} port tcp-port [timeout seconds]

                    3.    exit

                    4.    (Optional) show ldap-server

                    5.    (Optional) copy running-config startup-config


                  DETAILED STEPS
                      Command or Action Purpose
                    Step 1 configure terminal


                    Example:
                    switch# configure terminal
                    switch(config)#
                     

                    Enters global configuration mode.

                     
                    Step 2 [no] ldap-server host {ipv4-address | ipv6-address | host-name} port tcp-port [timeout seconds]


                    Example:
                    switch(config)# ldap-server host 10.10.1.1 port 200 timeout 5
                     

                    Specifies the TCP port to use for LDAP messages to the server. The default TCP port is 389. The range is from 1 to 65535. Optionally specifies the timeout interval for the server. The range is from 1 to 60 seconds, and the default timeout is the global value or 5 seconds if a global value is not configured.

                    Note   

                    The timeout interval value specified for an LDAP server overrides the global timeout interval value specified for all LDAP servers.

                     
                    Step 3 exit


                    Example:
                    switch(config)# exit
                    switch#
                     

                    Exits configuration mode.

                     
                    Step 4 show ldap-server


                    Example:
                    switch# show ldap-server
                     
                    (Optional)

                    Displays the LDAP server configuration.

                     
                    Step 5 copy running-config startup-config


                    Example:
                    switch# copy running-config startup-config
                     
                    (Optional)

                    Copies the running configuration to the startup configuration.

                     

                    Configuring LDAP Search Maps

                    You can configure LDAP search maps to send a search query to the LDAP server. The server searches its database for data meeting the criteria specified in the search map.

                    Before You Begin

                    Enable LDAP.

                    SUMMARY STEPS

                      1.    configure terminal

                      2.    ldap search-map map-name

                      3.    (Optional) [userprofile | trustedCert | CRLLookup | user-certdn-match | user-pubkey-match | user-switch-bind] attribute-name attribute-name search-filter filter base-DN base-DN-name

                      4.    exit

                      5.    (Optional) show ldap-search-map

                      6.    (Optional) copy running-config startup-config


                    DETAILED STEPS
                        Command or Action Purpose
                      Step 1 configure terminal


                      Example:
                      switch# configure terminal
                      switch(config)#
                       

                      Enters global configuration mode.

                       
                      Step 2 ldap search-map map-name


                      Example:
                      switch(config)# ldap search-map map1
                      switch(config-ldap-search-map)#
                       

                      Configures an LDAP search map.

                       
                      Step 3 [userprofile | trustedCert | CRLLookup | user-certdn-match | user-pubkey-match | user-switch-bind] attribute-name attribute-name search-filter filter base-DN base-DN-name


                      Example:
                      switch(config-ldap-search-map)# userprofile attribute-name att-name search-filter (&(objectClass=inetOrgPerson)(cn=$userid)) base-DN dc=acme,dc=com
                       
                      (Optional)

                      Configures the attribute name, search filter, and base-DN for the user profile, trusted certificate, CRL, certificate DN match, public key match, or user-switchgroup lookup search operation. These values are used to send a search query to the LDAP server.

                      The attribute-name argument is the name of the attribute in the LDAP server that contains the Nexus role definition.

                       
                      Step 4 exit


                      Example:
                      switch(config-ldap-search-map)# exit
                      switch(config)#
                       

                      Exits LDAP search map configuration mode.

                       
                      Step 5 show ldap-search-map


                      Example:
                      switch(config)# show ldap-search-map
                       
                      (Optional)

                      Displays the configured LDAP search maps.

                       
                      Step 6 copy running-config startup-config


                      Example:
                      switch(config)# copy running-config startup-config
                       
                      (Optional)

                      Copies the running configuration to the startup configuration.

                       

                      Configuring Periodic LDAP Server Monitoring

                      You can monitor the availability of LDAP servers. The configuration parameters include the username and password to use for the server, the rootDN to bind to the server to verify its state, and an idle timer. The idle timer specifies the interval in which an LDAP server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.


                      Note


                      To protect network security, we recommend that you use a username that is not the same as an existing username in the LDAP database.


                      Before You Begin

                      Enable LDAP.

                      SUMMARY STEPS

                        1.    configure terminal

                        2.    [no] ldap-server host {ipv4-address | ipv6-address | host-name} test rootDN root-name [idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]]

                        3.    [no] ldap-server deadtime minutes

                        4.    exit

                        5.    (Optional) show ldap-server

                        6.    (Optional) copy running-config startup-config


                      DETAILED STEPS
                          Command or Action Purpose
                        Step 1 configure terminal


                        Example:
                        switch# configure terminal
                        switch(config)#
                         

                        Enters global configuration mode.

                         
                        Step 2 [no] ldap-server host {ipv4-address | ipv6-address | host-name} test rootDN root-name [idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]]


                        Example:
                        switch(config)# ldap-server host 10.10.1.1 test rootDN root1 username user1 password Ur2Gd2BH idle-time 3
                         

                        Specifies the parameters for server monitoring. The default username is test, and the default password is Cisco. The default value for the idle timer is 60 minutes, and the valid range is from 1 to 1440 minutes.

                        Note   

                        We recommend that the user not be an existing user in the LDAP server database.

                         
                        Step 3 [no] ldap-server deadtime minutes


                        Example:
                        switch(config)# ldap-server deadtime 5
                         

                        Specifies the number of minutes before the Cisco NX-OS device checks an LDAP server that was previously unresponsive. The default value is 0 minutes, and the valid range is from 1 to 60 minutes.

                         
                        Step 4 exit


                        Example:
                        switch(config)# exit
                        switch#
                         

                        Exits configuration mode.

                         
                        Step 5 show ldap-server


                        Example:
                        switch# show ldap-server
                         
                        (Optional)

                        Displays the LDAP server configuration.

                         
                        Step 6 copy running-config startup-config


                        Example:
                        switch# copy running-config startup-config
                         
                        (Optional)

                        Copies the running configuration to the startup configuration.

                         

                        Configuring the LDAP Dead-Time Interval

                        You can configure the dead-time interval for all LDAP servers. The dead-time interval specifies the time that the Cisco NX-OS device waits, after declaring that an LDAP server is dead, before sending out a test packet to determine if the server is now alive.


                        Note


                        When the dead-time interval is 0 minutes, LDAP servers are not marked as dead even if they are not responding. You can configure the dead-time interval per group.


                        Before You Begin

                        Enable LDAP.

                        SUMMARY STEPS

                          1.    configure terminal

                          2.    [no] ldap-server deadtime minutes

                          3.    exit

                          4.    (Optional) show ldap-server

                          5.    (Optional) copy running-config startup-config


                        DETAILED STEPS
                            Command or Action Purpose
                          Step 1 configure terminal


                          Example:
                          switch# configure terminal
                          switch(config)#
                           

                          Enters global configuration mode.

                           
                          Step 2 [no] ldap-server deadtime minutes


                          Example:
                          switch(config)# ldap-server deadtime 5
                           

                          Configures the global dead-time interval. The default value is 0 minutes. The range is from 1 to 60 minutes.

                           
                          Step 3 exit


                          Example:
                          switch(config)# exit
                          switch#
                           

                          Exits configuration mode.

                           
                          Step 4 show ldap-server


                          Example:
                          switch# show ldap-server
                           
                          (Optional)

                          Displays the LDAP server configuration.

                           
                          Step 5 copy running-config startup-config


                          Example:
                          switch# copy running-config startup-config
                           
                          (Optional)

                          Copies the running configuration to the startup configuration.

                           

                          Configuring AAA Authorization on LDAP Servers

                          You can configure the default AAA authorization method for LDAP servers.

                          Before You Begin

                          Enable LDAP.

                          SUMMARY STEPS

                            1.    configure terminal

                            2.    aaa authorization {ssh-certificate | ssh-publickey} default {group group-list | local}

                            3.    exit

                            4.    (Optional) show aaa authorization [all]

                            5.    (Optional) copy running-config startup-config


                          DETAILED STEPS
                              Command or Action Purpose
                            Step 1 configure terminal


                            Example:
                            switch# configure terminal
                            switch(config)#
                             

                            Enters global configuration mode.

                             
                            Step 2 aaa authorization {ssh-certificate | ssh-publickey} default {group group-list | local}


                            Example:
                            switch(config)# aaa authorization ssh-certificate 
                            default group LDAPServer1 LDAPServer2
                             

                            Configures the default AAA authorization method for the LDAP servers.

                            The ssh-certificate keyword configures LDAP or local authorization with certificate authentication, and the ssh-publickey keyword configures LDAP or local authorization with the SSH public key. The default authorization is local authorization, which is the list of authorized commands for the user’s assigned role.

                            The group-list argument consists of a space-delimited list of LDAP server group names. Servers that belong to this group are contacted for AAA authorization. The local method uses the local database for authorization.

                             
                            Step 3 exit


                            Example:
                            switch(config)# exit
                            switch#
                             

                            Exits global configuration mode.

                             
                            Step 4 show aaa authorization [all]


                            Example:
                            switch(config)# show aaa authorization
                             
                            (Optional)

                            Displays the AAA authorization configuration. The all keyword displays the default values.

                             
                            Step 5 copy running-config startup-config


                            Example:
                            switch(config)# copy running-config 
                            startup-config
                             
                            (Optional)

                            Copies the running configuration to the startup configuration.

                             

                            Disabling LDAP

                            You can disable LDAP.


                            Caution


                            When you disable LDAP, all related configurations are automatically discarded.


                            SUMMARY STEPS

                              1.    configure terminal

                              2.    no feature ldap

                              3.    exit

                              4.    (Optional) copy running-config startup-config


                            DETAILED STEPS
                                Command or Action Purpose
                              Step 1 configure terminal


                              Example:
                              switch# configure terminal
                              switch(config)#
                               

                              Enters global configuration mode.

                               
                              Step 2 no feature ldap


                              Example:
                              switch(config)# no feature ldap
                               

                              Disables LDAP.

                               
                              Step 3 exit


                              Example:
                              switch(config)# exit
                              switch#
                               

                              Exits configuration mode.

                               
                              Step 4 copy running-config startup-config


                              Example:
                              switch# copy running-config startup-config
                               
                              (Optional)

                              Copies the running configuration to the startup configuration.

                               

                              Monitoring LDAP Servers

                              You can monitor the statistics that the Cisco NX-OS device maintains for LDAP server activity.

                              Before You Begin

                              Configure LDAP servers on the Cisco NX-OS device.

                              SUMMARY STEPS

                                1.    show ldap-server statistics {hostname | ipv4-address | ipv6-address}


                              DETAILED STEPS
                                  Command or Action Purpose
                                Step 1 show ldap-server statistics {hostname | ipv4-address | ipv6-address}


                                Example:
                                switch# show ldap-server statistics 10.10.1.1
                                 

                                Displays the LDAP statistics.

                                 

                                Clearing LDAP Server Statistics

                                You can display the statistics that the Cisco NX-OS device maintains for LDAP server activity.

                                Before You Begin

                                Configure LDAP servers on the Cisco NX-OS device.

                                SUMMARY STEPS

                                  1.    (Optional) show ldap-server statistics {hostname | ipv4-address | ipv6-address}

                                  2.    clear ldap-server statistics {hostname | ipv4-address | ipv6-address}


                                DETAILED STEPS
                                    Command or Action Purpose
                                  Step 1 show ldap-server statistics {hostname | ipv4-address | ipv6-address}


                                  Example:
                                  switch# show ldap-server statistics 10.10.1.1
                                   
                                  (Optional)

                                  Displays the LDAP server statistics on the Cisco NX-OS device.

                                   
                                  Step 2 clear ldap-server statistics {hostname | ipv4-address | ipv6-address}


                                  Example:
                                  switch# clear ldap-server statistics 10.10.1.1
                                   

                                  Clears the LDAP server statistics.

                                   

                                  Verifying the LDAP Configuration

                                  To display LDAP configuration information, perform one of the following tasks:

                                  Command

                                  Purpose

                                  show running-config ldap [all]

                                  Displays the LDAP configuration in the running configuration.

                                  show startup-config ldap

                                  Displays the LDAP configuration in the startup configuration.

                                  show ldap-server

                                  Displays LDAP configuration information.

                                  show ldap-server groups

                                  Displays LDAP server group configuration information.

                                  show ldap-server statistics {host-name | ipv4-address | ipv6-address}

                                  Displays LDAP statistics.

                                  show ldap-search-map

                                  Displays information about the configured LDAP attribute maps.

                                  For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

                                  Configuration Examples for LDAP

                                  The following example shows how to configure an LDAP server host and server group:

                                  feature ldap 
                                  ldap-server host 10.10.2.2 enable-ssl 
                                  aaa group server ldap LdapServer
                                      server 10.10.2.2
                                  exit
                                  show ldap-server
                                  show ldap-server groups
                                  
                                  
                                  

                                  The following example shows how to configure an LDAP search map:

                                  ldap search-map s0
                                  userprofile attribute-name description search-filter (&(objectClass=inetOrgPerson)(cn=$userid)) base-DN dc=acme,dc=com 
                                  exit
                                  show ldap-search-map
                                  
                                  
                                  

                                  The following example shows how to configure AAA authorization with certificate authentication for an LDAP server:

                                  aaa authorization ssh-certificate default group LDAPServer1 LDAPServer2
                                  exit
                                  show aaa authorization
                                  
                                  
                                  

                                  Where to Go Next

                                  You can now configure AAA authentication methods to include the server groups.

                                  Additional References for LDAP

                                  This section includes additional information related to implementing LDAP.

                                  Related Documents

                                  Related Topic

                                  Document Title

                                  Cisco NX-OS licensing

                                  Cisco NX-OS Licensing Guide

                                  Command reference

                                  Cisco Nexus 7000 Series NX-OS Security Command Reference

                                  VRF configuration

                                  Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide

                                  Standards

                                  Standards

                                  Title

                                  No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

                                  MIBs

                                  MIBs

                                  MIBs Link

                                  • CISCO-AAA-SERVER-MIB
                                  • CISCO-AAA-SERVER-EXT-MIB

                                  To locate and download MIBs, go to the following URL:

                                  http:/​/​www.cisco.com/​public/​sw-center/​netmgmt/​cmtk/​mibs.shtml

                                  Feature History for LDAP

                                  This table lists the release history for this feature.

                                  Table 2  Feature History for LDAP

                                  Feature Name

                                  Releases

                                  Feature Information

                                  LDAP

                                  5.2(1)

                                  The ldap-server port command was deprecated.

                                  LDAP

                                  5.1(1)

                                  No change from Release 5.0.

                                  LDAP

                                  5.0(2)

                                  This feature was introduced.