| | Command or Action | Purpose |
|---|---|---|
| Step 1 | UCS-A# scope security | Enters security mode. |
| Step 2 | UCS-A /security # scope ldap | Enters security LDAP mode. |
| Step 3 | UCS-A /security/ldap # create server server-name | Creates an LDAP server instance and enters security LDAP server mode. If SSL is enabled, the server-name, typically an IP address or FQDN, must exactly match a Common Name (CN) in the LDAP server's security certificate. Unless an IP address is specified, a DNS server must be configured in Cisco UCS Manager. |
| Step 4 | UCS-A /security/ldap/server # set attribute attr-name | (Optional) An LDAP attribute that stores the values for the user roles and locales. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name. If you do not want to extend your LDAP schema, you can configure an existing, unused LDAP attribute with the Cisco UCS roles and locales. Alternatively, you can create an attribute named CiscoAVPair in the remote authentication service with the following attribute ID: 1.3.6.1.4.1.9.287247.1. This value is required unless a default attribute has been set on the LDAP General tab. |
| Step 5 | UCS-A /security/ldap/server # set basedn basedn-name | (Optional) The specific distinguished name in the LDAP hierarchy where the server should begin a search when a remote user logs in and the system attempts to get the user's DN based on their username. The maximum supported string length is 127 characters. This value is required unless a default base DN has been set on the LDAP General tab. |
| Step 6 | UCS-A /security/ldap/server # set binddn binddn-name | (Optional) The distinguished name (DN) for an LDAP database account that has read and search permissions for all objects under the base DN. The maximum supported string length is 127 ASCII characters. |
| Step 7 | UCS-A /security/ldap/server # set filter filter-value | (Optional) The LDAP search is restricted to those usernames that match the defined filter. This value is required unless a default filter has been set on the LDAP General tab. |
| Step 8 | UCS-A /security/ldap/server # set password | The password for the LDAP database account specified in the Bind DN field. You can enter any standard ASCII characters except for space, § (section sign), ? (question mark), or = (equal sign). To set the password, press Enter after typing the set password command and enter the password at the prompt. |
| Step 9 | UCS-A /security/ldap/server # set order order-num | (Optional) The order in which Cisco UCS uses this provider to authenticate users. |
| Step 10 | UCS-A /security/ldap/server # set port port-num | (Optional) The port through which Cisco UCS communicates with the LDAP database. The standard port number is 389. |
| Step 11 | UCS-A /security/ldap/server # set ssl {yes \| no} | Enables or disables the use of encryption when communicating with the LDAP server. yes: encryption is required; if encryption cannot be negotiated, the connection fails. no: encryption is disabled, and authentication information is sent as clear text. LDAP uses STARTTLS, which allows encrypted communication over port 389. |
| Step 12 | UCS-A /security/ldap/server # set timeout timeout-num | The length of time in seconds the system should spend trying to contact the LDAP database before it times out. Enter an integer from 1 to 60 seconds, or enter 0 (zero) to use the global timeout value specified on the LDAP General tab. The default is 30 seconds. |
| Step 13 | UCS-A /security/ldap/server # commit-buffer | Commits the transaction to the system configuration. |
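The full procedure as one CLI session, added here as an illustration and not taken from the Cisco guide. All values are constructed: ldap1.example.com stands for an FQDN that matches a CN in the LDAP server's certificate (required because ssl is set to yes), the bind account is assumed to be a dedicated low-privilege directory account, and the filter assumes that $userid is the placeholder Cisco UCS substitutes with the login name. The asterisk in the prompt marking uncommitted changes and the password prompt text are shown as they are assumed to appear and may differ on a given release.

```text
UCS-A# scope security
UCS-A /security # scope ldap
UCS-A /security/ldap # create server ldap1.example.com
UCS-A /security/ldap/server* # set attribute CiscoAVPair
UCS-A /security/ldap/server* # set basedn DC=example,DC=com
UCS-A /security/ldap/server* # set binddn CN=ucs-bind,OU=ServiceAccounts,DC=example,DC=com
UCS-A /security/ldap/server* # set filter sAMAccountName=$userid
UCS-A /security/ldap/server* # set password
Enter the password:
Confirm the password:
UCS-A /security/ldap/server* # set order 1
UCS-A /security/ldap/server* # set port 389
UCS-A /security/ldap/server* # set ssl yes
UCS-A /security/ldap/server* # set timeout 30
UCS-A /security/ldap/server* # commit-buffer
UCS-A /security/ldap/server #
```

Two points worth checking before commit-buffer: with ssl yes, a server-name that does not match the certificate CN causes every authentication attempt to fail once committed, so verify the CN (or use the IP address only if that is what the certificate carries); and since STARTTLS upgrades the plain port 389 connection, leaving ssl at no means the bind DN password and user credentials cross the network in clear text.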