| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | `UCS-A# scope security` | Enters security mode. |
| Step 2 | `UCS-A /security # scope ldap` | Enters security LDAP mode. |
| Step 3 | `UCS-A /security/ldap # create server server-name` | Creates an LDAP server instance and enters security LDAP server mode. If SSL is enabled, the *server-name*, typically an IP address or FQDN, must exactly match a Common Name (CN) in the LDAP server's security certificate. Unless an IP address is specified, a DNS server must be configured in Cisco UCS Manager. |
| Step 4 | `UCS-A /security/ldap/server # set attribute attr-name` | (Optional) An LDAP attribute that stores the values for the user roles and locales. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name. If you do not want to extend your LDAP schema, you can configure an existing, unused LDAP attribute with the Cisco UCS roles and locales. Alternatively, you can create an attribute named CiscoAVPair in the remote authentication service with the following attribute ID: 1.3.6.1.4.1.9.287247.1. This value is required unless a default attribute has been set on the LDAP General tab. |
| Step 5 | `UCS-A /security/ldap/server # set basedn basedn-name` | (Optional) The specific distinguished name in the LDAP hierarchy where the server should begin a search when a remote user logs in and the system attempts to get the user's DN based on their username. The length of the base DN can be set to a maximum of 255 characters minus the length of CN=username, where username identifies the remote user attempting to access Cisco UCS Manager using LDAP authentication. This value is required unless a default base DN has been set on the LDAP General tab. |
| Step 6 | `UCS-A /security/ldap/server # set binddn binddn-name` | (Optional) The distinguished name (DN) for an LDAP database account that has read and search permissions for all objects under the base DN. The maximum supported string length is 255 ASCII characters. |
| Step 7 | `UCS-A /security/ldap/server # set filter filter-value` | (Optional) The LDAP search is restricted to those user names that match the defined filter. This value is required unless a default filter has been set on the LDAP General tab. |
| Step 8 | `UCS-A /security/ldap/server # set password` | The password for the LDAP database account specified in the Bind DN field. You can enter any standard ASCII characters except for space, § (section sign), ? (question mark), or = (equal sign). To set the password, press Enter after typing the `set password` command and enter the key value at the prompt. |
| Step 9 | `UCS-A /security/ldap/server # set order order-num` | (Optional) The order in which Cisco UCS uses this provider to authenticate users. |
| Step 10 | `UCS-A /security/ldap/server # set port port-num` | (Optional) The port through which Cisco UCS communicates with the LDAP database. The standard port number is 389. |
| Step 11 | `UCS-A /security/ldap/server # set ssl {yes \| no}` | Enables or disables the use of encryption when communicating with the LDAP server. The options are as follows: `yes`: Encryption is required. If encryption cannot be negotiated, the connection fails. `no`: Encryption is disabled. Authentication information is sent as clear text. LDAP uses STARTTLS, which allows encrypted communication using port 389. |
| Step 12 | `UCS-A /security/ldap/server # set timeout timeout-num` | The length of time in seconds the system should spend trying to contact the LDAP database before it times out. Enter an integer from 1 to 60 seconds, or enter 0 (zero) to use the global timeout value specified on the LDAP General tab. The default is 30 seconds. |
| Step 13 | `UCS-A /security/ldap/server # set vendor {ms-ad \| openldap}` | Enables or disables the use of the nested LDAP group search capability on the LDAP server. The options are as follows: `ms-ad`: Nested LDAP group searches are supported with this option. If you set the vendor to ms-ad (Microsoft Active Directory), and enable and set the ldap-group-rule to recursive, Cisco UCS Manager can search through any nested LDAP groups. `openldap`: Nested LDAP group searches are not supported with this option. If you set the vendor to openldap, and enable and set the ldap-group-rule to recursive, Cisco UCS Manager will not search through any nested LDAP groups. If you choose this option, you must create each LDAP subgroup as an LDAP group map in Cisco UCS Manager, even if the parent group is already set up in a group map. Note: When you upgrade Cisco UCS Manager from an earlier version to release 2.1(2), the LDAP provider's vendor attribute is set to openldap by default, and LDAP authentication continues to operate successfully. |
| Step 14 | `UCS-A /security/ldap/server # commit-buffer` | Commits the transaction to the system configuration. |
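The following is an added example, not part of the Cisco procedure and not Cisco's own code: a small Python helper that checks a planned provider definition against the limits stated in Steps 3 to 13 (password character set, base DN and bind DN length, timeout range, vendor values) and then emits the command sequence of Steps 1 to 14 in order. The server name `ldap.example.com`, the bind DN, and the filter `sAMAccountName=$userid` are constructed placeholders; the port range check and the filter value are assumptions that this page does not state. The bind password is validated but deliberately kept out of the returned transcript, because the CLI reads it at the `set password` prompt rather than on the command line.

```python
"""Pre-check a Cisco UCS Manager LDAP provider definition and emit the CLI steps.

Added example, not Cisco's code. It encodes the constraints from the procedure
above so a mistake is caught before anything is typed into the fabric interconnect.
"""
from dataclasses import dataclass
from typing import List, Optional

# Step 8: any standard ASCII character except space, section sign, ? and =.
FORBIDDEN_PASSWORD_CHARS = {" ", "\u00a7", "?", "="}
VALID_VENDORS = ("ms-ad", "openldap")  # Step 13


@dataclass
class LdapProvider:
    server_name: str             # IP or FQDN; with SSL it must match a CN in the server certificate
    password: str                # bind password, entered at the 'set password' prompt
    username_for_check: str      # sample remote user name, used only for the base DN length rule
    attribute: Optional[str] = None
    basedn: Optional[str] = None
    binddn: Optional[str] = None
    search_filter: Optional[str] = None
    order: Optional[int] = None
    port: int = 389              # standard LDAP port (Step 10)
    ssl: bool = True             # 'yes' requires encryption via STARTTLS (Step 11)
    timeout: int = 30            # default per Step 12; 0 means use the global value
    vendor: str = "ms-ad"


def validate(p: LdapProvider) -> List[str]:
    """Return human-readable problems; an empty list means the definition is acceptable."""
    problems: List[str] = []
    if not p.server_name:
        problems.append("server-name is required")
    for ch in p.password:
        # Printable ASCII is 0x21-0x7E; the forbidden set removes the four excluded characters.
        if ch in FORBIDDEN_PASSWORD_CHARS or not (0x21 <= ord(ch) <= 0x7E):
            problems.append(f"password contains disallowed character {ch!r}")
            break
    if p.basedn is not None:
        # Step 5: at most 255 characters minus the length of CN=username.
        limit = 255 - len(f"CN={p.username_for_check}")
        if len(p.basedn) > limit:
            problems.append(f"basedn longer than {limit} characters")
    if p.binddn is not None and (len(p.binddn) > 255 or not p.binddn.isascii()):
        problems.append("binddn must be at most 255 ASCII characters")  # Step 6
    if not 1 <= p.port <= 65535:
        problems.append("port out of range")  # assumption: the page only names 389
    if not 0 <= p.timeout <= 60:
        problems.append("timeout must be 0 (global) or 1-60 seconds")  # Step 12
    if p.vendor not in VALID_VENDORS:
        problems.append("vendor must be ms-ad or openldap")  # Step 13
    return problems


def build_commands(p: LdapProvider) -> List[str]:
    """Emit Steps 1-14 for a validated provider. The secret never appears in the output."""
    problems = validate(p)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = ["scope security", "scope ldap", f"create server {p.server_name}"]
    if p.attribute:
        cmds.append(f"set attribute {p.attribute}")
    if p.basedn:
        cmds.append(f"set basedn {p.basedn}")
    if p.binddn:
        cmds.append(f"set binddn {p.binddn}")
    if p.search_filter:
        cmds.append(f"set filter {p.search_filter}")
    cmds.append("set password")  # the CLI prompts for the value; it is typed there, not echoed here
    if p.order is not None:
        cmds.append(f"set order {p.order}")
    cmds.append(f"set port {p.port}")
    cmds.append(f"set ssl {'yes' if p.ssl else 'no'}")
    cmds.append(f"set timeout {p.timeout}")
    cmds.append(f"set vendor {p.vendor}")
    cmds.append("commit-buffer")
    return cmds


# Constructed sample definition; every value below is a placeholder, not a real environment.
EXAMPLE = LdapProvider(
    server_name="ldap.example.com",       # must match a CN in the LDAP server's certificate when ssl=True
    password="S3cr3tBindPw",
    username_for_check="jdoe",
    attribute="CiscoAVPair",
    basedn="DC=example,DC=com",
    binddn="CN=ucs-bind,OU=Service Accounts,DC=example,DC=com",
    search_filter="sAMAccountName=$userid",  # assumed filter form, not stated on this page
    order=1,
    ssl=True,
    timeout=0,                            # inherit the global timeout from the LDAP General tab
    vendor="ms-ad",
)

if __name__ == "__main__":
    for line in build_commands(EXAMPLE):
        print(line)
```

Running the module prints the fourteen commands in the order of the table; the `set password` line is a reminder that the secret is supplied at the interactive prompt, which keeps it out of shell history and change tickets. A definition with, for example, a space in the password is rejected before any command is produced.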