Step 1 | UCS-A# scope security | Enters security mode.
Step 2 | UCS-A /security # scope ldap | Enters security LDAP mode.
Step 3 | UCS-A /security/ldap # create server server-name | Creates an LDAP server instance and enters security LDAP server mode. If SSL is enabled, the server-name, typically an IP address or FQDN, must exactly match a Common Name (CN) in the LDAP server's security certificate. Unless an IP address is specified, a DNS server must be configured in Cisco UCS Manager.
Step 4 | UCS-A /security/ldap/server # set attribute attr-name | (Optional) Specifies the LDAP attribute that stores the values for the user roles and locales. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.
If you do not want to extend your LDAP schema, you can configure an existing, unused LDAP attribute with the Cisco UCS roles and locales. Alternatively, you can create an attribute named CiscoAVPair in the remote authentication service with the following attribute ID: 1.3.6.1.4.1.9.287247.1
This value is required unless a default attribute has been set on the LDAP General tab.
Step 5 | UCS-A /security/ldap/server # set basedn basedn-name | (Optional) The specific distinguished name in the LDAP hierarchy where the server begins a search when a remote user logs in and the system attempts to obtain the user's DN based on their username. You can set the length of the base DN to a maximum of 255 characters minus the length of CN=username, where username identifies the remote user attempting to access Cisco UCS Manager using LDAP authentication.
This value is required unless a default base DN has been set on the LDAP General tab.
Step 6 | UCS-A /security/ldap/server # set binddn binddn-name | (Optional) The distinguished name (DN) for an LDAP database account that has read and search permissions for all objects under the base DN. The maximum supported string length is 255 ASCII characters.
Step 7 | UCS-A /security/ldap/server # set filter filter-value | (Optional) The LDAP search is restricted to those user names that match the defined filter.
This value is required unless a default filter has been set on the LDAP General tab.
Step 8 | UCS-A /security/ldap/server # set password | The password for the LDAP database account specified in the Bind DN field. You can enter any standard ASCII characters except for space, § (section sign), ? (question mark), or = (equal sign).
To set the password, press Enter after typing the set password command and enter the key value at the prompt.
Step 9 | UCS-A /security/ldap/server # set order order-num | (Optional) The order in which Cisco UCS uses this provider to authenticate users.
Step 10 | UCS-A /security/ldap/server # set port port-num | (Optional) The port through which Cisco UCS communicates with the LDAP database. The standard port number is 389.
Step 11 | UCS-A /security/ldap/server # set ssl {yes | no} | Enables or disables the use of encryption when communicating with the LDAP server. The options are as follows:
- yes—Encryption is required. If encryption cannot be negotiated, the connection fails.
- no—Encryption is disabled. Authentication information is sent as clear text.
LDAP uses STARTTLS, which allows encrypted communication using port 389. If encryption is enabled, do not change the port to 636; leave it at 389. Cisco UCS negotiates a TLS session on port 636 for SSL, but the initial connection starts unencrypted on 389.
Step 12 | UCS-A /security/ldap/server # set timeout timeout-num | The length of time in seconds the system spends trying to contact the LDAP database before it times out.
Enter an integer from 1 to 60 seconds, or enter 0 (zero) to use the global timeout value specified on the LDAP General tab. The default is 30 seconds.
Step 13 | UCS-A /security/ldap/server # set vendor {ms-ad | openldap} | Enables or disables the use of the nested LDAP group search capability on the LDAP server. The options are as follows:
- ms-ad—Nested LDAP group searches are supported with this option. If you set the vendor to ms-ad (Microsoft Active Directory), and enable and set the ldap-group-rule to recursive, Cisco UCS Manager can search through any nested LDAP groups.
- openldap—Nested LDAP group searches are not supported with this option. If you set the vendor to openldap, and enable and set the ldap-group-rule to recursive, Cisco UCS Manager will not search through any nested LDAP groups. If you choose this option, you must create each LDAP subgroup as an LDAP group map in Cisco UCS Manager, even if the parent group is already set up in a group map.
Note: When you upgrade Cisco UCS Manager from an earlier version to release 2.1(2), the LDAP provider's vendor attribute is set to openldap by default, and LDAP authentication continues to operate successfully.
Step 14 | UCS-A /security/ldap/server # commit-buffer | Commits the transaction to the system configuration.
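The following is an added example, not Cisco code: it checks an LDAP provider definition against the limits stated in Steps 3 through 13 (base DN and bind DN length, the password character restrictions, STARTTLS on port 389, the timeout range, the vendor keywords) before anything is committed, and renders the matching UCS-A command sequence in step order. The dictionary field names and the SAMPLE values are constructed assumptions for illustration.

```python
# Added example (not Cisco's code): pre-flight checks for an LDAP provider
# against the limits in Steps 3-13, then the matching UCS-A command sequence.
FORBIDDEN_PW_CHARS = set(" ?=\u00a7")  # space, ?, = and section sign (Step 8)

SAMPLE = {  # constructed sample values, not from the original page
    "server_name": "ldap.example.com", "attribute": "CiscoAVPair",
    "basedn": "DC=example,DC=com", "binddn": "CN=ucsbind,OU=svc,DC=example,DC=com",
    "filter": "sAMAccountName=$userid", "password": "S3cret!Pass",
    "port": 389, "ssl": True, "timeout": 30, "vendor": "ms-ad",
}

def validate_ldap_provider(cfg, sample_user="username"):
    """Return a list of problems; an empty list means the definition is acceptable."""
    problems = []
    # Step 5: base DN may use at most 255 characters minus len("CN=<username>")
    if len(cfg.get("basedn", "")) > 255 - len(f"CN={sample_user}"):
        problems.append("basedn leaves no room for CN=username in a 255-char DN")
    # Step 6: bind DN is limited to 255 ASCII characters
    binddn = cfg.get("binddn", "")
    if len(binddn) > 255 or not binddn.isascii():
        problems.append("binddn must be at most 255 ASCII characters")
    # Step 8: password must be printable ASCII without space, section sign, ? or =
    if any(c in FORBIDDEN_PW_CHARS or not 0x21 <= ord(c) <= 0x7E
           for c in cfg.get("password", "")):
        problems.append("password contains a character UCS Manager rejects")
    # Step 11: encryption is STARTTLS on 389; an ssl=yes provider stays on 389
    if cfg.get("ssl") and cfg.get("port", 389) == 636:
        problems.append("ssl=yes uses STARTTLS on port 389; do not set port 636")
    elif not cfg.get("ssl"):
        problems.append("warning: ssl=no sends bind credentials in clear text")
    # Step 12: timeout is 0 (use the global value) or 1-60 seconds
    t = cfg.get("timeout", 30)
    if not (t == 0 or 1 <= t <= 60):
        problems.append("timeout must be 0 or an integer from 1 to 60")
    if cfg.get("vendor", "openldap") not in ("ms-ad", "openldap"):  # Step 13
        problems.append("vendor must be ms-ad or openldap")
    return problems

def render_cli(cfg):
    """Render the UCS-A commands in step order; the password is typed at a prompt."""
    lines = ["scope security", "scope ldap", f"create server {cfg['server_name']}"]
    for key in ("attribute", "basedn", "binddn", "filter", "password", "order",
                "port", "ssl", "timeout", "vendor"):
        if key == "password" and key in cfg:
            lines.append("set password")  # value is entered at the prompt, never inline
        elif key == "ssl":
            lines.append(f"set ssl {'yes' if cfg.get('ssl') else 'no'}")
        elif key in cfg:
            lines.append(f"set {key} {cfg[key]}")
    return lines + ["commit-buffer"]
```

Running validate_ldap_provider on a definition before render_cli keeps a misconfigured provider (for example ssl=yes on port 636, or a password with a space) from ever reaching commit-buffer.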