Contents

• Configuring LDAP
• Information About LDAP
• LDAP Authentication and Authorization
• LDAP Operation for User Login
• LDAP Server Monitoring
• Vendor-Specific Attributes for LDAP
• Cisco VSA Format for LDAP
• Virtualization Support for LDAP
• Licensing Requirements for LDAP
• Prerequisites for LDAP
• Guidelines and Limitations for LDAP
• Default Settings for LDAP
• Configuring LDAP
• LDAP Server Configuration Process
• Enabling LDAP
• Configuring LDAP Server Hosts
• Configuring the RootDN for an LDAP Server
• Configuring LDAP Server Groups
• Configuring the Global LDAP Timeout Interval
• Configuring the Timeout Interval for an LDAP Server
• Configuring the Global LDAP Server Port
• Configuring TCP Ports
• Configuring LDAP Search Maps
• Configuring Periodic LDAP Server Monitoring
• Configuring the LDAP Dead-Time Interval
• Configuring AAA Authorization on LDAP Servers
• Disabling LDAP
• Monitoring LDAP Servers
• Clearing LDAP Server Statistics
• Verifying the LDAP Configuration
• Configuration Examples for LDAP
• Where to Go Next
• Additional References for LDAP
• Feature History for LDAP

Configuring LDAP

---

This chapter describes how to configure the Lightweight Directory Access Protocol (LDAP) on Cisco NX-OS devices.

This chapter includes the following sections:

• Information About LDAP
• Licensing Requirements for LDAP
• Prerequisites for LDAP
• Guidelines and Limitations for LDAP
• Default Settings for LDAP
• Configuring LDAP
• Monitoring LDAP Servers
• Clearing LDAP Server Statistics
• Verifying the LDAP Configuration
• Configuration Examples for LDAP
• Where to Go Next
• Additional References for LDAP
• Feature History for LDAP

Information About LDAP

The Lightweight Directory Access Protocol (LDAP) provides centralized validation of users attempting to gain access to a Cisco NX-OS device. LDAP services are maintained in a database on an LDAP daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure an LDAP server before the configured LDAP features on your Cisco NX-OS device are available.

LDAP provides for separate authentication and authorization facilities. LDAP allows for a single access control server (the LDAP daemon) to provide each service—authentication and authorization—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The LDAP client/server protocol uses TCP (TCP port 389) for transport requirements. Cisco NX-OS devices provide centralized authentication using the LDAP protocol.

• LDAP Authentication and Authorization
• LDAP Operation for User Login
• LDAP Server Monitoring
• Vendor-Specific Attributes for LDAP
• Virtualization Support for LDAP

LDAP Authentication and Authorization

Clients establish a TCP connection and authentication session with an LDAP server through a simple bind (username and password). As part of the authorization process, the LDAP server searches its database to retrieve the user profile and other information.

You can configure the bind operation to first bind and then search, where authentication is performed first and authorization next, or to first search and then bind. The default method is to first search and then bind.

The advantage of searching first and binding later is that the distinguished name (DN) received in the search result can be used as the user DN during binding rather than forming a DN by prepending the username (cn attribute) with the baseDN. This method is especially helpful when the user DN is different from the username plus the baseDN. For the user bind, the bindDN is constructed as baseDN + append-with-baseDN, where append-with-baseDN has a default value of cn=$userid.

Note	As an alternative to the bind method, you can establish LDAP authentication using the compare method, which compares the attribute values of a user entry at the server. For example, the user password attribute can be compared for authentication. The default password attribute type is userPassword.

LDAP Operation for User Login

When a user attempts a Password Authentication Protocol (PAP) login to a Cisco NX-OS device using LDAP, the following actions occur:

Note	LDAP allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination but may include prompts for other items.

Note	In LDAP, authorization can occur before authentication.

1. When the Cisco NX-OS device establishes a connection, it contacts the LDAP daemon to obtain the username and password.
2. The Cisco NX-OS device eventually receives one of the following responses from the LDAP daemon:

   ACCEPT

   User authentication succeeds and service begins. If the Cisco NX-OS device requires user authorization, authorization begins.

   REJECT

   User authentication fails. The LDAP daemon either denies further access to the user or prompts the user to retry the login sequence.

   ERROR

   An error occurs at some time during authentication either at the daemon or in the network connection between the daemon and the Cisco NX-OS device. If the Cisco NX-OS device receives an ERROR response, the Cisco NX-OS device tries to use an alternative method for authenticating the user.

   After authentication, the user also undergoes an additional authorization phase if authorization has been enabled on the Cisco NX-OS device. Users must first successfully complete LDAP authentication before proceeding to LDAP authorization.
3. If LDAP authorization is required, the Cisco NX-OS device again contacts the LDAP daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access. Services include the following:
   • Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
   • Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts

LDAP Server Monitoring

An unresponsive LDAP server can delay the processing of AAA requests. A Cisco NX-OS device can periodically monitor an LDAP server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco NX-OS device marks unresponsive LDAP servers as dead and does not send AAA requests to any dead LDAP servers. A Cisco NX-OS device periodically monitors dead LDAP servers and brings them to the alive state once they are responding. This process verifies that an LDAP server is in a working state before real AAA requests are sent its way. Whenever an LDAP server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco NX-OS device displays an error message that a failure is taking place before it can impact performance.

Figure 1. LDAP Server States. This figure shows the server states for LDAP server monitoring.

Note	The monitoring interval for alive servers and dead servers are different and can be configured by the user. The LDAP server monitoring is performed by sending a test authentication request to the LDAP server.

Vendor-Specific Attributes for LDAP

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the LDAP server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use.

• Cisco VSA Format for LDAP

Cisco VSA Format for LDAP

The Cisco LDAP implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.

When you use LDAP servers for authentication on a Cisco NX-OS device, LDAP directs the LDAP server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

The following VSA protocol options are supported by the Cisco NX-OS software:

Shell

Protocol used in access-accept packets to provide user profile information.

The Cisco NX-OS software supports the following attributes:

roles

Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white space. For example, if the user belongs to roles network-operator and vdc-admin, the value field would be network-operator vdc-admin. This subattribute, which the LDAP server sends in the VSA portion of the Access-Accept frames, can only be used with the shell protocol value. The following examples show the roles attribute as supported by Cisco ACS:

shell:roles=network-operator vdc-admin 

shell:roles*network-operator vdc-admin

Note	When you specify a VSA as shell:roles*"network-operator vdc-admin", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.

Virtualization Support for LDAP

LDAP configuration and operation are local to the virtual device context (VDC). For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.

The Cisco NX-OS device uses virtual routing and forwarding instances (VRFs) to access the LDAP servers. For more information on VRFs, see the Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide.

Licensing Requirements for LDAP

The following table shows the licensing requirements for this feature:

Product	License Requirement
Cisco NX-OS	LDAP requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for LDAP

LDAP has the following prerequisites:

• Obtain the IPv4 or IPv6 addresses or hostnames for the LDAP servers.
• Ensure that the Cisco NX-OS device is configured as an LDAP client of the AAA servers.

Guidelines and Limitations for LDAP

LDAP has the following guidelines and limitations:

• You can configure a maximum of 64 LDAP servers on the Cisco NX-OS device.
• Cisco NX-OS supports only LDAP version 3.
• Cisco NX-OS supports only these LDAP servers:
  • OpenLDAP
  • Microsoft Active Directory
• LDAP over Secure Sockets Layer (SSL) supports only SSL version 3 and Transport Layer Security (TLS) version 1.
• If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.

Default Settings for LDAP

This table lists the default settings for LDAP parameters.

Table 1  Default LDAP Parameters Settings

Parameters	Default
LDAP	Disabled
LDAP authentication method	First search and then bind
LDAP authentication mechanism	Plain
Dead-time interval	0 minutes
Timeout interval	5 seconds
Idle timer interval	60 minutes
Periodic server monitoring username	test
Periodic server monitoring password	Cisco

Configuring LDAP

This section describes how to configure LDAP on a Cisco NX-OS device.

Note	If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

• LDAP Server Configuration Process
• Enabling LDAP
• Configuring LDAP Server Hosts
• Configuring the RootDN for an LDAP Server
• Configuring LDAP Server Groups
• Configuring the Global LDAP Timeout Interval
• Configuring the Timeout Interval for an LDAP Server
• Configuring the Global LDAP Server Port
• Configuring TCP Ports
• Configuring LDAP Search Maps
• Configuring Periodic LDAP Server Monitoring
• Configuring the LDAP Dead-Time Interval
• Configuring AAA Authorization on LDAP Servers
• Disabling LDAP

LDAP Server Configuration Process

You can configure LDAP servers by following this configuration process.

---

Step 1	Enable LDAP.
Step 2	Establish the LDAP server connections to the Cisco NX-OS device.
Step 3	If needed, configure LDAP server groups with subsets of the LDAP servers for AAA authentication methods.
Step 4	(Optional) Configure the TCP port.
Step 5	(Optional) Configure the default AAA authorization method for the LDAP server.
Step 6	(Optional) Configure an LDAP search map.
Step 7	(Optional) If needed, configure periodic LDAP server monitoring.

---

Enabling LDAP

By default, the LDAP feature is disabled on the Cisco NX-OS device. You must explicitly enable the LDAP feature to access the configuration and verification commands for authentication.

SUMMARY STEPS

1.    configure terminal


2.    feature ldap


3.    exit


4.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	feature ldap Example: switch(config)# feature ldap	Enables LDAP.
Step 3	exit Example: switch(config)# exit switch#	Exits configuration mode.
Step 4	copy running-config startup-config Example: switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring LDAP Server Hosts

To access a remote LDAP server, you must configure the IP address or the hostname for the LDAP server on the Cisco NX-OS device. You can configure up to 64 LDAP servers.

Note	By default, when you configure an LDAP server IP address or hostname on the Cisco NX-OS device, the LDAP server is added to the default LDAP server group. You can also add the LDAP server to another LDAP server group.

Before You Begin

Enable LDAP.

Obtain the IPv4 or IPv6 addresses or the hostnames for the remote LDAP servers.

If you plan to enable the Secure Sockets Layer (SSL) protocol, make sure that the LDAP server certificate is manually configured on the Cisco NX-OS device.

SUMMARY STEPS

1.    configure terminal


2.    [no] ldap-server host {ipv4-address | ipv6-address | host-name} [enable-ssl]


3.    exit


4.    (Optional) show ldap-server


5.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	[no] ldap-server host {ipv4-address | ipv6-address | host-name} [enable-ssl] Example: switch(config)# ldap-server host 10.10.2.2 enable-ssl	Specifies the IPv4 or IPv6 address or hostname for an LDAP server. The enable-ssl keyword ensures the integrity and confidentiality of the transferred data by causing the LDAP client to establish a Secure Sockets Layer (SSL) session prior to sending the bind or search request.
Step 3	exit Example: switch(config)# exit switch#	Exits configuration mode.
Step 4	show ldap-server Example: switch# show ldap-server	(Optional) Displays the LDAP server configuration.
Step 5	copy running-config startup-config Example: switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring the RootDN for an LDAP Server

You can configure the root designated name (DN) for the LDAP server database. The rootDN is used to bind to the LDAP server to verify its state.

Before You Begin

Enable LDAP.

Obtain the IPv4 or IPv6 addresses or the hostnames for the remote LDAP servers.

SUMMARY STEPS

1.    configure terminal


2.    [no] ldap-server host {ipv4-address | ipv6-address | host-name} rootDN root-name [password password] [port tcp-port [timeout seconds] | [timeout seconds]]


3.    exit


4.    (Optional) show ldap-server


5.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	[no] ldap-server host {ipv4-address | ipv6-address | host-name} rootDN root-name [password password] [port tcp-port [timeout seconds] | [timeout seconds]] Example: switch(config)# ldap-server host 10.10.1.1 rootDN cn=manager,dc=acme,dc=com password Ur2Gd2BH timeout 60	Specifies the rootDN for the LDAP server database and the bind password for the root. Optionally specifies the TCP port to use for LDAP messages to the server. The range is from 1 to 65535, and the default TCP port is the global value or 389 if a global value is not configured. Also specifies the timeout interval for the server. The range is from 1 to 60 seconds, and the default timeout is the global value or 5 seconds if a global value is not configured.
Step 3	exit Example: switch(config)# exit switch#	Exits configuration mode.
Step 4	show ldap-server Example: switch# show ldap-server	(Optional) Displays the LDAP server configuration.
Step 5	copy running-config startup-config Example: switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring LDAP Server Groups

You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must be configured to use LDAP. The servers are tried in the same order in which you configure them.

You can configure these server groups at any time, but they take effect only when you apply them to an AAA service.

Before You Begin

Enable LDAP.

SUMMARY STEPS

1.    configure terminal


2.    [no] aaa group server ldap group-name


3.    [no] server {ipv4-address | ipv6-address | host-name}


4.    (Optional) [no] authentication {bind-first [append-with-baseDN DNstring] | compare [password-attribute password]}


5.    (Optional) [no] enable user-server-group


6.    (Optional) [no] enable Cert-DN-match


7.    (Optional) [no] use-vrf vrf-name


8.    exit


9.    (Optional) show ldap-server groups


10.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	[no] aaa group server ldap group-name Example: switch(config)# aaa group server ldap LDAPServer1 switch(config-ldap)#	Creates an LDAP server group and enters the LDAP server group configuration mode for that group.
Step 3	[no] server {ipv4-address | ipv6-address | host-name} Example: switch(config-ldap)# server 10.10.2.2	Configures the LDAP server as a member of the LDAP server group. If the specified LDAP server is not found, configure it using the ldap-server host command and retry this command.
Step 4	[no] authentication {bind-first [append-with-baseDN DNstring] | compare [password-attribute password]} Example: switch(config-ldap)# authentication compare password-attribute TyuL8r	(Optional) Performs LDAP authentication using the bind or compare method. The default LDAP authentication method is the bind method using first search and then bind.
Step 5	[no] enable user-server-group Example: switch(config-ldap)# enable user-server-group	(Optional) Enables group validation. The group name should be configured in the LDAP server. Users can login through public-key authentication only if the username is listed as a member of this configured group in the LDAP server.
Step 6	[no] enable Cert-DN-match Example: switch(config-ldap)# enable Cert-DN-match	(Optional) Enables users to login only if the user profile lists the subject-DN of the user certificate as authorized for login.
Step 7	[no] use-vrf vrf-name Example: switch(config-ldap)# use-vrf vrf1	(Optional) Specifies the VRF to use to contact the servers in the server group. Note    This command is supported only on Cisco Nexus 7000 Series Switches.
Step 8	exit Example: switch(config-ldap)# exit switch(config)#	Exits LDAP server group configuration mode.
Step 9	show ldap-server groups Example: switch(config)# show ldap-server groups	(Optional) Displays the LDAP server group configuration.
Step 10	copy running-config startup-config Example: switch(config)# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring the Global LDAP Timeout Interval

You can set a global timeout interval that determines how long the Cisco NX-OS device waits for responses from all LDAP servers before declaring a timeout failure.

Before You Begin

Enable LDAP.

SUMMARY STEPS

1.    configure terminal


2.    [no] ldap-server timeout seconds


3.    exit


4.    (Optional) show ldap-server


5.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	[no] ldap-server timeout seconds Example: switch(config)# ldap-server timeout 10	Specifies the timeout interval for LDAP servers. The default timeout interval is 5 seconds. The range is from 1 to 60 seconds.
Step 3	exit Example: switch(config)# exit switch#	Exits configuration mode.
Step 4	show ldap-server Example: switch# show ldap-server	(Optional) Displays the LDAP server configuration.
Step 5	copy running-config startup-config Example: switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring the Timeout Interval for an LDAP Server

You can set a timeout interval that determines how long the Cisco NX-OS device waits for responses from an LDAP server before declaring a timeout failure.

Before You Begin

Enable LDAP.

SUMMARY STEPS

1.    configure terminal


2.    [no] ldap-server host {ipv4-address | ipv6-address | host-name} timeout seconds


3.    exit


4.    (Optional) show ldap-server


5.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	[no] ldap-server host {ipv4-address | ipv6-address | host-name} timeout seconds Example: switch(config)# ldap-server host server1 timeout 10	Specifies the timeout interval for a specific server. The default is the global value. Note    The timeout interval value specified for an LDAP server overrides the global timeout interval value specified for all LDAP servers.
Step 3	exit Example: switch(config)# exit switch#	Exits configuration mode.
Step 4	show ldap-server Example: switch# show ldap-server	(Optional) Displays the LDAP server configuration.
Step 5	copy running-config startup-config Example: switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring the Global LDAP Server Port

You can configure a global LDAP server port through which clients initiate TCP connections. By default, Cisco NX-OS devices use port 389 for all LDAP requests.

Before You Begin

Enable LDAP.

SUMMARY STEPS

1.    configure terminal


2.    [no] ldap-server port tcp-port


3.    exit


4.    (Optional) show ldap-server


5.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	[no] ldap-server port tcp-port Example: switch(config)# ldap-server port 2	Specifies the global TCP port to use for LDAP messages to the server. The default TCP port is 389. The range is from 1 to 65535. Note    This command is deprecated beginning with Cisco NX-OS Release 5.2.
Step 3	exit Example: switch(config)# exit switch#	Exits configuration mode.
Step 4	show ldap-server Example: switch# show ldap-server	(Optional) Displays the LDAP server configuration.
Step 5	copy running-config startup-config Example: switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring TCP Ports

You can configure another TCP port for the LDAP servers if there are conflicts with another application. By default, Cisco NX-OS devices use port 389 for all LDAP requests.

Before You Begin

Enable LDAP.

SUMMARY STEPS

1.    configure terminal


2.    [no] ldap-server host {ipv4-address | ipv6-address | host-name} port tcp-port [timeout seconds]


3.    exit


4.    (Optional) show ldap-server


5.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	[no] ldap-server host {ipv4-address | ipv6-address | host-name} port tcp-port [timeout seconds] Example: switch(config)# ldap-server host 10.10.1.1 port 200 timeout 5	Specifies the TCP port to use for LDAP messages to the server. The default TCP port is 389. The range is from 1 to 65535. Optionally specifies the timeout interval for the server. The range is from 1 to 60 seconds, and the default timeout is the global value or 5 seconds if a global value is not configured. Note    The timeout interval value specified for an LDAP server overrides the global timeout interval value specified for all LDAP servers.
Step 3	exit Example: switch(config)# exit switch#	Exits configuration mode.
Step 4	show ldap-server Example: switch# show ldap-server	(Optional) Displays the LDAP server configuration.
Step 5	copy running-config startup-config Example: switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring LDAP Search Maps

You can configure LDAP search maps to send a search query to the LDAP server. The server searches its database for data meeting the criteria specified in the search map.

Before You Begin

Enable LDAP.

SUMMARY STEPS

1.    configure terminal


2.    ldap search-map map-name


3.    (Optional) [userprofile | trustedCert | CRLLookup | user-certdn-match | user-pubkey-match | user-switch-bind] attribute-name attribute-name search-filter filter base-DN base-DN-name


4.    exit


5.    (Optional) show ldap-search-map


6.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	ldap search-map map-name Example: switch(config)# ldap search-map map1 switch(config-ldap-search-map)#	Configures an LDAP search map.
Step 3	[userprofile | trustedCert | CRLLookup | user-certdn-match | user-pubkey-match | user-switch-bind] attribute-name attribute-name search-filter filter base-DN base-DN-name Example: switch(config-ldap-search-map)# userprofile attribute-name att-name search-filter (&(objectClass=inetOrgPerson)(cn=$userid)) base-DN dc=acme,dc=com	(Optional) Configures the attribute name, search filter, and base-DN for the user profile, trusted certificate, CRL, certificate DN match, public key match, or user-switchgroup lookup search operation. These values are used to send a search query to the LDAP server. The attribute-name argument is the name of the attribute in the LDAP server that contains the Nexus role definition.
Step 4	exit Example: switch(config-ldap-search-map)# exit switch(config)#	Exits LDAP search map configuration mode.
Step 5	show ldap-search-map Example: switch(config)# show ldap-search-map	(Optional) Displays the configured LDAP search maps.
Step 6	copy running-config startup-config Example: switch(config)# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring Periodic LDAP Server Monitoring

You can monitor the availability of LDAP servers. The configuration parameters include the username and password to use for the server, the rootDN to bind to the server to verify its state, and an idle timer. The idle timer specifies the interval in which an LDAP server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.

Note	To protect network security, we recommend that you use a username that is not the same as an existing username in the LDAP database.

Before You Begin

Enable LDAP.

SUMMARY STEPS

1.    configure terminal


2.    [no] ldap-server host {ipv4-address | ipv6-address | host-name} test rootDN root-name [idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]]


3.    [no] ldap-server deadtime minutes


4.    exit


5.    (Optional) show ldap-server


6.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	[no] ldap-server host {ipv4-address | ipv6-address | host-name} test rootDN root-name [idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]] Example: switch(config)# ldap-server host 10.10.1.1 test rootDN root1 username user1 password Ur2Gd2BH idle-time 3	Specifies the parameters for server monitoring. The default username is test, and the default password is Cisco. The default value for the idle timer is 60 minutes, and the valid range is from 1 to 1440 minutes. Note    We recommend that the user not be an existing user in the LDAP server database.
Step 3	[no] ldap-server deadtime minutes Example: switch(config)# ldap-server deadtime 5	Specifies the number of minutes before the Cisco NX-OS device checks an LDAP server that was previously unresponsive. The default value is 0 minutes, and the valid range is from 1 to 60 minutes.
Step 4	exit Example: switch(config)# exit switch#	Exits configuration mode.
Step 5	show ldap-server Example: switch# show ldap-server	(Optional) Displays the LDAP server configuration.
Step 6	copy running-config startup-config Example: switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring the LDAP Dead-Time Interval

You can configure the dead-time interval for all LDAP servers. The dead-time interval specifies the time that the Cisco NX-OS device waits, after declaring that an LDAP server is dead, before sending out a test packet to determine if the server is now alive.

Note	When the dead-time interval is 0 minutes, LDAP servers are not marked as dead even if they are not responding. You can configure the dead-time interval per group.

Before You Begin

Enable LDAP.

SUMMARY STEPS

1.    configure terminal


2.    [no] ldap-server deadtime minutes


3.    exit


4.    (Optional) show ldap-server


5.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	[no] ldap-server deadtime minutes Example: switch(config)# ldap-server deadtime 5	Configures the global dead-time interval. The default value is 0 minutes. The range is from 1 to 60 minutes.
Step 3	exit Example: switch(config)# exit switch#	Exits configuration mode.
Step 4	show ldap-server Example: switch# show ldap-server	(Optional) Displays the LDAP server configuration.
Step 5	copy running-config startup-config Example: switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring AAA Authorization on LDAP Servers

You can configure the default AAA authorization method for LDAP servers.

Before You Begin

Enable LDAP.

SUMMARY STEPS

1.    configure terminal


2.    aaa authorization {ssh-certificate | ssh-publickey} default {group group-list | local}


3.    exit


4.    (Optional) show aaa authorization [all]


5.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	aaa authorization {ssh-certificate | ssh-publickey} default {group group-list | local} Example: switch(config)# aaa authorization ssh-certificate default group LDAPServer1 LDAPServer2	Configures the default AAA authorization method for the LDAP servers. The ssh-certificate keyword configures LDAP or local authorization with certificate authentication, and the ssh-publickey keyword configures LDAP or local authorization with the SSH public key. The default authorization is local authorization, which is the list of authorized commands for the user’s assigned role. The group-list argument consists of a space-delimited list of LDAP server group names. Servers that belong to this group are contacted for AAA authorization. The local method uses the local database for authorization.
Step 3	exit Example: switch(config)# exit switch#	Exits global configuration mode.
Step 4	show aaa authorization [all] Example: switch(config)# show aaa authorization	(Optional) Displays the AAA authorization configuration. The all keyword displays the default values.
Step 5	copy running-config startup-config Example: switch(config)# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Disabling LDAP

You can disable LDAP.

Caution

When you disable LDAP, all related configurations are automatically discarded.

SUMMARY STEPS

1.    configure terminal


2.    no feature ldap


3.    exit


4.    (Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: switch# configure terminal switch(config)#	Enters global configuration mode.
Step 2	no feature ldap Example: switch(config)# no feature ldap	Disables LDAP.
Step 3	exit Example: switch(config)# exit switch#	Exits configuration mode.
Step 4	copy running-config startup-config Example: switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Monitoring LDAP Servers

You can monitor the statistics that the Cisco NX-OS device maintains for LDAP server activity.

Before You Begin

Configure LDAP servers on the Cisco NX-OS device.

SUMMARY STEPS

1.    show ldap-server statistics {hostname | ipv4-address | ipv6-address}

DETAILED STEPS

	Command or Action	Purpose
Step 1	show ldap-server statistics {hostname | ipv4-address | ipv6-address} Example: switch# show ldap-server statistics 10.10.1.1	Displays the LDAP statistics.

Clearing LDAP Server Statistics

You can display the statistics that the Cisco NX-OS device maintains for LDAP server activity.

Before You Begin

Configure LDAP servers on the Cisco NX-OS device.

SUMMARY STEPS

1.    (Optional) show ldap-server statistics {hostname | ipv4-address | ipv6-address}


2.    clear ldap-server statistics {hostname | ipv4-address | ipv6-address}

DETAILED STEPS

	Command or Action	Purpose
Step 1	show ldap-server statistics {hostname | ipv4-address | ipv6-address} Example: switch# show ldap-server statistics 10.10.1.1	(Optional) Displays the LDAP server statistics on the Cisco NX-OS device.
Step 2	clear ldap-server statistics {hostname | ipv4-address | ipv6-address} Example: switch# clear ldap-server statistics 10.10.1.1	Clears the LDAP server statistics.

Verifying the LDAP Configuration

To display LDAP configuration information, perform one of the following tasks:

Command	Purpose
show running-config ldap [all]	Displays the LDAP configuration in the running configuration.
show startup-config ldap	Displays the LDAP configuration in the startup configuration.
show ldap-server	Displays LDAP configuration information.
show ldap-server groups	Displays LDAP server group configuration information.
show ldap-server statistics {host-name | ipv4-address | ipv6-address}	Displays LDAP statistics.
show ldap-search-map	Displays information about the configured LDAP attribute maps.

For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Configuration Examples for LDAP

The following example shows how to configure an LDAP server host and server group:

feature ldap 
ldap-server host 10.10.2.2 enable-ssl 
aaa group server ldap LdapServer
    server 10.10.2.2
exit
show ldap-server
show ldap-server groups

The following example shows how to configure an LDAP search map:

ldap search-map s0
userprofile attribute-name description search-filter (&(objectClass=inetOrgPerson)(cn=$userid)) base-DN dc=acme,dc=com 
exit
show ldap-search-map

The following example shows how to configure AAA authorization with certificate authentication for an LDAP server:

aaa authorization ssh-certificate default group LDAPServer1 LDAPServer2
exit
show aaa authorization

Where to Go Next

You can now configure AAA authentication methods to include the server groups.

Additional References for LDAP

This section includes additional information related to implementing LDAP.

Related Documents

Related Topic	Document Title
Cisco NX-OS licensing	Cisco NX-OS Licensing Guide
Command reference	Cisco Nexus 7000 Series NX-OS Security Command Reference
VRF configuration	Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide

Standards

Standards	Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.	—

MIBs

MIBs	MIBs Link
CISCO-AAA-SERVER-MIB CISCO-AAA-SERVER-EXT-MIB	To locate and download MIBs, go to the following URL: http:/​/​www.cisco.com/​public/​sw-center/​netmgmt/​cmtk/​mibs.shtml

Feature History for LDAP

This table lists the release history for this feature.

Table 2  Feature History for LDAP

Feature Name	Releases	Feature Information
LDAP	5.2(1)	The ldap-server port command was deprecated.
LDAP	5.1(1)	No change from Release 5.0.
LDAP	5.0(2)	This feature was introduced.