This document describes a configuration example that gets Lightweight Directory Access Protocol (LDAP) authentication working on the C880 with Microsoft Active Directory (AD). The C880's LDAP implementation is unusual in that the user account must reside under Common Name (CN) = Users. There are also some specific configuration requirements that must be met for it to work.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Microsoft Active Directory Server
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
When userX attempts to log in to the Management Board (MMB):
Step 1. The MMB firmware asks the AD server to search for userX under CN=Users (this location is hard coded).
Step 2. If the AD server responds that userX was found under CN=Users, the MMB firmware then asks the AD server to search for userX in the Organizational Unit (OU) tree of the Directory Information Tree (DIT), starting from the location given in the Groups directory as sub-tree from base DN field on the MMB Web-UI.
Step 3. If the AD server responds that userX was found in the OU tree (the AD server also returns the name of the group that userX belongs to), the MMB firmware checks whether the returned group name matches the group name registered on the LDAP User Group page of the MMB Web-UI.
Step 4. If the group name matches, userX can log in.
Create Special Accounts
Step 1. Secure Shell (SSH) to the server's management IP address and log in as Administrator.
Step 2. Create the special admin and ce accounts:
Administrator> set special_account spadmin admin
Are you sure you want to add spadmin? [Y/N]: y
Administrator> set special_account spce ce
Are you sure you want to add spce? [Y/N]: y
Step 1. Navigate to User Administration > LDAP Configuration > Directory Service Configuration.
Step 2. Click Enabled for LDAP.
Step 3. Choose whether to Enable or Disable LDAP SSL.
Step 4. Select Active Directory from the drop-down menu for Directory Server Type.
Step 5. Enter the details for Primary LDAP Server and Backup LDAP Server configuration.
Step 6. Enter the Domain Name.
Step 7. Enter the Groups directory as sub-tree from base DN. The AD group that is created in the User Group section here must reside under this sub-tree.
Step 8. Enter the LDAP Auth UserName and Password. This user must exist in CN=Users, DC=domain, DC=com.
Step 9. Click Apply.
Step 10. Click Test LDAP, as shown in the images.
Create User Group
Step 1. Navigate to User Administration > LDAP Configuration > LDAP User Group List.
Step 2. Click the Add Group button to add a new group.
Step 3. Enter the LDAP User Group Name and Privilege (for example, Admin).
Step 4. Click Apply as shown in the images.
Step 1. Create c880bind User.
Step 2. Create the ldaptest user in CN=Users, DC=VXI, DC=local, as shown in the image.
Step 3. Create the MMBadmin security group in OU=VXI-TAC-Team, OU=VXI-IT, OU=VXI, as shown in the image.
Step 4. Add ldaptest to MMBadmin as shown in the image.
Use this section in order to confirm that your configuration works properly.
Test LDAP must succeed.
You must be able to log in with the ldaptest account.
This section provides information you can use in order to troubleshoot your configuration.
Verify that the server and AD configuration conform to Fujitsu's LDAP implementation as described above.