Step 1
In the Navigation pane, click the Admin menu.

Step 2
In the Admin menu, click User Management.

Step 3
In the User Management pane, click LDAP.
Step 4
In the LDAP Settings area, update the following properties:

- Enable LDAP check box: If checked, user authentication and role authorization are performed first by the LDAP server, and then by the local user database for user accounts that are not found.
- Base DN field: Base Distinguished Name. This field describes where to load users and groups from. It must be in the dc=domain,dc=com format for Active Directory servers.
- Domain field: The IPv4 domain that all users must be in. This field is required unless you specify at least one Global Catalog server address.
- Enable Encryption check box: If checked, the server encrypts all information it sends to the LDAP server.
- Enable Binding CA Certificate check box: If checked, allows you to bind the LDAP CA certificate.
- Timeout (0 - 180) seconds: The number of seconds the Cisco IMC waits until the LDAP search operation times out. If the search operation times out, Cisco IMC tries to connect to the next server listed on this tab, if one is available.
  Note: The value you specify for this field can affect the overall time.

Note: If you checked both the Enable Encryption and the Enable Binding CA Certificate check boxes, enter the fully qualified domain name (FQDN) of the LDAP server in the LDAP Server field. To resolve the FQDN of the LDAP server, configure the preferred DNS of the Cisco IMC network with the appropriate DNS IP address.
Step 5
In the Configure LDAP Servers area, update the following properties:

- Pre-Configure LDAP Servers radio button: If selected, Active Directory uses the pre-configured LDAP servers.
- LDAP Servers fields:
  - Server: The IP address of each of the 6 LDAP servers. If you are using Active Directory for LDAP, then servers 1, 2 and 3 are domain controllers, while servers 4, 5 and 6 are Global Catalogs. If you are not using Active Directory for LDAP, you can configure a maximum of 6 LDAP servers.
    Note: You can provide the host name instead of the IP address.
  - Port: The port numbers for the servers. If you are using Active Directory for LDAP, the default port number is 389 for servers 1, 2 and 3 (domain controllers) and 3268 for servers 4, 5 and 6 (Global Catalogs). LDAPS communication occurs over TCP port 636; LDAPS communication to a Global Catalog server occurs over TCP port 3269.
- Use DNS to Configure LDAP Servers radio button: If selected, you can use DNS to configure access to the LDAP servers.
- DNS Parameters fields:
  - Source: Specifies how to obtain the domain name used for the DNS SRV request. It can be one of the following:
    - Extracted—uses the domain name extracted from the login ID.
    - Configured—uses the configured-search domain.
    - Configured-Extracted—uses the domain name extracted from the login ID, then the configured-search domain.
  - Domain to Search: A configured domain name that acts as a source for a DNS query. This field is disabled if the source is specified as Extracted.
  - Forest to Search: A configured forest name that acts as a source for a DNS query. This field is disabled if the source is specified as Extracted.
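The following added example (not Cisco's code) checks a constructed settings dictionary against the rules stated in Steps 4 and 5: the Base DN format for Active Directory, the Domain requirement, the FQDN and DNS requirements when encryption and CA binding are both enabled, the six-server limit, the Timeout range and the default ports. The `cfg` key names and the `SAMPLE` values are assumptions.

```python
import ipaddress
import re

def is_ip(host):
    """True when the server entry is an IP address rather than a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def default_port(index, active_directory, ldaps=False):
    """Default port from Step 5: servers 1-3 are domain controllers (389, LDAPS 636),
    servers 4-6 are Global Catalogs (3268, LDAPS 3269) when Active Directory is used."""
    gc = active_directory and index >= 4
    return (3269 if ldaps else 3268) if gc else (636 if ldaps else 389)

def check_ldap_settings(cfg):
    """Return a list of rule violations; an empty list means the settings pass."""
    problems = []
    servers = cfg.get("servers", [])   # list of {"host": ...} dicts, in tab order (1..6)
    if len(servers) > 6:
        problems.append("at most 6 LDAP servers can be configured")
    if cfg.get("active_directory") and not re.fullmatch(
            r"dc=[^,]+(,dc=[^,]+)*", cfg.get("base_dn", ""), re.IGNORECASE):
        problems.append("Base DN must use the dc=domain,dc=com format for Active Directory")
    # Domain is required unless at least one Global Catalog (servers 4-6) is configured.
    if not cfg.get("domain") and not any(s.get("host") for s in servers[3:6]):
        problems.append("Domain is required unless a Global Catalog server address is set")
    # With encryption and CA binding both enabled, servers must be FQDNs that DNS can resolve.
    if cfg.get("enable_encryption") and cfg.get("bind_ca_certificate"):
        for i, s in enumerate(servers, 1):
            if s.get("host") and is_ip(s["host"]):
                problems.append(f"server {i}: enter an FQDN, not an IP, when encryption and CA binding are on")
        if not cfg.get("preferred_dns"):
            problems.append("configure the preferred DNS of the Cisco IMC network so the FQDN resolves")
    if not 0 <= cfg.get("timeout", 0) <= 180:
        problems.append("Timeout must be between 0 and 180 seconds")
    return problems

# Constructed sample: Active Directory, encryption + CA binding on, but server 2 is an IP.
SAMPLE = {"active_directory": True, "base_dn": "dc=example,dc=com", "domain": "example.com",
          "enable_encryption": True, "bind_ca_certificate": True, "preferred_dns": "192.0.2.53",
          "timeout": 60, "servers": [{"host": "dc1.example.com"}, {"host": "203.0.113.7"}]}
```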
Step 6
In the Binding Parameters area, update the following properties:

- Method: It can be one of the following:
  - Anonymous—requires a NULL username and password. If this option is selected and the LDAP server is configured for Anonymous logins, then the user can gain access.
  - Configured Credentials—requires a known set of credentials to be specified for the initial bind process. If the initial bind process succeeds, then the distinguished name (DN) of the user name is queried and re-used for the re-binding process. If the re-binding process fails, then the user is denied access.
  - Login Credentials—requires the user credentials. If the bind process fails, the user is denied access.
  By default, the Login Credentials option is selected.
- Binding DN: The distinguished name (DN) of the user. This field is editable only if you have selected the Configured Credentials option as the binding method.
- Password: The password of the user. This field is editable only if you have selected the Configured Credentials option as the binding method.
Step 7
In the Search Parameters area, update the following fields:

- Filter Attribute: This field must match the configured attribute in the schema on the LDAP server. By default, this field displays sAMAccountName.
- Group Attribute: This field must match the configured attribute in the schema on the LDAP server. By default, this field displays memberOf.
- Attribute: An LDAP attribute that contains the role and locale information for the user. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name. You can use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales, or modify the schema so that a new LDAP attribute can be created, for example CiscoAvPair.
  Note: If you do not specify this property, the user cannot log in. Although the object is located on the LDAP server, its attribute must be an exact match of the attribute that is specified in this field.
- Nested Group Search Depth (1-128): Parameter to search for an LDAP group nested within another defined group in an LDAP group map. The parameter defines the depth of a nested group search.
Step 8
(Optional) In the Group Authorization area, update the following properties:

- LDAP Group Authorization check box: If checked, user authentication is also done on the group level for LDAP users that are not found in the local user database. If you check this box, Cisco IMC enables the Configure Group button.
- Group Name column: The name of the group in the LDAP server database that is authorized to access the server.
- Group Domain column: The LDAP server domain the group must reside in.
- Role column: The role assigned to all users in this LDAP server group. This can be one of the following:
  - read-only—A user with this role can view information but cannot make any changes.
  - user—A user with this role can perform the following tasks:
    - View all information
    - Manage the power control options such as power on, power cycle, and power off
    - Launch the KVM console and virtual media
    - Clear all logs
    - Toggle the locator LED
    - Set time zone
    - Ping
  - admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.
- Configure button: Configures an Active Directory group.
- Delete button: Deletes an existing LDAP group.
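The following added example (not Cisco's code) models the Configured Credentials bind flow from Step 6, the sAMAccountName and memberOf search parameters and the Nested Group Search Depth from Step 7, and the group-to-role map from Step 8, against a constructed in-memory directory so it runs offline. The directory contents, the `CFG` key names and the rule that the most privileged matching role wins are assumptions.

```python
# Constructed in-memory directory (DN -> attributes); stands in for the LDAP server.
D = "dc=example,dc=com"
DIRECTORY = {
    f"cn=svc-imc,ou=svc,{D}": {"userPassword": ["svc-pass"]},
    f"cn=alice,ou=people,{D}": {"sAMAccountName": ["alice"], "userPassword": ["a-pass"],
                                "memberOf": [f"cn=ops-team,ou=groups,{D}"]},
    f"cn=bob,ou=people,{D}": {"sAMAccountName": ["bob"], "userPassword": ["b-pass"],
                              "memberOf": [f"cn=guests,ou=groups,{D}"]},
    f"cn=ops-team,ou=groups,{D}": {"memberOf": [f"cn=imc-admins,ou=groups,{D}"]},
    f"cn=imc-admins,ou=groups,{D}": {}, f"cn=guests,ou=groups,{D}": {},
}
# Cisco IMC settings from Steps 6-8 (key names are assumptions).
CFG = {"base_dn": D, "bind_dn": f"cn=svc-imc,ou=svc,{D}", "bind_password": "svc-pass",
       "filter_attr": "sAMAccountName", "group_attr": "memberOf", "nested_depth": 2,
       "group_roles": {"imc-admins": "admin"}}   # Group Authorization table: group -> role

def bind(dn, password):
    """Simple bind succeeds only if the entry exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])

def find_user_dn(base_dn, filter_attr, login):
    """Search under Base DN for the entry whose Filter Attribute equals the login ID."""
    return next((dn for dn, a in DIRECTORY.items()
                 if dn.endswith(base_dn) and login in a.get(filter_attr, [])), None)

def nested_groups(dn, group_attr, max_depth):
    """Follow the Group Attribute up to max_depth levels (1 = direct groups only)."""
    found, frontier = set(), [(dn, 0)]
    while frontier:
        cur, depth = frontier.pop()
        if depth < max_depth:
            for grp in DIRECTORY.get(cur, {}).get(group_attr, []):
                if grp not in found:
                    found.add(grp)
                    frontier.append((grp, depth + 1))
    return found

def authorize(login, password, cfg):
    """Configured Credentials flow (Step 6) ending in the group-map role, or None if denied."""
    if not bind(cfg["bind_dn"], cfg["bind_password"]):
        return None                                   # initial bind failed
    user_dn = find_user_dn(cfg["base_dn"], cfg["filter_attr"], login)
    if user_dn is None or not bind(user_dn, password):
        return None                                   # unknown user or re-bind failed
    names = {g.split(",")[0].split("=", 1)[1]         # "cn=imc-admins,..." -> "imc-admins"
             for g in nested_groups(user_dn, cfg["group_attr"], cfg["nested_depth"])}
    roles = {cfg["group_roles"][n] for n in names if n in cfg["group_roles"]}
    # Assumption: when several mapped groups match, the most privileged role wins.
    return next((r for r in ("admin", "user", "read-only") if r in roles), None)
```

With `nested_depth` set to 1, alice's membership in imc-admins (reached only through ops-team) is not seen and she is denied; at depth 2 she receives the admin role.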
Step 9
Click Save Changes.