Common Name

CiscoAVPair

LDAP Display Name

CiscoAVPair

Unique X500 Object ID

1.3.6.1.4.1.9.287247.1

Description

CiscoAVPair

Syntax

Case Sensitive String

admin

shell:roles="admin"

user

shell:roles="user"

read-only

shell:roles="read-only"

Enable LDAP check box

If checked, user authentication and role authorization is performed first by the LDAP server, followed by user accounts that are not found in the local user database.

Base DN field

Base Distinguished Name. This field describes where to load users and groups from.

It must be in the dc=domain,dc=com format for Active Directory servers.

Domain field

The IPv4 domain that all users must be in.

This field is required unless you specify at least one Global Catalog server address.

Enable Encryption check box

If checked, the server encrypts all information it sends to the LDAP server.

Enable Binding CA Certificate check box

If checked, allows you to bind the LDAP CA certificate.

Timeout (0 - 180) seconds

The number of seconds the Cisco IMC waits until the LDAP search operation times out.

If the search operation times out, Cisco IMC tries to connect to the next server listed on this tab, if one is available.

Pre-Configure LDAP Servers radio button

If checked, the Active Directory uses the pre-configured LDAP servers.

LDAP Servers fields

Server

The IP address of the 6 LDAP servers.

If you are using Active Directory for LDAP, then servers 1, 2 and 3 are domain controllers, while servers 4, 5 and 6 are Global Catalogs. If you are not Active Directory for LDAP, then you can configure a maximum of 6 LDAP servers.

Port

The port numbers for the servers.

If you are using Active Directory for LDAP, then for servers 1, 2 and 3, which are domain controllers, the default port number is 389. For servers 4, 5 and 6, which are Global Catalogs, the default port number is 3268.

LDAPS communication occurs over the TCP 636 port. LDAPS communication to a global catalog server occurs over TCP 3269 port.

Use DNS to Configure LDAP Servers radio button

If checked, you can use DNS to configure access to the LDAP servers.

DNS Parameters fields

Source

Specifies how to obtain the domain name used for the DNS SRV request. It can be one of the following:

• Extracted—specifies using domain name extracted-domain from the login ID

• Configured—specifies using the configured-search domain.

• Configured-Extracted—specifies using the domain name extracted from the login ID than the configured-search domain.

Domain to Search

A configured domain name that acts as a source for a DNS query.

This field is disabled if the source is specified as Extracted.

Forest to Search

A configured forest name that acts as a source for a DNS query.

This field is disabled if the source is specified as Extracted.

Method

It can be one of the following:

• Anonymous—requires NULL username and password. If this option is selected and the LDAP server is configured for Anonymous logins, then the user can gain access.

• Configured Credentials—requires a known set of credentials to be specified for the initial bind process. If the initial bind process succeeds, then the distinguished name (DN) of the user name is queried and re-used for the re-binding process. If the re-binding process fails, then the user is denied access.

• Login Credentials—requires the user credentials. If the bind process fails, the user is denied access.

  By default, the Login Credentials option is selected.

Binding DN

The distinguished name (DN) of the user. This field is editable only if you have selected Configured Credentials option as the binding method.

Password

The password of the user. This field is editable only if you have selected Configured Credentials option as the binding method.

Filter Attribute

This field must match the configured attribute in the schema on the LDAP server.

By default, this field displays sAMAccountName.

Group Attribute

This field must match the configured attribute in the schema on the LDAP server.

By default, this field displays memberOf.

Attribute

An LDAP attribute that contains the role and locale information for the user. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.

The LDAP attribute can use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales, or can modify the schema such that a new LDAP attribute can be created. For example, CiscoAvPair.

Nested Group Search Depth (1-128)

Parameter to search for an LDAP group nested within another defined group in an LDAP group map. The parameter defines the depth of a nested group search.

LDAP Group Authorization check box

If checked, user authentication is also done on the group level for LDAP users that are not found in the local user database.

If you check this box, Cisco IMC enables the Configure Group button.

Group Name column

The name of the group in the LDAP server database that is authorized to access the server.

Group Domain column

The LDAP server domain the group must reside in.

Role column

The role assigned to all users in this LDAP server group. This can be one of the following:

• read-only—A user with this role can view information but cannot make any changes.

• user—A user with this role can perform the following tasks:

  • View all information

  • Manage the power control options such as power on, power cycle, and power off

  • Launch the KVM console and virtual media

  • Clear all logs

  • Toggle the locator LED

  • Set time zone

  • Ping

• admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.

Configure button

Configures an active directory group.

Delete button

Deletes an existing LDAP group.