LDAP Providers
You can configure remote users, assign roles and locales from Cisco UCS Central the same way as you can create LDAP users from Cisco UCS Manager. You should always create the LDAP provider from Cisco UCS Central Domain Group root.
LDAP Provider Groups
You can define up to 28 LDAP provider groups in Cisco UCS Central and nest them to as many levels as Active Directory supports for nesting. When you assign a provider to a nested group, it becomes an authenticated member of the parent nested group even if it is also a member of a different LDAP group. During authentication, all the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, Cisco UCS Central automatically falls back to the local authentication method using the local username and password.
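The ordering and fallback behaviour just described, modelled as an added Python illustration (not Cisco code): providers are tried in the order configured with set order, a provider that does not answer within its timeout is skipped, and the local account database is consulted only when every provider was unreachable. The provider names, accounts and the rule that a reachable-but-rejecting provider still suppresses the local fallback are constructed assumptions for the demonstration.

```python
# Added illustration (not Cisco code) of the provider-group lookup described above:
# providers are tried in their configured order, and the local account database is
# consulted only when every provider was unreachable. Names and data are constructed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Provider:
    """One LDAP provider as configured with 'create server', 'set order', 'set timeout'."""
    name: str
    order: int
    timeout: int                                   # seconds before the server is treated as down
    reachable: bool                                # constructed: stands in for network/server state
    accounts: Dict[str, str] = field(default_factory=dict)  # constructed directory: user -> password


class ProviderUnreachable(Exception):
    """Raised when a provider gives no answer within its timeout."""


def simple_bind(provider: Provider, username: str, password: str) -> bool:
    """Simulated bind as the user. True/False is the provider's answer; no answer raises."""
    if not provider.reachable:
        raise ProviderUnreachable(f"{provider.name}: no response within {provider.timeout}s")
    return provider.accounts.get(username) == password


def authenticate(providers: List[Provider], local_accounts: Dict[str, str],
                 username: str, password: str) -> str:
    """Return the name of the provider that accepted the login, 'local' when the
    local fallback accepted it, or 'denied'.

    Assumption (not stated on the page): a provider that answers but rejects the
    credentials counts as reachable, so it suppresses the local fallback even
    though later providers are still tried in order.
    """
    any_reachable = False
    for provider in sorted(providers, key=lambda p: p.order):
        try:
            accepted = simple_bind(provider, username, password)
        except ProviderUnreachable:
            continue                                # try the next provider in order
        any_reachable = True
        if accepted:
            return provider.name
    if not any_reachable:                           # every provider timed out: local fallback
        return "local" if local_accounts.get(username) == password else "denied"
    return "denied"


def demo() -> Dict[str, str]:
    """Constructed scenario: the first provider is down, the second is healthy."""
    providers = [
        Provider("ldap-primary", order=1, timeout=30, reachable=False),
        Provider("ldap-secondary", order=2, timeout=30, reachable=True,
                 accounts={"jdoe": "correct-horse"}),
    ]
    local = {"admin": "local-only", "jdoe": "old-local-password"}
    return {
        "healthy_provider_accepts": authenticate(providers, local, "jdoe", "correct-horse"),
        "wrong_password_is_denied": authenticate(providers, local, "jdoe", "old-local-password"),
        "all_down_uses_local": authenticate(
            [Provider("ldap-primary", 1, 30, False)], local, "admin", "local-only"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The middle case is the one worth noticing when reviewing a provider group: a stale local password is not accepted while any provider is answering, so the local fallback cannot be reached simply by supplying a password the LDAP server rejects.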
Creating an LDAP Provider
Create and configure LDAP remote users, and assign roles and locales from Cisco UCS Central, in the same manner as Cisco UCS Manager. Always create the LDAP provider from the Cisco UCS Central domain group root.
Before you begin
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. Give this account a non-expiring password.
In the LDAP server, perform one of the following configurations:
- Configure LDAP groups. LDAP groups contain user role and locale information.
- Configure users with the attribute that holds the user role and locale information for Cisco UCS Central. You can choose to extend the LDAP schema for this attribute. If you do not want to extend the schema, use an existing LDAP attribute to hold the Cisco UCS user roles and locales. If you prefer to extend the schema, create a custom attribute, such as the CiscoAVPair attribute. The Cisco LDAP implementation requires a Unicode-type attribute. If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1
- For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not from the virtual IP address used by Cisco UCS Central.
If you want to use secure communications, create a trusted point containing the certificate of the root certificate authority (CA) of the LDAP server in Cisco UCS Central.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # create server server-name |
Step 7 | (Optional) UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set attribute attribute | An LDAP attribute that stores the values for the user roles and locales. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set basedn basedn-name | The name in the LDAP hierarchy where the server begins a search when a remote user logs in. After login, the system attempts to obtain the user's DN from their username. The base DN can be at most 255 characters minus the length of CN=username, where username is the remote user attempting to access Cisco UCS Central through LDAP authentication.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set binddn binddn-name | The distinguished name (DN) of an LDAP database account that has read and search permissions for all objects under the base DN. The maximum supported string length is 255 ASCII characters.
Step 10 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set filter filter-value | Restricts the LDAP search to those user names that match the defined filter.
Step 11 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set password | To set the password, press Enter after typing the set password command and enter the key value at the prompt.
Step 12 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set order order-num | The order in which Cisco UCS Central uses this provider to authenticate users.
Step 13 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set port port-num | The port through which Cisco UCS Central communicates with the LDAP database. The standard port number is 389.
Step 14 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set ssl {yes \| no} | Enables (yes) or disables (no) encryption when communicating with the LDAP server.
Step 15 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set timeout timeout-num |
Step 16 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set vendor | Specifies the vendor for the LDAP group.
Step 17 | UCSC(policy-mgr) /org/device-profile/security/ldap/server* # commit-buffer | Commits the transaction to the system configuration.
Example
This example:
- Scopes into the organization
- Creates an LDAP server instance named 10.193.169.246
- Configures the binddn
- Configures the password
- Configures the order
- Configures the port
- Configures the SSL settings
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # create server 10.193.169.246
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set binddn "cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set password
Enter the password:
Confirm the password:
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set order 2
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set port 389
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set ssl yes
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set timeout 30
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap/server #
Configuring Default Settings for LDAP Providers
The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. Give this account a non-expiring password.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # set attribute attribute | Restricts database searches to records that contain the specified attribute.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap* # set basedn distinguished-name | Restricts database searches to records that contain the specified distinguished name.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/ldap* # set filter filter | Restricts database searches to records that contain the specified filter.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/ldap* # set timeout seconds | Sets the time interval the system waits for a response from the LDAP server before marking the server as down.
Step 10 | UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer | Commits the transaction to the system configuration.
Example
This example:
- Sets the LDAP attribute to CiscoAvPair
- Sets the base distinguished name to "DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
- Sets the filter to sAMAccountName=$userid
- Sets the timeout interval to 5 seconds
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # set attribute CiscoAvPair
UCSC(policy-mgr) /org/device-profile/security/ldap* # set basedn "DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
UCSC(policy-mgr) /org/device-profile/security/ldap* # set filter sAMAccountName=$userid
UCSC(policy-mgr) /org/device-profile/security/ldap* # set timeout 5
UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap #
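How the base DN and filter configured above are used at login, as an added Python illustration (not Cisco code). It covers two points from this page and from the provider procedure earlier: the login name replaces $userid in the filter (the sAMAccountName=$userid example), and the base DN must fit within 255 characters minus the length of CN=username. The escaping step follows RFC 4515, so a login name containing characters the filter grammar reserves cannot alter the search; the user names and the helper names are constructed for the example.

```python
# Added illustration (not Cisco code) of how the 'set basedn' and 'set filter' values
# are used at login: the user-supplied login name replaces $userid in the filter, and
# the base DN must fit the page's 255-character budget. All sample values are constructed.
from typing import Tuple

MAX_DN_LENGTH = 255                       # limit stated for the base DN on this page
USERID_TOKEN = "$userid"                  # placeholder used in the filter example above


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves in a filter assertion value.

    A login name is untrusted input; substituting it unescaped would let reserved
    characters change the structure of the search filter.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append(f"\\{ord(ch):02x}")   # e.g. '*' -> '\2a', '(' -> '\28'
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_filter(template: str, userid: str) -> str:
    """Replace every $userid in the configured filter with the escaped login name."""
    if USERID_TOKEN not in template:
        raise ValueError(f"filter {template!r} has no {USERID_TOKEN} placeholder")
    return template.replace(USERID_TOKEN, escape_filter_value(userid))


def basedn_fits(basedn: str, userid: str) -> bool:
    """Page rule: base DN length may not exceed 255 minus the length of 'CN=<username>'."""
    return len(basedn) <= MAX_DN_LENGTH - len(f"CN={userid}")


def search_request(basedn: str, template: str, userid: str) -> Tuple[str, str]:
    """Assemble the (base DN, filter) pair a login would search with, or reject the config."""
    if not basedn_fits(basedn, userid):
        raise ValueError("base DN too long for this username")
    return basedn, build_filter(template, userid)


if __name__ == "__main__":
    base = "DC=cisco-ucsm-aaa3,DC=qalab,DC=com"            # base DN from the page's example
    for name in ("jdoe", "j*doe", "doe (contractor)"):
        print(search_request(base, "sAMAccountName=$userid", name))
```

Running the block shows that a plain name passes through unchanged while names containing *, ( or ) are emitted as their \xx escapes, which is what keeps the filter's structure fixed regardless of what is typed at the login prompt.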
What to do next
Create an LDAP provider.
Changing the LDAP Group Rule for an LDAP Provider
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # scope server ldap-provider | Enters security LDAP provider mode.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap/server # scope ldap-group-rule | Enters LDAP group rule mode.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule # set authorization {enable \| disable} | Specifies whether Cisco UCS searches LDAP groups when assigning user roles and locales to a remote user.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # set member-of-attribute attr-name | The attribute Cisco UCS uses to determine group membership in the LDAP database. The supported string length is 63 characters. The default string is memberOf.
Step 10 | UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # set traversal {non-recursive \| recursive} | Specifies whether Cisco UCS inherits the settings for a group member's parent group.
Step 11 | UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # commit-buffer | Commits the transaction to the system configuration.
Example
This example:
- Sets the LDAP group rule to enable authorization
- Sets the member-of attribute to memberOf
- Sets the traversal to non-recursive
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # scope server ldapprovider
UCSC(policy-mgr) /org/device-profile/security/ldap/server # scope ldap-group-rule
UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule # set authorization enable
UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # set member-of-attribute memberOf
UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # set traversal non-recursive
UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule #
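What the three group-rule settings change in practice, as an added Python illustration (not Cisco code): the member-of-attribute names the attribute read from each entry, traversal decides whether a group's own parent groups are followed, and authorization disable switches group lookup off entirely. The directory entries, group names and the group-to-role map below are constructed; the nesting case (a user in NetOps, NetOps nested in UCS-Admins) is the situation described under LDAP Provider Groups, where membership in the nested group confers the parent group's roles only with recursive traversal. The directory deliberately contains a membership cycle so the walk can be seen to terminate.

```python
# Added illustration (not Cisco code) of the ldap-group-rule settings above: which
# attribute names a user's groups (member-of-attribute) and whether parent groups are
# followed (traversal). The directory and the group-to-role map are constructed.
from typing import Dict, List, Set

# Constructed directory: entry DN -> attributes. Each group is itself an entry whose
# memberOf lists its parent groups, which is how nesting appears in Active Directory.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=jdoe,CN=Users,DC=example,DC=com": {
        "memberOf": ["CN=NetOps,OU=Groups,DC=example,DC=com"]},
    "CN=guest,CN=Users,DC=example,DC=com": {"memberOf": []},
    "CN=NetOps,OU=Groups,DC=example,DC=com": {
        "memberOf": ["CN=UCS-Admins,OU=Groups,DC=example,DC=com"]},
    "CN=UCS-Admins,OU=Groups,DC=example,DC=com": {
        "memberOf": ["CN=NetOps,OU=Groups,DC=example,DC=com"]},   # cycle, on purpose
}

# Constructed map from group DN to the UCS roles granted to that group's members.
GROUP_ROLES: Dict[str, Set[str]] = {
    "CN=NetOps,OU=Groups,DC=example,DC=com": {"network"},
    "CN=UCS-Admins,OU=Groups,DC=example,DC=com": {"admin"},
}


def groups_for(user_dn: str, traversal: str, member_of_attribute: str = "memberOf") -> Set[str]:
    """Return the groups considered for user_dn under the given traversal setting."""
    if traversal not in ("non-recursive", "recursive"):
        raise ValueError("traversal must be non-recursive or recursive")
    direct = DIRECTORY.get(user_dn, {}).get(member_of_attribute, [])
    if traversal == "non-recursive":
        return set(direct)                    # only groups listed on the user entry
    seen: Set[str] = set()
    pending = list(direct)
    while pending:                            # walk up through parent groups
        group = pending.pop()
        if group in seen:
            continue                          # the visited set makes cycles harmless
        seen.add(group)
        pending.extend(DIRECTORY.get(group, {}).get(member_of_attribute, []))
    return seen


def roles_for(user_dn: str, authorization: str, traversal: str) -> Set[str]:
    """Roles from group membership. With authorization disabled, groups are not
    searched at all, so nothing is granted from this path."""
    if authorization == "disable":
        return set()
    roles: Set[str] = set()
    for group in groups_for(user_dn, traversal):
        roles |= GROUP_ROLES.get(group, set())
    return roles


if __name__ == "__main__":
    user = "CN=jdoe,CN=Users,DC=example,DC=com"
    print("non-recursive:", sorted(roles_for(user, "enable", "non-recursive")))
    print("recursive:    ", sorted(roles_for(user, "enable", "recursive")))
```

The difference between the two traversal modes is the point to check before choosing recursive in the example above: with recursive traversal the same user picks up the admin role through the parent group, so every group reachable by nesting from a mapped group needs to be reviewed, not just the groups users are placed in directly.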
Deleting an LDAP Provider
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # delete server serv-name | Deletes the specified server.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer | Commits the transaction to the system configuration.
Example
This example:
- Deletes the LDAP server called ldap1
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # delete server ldap1
UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap #