ldap-options
Syntax
ldap-options {
    revert-interval seconds;
    base-distinguished-name base-distinguished-name;
    search {
        admin-search;
    }
    allowed-groups {
        group-name {
            address-assignment {
                pool pool-name;
            }
        }
    }
    ldap-server {
        ip address;
    }
}
address-assignment {
    pool pool-name1 {
        family inet {
            network 100.127.255.255/10;
            xauth-attributes {
                primary-dns 100.127.255.255/12;
                secondary-dns 110.127.255.255/12;
                primary-wins 100.127.255.255/12;
                secondary-wins 110.127.255.255/12;
            }
        }
    }
    pool pool-name2 {
        family inet {
            network 120.127.255.255/10;
            xauth-attributes {
                primary-dns 120.127.255.255/12;
                secondary-dns 130.127.255.255/12;
                primary-wins 120.127.255.255/12;
                secondary-wins 130.127.255.255/12;
            }
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile default-profile-name;
    }
}
Hierarchy Level
[edit access], [edit access profile profile-name authentication-order ldap]
Description
Configure LDAP authentication options.
You can configure user groups with the ldap-options statement for users that are authenticated through LDAP. Authenticated users are assigned roles according to their LDAP group memberships. The allowed-groups attribute authenticates users on the basis of those memberships: if none of a user's groups matches a configured (allowed) group, the user cannot access the system.
Membership attributes are queried from the LDAP server according to the configuration. After firewall authentication, a user can be assigned IP addresses from the address pools associated with the group that authenticated the user.
Options
allowed-groups | Allow members of only specific groups to sign in. Group lists are limited to 255 bytes. The order in which the membership attribute is received from the LDAP server determines how a user is associated with the configured (allowed) groups: the first group in the list received from the LDAP server that matches any of the configured groups is used. A user who is a member of more than one configured group can therefore obtain resources from either group, depending on the order of the LDAP server's response. To ensure that the user is assigned the intended resource with certainty, it is recommended that the user belong to only one configured group. |
group-name | Name of the group that is allowed to sign in. |
name | Address pool name. |
The remaining options are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
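The group-matching rule described under allowed-groups, modelled here as an added illustration (this is not Junos OS code): the first group in the LDAP server's membership response that is also a configured allowed group decides the address pool, no match denies access, and the same user receives a different pool when the LDAP server lists the groups in a different order. The group and pool names are constructed sample values, and the way the 255-byte group-list limit is counted is an assumption, since the page does not specify it.

```python
"""Model of the allowed-groups matching rule documented for ldap-options.

Constructed illustration, not Junos OS code. The behaviour modelled is the one
stated in the reference: the first LDAP-reported group that matches a configured
group wins, no match denies access, and group lists are limited to 255 bytes.
"""
from typing import Dict, List, Optional

# Group list length limit stated in the reference (bytes).
GROUP_LIST_LIMIT = 255

# Configured allowed-groups -> address pool, mirroring the hierarchy
#   allowed-groups { group-name { address-assignment { pool pool-name; } } }
# Group and pool names are constructed sample values.
ALLOWED_GROUPS: Dict[str, str] = {
    "vpn-engineering": "pool-name1",
    "vpn-contractors": "pool-name2",
}


def check_group_list(allowed: Dict[str, str]) -> None:
    """Reject a configured group list longer than the stated 255-byte limit.

    Assumption: the list is counted as the configured group names separated by
    single spaces. The page does not say how Junos OS counts the bytes.
    """
    encoded = " ".join(sorted(allowed)).encode("utf-8")
    if len(encoded) > GROUP_LIST_LIMIT:
        raise ValueError(
            f"allowed-groups list is {len(encoded)} bytes; limit is {GROUP_LIST_LIMIT}"
        )


def select_pool(member_of: List[str], allowed: Dict[str, str]) -> Optional[str]:
    """Return the pool for the first LDAP-reported group that is configured.

    member_of is the membership attribute in the order the LDAP server returned
    it. None means no configured group matched, i.e. access is denied.
    """
    for group in member_of:
        if group in allowed:
            return allowed[group]
    return None


def ambiguous_memberships(member_of: List[str], allowed: Dict[str, str]) -> List[str]:
    """List every configured group the user belongs to.

    More than one entry means the assigned pool depends on the order of the
    LDAP server's response, which is the case the reference advises against.
    """
    return [group for group in member_of if group in allowed]


if __name__ == "__main__":
    check_group_list(ALLOWED_GROUPS)
    # Constructed LDAP responses for the same user, differing only in order.
    response_a = ["vpn-engineering", "staff", "vpn-contractors"]
    response_b = ["vpn-contractors", "staff", "vpn-engineering"]
    print(select_pool(response_a, ALLOWED_GROUPS))  # pool-name1
    print(select_pool(response_b, ALLOWED_GROUPS))  # pool-name2
    print(select_pool(["staff"], ALLOWED_GROUPS))   # None: access denied
    print(ambiguous_memberships(response_a, ALLOWED_GROUPS))
```

Running ambiguous_memberships over a user's LDAP response before deployment is a cheap way to find accounts whose pool assignment would depend on response order, which is exactly the condition the recommendation to keep each user in a single configured group is meant to remove.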
Required Privilege Level
access—To view this statement in the configuration.
access-control—To add this statement to the configuration.
Release Information
Statement introduced in Release 8.5 of Junos OS.
allowed-groups option introduced in Release 21.4R1 of Junos OS.