
Creating and Managing LDAP Profiles

Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email and other programs use to look up information from a server. Use LDAP to look up encryption certificates, pointers to printers and other services on a network, in addition to providing a single logon where one user password is used for different services. LDAP authentication is appropriate for any kind of directory-like information where fast lookups and infrequent updates are used. From Network Director, you can create and manage LDAP profiles for EX Switching ELS.

Tip:

In addition to an LDAP server, you can configure a RADIUS server for both authentication and accounting purposes—for directions, see Creating and Managing RADIUS Profiles .

This topic describes:

Managing LDAP Profiles

From the Manage LDAP Profiles page, you can:

  • Create a new LDAP profile by clicking Add. For directions to add an LDAP profile, see Creating LDAP Profiles.

  • Modify an existing LDAP profile by selecting it and clicking Edit.

  • View information about a profile by selecting the profile and clicking Details or by clicking the profile name.

  • Delete LDAP profiles by selecting the profile and clicking Delete.

    Tip:

    You cannot delete profiles that are in use—that is, assigned to objects or used by other profiles. To see the current assignments for a profile, select the profile and click Details.

  • Clone an LDAP profile by selecting a profile and clicking Clone.

Table 1 describes the information provided about LDAP profiles on the Manage LDAP Profiles page. This page lists all LDAP profiles defined for your network, regardless of your current selected scope in the network view.

Table 1: LDAP Profile Information

| Field | Description |
|---|---|
| LDAP Name | Name given to the LDAP server profile when it was created. |
| Server Address | IP address of the LDAP server. |
| Server Port | UDP port being used by the LDAP server. |
| Domain Name | Domain using the LDAP server. |
| Creation Time | Date and time when this profile was created. |
| Update Time | Date and time when this profile was last modified. |
| User Name | The username of the user who created or modified the profile. |

Tip:

All columns of information may not be displayed. To show or hide fields in the table, click the down arrow on the field header, select Columns, and select or clear the check box adjacent to the field that you want to show or hide.

Creating LDAP Profiles

To create an LDAP profile:

  1. Click in the Network Director banner.

  2. Under Select View, select either Logical View, Location View, Device View or Custom Group View.

    Tip:

    Do not select Dashboard View or Topology View.

  3. From the Tasks pane, select the type of network (Wired) and the appropriate functional area (System or AAA), and then select the name of the profile that you want to create. For example, to create a RADIUS profile for a wired device, click Wired > Profiles > PORT. The Manage Profile page opens.

  4. Click Add to add a new profile.

    The Create LDAP Profile page for the selected device family is displayed.

  5. Enter settings for the LDAP profile as described in Specifying Settings for an LDAP Profile.

  6. Click Done.

Specifying Settings for an LDAP Profile

Use the Create LDAP Profile page to define LDAP directory information services over an IP network.

Table 2 describes the LDAP settings.

Table 2: LDAP Profile Settings

Field

Action

Server Name

Type a name for the server, using up to 64 alphanumeric characters and no special characters other than the underscore. The name must be unique among servers.

Server Address

Type the IP address of the LDAP server.

Server Port (default is 389)

Using the arrows, adjust the number of the UDP port to use for LDAP authentication messages. The default port is 389 for unencrypted LDAP servers and 636 for encrypted LDAP servers.

Advanced LDAP Settings

Fully Qualified Domain Name

Type a fully qualified domain name (FQDN)—this is the complete domain name for a specific computer, or host, on the Internet. The FQDN consists of two parts: the host name and the domain name. For example, an FQDN for a server might be ldap12.example.com. The host name is ldap12, and the host is located within the domain example.com. This domain name specifies all domain levels, including the top-level domain and the root zone. A fully qualified domain name is specified with a trailing dot, for example:

ldap12.example.com.

Dead Time (default is 5 seconds)

Using the arrows, adjust the number of seconds before Network Director checks an LDAP server that was previously unresponsive. The default value is 5 seconds.

Timeout (default is 5 seconds)

Using the arrows, adjust the number of seconds Network Director tries to establish a connection with the LDAP server before reporting an unreachable error.

Bind Mode (default is SASL-MD5)

Select either SASL-MD5 or SIMPLE-AUTH to establish authentication for an LDAP session.

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory enabling any authentication mechanism supported by SASL to be used in any application protocol that uses SASL.

SIMPLE-AUTH sends the user's domain name and password in plain text. The server then checks the password against the password attribute in the named entry.

Tip:

We recommend that connections using SIMPLE-AUTH be encrypted using Transport Layer Security (TLS).

MAC Address Format (default is Hyphens)

Select None, Hyphens, Colons, One-Hyphen, or Raw to determine the MAC address format used with the LDAP server. For example:

  • None: For unicast IPv4, an example MAC address is 0123456789ab. For unicast IPv6, an example MAC address is 20010db8000000000000ff0000428329.

  • Hyphens: For unicast IPv4, an example MAC address with hyphens is 01-23-45-67-89-ab. For unicast IPv6, an example MAC address with hyphens is 2001-0db8-0000-0000-0000-ff00-0042-8329.

  • Colons: For unicast IPv4, an example MAC address with colons is 01:23:45:67:89:ab. For unicast IPv6, an example MAC address with colons is 2001:0db8:0000:0000:0000:ff00:0042:8329.

  • One-Hyphen: IPv6 unicast addresses other than those that start with binary 000 are logically divided into two parts: a 64-bit (sub-)network prefix, and a 64-bit interface identifier used to identify a host's network interface. The hyphen is placed between the two parts.

  • Raw: The IPv6 address is represented by all numbers—no sections containing all zeros are skipped and then represented by a double colon. For example, this is a raw IPv6 address: 2001:0000:0234:C1AB:0000:00A0:AABC:003F.

Tip:

A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet.

Base Domain

Base domains contain no extra dots. For example, example.com is a base domain, but www.example.com is not because it contains an extra dot.

Domain Prefix (default is cn)

Enter a domain prefix to identify a subdomain. The subdomain name can be used to identify services, devices, or regions.

Use MAC as Password (default is unchecked)

Check this option if you want each client device to use its MAC address as its password for the LDAP server.

Authorization Password

If you are not using individual MAC addresses as passwords for the LDAP server, provide a common password here.

Click Done to create the LDAP Server profile. The profile appears on the list on the Manage LDAP Profiles page.
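As an added example (not Network Director code), the following Python helpers apply the rules from Table 2: normalizing a MAC address into the None, Hyphens or Colons layout, adding the trailing dot to an FQDN, checking a base domain, and flagging a profile that binds with SIMPLE-AUTH without TLS. The settings dictionary keys are assumed names, not the product's own.

```python
import re

# The three MAC layouts the page defines for 48-bit MAC addresses
# (One-Hyphen and Raw are described for IPv6 addresses and are not modelled).
MAC_FORMATS = ("None", "Hyphens", "Colons")


def format_mac(mac: str, style: str = "Hyphens") -> str:
    """Return a 48-bit MAC in the None/Hyphens/Colons layout, lowercase."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if style == "None":
        return digits
    if style == "Hyphens":
        return "-".join(pairs)
    if style == "Colons":
        return ":".join(pairs)
    raise ValueError(f"unsupported MAC format {style!r}, expected one of {MAC_FORMATS}")


def normalize_fqdn(name: str) -> str:
    """Return the FQDN with the single trailing dot the page asks for."""
    name = name.strip().lower().rstrip(".")
    if not name or ".." in name:
        raise ValueError(f"malformed FQDN: {name!r}")
    return name + "."


def is_base_domain(name: str) -> bool:
    """True for example.com, False for www.example.com (one dot only)."""
    return name.strip().rstrip(".").count(".") == 1


def profile_warnings(settings: dict) -> list:
    """Flag the risks the page calls out. Keys (assumed names): bind_mode,
    server_port, use_tls, use_mac_as_password."""
    warnings = []
    port = int(settings.get("server_port", 389))
    tls = bool(settings.get("use_tls", port == 636))  # 636 is the encrypted default
    if settings.get("bind_mode") == "SIMPLE-AUTH" and not tls:
        warnings.append("SIMPLE-AUTH sends the bind name and password in clear "
                        "text; enable TLS (port 636 is the encrypted LDAP default)")
    if settings.get("use_mac_as_password"):
        warnings.append("MAC-as-password is a weak, spoofable credential; treat "
                        "it as device identification, not user authentication")
    return warnings
```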

What to Do Next

Link the LDAP server to an Access profile for Campus Switching with ELS. For directions, see Creating and Managing Access Profiles.