Lightweight Directory Access Protocol (LDAP) is integrated into Cisco IOS software as a AAA protocol alongside the existing AAA protocols RADIUS, TACACS+, Kerberos, and Diameter. The AAA framework provides tools and mechanisms such as method lists, server groups, and generic attribute lists that give AAA clients an abstract and uniform interface irrespective of the protocol actually used to communicate with the AAA server. LDAP supports the authentication and authorization functions of AAA; it does not provide accounting.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring LDAP
If you are using a Transport Layer Security (TLS) connection to the LDAP server, you must configure X.509 certificates: the router needs the certificate of the CA that issued the LDAP server's certificate so that it can verify the server before sending it the bind credentials.
Restrictions for Configuring LDAP
Bind, search, and compare operations are supported.
LDAP referrals are not supported.
Unsolicited messages or notifications from LDAP server are not handled.
TLS is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. It relies on certificates, public keys, and private keys for the endpoints to prove their identity; on the router-to-LDAP connection the server presents its certificate and the router validates it against a configured CA. Certificates are issued by Certificate Authorities (CAs). Each certificate includes the name of the authority that issued it, the name of the entity to which the certificate was issued, the entity's public key, and time stamps that indicate the certificate's validity period. TLS support for LDAP is defined in RFC 2830 as an extension to the LDAP protocol.
Bind
The bind operation authenticates a client to the server and starts the LDAP session; LDAP is a connection-oriented protocol carried over TCP. The client specifies the protocol version and its authentication information. LDAP supports the following binds:
Authenticated bind
Anonymous bind
An authenticated bind is performed when a root distinguished name (DN) and password are configured. In the absence of a root DN and password, an anonymous bind is performed, and the directory must then permit anonymous searches for authentication to work at all. In Cisco IOS LDAP deployments the search operation is performed first and the bind operation later (the authentication bind-first command reverses this order), for two reasons. First, if a password attribute is returned as part of the search, the password can be verified locally on the LDAP client and no second bind is needed. Note that this requires the directory to release the password attribute to the identity the router searched as, which many directories, Active Directory among them, never do; in that case the bind (or compare) operation follows the search. Second, the DN received in the search result can be used as the user DN instead of forming one by prepending the username (the cn attribute) to the base DN, so users do not have to sit directly under the base DN. Every entry stored in an LDAP server has a unique DN. The DN consists of two parts: the entry's Relative Distinguished Name (RDN) and the DN of its parent, which locates the record within the directory tree.
Most entries stored in an LDAP server have a name, and the name is frequently stored in the cn (Common Name) attribute. Because every object has a name, most objects stored in an LDAP directory use their cn value as the basis for their RDN.
Search
A search operation is used to search the LDAP server. The client specifies the starting point (base DN) of the search, the search scope (the object itself, its immediate children, or the whole subtree rooted at the object), and a search filter.
For authorization requests, the search is performed directly, without a bind as the user: the connection is already bound with the configured root DN, and it is that identity's privileges on the directory that determine whether the search succeeds. Grant the root DN read access to the user entries and attributes the router needs, and nothing more.
An LDAP search can return multiple entries for a single login name. In that case the LDAP client returns an error code to AAA and the request fails. To avoid this, configure a search filter (and a base DN) that can match only one entry.
Compare
The compare operation replaces the second bind request with a compare request for authentication: after the search, the client asks the server to compare the user's password attribute with the password supplied by the user. Because the connection is never re-bound as the user, it keeps the initial bind parameters (the root DN) and can be reused for subsequent requests. The directory must permit a compare on the password attribute for this mode to work.
LDAP Dynamic Attribute Mapping
LDAP is a powerful and flexible protocol for communication with AAA servers. LDAP attribute maps provide a way to cross-reference the attributes retrieved from a server to the Cisco attributes that the device understands.
When a user authenticates to the device, the device in turn authenticates to the server and uses LDAP to retrieve the record for that user. The record consists of LDAP attributes, each corresponding to a field on the server's administrative interface and carrying the value entered by the administrator who maintains the user records.
Configuring Router-to-LDAP Server Communication
Perform this task to configure router-to-LDAP server communication.
The LDAP host is normally a multiuser system running LDAP server software such as Microsoft Active Directory or OpenLDAP. Configuring router-to-LDAP server communication can have several components:
Hostname or IP address
Port number
Timeout period
Base DN
SUMMARY STEPS
1. enable
2. configure terminal
3. ldap server name
4. ipv4 ipv4-address
5. transport port port-number
6. timeout retransmit seconds
7. exit
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
ldap server name
Example:
Router(config)# ldap server server1
Configures a device to use the LDAP protocol and enters LDAP server configuration mode.
Step 4
ipv4 ipv4-address
Example:
Router(config-ldap-server)# ipv4 10.0.0.1
Specifies the LDAP server IP address using IPv4.
Step 5
transport port port-number
Example:
Router(config-ldap-server)# transport port 200
Configures the TCP port used to connect to the LDAP server. The default is 389, the standard LDAP port; 636 is the usual port for LDAP over TLS without negotiation. The server must actually be listening on the configured port; 200 here is only an illustration.
Step 6
timeout retransmit seconds
Example:
Router(config-ldap-server)# timeout retransmit 20
Specifies the number of seconds a router waits for a reply to an LDAP request before retransmitting the request.
Step 7
exit
Example:
Router(config-ldap-server)# exit
Exits the LDAP server configuration mode.
Configuring LDAP Protocol Parameters
Perform this task to configure the LDAP protocol parameters.
Specifies the root DN password used when the router binds to the LDAP server. Use the 0 option to enter the password in clear text. Use the 7 option to enter a string that is already in Cisco type 7 form. Type 7 is a reversible obfuscation, not encryption; the password is recoverable from the configuration either way, so protect the running and startup configurations and give the bind account no more than read access to the directory.
Step 5
search-filter user-object-type string
Example:
Router(config-ldap-server)# search-filter user-object-type name
Specifies the user object type placed in the search filter of search requests.
Specifies the cipher suite to use when the connection is secured with TLS.
Step 9
exit
Example:
Router(config-ldap-server)# exit
Exits the LDAP server configuration mode.
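A complete server definition that covers both procedures above (reachability and the protocol parameters, including TLS), as an added example that is not from the Cisco guide. The server name, addresses, DNs, password, trustpoint name and the cipher-suite keyword are assumed; confirm keywords with ? on your release, since the cipher suites offered vary.

```cisco
! Added example, not from the Cisco guide. Names, addresses, DNs and the
! cipher-suite keyword are assumed; check them against your directory and
! against "?" on your IOS release.
!
! TLS prerequisite: trust the CA that issued the LDAP server certificate.
! Without this the router cannot tell the real directory from an impostor
! before it hands over the bind password.
crypto pki trustpoint LDAP-CA
 enrollment terminal
 ! "none" skips CRL checks; use "crl" where the CRL distribution point is
 ! reachable from the router.
 revocation-check none
!
! The CA certificate is then imported interactively from privileged EXEC:
!   Router# crypto pki authenticate LDAP-CA   (paste the PEM, then confirm)
!
ldap server DC1
 ipv4 10.0.0.1
 ! 636 = LDAP over TLS. The guide's "transport port 200" is only an
 ! illustration; the directory must actually listen on the port given.
 transport port 636
 ! Establish TLS before the first LDAP PDU (no StartTLS negotiation), so
 ! neither the bind password nor user passwords ever cross the wire in clear.
 mode secure no-negotiation
 ! Suite name assumed; list what your release offers with "secure cipher ?"
 ! and avoid DES/3DES/RC4/NULL suites.
 secure cipher aes-128-cbc-sha
 ! Read-only service account used for the search and for authorization
 ! lookups. "0" enters the password in clear text; IOS stores it as type 7,
 ! which is reversible, so protect the configuration files.
 bind authenticate root-dn cn=svc-ios-ldap,ou=ServiceAccounts,dc=example,dc=com password 0 ServiceAccountPassw0rd
 ! Search base: narrow it to the container that holds the accounts that
 ! should be able to log in, not the whole forest/suffix.
 base-dn ou=People,dc=example,dc=com
 ! Object type placed in the user search filter; together with the base DN
 ! it should make a login name match at most one entry (two matches are
 ! reported to AAA as an error).
 search-filter user-object-type person
 ! Wait 20 s for a reply before retransmitting; tune with the method-list
 ! fallback so an unreachable directory fails over rather than hangs logins.
 timeout retransmit 20
 exit
```

After a test login, check show ldap server: its per-server counters distinguish requests that never got a response (port, TLS or reachability problem) from requests the directory answered with an error (bind credentials, base DN or filter problem), and debug ldap shows the individual operations while you narrow it down.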
Configuring a AAA Server Group
Perform this task to configure a AAA server group.
Configuring the router to use AAA server groups enables you to group existing servers. You select a subset of the configured server hosts and use them for a particular service. A server group is used in conjunction with the global server-host list: the group lists the configured servers by name, and each name must already exist in global configuration. Server groups can also include multiple host entries for the same server, as long as each entry has a unique identifier.
If two different host entries for the same LDAP server are configured for the same service (for example, authentication), the second host entry configured acts as a failover backup to the first one. In this example, if the first host entry fails to respond to authentication requests, the network access server tries the second host entry configured for the same server. (The LDAP host entries are tried in the order in which they are configured.) Failover happens only when a server does not answer; a server that answers with a rejection is a final result, not a reason to try the next entry. To define a server host with a server group name, enter the following commands.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa group server ldap group-name
5. server name
6. exit
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
aaa new-model
Example:
Router(config)# aaa new-model
Enables AAA.
Step 4
aaa group server ldap group-name
Example:
Router(config)# aaa group server ldap name1
Defines the AAA server group with a group name and enters LDAP server group configuration mode. All members of a group must be of the same type; that is, RADIUS, LDAP, or TACACS+.
Step 5
server name
Example:
Router(config-ldap-sg)# server server1
Associates a particular LDAP server with the defined server group. The name must match an existing ldap server definition; each server is identified by its IP address and TCP port number.
Step 6
exit
Example:
Router(config-ldap-sg)# exit
Exits LDAP server group configuration mode.
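The server-group procedure carried through, as an added example that is not from the Cisco guide: two server definitions for the same directory, a group that orders them for failover, and method lists that consume the group. Server names, addresses, DNs and the local account are assumed, and the method lists are one way to use an LDAP group; check which AAA services your release lets you point at an LDAP group.

```cisco
! Added example, not from the Cisco guide. Names, addresses and DNs are
! assumed.
aaa new-model
!
! Two definitions, one per domain controller. The group refers to the
! definition name, which must be unique, not to the address.
ldap server DC1
 ipv4 10.0.0.1
 transport port 636
 mode secure no-negotiation
 bind authenticate root-dn cn=svc-ios-ldap,ou=ServiceAccounts,dc=example,dc=com password 0 ServiceAccountPassw0rd
 base-dn ou=People,dc=example,dc=com
 timeout retransmit 5
 exit
!
ldap server DC2
 ipv4 10.0.0.2
 transport port 636
 mode secure no-negotiation
 bind authenticate root-dn cn=svc-ios-ldap,ou=ServiceAccounts,dc=example,dc=com password 0 ServiceAccountPassw0rd
 base-dn ou=People,dc=example,dc=com
 timeout retransmit 5
 exit
!
! Members are tried in the order listed: DC2 is used only when DC1 gives no
! answer within its retransmit timeout. A group holds one server type only.
aaa group server ldap LDAP-DCS
 server DC1
 server DC2
 exit
!
! Method lists: "local" after the group is reached only when no LDAP server
! answers (ERROR). A directory that answers "wrong password" (FAIL) ends the
! attempt; it does not fall through to the local database.
aaa authentication login default group LDAP-DCS local
aaa authorization exec default group LDAP-DCS local
!
! Keep a local administrator for the fallback path, or a directory outage
! locks you out of the device. Replace the placeholder with a real secret.
username admin privilege 15 secret LocalFallbackSecret
```

With two 5 s retransmit timeouts, a login while both controllers are down waits about 10 s before the local database is consulted; size the timeouts so that wait is acceptable for your operators.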
Configuring Search and Bind Operations for an Authentication Request
Perform this task to configure search and bind operations for an authentication request:
SUMMARY STEPS
1. enable
2. configure terminal
3. ldap server name
4. authentication bind-first
5. authentication compare
6. exit
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
ldap server name
Example:
Router(config)# ldap server server1
Configures the device to use the LDAP protocol and enters LDAP server configuration mode.
Replaces the second bind request with a compare request for authentication.
Step 6
exit
Example:
Router(config-ldap-server)# exit
Exits the LDAP server configuration mode.
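The three authentication orderings described under Bind, Search and Compare above and selected by this procedure, as an added example that is not from the Cisco guide. They are shown as three alternative definitions so the differences are visible side by side; a real server would carry only one of them. Names, addresses and DNs are assumed.

```cisco
! Added example, not from the Cisco guide. Names, addresses and DNs are
! assumed. Pick one of the three definitions for a given server.
!
! 1) Default (nothing extra configured): bind as the service account, search
!    for the user under base-dn, then bind as the DN the search returned
!    using the password the user typed. Works when the user's RDN cannot be
!    derived from the login name (users spread over several OUs).
ldap server DC1-SEARCH-FIRST
 ipv4 10.0.0.1
 mode secure no-negotiation
 transport port 636
 bind authenticate root-dn cn=svc-ios-ldap,ou=ServiceAccounts,dc=example,dc=com password 0 ServiceAccountPassw0rd
 base-dn ou=People,dc=example,dc=com
 exit
!
! 2) bind-first: the router forms the user DN itself (cn=<login>,<base-dn>)
!    and binds with the user's password before any search. One round trip
!    fewer, but every account must sit directly under base-dn with cn equal
!    to the login name, or the bind fails before the search ever runs.
ldap server DC1-BIND-FIRST
 ipv4 10.0.0.1
 mode secure no-negotiation
 transport port 636
 bind authenticate root-dn cn=svc-ios-ldap,ou=ServiceAccounts,dc=example,dc=com password 0 ServiceAccountPassw0rd
 base-dn ou=People,dc=example,dc=com
 authentication bind-first
 exit
!
! 3) compare: after the search, send an LDAP compare of the user's password
!    attribute instead of a second bind. The connection stays bound as the
!    service account and is reused. The directory must allow a compare on
!    its password attribute; verify this against yours, since not all
!    directories (Active Directory in particular) serve password compares.
ldap server DC1-COMPARE
 ipv4 10.0.0.1
 mode secure no-negotiation
 transport port 636
 bind authenticate root-dn cn=svc-ios-ldap,ou=ServiceAccounts,dc=example,dc=com password 0 ServiceAccountPassw0rd
 base-dn ou=People,dc=example,dc=com
 authentication compare
 exit
```

Whichever ordering is used, debug ldap during a single test login shows the actual sequence of bind, search and compare operations, which is the quickest way to confirm the directory is being asked what you expect.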
Configuring a Dynamic Attribute Map on an LDAP Server
Perform this task to configure a dynamic attribute map on an LDAP server.
You must create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute names and values that the device understands. You can then bind these attribute maps to LDAP servers or remove them as required. See the chapter "User-Based Firewall Support" in the Cisco IOS Security Configuration Guide: Securing the Data Plane for more information about user-based firewalls.
Note
To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.
Attaches the attribute map to a particular LDAP server.
Step 11
exit
Example:
Router(config-ldap-server)# exit
Exits LDAP server configuration mode.
Monitoring and Maintaining LDAP
To monitor and maintain LDAP, use the following commands in privileged EXEC mode. The commands can be entered in any order.
Command
Purpose
Router# clear ldap server
Clears the TCP connection with the LDAP server; the next request opens a new connection and binds again.
Router# debug ldap
Displays LDAP debugging output. It shows the individual bind, search and compare operations and the DNs involved, so enable it only while troubleshooting.
Router# show ldap server
Displays the LDAP server state and the request, response and error counters for each server.
Router# show ldap attributes
Displays the default mapping between LDAP attributes and Cisco AAA attributes.
Technical Assistance
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Configuring LDAP
Feature Name
Releases
Feature Information
LDAP integration with Active Directory
15.1(1)T
LDAP is a standards-based protocol used to access directories. It follows a client-server model similar to that of RADIUS. LDAP is deployed on Cisco devices to send authentication requests to a central LDAP server that holds all user authentication and network service access information.
This feature provides authentication and authorization support for AAA.
The following commands were introduced or modified:
aaa group server ldap, authentication bind-first, authentication compare, bind authenticate, base-dn, clear ldap server, debug ldap, ipv4, mode secure, ldap server, search-filter, secure cipher, show ldap server, transport port, timeout retransmit.
LDAP Active Directory Support for Authproxy
15.1(1)T
This feature enables the authentication proxy to authenticate and authorize the users with Active Directory servers using LDAP.
The following commands were introduced or modified:
map type, attribute map.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.