Configuring LDAP

This chapter describes how to configure the Lightweight Directory Access Protocol (LDAP) on Cisco NX-OS devices and includes the following sections:

About LDAP

The Lightweight Directory Access Protocol (LDAP) provides centralized validation of users attempting to gain access to a Cisco NX-OS device. LDAP services are maintained in a database on an LDAP daemon running typically on a UNIX or Windows NT workstation. You must have access to and must configure an LDAP server before the configured LDAP features on your Cisco NX-OS device are available.

LDAP provides for separate authentication and authorization facilities. LDAP allows for a single access control server (the LDAP daemon) to provide each service authentication and authorization independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The LDAP client/server protocol uses TCP (port 389) for transport requirements. Cisco NX-OS devices provide centralized authentication using the LDAP protocol.

LDAP Authentication and Authorization

Clients establish a TCP connection and authentication session with an LDAP server through a simple bind (username and password). As part of the authorization process, the LDAP server searches its database to retrieve the user profile and other information.

You can configure the bind operation to first bind and then search, where authentication is performed first and authorization next, or to first search and then bind. The default method is to first search and then bind.

The advantage of searching first and binding later is that the distinguished name (DN) received in the search result can be used as the user DN during binding rather than forming a DN by prepending the username (cn attribute) with the baseDN. This method is especially helpful when the user DN is different from the username plus the baseDN. For the user bind, the bindDN is constructed as baseDN + append-with-baseDN, where append-with-baseDN has a default value of cn=$userid.


Note


As an alternative to the bind method, you can establish LDAP authentication using the compare method, which compares the attribute values of a user entry at the server. For example, the user password attribute can be compared for authentication. The default password attribute type is userPassword.

LDAP Operation for User Login

When a user attempts a Password Authentication Protocol (PAP) login to a Cisco NX-OS device using LDAP, the following actions occur:
  1. When the Cisco NX-OS device establishes a connection, it contacts the LDAP daemon to obtain the username and password.
  2. The Cisco NX-OS device eventually receives one of the following responses from the LDAP daemon:
    • ACCEPT—User authentication succeeds and service begins. If the Cisco NX-OS device requires user authorization, authorization begins.
    • REJECT—User authentication fails. The LDAP daemon either denies further access to the user or prompts the user to retry the login sequence.
    • ERROR—An error occurs at some time during authentication either at the daemon or in the network connection between the daemon and the Cisco NX-OS device. If the Cisco NX-OS device receives an ERROR response, the Cisco NX-OS device tries to use an alternative method for authenticating the user.

    After authentication, the user also undergoes an additional authorization phase if authorization has been enabled on the Cisco NX-OS device. Users must first successfully complete LDAP authentication before proceeding to LDAP authorization.

  3. If LDAP authorization is required, the Cisco NX-OS device again contacts the LDAP daemon, and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access. Services include the following:
    • Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
    • Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts

Note


LDAP allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination but may include prompts for other items.

Note


In LDAP, authorization can occur before authentication.

LDAP Server Monitoring

An unresponsive LDAP server can delay the processing of AAA requests. A Cisco NX-OS device can periodically monitor an LDAP server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco NX-OS device marks unresponsive LDAP servers as dead and does not send AAA requests to any dead LDAP servers. A Cisco NX-OS device periodically monitors dead LDAP servers and brings them to the alive state once they are responding. This process verifies that an LDAP server is in a working state before real AAA requests are sent its way. Whenever an LDAP server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated, and the Cisco NX-OS device displays an error message that a failure is taking place before it can impact performance. The following figure shows the server states for LDAP server monitoring.

Figure 1. LDAP Server States



Note


The monitoring interval for alive servers and dead servers is different and can be configured by the user. The LDAP server monitoring is performed by sending a test authentication request to the LDAP server.

Vendor-Specific Attributes for LDAP

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the LDAP server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use.

Cisco VSA Format for LDAP

The Cisco LDAP implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is an = (equal sign) for mandatory attributes, and an * (asterisk) indicates optional attributes. When you use LDAP servers for authentication on a Cisco NX-OS device, LDAP directs the LDAP server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs. The following VSA protocol option is supported by the Cisco NX-OS software:

  • Shell—Protocol used in access-accept packets to provide user profile information.

The Cisco NX-OS software supports the following attribute:

  • roles—Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white space.

Virtualization Support for LDAP

The Cisco NX-OS device uses virtual routing and forwarding instances (VRFs) to access the LDAP servers. For more information on VRFs, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide.

Prerequisites for LDAP

LDAP has the following prerequisites:

  • Obtain the IPv4 or IPv6 addresses or hostnames for the LDAP servers.
  • Ensure that the Cisco NX-OS device is configured as an LDAP client of the AAA servers.

Guidelines and Limitations for LDAP

LDAP has the following guidelines and limitations:

  • You can configure a maximum of 64 LDAP servers on the Cisco NX-OS device.

  • Cisco NX-OS supports only LDAP version 3.

  • Cisco NX-OS supports only these LDAP servers:

    • OpenLDAP

    • Microsoft Active Directory

  • LDAP over Secure Sockets Layer (SSL) supports only SSL version 3 and Transport Layer Security (TLS) version 1.2.

  • For LDAP over SSL, the LDAP client configuration must include the hostname as a subject in the LDAP server certificate.

  • If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on a AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.

  • Beginning with Cisco NX-OS Release 10.3(1)F, LDAP is supported on the Cisco Nexus 9808 switches.

Default Settings for LDAP

This table lists the default settings for LDAP parameters.

Parameters

Default

LDAP

Disabled

LDAP authentication method

First search and then bind

LDAP authentication mechanism

Plain

Dead-time interval

0 minutes

Timeout interval

5 seconds

Idle timer interval

60 minutes

Periodic server monitoring username

test

Periodic server monitoring password

Cisco

Configuring LDAP

This section describes how to configure LDAP on a Cisco NX-OS device.

LDAP Server Configuration Process

You can configure LDAP servers by following this configuration process.

  1. Enable LDAP.
  2. Establish the LDAP server connections to the Cisco NX-OS device.
  3. If needed, configure LDAP server groups with subsets of the LDAP servers for AAA authentication methods.
  4. (Optional) Configure the TCP port.
  5. (Optional) Configure the default AAA authorization method for the LDAP server.
  6. (Optional) Configure an LDAP search map.
  7. (Optional) If needed, configure periodic LDAP server monitoring.

Enabling or Disabling LDAP

By default, the LDAP feature is disabled on the Cisco NX-OS device. You must explicitly enable the LDAP feature to access the configuration and verification commands for authentication.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] feature ldap

Example:

switch(config)# feature ldap

Enables LDAP. Use the no form of this command to disable LDAP.

Note

 
When you disable LDAP, all related configurations are automatically discarded.

Step 3

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring LDAP Server Hosts

To access a remote LDAP server, you must configure the IP address or the hostname for the LDAP server on the Cisco NX-OS device. You can configure up to 64 LDAP servers.


Note


By default, when you configure an LDAP server IP address or hostname on the Cisco NX-OS device, the LDAP server is added to the default LDAP server group. You can also add the LDAP server to another LDAP server group.


Before you begin

Enable LDAP.

Obtain the IPv4 or IPv6 addresses or the hostnames for the remote LDAP servers.

If you plan to enable the Secure Sockets Layer (SSL) protocol, make sure that the LDAP server certificate is manually configured on the Cisco NX-OS device.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] ldap-server host {ipv4-address | ipv6-address | host-name} [enable-ssl] [referral-disable]

Example:

switch(config)# ldap-server host 10.10.2.2 enable-ssl

Specifies the IPv4 or IPv6 address or hostname for an LDAP server.

The enable-ssl keyword ensures the integrity and confidentiality of the transferred data by causing the LDAP client to establish an SSL session prior to sending the bind or search request.

The referral-disable keyword disables the unwanted referral links.

Step 3

(Optional) show ldap-server

Example:

switch(config)# show ldap-server
(Optional)

Displays the LDAP server configuration.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring the RootDN for an LDAP Server

You can configure the root designated name (DN) for the LDAP server database. The rootDN is used to bind to the LDAP server to verify its state.

Before you begin

Enable LDAP.

Obtain the IPv4 or IPv6 addresses or the hostnames for the remote LDAP servers.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] ldap-server host {ipv4-address | ipv6-address | hostname} rootDN root-name [password password [port tcp-port [timeout seconds] | timeout seconds]]

Example:

switch(config)# ldap-server host 10.10.1.1 rootDN cn=manager,dc=acme,dc=com password Ur2Gd2BH timeout 60

Specifies the rootDN for the LDAP server database and the bind password for the root.

Optionally specifies the TCP port to use for LDAP messages to the server. The range is from 1 to 65535, and the default TCP port is the global value or 389 if a global value is not configured. Also specifies the timeout interval for the server. The range is from 1 to 60 seconds, and the default timeout is the global value or 5 seconds if a global value is not configured.

Step 3

(Optional) show ldap-server

Example:

switch(config)# show ldap-server
(Optional)

Displays the LDAP server configuration.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring LDAP Server Groups

You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must be configured to use LDAP. The servers are tried in the same order in which you configure them.

You can configure these server groups at any time, but they take effect only when you apply them to an AAA service.

Before you begin

Enable LDAP.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] aaa group server ldap group-name

Example:

switch(config)# aaa group server ldap LDAPServer1
switch(config-ldap)#

Creates an LDAP server group and enters the LDAP server group configuration mode for that group.

Step 3

[no] server {ipv4-address | ipv6-address | host-name}

Example:

switch(config-ldap)# server 10.10.2.2

Configures the LDAP server as a member of the LDAP server group.

If the specified LDAP server is not found, configure it using the ldap-server host command and retry this command.

Step 4

(Optional) [no] authentication {bind-first [append-with-baseDN DNstring] | compare [password-attribute password]}

Example:

switch(config-ldap)# authentication compare password-attribute TyuL8r
(Optional)

Performs LDAP authentication using the bind or compare method. The default LDAP authentication method is the bind method using first search and then bind.

Step 5

(Optional) [no] enable user-server-group

Example:

switch(config-ldap)# enable user-server-group
(Optional)

Enables group validation. The group name should be configured in the LDAP server. Users can login through public-key authentication only if the username is listed as a member of this configured group in the LDAP server.

Step 6

(Optional) [no] enable Cert-DN-match

Example:

switch(config-ldap)# enable Cert-DN-match
(Optional)

Enables users to login only if the user profile lists the subject-DN of the user certificate as authorized for login.

Step 7

(Optional) [no] use-vrf vrf-name

Example:

switch(config-ldap)# use-vrf vrf1
(Optional)

Specifies the VRF to use to contact the servers in the server group.

Step 8

exit

Example:

switch(config-ldap)# exit
switch(config)#

Exits LDAP server group configuration mode.

Step 9

(Optional) show ldap-server groups

Example:

switch(config)# show ldap-server groups
(Optional)

Displays the LDAP server group configuration.

Step 10

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring the Global LDAP Timeout Interval

You can set a global timeout interval that determines how long the Cisco NX-OS device waits for responses from all LDAP servers before declaring a timeout failure.

Before you begin

Enable LDAP.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] ldap-server timeout seconds

Example:

switch(config)# ldap-server timeout 10

Specifies the timeout interval for LDAP servers. The default timeout interval is 5 seconds. The range is from 1 to 60 seconds.

Step 3

(Optional) show ldap-server

Example:

switch(config)# show ldap-server
(Optional)

Displays the LDAP server configuration.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring the Timeout Interval for an LDAP Server

You can set a timeout interval that determines how long the Cisco NX-OS device waits for responses from an LDAP server before declaring a timeout failure.

Before you begin

Enable LDAP.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] ldap-server host {ipv4-address | ipv6-address | hostname} timeout seconds

Example:

switch(config)# ldap-server host server1 timeout 10

Specifies the timeout interval for a specific server. The default is the global value.

Note

 

The timeout interval value specified for an LDAP server overrides the global timeout interval value specified for all LDAP servers.

Step 3

(Optional) show ldap-server

Example:

switch(config)# show ldap-server
(Optional)

Displays the LDAP server configuration.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring TCP Ports

You can configure another TCP port for the LDAP servers if there are conflicts with another application. By default, Cisco NX-OS devices use port 389 for all LDAP requests.

Before you begin

Enable LDAP.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] ldap-server host {ipv4-address | ipv6-address | hostname} port tcp-port [timeout seconds]

Example:

switch(config)# ldap-server host 10.10.1.1 port 200 timeout 5

Specifies the TCP port to use for LDAP messages to the server. The default TCP port is 389. The range is from 1 to 65535.

Optionally specifies the timeout interval for the server. The range is from 1 to 60 seconds, and the default timeout is the global value or 5 seconds if a global value is not configured.

Note

 

The timeout interval value specified for an LDAP server overrides the global timeout interval value specified for all LDAP servers.

Step 3

(Optional) show ldap-server

Example:

switch(config)# show ldap-server
(Optional)

Displays the LDAP server configuration.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring LDAP Search Maps

You can configure LDAP search maps to send a search query to the LDAP server. The server searches its database for data meeting the criteria specified in the search map.

Before you begin

Enable LDAP.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

ldap search-map map-name

Example:

switch(config)# ldap search-map map1
switch(config-ldap-search-map)#

Configures an LDAP search map.

Step 3

(Optional) [userprofile | trustedCert | CRLLookup | user-certdn-match | user-pubkey-match | user-switch-bind] attribute-name attribute-name search-filter filter base-DN base-DN-name

Example:

switch(config-ldap-search-map)# userprofile attribute-name att-name search-filter (&(objectClass=inetOrgPerson)(cn=$userid)) base-DN dc=acme,dc=com
(Optional)

Configures the attribute name, search filter, and base-DN for the user profile, trusted certificate, CRL, certificate DN match, public key match, or user-switchgroup lookup search operation. These values are used to send a search query to the LDAP server.

The attribute-name argument is the name of the attribute in the LDAP server that contains the Nexus role definition.

Step 4

(Optional) exit

Example:

switch(config-ldap-search-map)# exit
switch(config)#
(Optional)

Exits LDAP search map configuration mode.

Step 5

(Optional) show ldap-search-map

Example:

switch(config)# show ldap-search-map
(Optional)

Displays the configured LDAP search maps.

Step 6

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring Periodic LDAP Server Monitoring

You can monitor the availability of LDAP servers. The configuration parameters include the username and password to use for the server, the rootDN to bind to the server to verify its state, and an idle timer. The idle timer specifies the interval in which an LDAP server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.


Note


To protect network security, we recommend that you use a username that is not the same as an existing username in the LDAP database.


Before you begin

Enable LDAP.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] ldap-server host {ipv4-address | ipv6-address | hostname} test rootDN root-name [idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]]

Example:

switch(config)# ldap-server host 10.10.1.1 test rootDN root1 username user1 password Ur2Gd2BH idle-time 3

Specifies the parameters for server monitoring. The default username is test, and the default password is Cisco. The default value for the idle timer is 60 minutes, and the valid range is from 1 to 1440 minutes.

Note

 

We recommend that the user not be an existing user in the LDAP server database.

Step 3

[no] ldap-server deadtime minutes

Example:

switch(config)# ldap-server deadtime 5

Specifies the number of minutes before the Cisco NX-OS device checks an LDAP server that was previously unresponsive. The default value is 0 minutes, and the valid range is from 1 to 60 minutes.

Step 4

(Optional) show ldap-server

Example:

switch(config)# show ldap-server
(Optional)

Displays the LDAP server configuration.

Step 5

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring the LDAP Dead-Time Interval

You can configure the dead-time interval for all LDAP servers. The dead-time interval specifies the time that the Cisco NX-OS device waits, after declaring that an LDAP server is dead, before sending out a test packet to determine if the server is now alive.


Note


When the dead-time interval is 0 minutes, LDAP servers are not marked as dead even if they are not responding. You can configure the dead-time interval per group.


Before you begin

Enable LDAP.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] ldap-server deadtime minutes

Example:

switch(config)# ldap-server deadtime 5

Configures the global dead-time interval. The default value is 0 minutes. The range is from 1 to 60 minutes.

Step 3

(Optional) show ldap-server

Example:

switch(config)# show ldap-server
(Optional)

Displays the LDAP server configuration.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring AAA Authorization on LDAP Servers

You can configure the default AAA authorization method for LDAP servers.

Before you begin

Enable LDAP.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

aaa authorization {ssh-certificate | ssh-publickey} default {group group-list | local}

Example:

switch(config)# aaa authorization ssh-certificate default group LDAPServer1 LDAPServer2

Configures the default AAA authorization method for the LDAP servers.

The ssh-certificate keyword configures LDAP or local authorization with certificate authentication, and the ssh-publickey keyword configures LDAP or local authorization with the SSH public key. The default authorization is local authorization, which is the list of authorized commands for the user’s assigned role.

The group-list argument consists of a space-delimited list of LDAP server group names. Servers that belong to this group are contacted for AAA authorization. The local method uses the local database for authorization.

Step 3

(Optional) show aaa authorization [all]

Example:

switch(config)# show aaa authorization
(Optional)

Displays the AAA authorization configuration. The all keyword displays the default values.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring LDAP SSH Public Key Authorization

The AAA authorization is performed through LDAP servers with the public key of the user which is saved in the user entry of the LDAP server.

Before configuring LDAP SSH public key authorization, ensure that the following are taken care of:

  • Save the public key of the user as a user attribute in the LDAP server.

  • Sign-in using the private key from the SSH client.


    Note


    The private key that is presented during SSH sign-in is verified with the public key which is saved in the LDAP server.


The following example shows the sample LDAP client configuration.

In the following example, the public key of the user is saved in the LDAP server under the attribute mentioned in user-pubkey-match configuration, ie, sshPublicKeys attribute in the below case:

ldap-server host fully qualified domain name.com rootDN "CN=ucsadmin1,CN=Users,DC=PI-Sec-DT,DC=com"  password 7 password1
ldap search-map Map1
  userprofile attribute-name "description" search-filter "(cn=$userid)" base-DN "DC=PI-Sec-DT,DC=com"
  user-pubkey-match attribute-name "sshPublicKeys" search-filter "(cn=$userid)" base-DN "DC=PI-Sec-DT,DC=com"
aaa group server ldap ldap1
  server fully qualified domain name.com
  use-vrf management
  ldap-search-map Map1

aaa authorization ssh-publickey default group ldap1
In the following example, the SSH client private key of the user is used to sign in to the switch management IP address:
ssh ldapuser@10.0.0.1 -i ldap_pub_key_test 

Configuring LDAP SSH Certificate Authorization

AAA authorization is performed through an LDAP server with a certificate and the DN of the certificate which is saved in the user attribute of the LDAP server.

During LDAP SSH certificate authorization, following things are taken care of:

  • Validation of the user certificate presented through the SSH client using the CA certificate installed in the switch.

  • As the enable cert-dn-match configuration is enabled by default, the cert-DN-match with the DN stored in the LDAP server to validate the certificate is taken care automatically.

The following example shows the sample LDAP client configurations.

  • The following example shows how to save the certificate DN in an LDAP server under any specific attribute that is mentioned in the user-certdn-match configuration.

    The format is "x509v3-sign-rsa DN /DC=com, DC=PI-Sec-DT, CN=Users, CN=username1".

    ldap-server host fully qualified domain name.com rootDN "CN=ucsadmin1,CN=Users,DC=PI-Sec-DT,DC=com"  password 7 password1
    ldap search-map Map24
      userprofile attribute-name "description" search-filter "(cn=$userid)" base-DN "DC=PI-Sec-DT,DC=com"
      user-certdn-match attribute-name <attribute> search-filter "(cn=$userid)" base-DN "DC=PI-Sec-DT,DC=com"
    aaa group server ldap ldap24
      server fully qualified domain name.com
      enable Cert-DN-match
      use-vrf management
      ldap-search-map Map24
    
    aaa authorization ssh-certificate default group ldap24
    
  • The following show command shows the details of the rootCA certificate installed on the box:
    switch# show crypto ca certificates
    Trustpoint: ldap
    CA certificate 0:
    subject=C = IN, ST = KAR, L = BGL, O = Cisco, OU = DCBG-Cert, CN = RootCA
    issuer=C = IN, ST = KAR, L = BGL, O = Cisco, OU = DCBG-Cert, CN = RootCA
    serial=82EE7603BF7E74A9
    notBefore=May 29 07:12:30 2023 GMT
    notAfter=May 26 07:12:30 2033 GMT
    SHA1 Fingerprint=D5:AE:75:8E:A1:4F:79:1E:80:3E:5E:67:C5:42:44:10:13:C6:F7:1D
    purposes: sslserver sslclient
    
    n7700-DE#
    
  • The following example shows how user sign-in is performed from the SSH client:

    • In the SSH client, the input certificate contains both private key and user certificate concatenated in a single file '<user>.crt'.

    • The rootCA.crt is the rootCA certificate file.

    • The IP Address is the switch management IP address.

    ssh username1@10.0.0.1 -i username1.crt -vvv -oCACertificateFile=rootCA.crt

Monitoring LDAP Servers

You can monitor the statistics that the Cisco NX-OS device maintains for LDAP server activity.

Before you begin

Configure LDAP servers on the Cisco NX-OS device.

Procedure

Command or Action Purpose

show ldap-server statistics {hostname | ipv4-address | ipv6-address}

Example:

switch# show ldap-server statistics 10.10.1.1

Displays the LDAP server statistics.

Clearing LDAP Server Statistics

You can display the statistics that the Cisco NX-OS device maintains for LDAP server activity.

Before you begin

Configure LDAP servers on the Cisco NX-OS device.

Procedure

  Command or Action Purpose

Step 1

(Optional) show ldap-server statistics {hostname | ipv4-address | ipv6-address}

Example:

switch# show ldap-server statistics 10.10.1.1
(Optional)

Displays the LDAP server statistics.

Step 2

clear ldap-server statistics {hostname | ipv4-address | ipv6-address}

Example:

switch# clear ldap-server statistics 10.10.1.1

Clears the LDAP server statistics.

Verifying the LDAP Configuration

To display LDAP configuration information, perform one of the following tasks.

Command

Purpose

show running-config ldap [all]

Displays the LDAP configuration in the running configuration.

show startup-config ldap

Displays the LDAP configuration in the startup configuration.

show ldap-server

Displays LDAP configuration information.

show ldap-server groups

Displays LDAP server group configuration information.

show ldap-server statistics {hostname | ipv4-address | ipv6-address}

Displays LDAP statistics.

show ldap-search-map

Displays information about the configured LDAP attribute maps.

Configuration Examples for LDAP

The following example shows how to configure an LDAP server host and server group:

feature ldap
ldap-server host 10.10.2.2 enable-ssl
aaa group server ldap LdapServer
server 10.10.2.2
exit
show ldap-server
show ldap-server groups

The following example shows how to configure an LDAP search map:

ldap search-map s0
userprofile attribute-name att-name search-filter "
(&(objectClass=Person)(sAMAccountName=$userid))" base-DN dc=acme,dc=com
exit
show ldap-search-map

The following example shows how to configure AAA authorization with certificate authentication for an LDAP server:

aaa authorization ssh-certificate default group LDAPServer1 LDAPServer2
exit
show aaa authorization

The following example shows how you can validate the authentication:

failing
test aaa group LdapServer user <user-password>
user has failed authentication

! working
test aaa group LdapServer user <user-password>
user has been authenticated

Where to Go Next

You can now configure AAA authentication methods to include the server groups.

Additional References for LDAP

Related Documents

Related Topic

Document Title

Cisco NX-OS licensing

Cisco NX-OS Licensing Guide

VRF configuration

Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide

Standards

Standards

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

MIBs

MIBs Link

MIBs related to LDAP

To locate and download the supported MIBs, go to the following URL:

ftp://ftp.cisco.com/pub/mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html