Secure LDAP

Information About SLDAP

Transport Layer Security (TLS)

The Transport Layer Security (TLS) is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. TLS relies upon certificates, public keys, and private keys to prove the identity of clients.

The certificates are issued by the Certificate Authorities (CAs).

Each certificate includes the following:

  • The name of the authority that issued it.

  • The name of the entity to which the certificate was issued.

  • The public key of the entity.

  • The timestamps of the entity that indicate the expiration date of the certificate.

You can find the TLS support for LDAP in the RFC2830 which is an extension to the LDAP protocol.

LDAP Operations

Bind

The bind operation is used to authenticate a user to the server. It is used to start a connection with the LDAP server. LDAP is a connection-oriented protocol. The client specifies the protocol version and authentication information.

LDAP supports the following binds:

  • Authenticated bind—An authenticated bind is performed when a root Distinguished Name (DN) and password are available.

  • Anonymous bind—In the absence of a root DN and password, an anonymous bind is performed.

In LDAP deployments, the search operation is performed first and the bind operation later. This is because, if a password attribute is returned as part of the search operation, the password verification can be done locally on an LDAP client. Thus, there is no need to perform an extra bind operation. If a password attribute is not returned, the bind operation can be performed later. Another advantage of performing a search operation first and a bind operation later is that the DN received in the search result can be used as the user DN instead of forming a DN by prefixing the username (cn attribute) with the base DN. All entries stored in an LDAP server have a unique DN.

The DN consists of two parts:

  • Relative Distinguished Name (RDN)

  • Location in the LDAP server where the record resides.

Most of the entries that you store in an LDAP server will have a name, and the name is frequently stored in the Common Name (cn) attribute. Because every object has a name, most objects you store in an LDAP will use their cn value as the basis for their RDN.

Search

A search operation is used to search the LDAP server. The client specifies the starting point (base DN) of the search, the search scope (either the object, its children, or the subtree rooted at the object), and a search filter.

For authorization requests, the search operation is directly performed without a bind operation. The LDAP server can be configured with certain privileges for the search operation to succeed. This privilege level is established with the bind operation.

An LDAP search operation can return multiple user entries for a specific user. In such cases, the LDAP client returns an appropriate error code to AAA. To avoid these errors, you must configure appropriate search filters to match a single entry.

Compare

The compare operation is used to replace a bind request with a compare request for an authentication. The compare operation helps to maintain the initial bind parameters for the connection.

LDAP Dynamic Attribute Mapping

The Lightweight Directory Access Protocol (LDAP) is a powerful and flexible protocol for communication with AAA servers. LDAP attribute maps provide a method to cross-reference the attributes retrieved from a server to Cisco attributes supported by the security appliances.

When a user authenticates a security appliance, the security appliance, in turn, authenticates the server and uses the LDAP protocol to retrieve the record for that user. The record consists of LDAP attributes associated with fields displayed on the user interface of the server. Each attribute retrieved includes a value that was entered by the administrator who updates the user records.

Prerequisite for Configuring SLDAP

If you are using a secure Transport Layer Security (TLS) secure connection, you must configure the X.509 certificates.

Restrictions for Configuring SLDAP

  • LDAP referrals are not supported.

  • Unsolicited messages or notifications from the LDAP server are not handled.

  • LDAP authentication is not supported for interactive (terminal) sessions.

Configuring SLDAP

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ldap server name

Example:

Device(config)# ldap server server1

Defines a Lightweight Directory Access Protocol (LDAP) server and enters LDAP server configuration mode.

Step 4

ipv4 ipv4-address

Example:

Device(config-ldap-server)# ipv4 9.4.109.20

Specifies the LDAP server IP address using IPv4.

Step 5

timeout retransmit seconds

Example:

Device(config-ldap-server)# timeout retransmit 20

Specifies the number of seconds the Cisco Catalyst 9800 Series Wireless Controller embedded wireless controller waits for a reply to an LDAP request before retransmitting the request.

Step 6

bind authenticate root-dn password [0 string | 7 string] string

Example:

Device(config-ldap-server)# bind authenticate root-dn CN=ldapipv6user,CN=Users,DC=ca,DC=ssh2,DC=com password Cisco12345

Specifies a shared secret text string used between the Cisco Catalyst 9800 Series Wireless Controller embedded wireless controller and an LDAP server.

Use the 0 line option to configure an unencrypted shared secret.

Use the 7 line option to configure an encrypted shared secret.

Step 7

base-dn string

Example:

Device(config-ldap-server)# base-dn CN=Users,DC=ca,DC=ssh2,DC=com

Specifies the base Distinguished Name (DN) of the search.

Step 8

mode secure [no- negotiation]

Example:

Device(config-ldap-server)# mode secure no- negotiation

Configures LDAP to initiate the TLS connection and specifies the secure mode.

Step 9

end

Example:

Device(config-ldap-server)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring an AAA Server Group (GUI)

Configuring a device to use AAA server groups helps you to group existing server hosts, select a subset of the configured server hosts and use them for a particular service. A server group is used with a global server-host list. The server group lists the IP addresses of the selected server hosts.

You can create the following server groups:

Procedure


Step 1

RADIUS

  1. Choose Services > Security > AAA > Server Groups > RADIUS.

  2. Click the Add button. The Create AAA Radius Server Group dialog box appears.

  3. Enter a name for the RADIUS server group in the Name field.

  4. Choose a desired delimiter from the MAC-Delimiter drop-down list. The available options are colon, hyphen, and single-hyphen.

  5. Choose a desired filter from the MAC-Filtering drop-down list. The available options are mac and Key.

  6. Enter a value in the Dead-Time (mins) field to make a server non-operational. You must specify a value between 1 and 1440.

  7. Choose any of the available servers from the Available Servers list and move them to the Assigned Servers list by clicking the > button.

  8. Click the Save & Apply to Device button.

Step 2

TACACS+

  1. Choose Services > Security > AAA > Server Groups > TACACS+.

  2. Click the Add button. The Create AAA Tacacs Server Group dialog box appears.

  3. Enter a name for the TACACS server group in the Name field.

  4. Choose any of the available servers from the Available Servers list and move them to the Assigned Servers list by clicking the > button.

  5. Click the Save & Apply to Device button.

Step 3

LDAP

  1. Choose Services > Security > AAA > Server Groups > LDAP.

  2. Click the Add button. The Create AAA Ldap Server Group dialog box appears.

  3. Enter a name for the LDAP server group in the Name field.

  4. Choose any of the available servers from the Available Servers list and move them to the Assigned Servers list by clicking the > button.

  5. Click the Save & Apply to Device button.


Configuring a AAA Server Group

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:

Device(config)# aaa new-model

Enables AAA.

Step 4

aaa group server ldap group-name

Example:

Device(config)# aaa group server ldap name1

Defines the AAA server group with a group name and enters LDAP server group configuration mode.

All members of a group must be of the same type, that is, RADIUS, LDAP, or TACACS+.

Step 5

server name

Example:

Device(config-ldap-sg)# server server1

Associates a particular LDAP server with the defined server group.

Each security server is identified by its IP address and UDP port number.

Step 6

exit

Example:

Device(config-ldap-sg)# exit

Exits LDAP server group configuration mode.

Configuring Search and Bind Operations for an Authentication Request

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:

Device(config)# aaa new-model

Enables AAA.

Step 4

ldap server name

Example:

Device(config)# ldap server server1

Defines a Lightweight Directory Access Protocol (LDAP) server and enters LDAP server configuration mode.

Step 5

authentication bind-first

Example:

Device(config-ldap-server)# authentication bind-first

Configures the sequence of search and bind operations for an authentication request.

Step 6

authentication compare

Example:

Device(config-ldap-server)# authentication compare

Replaces the bind request with the compare request for authentication.

Step 7

exit

Example:

Device(config-ldap-server)# exit

Exits LDAP server group configuration mode.

Configuring a Dynamic Attribute Map on an SLDAP Server

You must create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute names and values that are compatible with the security appliance. You can then bind these attribute maps to LDAP servers or remove them as required.


Note


To use the attribute mapping features correctly, you need to understand the Cisco LDAP and user-defined attribute names and values.


Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ldap attribute-map map-name

Example:

Device(config)# ldap attribute-map map1

Configures a dynamic LDAP attribute map and enters attribute-map configuration mode.

Step 4

map type ldap-attr-type aaa-attr-type

Example:

Device(config-attr-map)# map type department supplicant-group

Defines an attribute map.

Step 5

exit

Example:

Device(config-attr-map)# exit

Exits attribute-map configuration mode.

Verifying the SLDAP Configuration

To view details about the default LDAP attribute mapping, use the following command:

Device# show ldap attributes

To view the LDAP server state information and various other counters for the server, use the following command:

Device# show ldap server