LDAP can be used for the UDS. LDAP supports anonymous, simple, or Kerberos authentication. There are also options to configure the LDAP schema, enable LDAP Secure (using SSL) to encrypt the LDAP traffic, and configure the Certification Authority (CA) certificate for authentication. Table 12 shows the description and syntax for all of the LDAP configuration settings.
Setting | Anonymous | Simple | Simple (AD LDAP or IDMU) | Kerberos |
Server | LDAP Server IPs or Hostnames | |||
Port | LDAP Server Port Number - Default: 389 / SSL: 636 | |||
Base DN | Base DN in LDAP notation format. For example, if using svt.lab.com, the Base DN would be DC=svt,DC=lab,DC=com | The Base DN is the same as the Fully Qualified Domain Name. For example, svt.lab.com | Base DN in LDAP notation format. For example, if using svt.lab.com, the Base DN would be DC=svt,DC=lab,DC=com | |
Profile DN (optional) | Profile DN for the iPlanet or OpenLDAP server | | | |
Bind DN | | User account in LDAP notation format. For example, cn=administrator,cn=users,dc=svt,dc=lab,dc=com | | |
Bind DN Password | | User account password | |
Note: Active Directory is not supported with Anonymous LDAP authentication.
There are two methods for configuring Kerberos:
The LDAP configuration must adhere to one of the IDMU, RFC 2307, or RFC 2307bis schemas. See the RFC for a list of what is required for each schema. To verify the current schema configuration, use the Retrieve Current Schema link on the LDAP page to retrieve the ldap.conf file. You can then edit the file and upload a new version.
All containers that are specified in the ldap.conf file must point to a location that is valid and exists in the LDAP configuration, including containers that might not be in use, such as netgroup and host. If any entries are removed from this file, the NAS server automatically sets them to a default value based on the Base DN, which may result in lookup issues. Consult with your domain administrator to get the proper values for each container. Figure 28 shows an example of a valid LDAP schema for IDMU.
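A pre-upload check for an edited ldap.conf, as an added example that is not part of the original document or the product: it flags containers that have been removed and containers that fall outside the Base DN. It assumes nss_ldap-style `nss_base_<map> <DN>` lines and a constructed sample file; match the key names to the file you actually retrieve. It cannot confirm that a container exists in the directory, which still needs the domain administrator or a query against the LDAP server.

```python
import re

# Assumed key names (nss_ldap style). The page names netgroup and host
# explicitly; passwd and group are the usual user and group maps.
REQUIRED_MAPS = ("passwd", "group", "hosts", "netgroup")

def fqdn_to_base_dn(fqdn):
    """svt.lab.com -> dc=svt,dc=lab,dc=com (LDAP notation from the table)."""
    return ",".join("dc=" + label for label in fqdn.strip(".").lower().split("."))

def normalize_dn(dn):
    """Lower-case a DN and drop spaces around unescaped RDN separators."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)).lower() for rdn in rdns)

def parse_containers(text):
    """Return {map: DN} from 'nss_base_<map> <DN>[?scope[?filter]]' lines."""
    containers = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"nss_base_(\w+)\s+(.+)$", line)
        if m:
            containers[m.group(1)] = normalize_dn(m.group(2).split("?", 1)[0])
    return containers

def lint(text, fqdn):
    """List problems: removed containers and containers outside the Base DN."""
    base = fqdn_to_base_dn(fqdn)
    found = parse_containers(text)
    problems = [f"{name}: missing (NAS server will apply a default)"
                for name in REQUIRED_MAPS if name not in found]
    for name, dn in sorted(found.items()):
        if dn != base and not dn.endswith("," + base):
            problems.append(f"{name}: {dn} is outside {base}")
    return problems

# Constructed sample, not a file from the page: netgroup has been removed
# and hosts points at a different domain.
SAMPLE = """\
# Containers
nss_base_passwd  CN=Users, DC=svt, DC=lab, DC=com?one
nss_base_group   cn=Users,dc=svt,dc=lab,dc=com?one
nss_base_hosts   cn=Computers,dc=svt,dc=example,dc=com
"""

if __name__ == "__main__":
    for problem in lint(SAMPLE, "svt.lab.com"):
        print(problem)
```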