3.5.14 Managing XSCF User Accounts Using LDAP over SSL
3.5.14 Managing XSCF User Accounts Using LDAP over SSL
In the LDAP over SSL settings, items related to an LDAP over SSL client are set. The settings cover the LDAP over SSL server, loading of server certificate, group name, user privilege, user domain, log, DNS locator query, and so on. In the LDAP over SSL server, the XSCF user information is managed.
The available characters for a user account name for XSCF login are lowercase alphabetic characters, numbers, the hyphen (-), the underscore (_), and the period (.). The name is a combination of up to 31 characters. Uppercase alphabetic characters cannot be used. The first character of the name must be a lowercase alphabetic character.
Even though you can log in using a user account name not fitting the above description, your commands may not work normally. For this reason, use the above-described user account name.
Even though you can log in using a user account name not fitting the above description, your commands may not work normally. For this reason, use the above-described user account name.
| Note - This section does not describe the configuration and management of the LDAP over SSL server. An administrator who is familiar with the LDAP over SSL server should design the LDAP over SSL server. |
| Note - For the XCP firmware version that supports LDAP over SSL, see the latest Product Notes. |
Table 3-16 lists terms related to the LDAP over SSL settings.
| Term | Description |
|---|---|
| LDAP over SSL | LDAP over SSL is a distributed directory service like Active Directory. LDAP over SSL offers enhanced security to LDAP users by using Secure Socket Layer (SSL)/Transport Layer Security (TLS) technology. Like LDAP directory service, LDAP over SSL is used for user authentication. |
LDAP over SSL provides both user certificate authentication and authorization of a user access level to network resources. LDAP over SSL uses the authentication to identify specific users before they access the system resources, and to grant specific access privileges to users in order to control their rights to access network resources.
User privileges are either configured on the XSCF or obtained from a server in a network domain based on each user's group membership. A user can belong to more than one group. User domain is the authentication domain used to authenticate a user. LDAP over SSL authenticates users in the order in which the user domains are configured.
Once authenticated, user privileges can be determined in the following ways:
User privileges are either configured on the XSCF or obtained from a server in a network domain based on each user's group membership. A user can belong to more than one group. User domain is the authentication domain used to authenticate a user. LDAP over SSL authenticates users in the order in which the user domains are configured.
Once authenticated, user privileges can be determined in the following ways:
- In the simplest case, user privileges are determined by the LDAP over SSL settings on the XSCF. There is a defaultrole parameter for the LDAP over SSL. If the defaultrole parameter is configured or set, all users that are authenticated via LDAP over SSL are assigned the user privileges set in the parameter. Users that are set on the LDAP over SSL server require only a password regardless of their group membership.
- If the defaultrole parameter is not configured or set, user privilege is obtained from the LDAP over SSL server based on the user's group membership. On the XSCF, the group parameter must correspond to the group name of an LDAP over SSL server. Each group has a user privilege that is configured on the XSCF and is associated with the group. Once a user is authenticated, the user's group membership is used to determine the user privilege.
LDAP over SSL setting items and shell commands to be used
Table 3-17 lists the setting items and the corresponding shell commands.
| Setting Item | Function Description | Shell Command | Remarks |
|---|---|---|---|
| LDAP over SSL status display | Displays the current status of LDAP over SSL, such as enable/disable of LDAP over SSL and usemapmode. | showldapssl | |
| LDAP over SSL usage enable/disable | Specifies whether to enable/disable the use of the LDAP over SSL server for managing authentication and user privileges. | setldapssl | It is disabled by default. |
| LDAP over SSL server display | Displays the configuration of the primary LDAP over SSL server or up to five alternate LDAP over SSL servers. | showldapssl | A port number "0" indicates that the default port for LDAP over SSL is used. |
| LDAP over SSL server/port | Specifies IP addresses and port numbers of the primary and up to five alternate LDAP over SSL servers. Specifies IP addresses or host names for the addresses. To specify host names for the LDAP over SSL servers, the server names must be resolvable by the DNS server. |
setldapssl | When a port number is not specified, the default port is used. |
| Server certificate load/delete | Loads or deletes the certificates of the primary and up to five alternate servers. | setldapssl | The strictcertmode must be in the disabled state for a certificate to be removed. |
| usermapmode enable/disable | Enables/disables the usermapmode. When enabled, user attributes specified with the usermap operand, rather than user domain, are used for user authentication. |
setldapssl | It is disabled by default. |
| usermap display | Displays the usermap setting. | showldapssl | |
| usermap | Configures the usermap. The usermap is used for user authentication. |
setldapssl | The usermapmode must be enabled to use the usermap. |
| strictcertmode enable/disable | Enables or disables the strictcertmode. If the strictcertmode is enabled, the certificate of a server must have already been uploaded to the server so that the certificate signatures can be validated when the server certificate is presented. |
setldapssl | It is disabled by default. |
| Server certificate display | Displays the following: - Certificate information for the primary and up to five alternate servers. - Entire contents of the certificate |
showldapssl | |
| User domain display | Displays user domains. | showldapssl | |
| User domain | Configures up to five specified user domains. User domain is specified in the Distinguished Name (DN) format. | setldapssl | |
| defaultrole display | Displays the defaultrole setting. | showldapssl | |
| defaultrole | Specifies the user privilege assigned to all users that are authenticated via LDAP over SSL. | setldapssl | |
| Group display | Displays the configuration of administrator group, operator group, and custom group. | showldapssl | |
| Administrator group | Assigns group names for up to five administrator groups. The administrator group has platadm, useradm, and auditadm privileges. These privileges cannot be changed. | setldapssl | |
| Operator group | Assigns group names for up to five operator groups. The operator group has platop and auditop privileges. These privileges cannot be changed. | setldapssl | |
| Custom group | Assigns group names and user privileges for up to five groups. | setldapssl | |
| Timeout | Configures transaction timeout in seconds. You can specify a numeric value from 1 to 20. |
setldapssl | The default value is 4 seconds. If a specified timeout is too short for the configuration, the login process or retrieval of the user privilege setting could fail. |
| Log enable/disable | Enables/disables the logs of LDAP over SSL authentication and authorization diagnosis messages. | setldapssl | This log is cleared when the XSCF is rebooted. |
| Log display | Displays LDAP over SSL authentication and authorization diagnosis messages. | showldapssl | |
| Log clear | Clears the logs of LDAP over SSL authentication and authorization diagnosis messages. | setldapssl | |
| Default | Resets the LDAP over SSL settings to their factory defaults. | setldapssl |
Before Configuring the LDAP over SSL Settings
Note the following before configuring the LDAP over SSL settings.
- Confirm that the XCP version that supports LDAP over SSL is used. For the XCP that supports LDAP over SSL, see the latest Product Notes.
- The useradm privilege is required for the LDAP over SSL settings.
- If the XSCF is configured to use LDAP, Active Directory, or LDAP over SSL for user account data, then the user account name and user identifier (if specified) must not already be in use in the XSCF, LDAP, Active Directory, or LDAP over SSL.
- To use a host name for the LDAP over SSL server, DNS settings need to be configured properly before setting LDAP over SSL.
- In LDAP over SSL, the system account called proxyuser is used. Verify that no user account with that name already exists. If a user account with the name proxyuser exists, then delete the account with the deleteuser command. After deleting the account, reboot the XSCF before using LDAP over SSL.
- If the value set by the timeout operand is small, and you log in to the XSCF, user privilege may not be assigned to you. In this case, increase the timeout setting value and try again.
- LDAP over SSL users cannot upload a user public key to the XSCF. LDAP over SSL users can login by connecting to the XSCF via SSH using password authentication.
Enabling/Disabling the Use of the LDAP over SSL Server
- Execute the showldapssl command to display the usage of the LDAP over SSL server.
| XSCF> showldapssl usermapmode: disabled state: disabled strictcertmode: disabled timeout: 4 logdetail: none |
- Execute the setldapssl command to enable/disable the use of the LDAP over SSL server.
In the following example, the use of the LDAP over SSL server is enabled.
| XSCF> setldapssl enable |
- In the following example, the use of the LDAP over SSL server is disabled.
| XSCF> setldapssl disable |
- Execute the showldapssl command, and check whether LDAP over SSL is enabled or disabled.
In the following example, the LDAP over SSL is enabled.
| XSCF> showldapssl usermapmode: disabled state: enabled strictcertmode: disabled timeout: 4 logdetail: none |
Setting LDAP over SSL Servers and Port Numbers
- Execute the showldapssl command to display the LDAP over SSL server settings.
| XSCF> showldapssl server Primary Server address: (none) port: 0 XSCF> showldapssl server -i Alternate Server 1 address: (none) port: 0 Alternate Server 2 address: (none) port: 0 Alternate Server 3 address: (none) port: 0 Alternate Server 4 address: (none) port: 0 Alternate Server 5 address: (none) port: 0 |
- Execute the setldapssl command to set LDAP over SSL servers.
In the following example, the primary server and port number are specified.
| XSCF> setldapssl server 10.18.76.230:4041 |
- In the following example, alternate servers are specified.
| XSCF> setldapssl server -i 1 10.18.76.231 |
- Execute the showldapssl command, and confirm the LDAP over SSL server settings.
| XSCF> showldapssl server Primary Server address: 10.18.76.230 port: 4041 XSCF> showldapssl server -i Alternate Server 1 address: 10.18.76.231 port: 0 Alternate Server 2 address: (none) port: 0 Alternate Server 3 address: (none) port: 0 Alternate Server 4 address: (none) port: 0 Alternate Server 5 address: (none) port: 0 |
Loading/Deleting the Server Certificate
- Execute the showldapssl command to display the server certificate information.
| XSCF> showldapssl cert Primary Server: certstatus = certificate not present issuer = (none) serial number = (none) subject = (none) valid from = (none) valid until = (none) version = (none) XSCF> showldapssl cert -i Alternate Server 1: certstatus = certificate not present issuer = (none) serial number = (none) subject = (none) valid from = (none) valid until = (none) version = (none) Alternate Server 2: ... <snip> Alternate Server 5: certstatus = certificate not present issuer = (none) serial number = (none) subject = (none) valid from = (none) valid until = (none) version = (none) |
- Execute the setldapssl command to load the serve certificate to the XSCF.
In the following example, the server certificate of the primary server is loaded using the user name and password.
| XSCF> setldapssl loadcert -u yoshi http://domain_3/UID_2333/testcert Warning: About to load certificate for Primary Server. Continue? [y|n]: y Password: |
- In the following example, the content of the certificate is copied and pasted on the screen, and then the certificate for the alternate server 1 is loaded from a console. After pressing the [Enter] key, press the [Ctrl] and [D] keys to complete loading.
| XSCF> setldapssl loadcert console Warning: About to load certificate for Alternate Server 1: Continue? [y|n]: y Please enter the certificate: -----BEGIN CERTIFICATE----- MIIETjCCAzagAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU2FuIERpZWdvMRkwFwYDVQQK ExBTdW4gTWljcm9zeXN0ZW1zMRUwEwYDVQQLEwxTeXN0ZW0gR3JvdXAxEjAQBgNV : -----END CERTIFICATE----- [Enter] [Ctrl]+[D] |
- Execute the showldapssl command, and confirm that the server certificate has been loaded.
| XSCF> showldapssl cert Primary Server: certstatus = certificate present issuer = DC = local, DC = xscf, CN = apl serial number = 55:1f:ff:c4:73:f7:5a:b9:4e:16:3c:fc:e5:66:5e:5a subject = DC = local, DC = xscf, CN = apl valid from = Mar 9 11:46:21 2010 GMT valid until = Mar 9 11:46:21 2015 GMT version = 3 (0x02) XSCF> showldapssl cert -i 1 Alternate Server 1: certstatus = certificate present issuer = DC = local, DC = aplle, CN = aplle.local serial number = 0b:1d:43:39:ee:4b:38:ab:46:47:de:0a:b4:a9:ea:04 subject = DC = local, DC = aplle, CN = aplle.local valid from = Aug 25 02:38:15 2009 GMT valid until = Aug 25 02:44:48 2014 GMT version = 3 (0x02) |
- Execute the setldapssl command to delete the primary server certificate.
| XSCF> setldapssl rmcert Warning: About to delete certificate for Primary Server. Continue? [y|n]: y |
- Execute the showldapssl command, and confirm that the server certificate has been deleted.
| XSCF> showldapssl cert Primary Server: certstatus = certificate not present issuer = (none) serial number = (none) subject = (none) valid from = (none) valid until = (none) version = (none) |
- The strictcertmode must be in the disabled state for a certificate to be removed.
Enabling/Disabling the usermapmode
- Execute the showldapssl command to display whether the usermapmode is enabled or disabled.
| XSCF> showldapssl usermapmode: disabled state: enabled strictcertmode: disabled timeout: 4 logdetail: none |
- Execute the setldapssl command to enable/disable the usermapmode.
In the following example, the usermapmode is enabled.
| XSCF> setldapssl usermapmode enable |
- In the following example, the usermapmode is disabled.
| XSCF> setldapssl usermapmode disable |
- Execute the showldapssl command to confirm that the usermapmode is enabled/disabled.
In the following example, the usermapmode is enabled.
| XSCF> showldapssl usermapmode: enabled state: enabled strictcertmode: disabled timeout: 4 logdetail: none |
Setting or Clearing the usermap
- Execute the showldapssl command to display the configuration of the usermap.
| XSCF> showldapssl usermap attributeInfo: (none) binddn: (none) bindpw: (none) searchbase: (none) |
- Execute the setldapssl command to configure the usermap.
In the following example, attribute information is set.
| XSCF> setldapssl usermap attributeInfo '(&(objectclass=person)(uid=))' |
- In the following example, the bind DN is set.
| XSCF> setldapssl usermap binddn CN=SuperAdmin,DC=aCompany,DC=com |
- In the following example, the bind password is set.
| XSCF> setldapssl usermap bindpw b.e9s#n |
- In the following example, the search base is set.
| XSCF> setldapssl usermap searchbase OU=yoshi,DC=aCompany,DC=com |
- Execute the showldapssl command, and confirm the usermap.
| XSCF> showldapssl usermap attributeInfo: (&(objectclass=person)(uid=)) binddn: CN=SuperAdmin,DC=aCompany,DC=com bindpw: Set searchbase: OU=yoshi,DC=aCompany,DC=com |
- Execute the setldapssl command to clear the usermap.
In the following example, attribute information is cleared.
| XSCF> setldapssl usermap attributeInfo |
- In the following example, the bind DN is cleared.
| XSCF> setldapssl usermap binddn |
- In the following example, the bind password is cleared.
| XSCF> setldapssl usermap bindpw |
- In the following example, the search base is cleared.
| XSCF> setldapssl usermap searchbase |
- Execute the showldapssl command, and confirm that the usermap has been cleared.
| XSCF> showldapssl usermap attributeInfo: (none) binddn: (none) bindpw: (none) searchbase: (none) |
- The usermapmode must be enabled to use the usermap.
Enabling/Disabling the strictcertmode
- Execute the showldapssl command to display whether the strictcertmode is enabled or disabled.
| XSCF> showldapssl usermapmode: enabled state: enabled strictcertmode: disabled timeout: 4 logdetail: none |
- Execute the setldapssl command to enable/disable the strictcertmode.
In the following example, the strictcertmode is enabled.
| XSCF> setldapssl strictcertmode enable |
- In the following example, the strictcertmode is disabled.
| XSCF> setsetldapssl strictcertmode disable |
- Execute the showldapssl command, and confirm that the strictcertmode is enabled/disabled.
In the following example, the strictcertmode is enabled.
| XSCF> showldapssl usermapmode: enabled state: enabled strictcertmode: enabled timeout: 4 logdetail: none |
- To enable the strictcertmode, the server certificate must have already been loaded to the XSCF.
Setting a User Domain
- Execute the showldapssl command to display user domains.
| XSCF> showldapssl userdomain domain 1: (none) domain 2: (none) domain 3: (none) domain 4: (none) domain 5: (none) |
- Execute the setldapssl command to set user domains.
In the following example, user domain 1 is set.
| XSCF> setldapssl userdomain -i 1 '@davidc.example.aCompany.com' |
- In the following example, user domain 2 is set.
| XSCF> setldapssl userdomain -i 2 'CN=<USERNAME>,CN=Users,DC=davidc,DC=example,DC=aCompany,DC=com' |
- Execute the showldapssl command, and confirm the user domains.
| XSCF> showldapssl userdomain domain 1: <USERNAME>@davidc.example.aCompany.com domain 2: CN=<USERNAME>,CN=Users,DC=davidc,DC=example,DC=aCompany,DC=com domain 3: (none) domain 4: (none) domain 5: (none) |
Setting the Default Privilege
- Execute the showldapssl command to display the default privilege.
| XSCF> showldapssl defaultrole Default role: (none) |
- Execute the setldapssl command to set a default privilege.
| XSCF> setldapssl defaultrole platadm platop |
- Execute the showldapssl command, and confirm the default privilege.
| XSCF> showldapssl defaultrole Default role: platadm platop |
Setting Group Names and Privileges
- Execute the showldapssl command to display group names.
The following example shows administrator groups.
| XSCF> showldapssl group administrator Administrator Group 1 name: (none) Administrator Group 2 name: (none) Administrator Group 3 name: (none) Administrator Group 4 name: (none) Administrator Group 5 name: (none) |
- The following example shows operator groups.
| XSCF> showldapssl group operator Operator Group 1 name: (none) Operator Group 2 name: (none) Operator Group 3 name: (none) Operator Group 4 name: (none) Operator Group 5 name: (none) |
- The following example shows custom groups.
| XSCF> showldapssl group custom Custom Group 1 name: (none) roles: (none) Custom Group 2 name: (none) roles: (none) Custom Group 3 name: (none) roles: (none) Custom Group 4 name: (none) roles: (none) Custom Group 5 name: (none) roles: (none) |
- Execute the setldapssl command to set group names and privileges.
In the following example, administrator group 1 is set.
| XSCF> setldapssl group administrator -i 1 name CN=SpSuperAdmin,OU=Groups,DC=davidc,DC=example,DC=aCompany,DC=com |
- In the following example, operator group 1 is set.
| XSCF> setldapssl group operator -i 1 name CN=OpGroup1,OU=SCFTEST,DC=aplle,DC=local |
- In the following example, custom group 1 is set.
| XSCF> setldapssl group custom -i 1 name CN=CtmGroup1,OU=SCFTEST,DC=aplle,DC=local |
- In the following example, the privilege of the custom group 1 is set.
| XSCF> setldapssl group custom -i 1 roles platadm,platop |
- Execute the showldapssl command, and confirm the group names and privileges.
In the following example, the administrator groups are confirmed.
| XSCF> showldapssl group administrator Administrator Group 1 name: CN=<USERNAME>,CN=SpSuperAdmin,OU=Groups,DC=davidc,DC=example,DC=aCompany,DC=com Administrator Group 2 name: (none) Administrator Group 3 name: (none) Administrator Group 4 name: (none) Administrator Group 5 name: (none) |
- In the following example, the operator groups are confirmed.
| XSCF> showldapssl group operator Operator Group 1 name: CN=OpGroup1,OU=SCFTEST,DC=aplle,DC=local Operator Group 2 name: (none) Operator Group 3 name: (none) Operator Group 4 name: (none) Operator Group 5 name: (none) |
- In the following example, the custom groups are confirmed.
| XSCF> showldapssl group custom Custom Group 1 name: CN=CtmGroup1,OU=SCFTEST,DC=aplle,DC=local roles: platadm platop Custom Group 2 name: (none) roles: (none) Custom Group 3 name: (none) roles: (none) Custom Group 4 name: (none) roles: (none) Custom Group 5 name: (none) roles: (none) |
- The administrator group has platadm, useradm, and auditadm privileges. These privileges cannot be changed. The operator group also has platop and auditop privileges. These privileges cannot be changed.
Setting a Timeout
- Execute the showldapssl command to display the timeout time.
| XSCF> showldapssl dnslocatormode: enabled expsearchmode: enabled state: enabled strictcertmode: enabled timeout: 4 logdetail: none |
- Execute the setldapssl command to set the timeout time.
In the following example, the timeout time is set to 10 seconds.
| XSCF> setldapssl timeout 10 |
- Execute the showldapssl command, and confirm the timeout time.
| XSCF> showldapssl dnslocatormode: enabled expsearchmode: enabled state: enabled strictcertmode: enabled timeout: 10 logdetail: none |
Enabling or Disabling the Logs of LDAP over SSL Authentication and Authorization Diagnosis Messages
- Execute the showldapssl command to display the log detail level.
| XSCF> showldapssl dnslocatormode: enabled expsearchmode: enabled state: enabled strictcertmode: enabled timeout: 10 logdetail: none |
- Execute the setldapssl command to set the log detail level.
In the following example, the log is enabled and the log detail level is set to trace.
| XSCF> setldapssl logdetail trace |
- In the following example, the log is disabled.
| XSCF> setldapssl logdetail none |
- Execute the showldapssl command, and confirm the log detail level.
In the following example, the log detail level is set to trace.
| XSCF> showldapssl dnslocatormode: enabled expsearchmode: enabled state: enabled strictcertmode: enabled timeout: 10 logdetail: trace |
Displaying the Log of Diagnosis Messages and Clearing the Log File
- Execute the showldapssl command to display the log detail level.
| XSCF> showldapssl dnslocatormode: enabled expsearchmode: enabled state: enabled strictcertmode: enabled timeout: 10 logdetail: trace |
- Execute the showldapssl command to display the diagnosis messages.
In the following example, diagnosis messages are displayed in real time.
| XSCF> showldapssl log -f Mon Nov 16 14:47:53 2009 (LdapSSL): module loaded, OPL Mon Nov 16 14:47:53 2009 (LdapSSL): --error-- authentication status: auth-ERROR Mon Nov 16 14:48:18 2009 (LdapSSL): module loaded, OPL : |
- Execute the setldapssl command to clear the log file of diagnosis messages.
| XSCF> setldapssl log clear Warning: About to clear log file. Continue? [y|n]: y |
Resetting the LDAP over SSL Settings to Their Defaults
- Execute the showldapssl command to display the status of the LDAP over SSL settings.
| XSCF> showldapssl dnslocatormode: enabled expsearchmode: enabled state: enabled strictcertmode: enabled timeout: 10 logdetail: trace |
- Execute the setldapssl command to reset the LDAP over SSL settings to their defaults.
| XSCF> setldapssl default -y Warning: About to reset settings to default. Continue? [y|n]: y |
- Execute the showldapssl command, and confirm that the LDAP over SSL settings have been reset to their defaults.
| XSCF> showldapssl dnslocatormode: disabled expsearchmode: disabled state: disabled strictcertmode: disabled timeout: 4 logdetail: none |
Logging In With the LDAP over SSL User Account
After completing each setting, confirm whether login with the user account of LDAP over SSL is possible.
< Previous Page | Next Page >