3.5.14 Managing XSCF User Accounts Using LDAP over SSL
The LDAP over SSL settings configure the XSCF as an LDAP over SSL client. They cover the LDAP over SSL servers, loading of the server certificates, the usermap, the strictcertmode, user domains, the default privilege, group names and privileges, the timeout, and logging. The XSCF user information itself is managed on the LDAP over SSL server.
A user account name for XSCF login may contain lowercase alphabetic characters, digits, the hyphen (-), the underscore (_), and the period (.), and may be up to 31 characters long. The first character must be a lowercase alphabetic character. Uppercase alphabetic characters cannot be used anywhere in the name.
You may be able to log in with a user account name that does not follow these rules, but commands may then not work normally. For this reason, use only user account names as described above.
Note - This section does not describe the configuration and management of the LDAP over SSL server. An administrator who is familiar with the LDAP over SSL server should design the LDAP over SSL server.
Note - For the XCP firmware version that supports LDAP over SSL, see the latest Product Notes.
Table 3-16 lists terms related to the LDAP over SSL settings.
Table 3-16  Terms Related to LDAP over SSL
Term Description
LDAP over SSL LDAP over SSL (LDAPS) is the LDAP directory service carried over a connection protected with Secure Sockets Layer (SSL)/Transport Layer Security (TLS). Like the plain LDAP directory service, LDAP over SSL is used for user authentication; the SSL/TLS layer protects the credentials and directory data exchanged between the XSCF and the server.
LDAP over SSL provides both user authentication and authorization of a user's access level to network resources. Authentication identifies a specific user before the user accesses system resources; authorization grants the user specific access privileges that control the user's rights to those resources.

User privileges are either configured on the XSCF or obtained from a server in a network domain based on each user's group membership. A user can belong to more than one group. A user domain is the authentication domain used to authenticate a user. LDAP over SSL tries the user domains in the order in which they are configured.

Once authenticated, user privileges are determined in one of the following ways:
  1. In the simplest case, user privileges are determined by the LDAP over SSL settings on the XSCF through the defaultrole parameter. If defaultrole is set, every user authenticated via LDAP over SSL is assigned the privileges listed in that parameter, regardless of group membership. Such users need only a password on the LDAP over SSL server.
  2. If defaultrole is not set, the user privilege is obtained from the LDAP over SSL server based on the user's group membership. The group parameter on the XSCF must match the group name on the LDAP over SSL server, and each group has a user privilege that is configured on the XSCF and associated with the group. Once a user is authenticated, the user's group membership determines the user privilege.
LDAP over SSL setting items and shell commands to be used
Table 3-17 lists the setting items and the corresponding shell commands.
Table 3-17  LDAP over SSL Setting Items and Commands to be Used
Setting Item / Function Description / Shell Command / Remarks

LDAP over SSL status display
  Function: Displays the current status of LDAP over SSL, such as enable/disable of LDAP over SSL and usermapmode.
  Command: showldapssl

LDAP over SSL usage enable/disable
  Function: Specifies whether to enable/disable the use of the LDAP over SSL server for managing authentication and user privileges.
  Command: setldapssl
  Remarks: It is disabled by default.

LDAP over SSL server display
  Function: Displays the configuration of the primary LDAP over SSL server and of up to five alternate LDAP over SSL servers.
  Command: showldapssl
  Remarks: A port number "0" indicates that the default port for LDAP over SSL is used.

LDAP over SSL server/port
  Function: Specifies the addresses and port numbers of the primary and up to five alternate LDAP over SSL servers. An address is an IP address or a host name. To specify host names for the LDAP over SSL servers, the names must be resolvable by the DNS server.
  Command: setldapssl
  Remarks: When a port number is not specified, the default port is used.

Server certificate load/delete
  Function: Loads or deletes the certificates of the primary and up to five alternate servers.
  Command: setldapssl
  Remarks: The strictcertmode must be disabled for a certificate to be removed.

usermapmode enable/disable
  Function: Enables/disables the usermapmode. When enabled, the user attributes specified with the usermap operand, rather than the user domain, are used for user authentication.
  Command: setldapssl
  Remarks: It is disabled by default.

usermap display
  Function: Displays the usermap setting.
  Command: showldapssl

usermap
  Function: Configures the usermap, which is used for user authentication.
  Command: setldapssl
  Remarks: The usermapmode must be enabled to use the usermap.

strictcertmode enable/disable
  Function: Enables or disables the strictcertmode. When the strictcertmode is enabled, the certificate of a server must already have been loaded to the XSCF, so that the certificate signature can be validated when the server presents its certificate.
  Command: setldapssl
  Remarks: It is disabled by default. A loaded certificate is used to validate the server only while the strictcertmode is enabled.

Server certificate display
  Function: Displays the certificate information for the primary and up to five alternate servers, and the entire contents of each certificate.
  Command: showldapssl

User domain display
  Function: Displays the user domains.
  Command: showldapssl

User domain
  Function: Configures up to five user domains. A user domain is specified in the Distinguished Name (DN) format.
  Command: setldapssl

defaultrole display
  Function: Displays the defaultrole setting.
  Command: showldapssl

defaultrole
  Function: Specifies the user privilege assigned to all users that are authenticated via LDAP over SSL.
  Command: setldapssl

Group display
  Function: Displays the configuration of the administrator groups, operator groups, and custom groups.
  Command: showldapssl

Administrator group
  Function: Assigns group names for up to five administrator groups. The administrator group has the platadm, useradm, and auditadm privileges. These privileges cannot be changed.
  Command: setldapssl

Operator group
  Function: Assigns group names for up to five operator groups. The operator group has the platop and auditop privileges. These privileges cannot be changed.
  Command: setldapssl

Custom group
  Function: Assigns group names and user privileges for up to five custom groups.
  Command: setldapssl

Timeout
  Function: Configures the transaction timeout in seconds. You can specify a numeric value from 1 to 20.
  Command: setldapssl
  Remarks: The default value is 4 seconds. If the specified timeout is too short for the configuration, the login process or the retrieval of the user privilege setting may fail.

Log enable/disable
  Function: Enables/disables the log of LDAP over SSL authentication and authorization diagnosis messages.
  Command: setldapssl
  Remarks: This log is cleared when the XSCF is rebooted.

Log display
  Function: Displays the LDAP over SSL authentication and authorization diagnosis messages.
  Command: showldapssl

Log clear
  Function: Clears the log of LDAP over SSL authentication and authorization diagnosis messages.
  Command: setldapssl

Default
  Function: Resets the LDAP over SSL settings to their factory defaults.
  Command: setldapssl
Before Configuring the LDAP over SSL Settings
Note the following before configuring the LDAP over SSL settings.
  1. Confirm that an XCP version that supports LDAP over SSL is in use. For the XCP versions that support LDAP over SSL, see the latest Product Notes.
  2. The useradm privilege is required to configure the LDAP over SSL settings.
  3. If the XSCF is configured to use LDAP, Active Directory, or LDAP over SSL for user account data, a user account name and user identifier (if specified) must not already be in use on the XSCF or in LDAP, Active Directory, or LDAP over SSL.
  4. To use a host name for the LDAP over SSL server, configure the DNS settings properly before setting up LDAP over SSL.
  5. LDAP over SSL uses a system account called proxyuser. Verify that no user account with that name already exists. If a user account named proxyuser exists, delete it with the deleteuser command, then reboot the XSCF before using LDAP over SSL.
  6. If the value set with the timeout operand is too small, user privileges may not be assigned when you log in to the XSCF. In that case, increase the timeout value and try again.
  7. LDAP over SSL users cannot upload a user public key to the XSCF. They log in by connecting to the XSCF via SSH with password authentication.
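The naming rules given at the start of this section and items 3 and 5 above (no reuse of a name or user identifier, no account named proxyuser) can be checked against the directory before LDAP over SSL is enabled, rather than discovered one failed login at a time. The following Python script is an added example and is not part of the manual or of the XSCF firmware. The two account lists it checks are constructed sample data standing in for the local XSCF accounts and for the login names and numeric identifiers exported from the directory; how those lists are obtained is an assumption, since the page does not say.

```python
import re

# Constraints stated in the manual: first character a lowercase letter, then only
# lowercase letters, digits, "-", "_" and ".", and at most 31 characters in total.
XSCF_NAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,30}$")

# Name of the LDAP over SSL system account the XSCF reserves for itself.
RESERVED_NAMES = frozenset({"proxyuser"})


def is_valid_name(name):
    """True if the XSCF naming rule accepts this login name and it is not reserved."""
    return bool(XSCF_NAME_RE.match(name)) and name not in RESERVED_NAMES


def check_name(name):
    """List every rule a login name breaks (an empty list means the name is acceptable)."""
    problems = []
    if name in RESERVED_NAMES:
        problems.append("reserved for the XSCF proxyuser system account")
    if len(name) > 31:
        problems.append("longer than 31 characters")
    if not re.match(r"[a-z]", name):
        problems.append("does not start with a lowercase letter")
    if re.search(r"[^a-z0-9._-]", name):
        problems.append("contains characters other than a-z, 0-9, '-', '_' and '.'")
    return problems


def preflight(local_accounts, directory_accounts):
    """Report directory accounts that would be unusable or ambiguous on the XSCF.

    local_accounts:     {name: uid_number} of accounts defined locally on the XSCF
    directory_accounts: {name: uid_number} of accounts in the LDAP over SSL directory
                        (uid_number may be None when no identifier is assigned)
    Returns {name: [problem, ...]} listing only accounts with at least one problem.
    """
    # Index every uid number in use anywhere so identifier collisions are visible.
    uid_owners = {}
    for source, accounts in (("XSCF", local_accounts), ("directory", directory_accounts)):
        for name, uid in accounts.items():
            if uid is not None:
                uid_owners.setdefault(uid, []).append(f"{source}:{name}")

    report = {}
    for name, uid in directory_accounts.items():
        problems = check_name(name)
        if name in local_accounts:
            problems.append("name already used by a local XSCF account")
        if uid is not None:
            others = [o for o in uid_owners[uid] if o != f"directory:{name}"]
            if others:
                problems.append(f"uid {uid} also used by {', '.join(others)}")
        if problems:
            report[name] = problems
    return report


# Constructed sample data (not from the manual): local XSCF accounts and
# directory accounts, each mapped to its numeric user identifier.
LOCAL_ACCOUNTS = {"admin": 100, "proxyuser": 101, "opslocal": 102}
DIRECTORY_ACCOUNTS = {
    "yoshi": 2000,            # acceptable
    "davidc-ops_1": 2001,     # acceptable
    "Ops.Admin": 2002,        # uppercase letters
    "_svc": 2003,             # does not start with a letter
    "a" * 32: 2004,           # too long
    "proxyuser": 2005,        # reserved name, and also present locally here
    "opslocal": 102,          # name and uid both collide with a local account
}

if __name__ == "__main__":
    for name, problems in preflight(LOCAL_ACCOUNTS, DIRECTORY_ACCOUNTS).items():
        print(f"{name}: " + "; ".join(problems))
```

Run against a real export, the script lists exactly the accounts to rename, renumber or delete (and, for proxyuser, the reboot item 5 calls for) before setldapssl enable is issued.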
Enabling/Disabling the Use of the LDAP over SSL Server
  1. Execute the showldapssl command to display the usage of the LDAP over SSL server.
XSCF> showldapssl
usermapmode: disabled
state: disabled
strictcertmode: disabled
timeout: 4
logdetail: none
  2. Execute the setldapssl command to enable/disable the use of the LDAP over SSL server.
    In the following example, the use of the LDAP over SSL server is enabled.
XSCF> setldapssl enable
    In the following example, the use of the LDAP over SSL server is disabled.
XSCF> setldapssl disable
  3. Execute the showldapssl command, and check whether LDAP over SSL is enabled or disabled.
    In the following example, LDAP over SSL is enabled.
XSCF> showldapssl
usermapmode: disabled
state: enabled
strictcertmode: disabled
timeout: 4
logdetail: none
Setting LDAP over SSL Servers and Port Numbers
  1. Execute the showldapssl command to display the LDAP over SSL server settings.
XSCF> showldapssl server
Primary Server
address: (none)
port: 0
XSCF> showldapssl server -i
Alternate Server 1
address: (none)
port: 0
Alternate Server 2
address: (none)
port: 0
Alternate Server 3
address: (none)
port: 0
Alternate Server 4
address: (none)
port: 0
Alternate Server 5
address: (none)
port: 0
  2. Execute the setldapssl command to set the LDAP over SSL servers.
    In the following example, the primary server and its port number are specified.
XSCF> setldapssl server 10.18.76.230:4041
    In the following example, alternate server 1 is specified without a port number, so the default port is used.
XSCF> setldapssl server -i 1 10.18.76.231
  3. Execute the showldapssl command, and confirm the LDAP over SSL server settings.
XSCF> showldapssl server
Primary Server
address: 10.18.76.230
port: 4041

XSCF> showldapssl server -i
Alternate Server 1
address: 10.18.76.231
port: 0
Alternate Server 2
address: (none)
port: 0
Alternate Server 3
address: (none)
port: 0
Alternate Server 4
address: (none)
port: 0
Alternate Server 5
address: (none)
port: 0
Loading/Deleting the Server Certificate
  1. Execute the showldapssl command to display the server certificate information.
XSCF> showldapssl cert
Primary Server:
certstatus = certificate not present
issuer = (none)
serial number = (none)
subject = (none)
valid from = (none)
valid until = (none)
version = (none)

XSCF> showldapssl cert -i
Alternate Server 1:
certstatus = certificate not present
issuer = (none)
serial number = (none)
subject = (none)
valid from = (none)
valid until = (none)
version = (none)

Alternate Server 2:
... <snip>

Alternate Server 5:
certstatus = certificate not present
issuer = (none)
serial number = (none)
subject = (none)
valid from = (none)
valid until = (none)
version = (none)
  2. Execute the setldapssl command to load the server certificate to the XSCF.
    In the following example, the server certificate of the primary server is loaded from a URL, using a user name and password.
XSCF> setldapssl loadcert -u yoshi http://domain_3/UID_2333/testcert
Warning: About to load certificate for Primary Server.
Continue? [y|n]: y
Password:
    In the following example, the certificate for alternate server 1 is loaded from the console by pasting the content of the certificate on the screen. After pasting the certificate, press the [Enter] key, then press the [Ctrl] and [D] keys to complete loading.
XSCF> setldapssl loadcert -i 1 console
Warning: About to load certificate for Alternate Server 1:
Continue? [y|n]: y
Please enter the certificate:
-----BEGIN CERTIFICATE-----
MIIETjCCAzagAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU2FuIERpZWdvMRkwFwYDVQQK
ExBTdW4gTWljcm9zeXN0ZW1zMRUwEwYDVQQLEwxTeXN0ZW0gR3JvdXAxEjAQBgNV
:
-----END CERTIFICATE-----

[Enter]
[Ctrl]+[D]
  3. Execute the showldapssl command, and confirm that the server certificate has been loaded. Compare the issuer, subject, serial number and validity period with the certificate the server actually presents.
XSCF> showldapssl cert
Primary Server:
certstatus = certificate present
issuer = DC = local, DC = xscf, CN = apl
serial number = 55:1f:ff:c4:73:f7:5a:b9:4e:16:3c:fc:e5:66:5e:5a
subject = DC = local, DC = xscf, CN = apl
valid from = Mar 9 11:46:21 2010 GMT
valid until = Mar 9 11:46:21 2015 GMT
version = 3 (0x02)

XSCF> showldapssl cert -i 1
Alternate Server 1:
certstatus = certificate present
issuer = DC = local, DC = aplle, CN = aplle.local
serial number = 0b:1d:43:39:ee:4b:38:ab:46:47:de:0a:b4:a9:ea:04
subject = DC = local, DC = aplle, CN = aplle.local
valid from = Aug 25 02:38:15 2009 GMT
valid until = Aug 25 02:44:48 2014 GMT
version = 3 (0x02)
  4. Execute the setldapssl command to delete the primary server certificate.
XSCF> setldapssl rmcert
Warning: About to delete certificate for Primary Server.
Continue? [y|n]: y
  5. Execute the showldapssl command, and confirm that the server certificate has been deleted.
XSCF> showldapssl cert
Primary Server:
certstatus = certificate not present
issuer = (none)
serial number = (none)
subject = (none)
valid from = (none)
valid until = (none)
version = (none)
Note - The strictcertmode must be disabled for a certificate to be removed.
Enabling/Disabling the usermapmode
  1. Execute the showldapssl command to display whether the usermapmode is enabled or disabled.
XSCF> showldapssl
usermapmode: disabled
state: enabled
strictcertmode: disabled
timeout: 4
logdetail: none
  2. Execute the setldapssl command to enable/disable the usermapmode.
    In the following example, the usermapmode is enabled.
XSCF> setldapssl usermapmode enable
    In the following example, the usermapmode is disabled.
XSCF> setldapssl usermapmode disable
  3. Execute the showldapssl command to confirm whether the usermapmode is enabled or disabled.
    In the following example, the usermapmode is enabled.
XSCF> showldapssl
usermapmode: enabled
state: enabled
strictcertmode: disabled
timeout: 4
logdetail: none
Setting or Clearing the usermap
  1. Execute the showldapssl command to display the configuration of the usermap.
XSCF> showldapssl usermap
attributeInfo: (none)
binddn: (none)
bindpw: (none)
searchbase: (none)
  2. Execute the setldapssl command to configure the usermap.
    In the following example, the attribute information is set.
XSCF> setldapssl usermap attributeInfo '(&(objectclass=person)(uid=))'
    In the following example, the bind DN is set.
XSCF> setldapssl usermap binddn CN=SuperAdmin,DC=aCompany,DC=com
    In the following example, the bind password is set. The password is stored on the XSCF and is never displayed again; showldapssl reports only whether it is set.
XSCF> setldapssl usermap bindpw b.e9s#n
    In the following example, the search base is set.
XSCF> setldapssl usermap searchbase OU=yoshi,DC=aCompany,DC=com
  3. Execute the showldapssl command, and confirm the usermap.
XSCF> showldapssl usermap
attributeInfo: (&(objectclass=person)(uid=))
binddn: CN=SuperAdmin,DC=aCompany,DC=com
bindpw: Set
searchbase: OU=yoshi,DC=aCompany,DC=com
  4. Execute the setldapssl command to clear the usermap. Each operand is cleared by giving it without a value.
    In the following example, the attribute information is cleared.
XSCF> setldapssl usermap attributeInfo
    In the following example, the bind DN is cleared.
XSCF> setldapssl usermap binddn
    In the following example, the bind password is cleared.
XSCF> setldapssl usermap bindpw
    In the following example, the search base is cleared.
XSCF> setldapssl usermap searchbase
  5. Execute the showldapssl command, and confirm that the usermap has been cleared.
XSCF> showldapssl usermap
attributeInfo: (none)
binddn: (none)
bindpw: (none)
searchbase: (none)
Note - The usermapmode must be enabled to use the usermap.
Enabling/Disabling the strictcertmode
  1. Execute the showldapssl command to display whether the strictcertmode is enabled or disabled.
XSCF> showldapssl
usermapmode: enabled
state: enabled
strictcertmode: disabled
timeout: 4
logdetail: none
  2. Execute the setldapssl command to enable/disable the strictcertmode.
    In the following example, the strictcertmode is enabled.
XSCF> setldapssl strictcertmode enable
    In the following example, the strictcertmode is disabled.
XSCF> setldapssl strictcertmode disable
  3. Execute the showldapssl command, and confirm whether the strictcertmode is enabled or disabled.
    In the following example, the strictcertmode is enabled.
XSCF> showldapssl
usermapmode: enabled
state: enabled
strictcertmode: enabled
timeout: 4
logdetail: none
Note - To enable the strictcertmode, the server certificate must already have been loaded to the XSCF. The loaded certificate is used to validate the server only while the strictcertmode is enabled, so enable it as soon as the certificates of all configured servers are in place.
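Before enabling the strictcertmode, every configured server slot (primary and each alternate with an address set) needs a loaded certificate, and ordinary X.509 validation also rejects a certificate that is expired or not yet valid. The Python below is an added example, not code from the manual or from the XSCF: it parses the showldapssl server and showldapssl cert output formats shown in this section and reports the servers that would not be ready. The two outputs embedded in it are constructed samples modelled on those shown above; the addresses, dates and the reference time are assumptions.

```python
import re
from datetime import datetime, timezone

# Block headers as printed by showldapssl server / showldapssl cert.
HEADER_RE = re.compile(r"^(Primary Server|Alternate Server \d+):?\s*$")
# "field: value" (server output) or "field = value" (cert output); the value
# itself may contain "=" (an issuer DN), so only the first separator counts.
FIELD_RE = re.compile(r"^([^=:]+?)\s*[=:]\s*(.*)$")


def parse_blocks(text):
    """Parse the per-server blocks of showldapssl output into {server: {field: value}}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = blocks.setdefault(header.group(1), {})
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return blocks


def parse_xscf_time(value):
    """Convert 'Mar 9 11:46:21 2010 GMT' as printed by showldapssl cert to a UTC datetime."""
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def strictcertmode_readiness(server_output, cert_output, now):
    """Return {server: [problem, ...]} for configured servers not ready for strictcertmode.

    A slot is configured when its address is not '(none)'. It is ready when a
    certificate is present and 'now' falls inside that certificate's validity period."""
    servers = parse_blocks(server_output)
    certs = parse_blocks(cert_output)
    problems = {}
    for name, fields in servers.items():
        if fields.get("address", "(none)") == "(none)":
            continue  # unused slot; nothing to validate
        cert = certs.get(name, {})
        issues = []
        if cert.get("certstatus") != "certificate present":
            issues.append("no certificate loaded")
        else:
            if now < parse_xscf_time(cert["valid from"]):
                issues.append("certificate not yet valid (valid from " + cert["valid from"] + ")")
            if now > parse_xscf_time(cert["valid until"]):
                issues.append("certificate expired (valid until " + cert["valid until"] + ")")
        if issues:
            problems[name] = issues
    return problems


# Constructed samples (not captured from a real system) in the formats shown above:
# three configured servers, of which only the first two have a certificate loaded.
SAMPLE_SERVER_OUTPUT = """\
Primary Server
address: 10.18.76.230
port: 4041
Alternate Server 1
address: 10.18.76.231
port: 0
Alternate Server 2
address: 10.18.76.232
port: 0
Alternate Server 3
address: (none)
port: 0
"""

SAMPLE_CERT_OUTPUT = """\
Primary Server:
certstatus = certificate present
issuer = DC = local, DC = xscf, CN = apl
serial number = 55:1f:ff:c4:73:f7:5a:b9:4e:16:3c:fc:e5:66:5e:5a
subject = DC = local, DC = xscf, CN = apl
valid from = Mar 9 11:46:21 2010 GMT
valid until = Mar 9 11:46:21 2015 GMT
version = 3 (0x02)

Alternate Server 1:
certstatus = certificate present
issuer = DC = local, DC = aplle, CN = aplle.local
serial number = 0b:1d:43:39:ee:4b:38:ab:46:47:de:0a:b4:a9:ea:04
subject = DC = local, DC = aplle, CN = aplle.local
valid from = Aug 25 02:38:15 2009 GMT
valid until = Aug 25 02:44:48 2014 GMT
version = 3 (0x02)

Alternate Server 2:
certstatus = certificate not present
issuer = (none)
serial number = (none)
subject = (none)
valid from = (none)
valid until = (none)
version = (none)

Alternate Server 3:
certstatus = certificate not present
issuer = (none)
serial number = (none)
subject = (none)
valid from = (none)
valid until = (none)
version = (none)
"""

if __name__ == "__main__":
    ready = strictcertmode_readiness(SAMPLE_SERVER_OUTPUT, SAMPLE_CERT_OUTPUT,
                                     datetime.now(timezone.utc))
    for server, issues in ready.items():
        print(f"{server}: " + "; ".join(issues))
```

Feed it the real showldapssl server and showldapssl cert -i output captured from the XSCF; an empty result means setldapssl strictcertmode enable will not lock out logins through a server that has no certificate on file.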
Setting a User Domain
  1. Execute the showldapssl command to display the user domains.
XSCF> showldapssl userdomain
domain 1: (none)
domain 2: (none)
domain 3: (none)
domain 4: (none)
domain 5: (none)
  2. Execute the setldapssl command to set the user domains.
    In the following example, user domain 1 is set in the '@domain' form. The XSCF stores it with the <USERNAME> placeholder prepended.
XSCF> setldapssl userdomain -i 1 '@davidc.example.aCompany.com'
    In the following example, user domain 2 is set in the DN form, with <USERNAME> marking where the login name is substituted.
XSCF> setldapssl userdomain -i 2 'CN=<USERNAME>,CN=Users,DC=davidc,DC=example,DC=aCompany,DC=com'
  3. Execute the showldapssl command, and confirm the user domains.
XSCF> showldapssl userdomain
domain 1: <USERNAME>@davidc.example.aCompany.com
domain 2: CN=<USERNAME>,CN=Users,DC=davidc,DC=example,DC=aCompany,DC=com
domain 3: (none)
domain 4: (none)
domain 5: (none)
Setting the Default Privilege
  1. Execute the showldapssl command to display the default privilege.
XSCF> showldapssl defaultrole
Default role: (none)
  2. Execute the setldapssl command to set the default privilege.
XSCF> setldapssl defaultrole platadm platop
  3. Execute the showldapssl command, and confirm the default privilege.
XSCF> showldapssl defaultrole
Default role: platadm platop
Setting Group Names and Privileges
  1. Execute the showldapssl command to display the group names.
    The following example shows the administrator groups.
XSCF> showldapssl group administrator
Administrator Group 1
name: (none)
Administrator Group 2
name: (none)
Administrator Group 3
name: (none)
Administrator Group 4
name: (none)
Administrator Group 5
name: (none)
    The following example shows the operator groups.
XSCF> showldapssl group operator
Operator Group 1
name: (none)
Operator Group 2
name: (none)
Operator Group 3
name: (none)
Operator Group 4
name: (none)
Operator Group 5
name: (none)
    The following example shows the custom groups.
XSCF> showldapssl group custom
Custom Group 1
name: (none)
roles: (none)
Custom Group 2
name: (none)
roles: (none)
Custom Group 3
name: (none)
roles: (none)
Custom Group 4
name: (none)
roles: (none)
Custom Group 5
name: (none)
roles: (none)
  2. Execute the setldapssl command to set the group names and privileges.
    In the following example, administrator group 1 is set.
XSCF> setldapssl group administrator -i 1 name CN=SpSuperAdmin,OU=Groups,DC=davidc,DC=example,DC=aCompany,DC=com
    In the following example, operator group 1 is set.
XSCF> setldapssl group operator -i 1 name CN=OpGroup1,OU=SCFTEST,DC=aplle,DC=local
    In the following example, custom group 1 is set.
XSCF> setldapssl group custom -i 1 name CN=CtmGroup1,OU=SCFTEST,DC=aplle,DC=local
    In the following example, the privileges of custom group 1 are set.
XSCF> setldapssl group custom -i 1 roles platadm,platop
  3. Execute the showldapssl command, and confirm the group names and privileges.
    In the following example, the administrator groups are confirmed.
XSCF> showldapssl group administrator
Administrator Group 1
name: CN=SpSuperAdmin,OU=Groups,DC=davidc,DC=example,DC=aCompany,DC=com
Administrator Group 2
name: (none)
Administrator Group 3
name: (none)
Administrator Group 4
name: (none)
Administrator Group 5
name: (none)
    In the following example, the operator groups are confirmed.
XSCF> showldapssl group operator
Operator Group 1
name: CN=OpGroup1,OU=SCFTEST,DC=aplle,DC=local
Operator Group 2
name: (none)
Operator Group 3
name: (none)
Operator Group 4
name: (none)
Operator Group 5
name: (none)
    In the following example, the custom groups are confirmed.
XSCF> showldapssl group custom
Custom Group 1
name: CN=CtmGroup1,OU=SCFTEST,DC=aplle,DC=local
roles: platadm platop
Custom Group 2
name: (none)
roles: (none)
Custom Group 3
name: (none)
roles: (none)
Custom Group 4
name: (none)
roles: (none)
Custom Group 5
name: (none)
roles: (none)
Note - The administrator group has the platadm, useradm, and auditadm privileges, and the operator group has the platop and auditop privileges. These privileges cannot be changed; only custom groups take a roles setting.
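The following Python model ties together the two privilege-resolution cases described at the start of this section ("Once authenticated, user privileges are determined..."), the ordered user domains from "Setting a User Domain", and the fixed administrator and operator privileges above. It is an added example, not code from the manual or from the XSCF firmware. Its configuration values reuse the examples in this section, while the directory contents (which identities exist and which groups they belong to) are constructed. Two points the manual leaves open are assumptions here: group names are compared as exact strings, and a user in several mapped groups receives the union of their privileges.

```python
# Privileges the manual fixes for the two built-in group kinds.
ADMINISTRATOR_ROLES = frozenset({"platadm", "useradm", "auditadm"})
OPERATOR_ROLES = frozenset({"platop", "auditop"})


def expand_userdomain(template, username):
    """Render a configured user domain for a login name.

    A domain given as '@domain' is stored by the XSCF as '<USERNAME>@domain';
    the literal '<USERNAME>' in either form is replaced with the login name."""
    if template.startswith("@"):
        template = "<USERNAME>" + template
    return template.replace("<USERNAME>", username)


def resolve_privileges(config, member_of):
    """Privileges for an authenticated user, following the two cases in the text.

    Case 1: defaultrole is set, so every LDAP over SSL user gets exactly those roles.
    Case 2: roles come from the groups the user belongs to; administrator and
    operator groups carry fixed roles, custom groups carry the roles set on the XSCF.
    Assumptions (not stated in the manual): group names are compared as exact
    strings, and membership in several mapped groups yields the union of their roles."""
    if config.get("defaultrole"):
        return set(config["defaultrole"])
    groups = set(member_of)
    roles = set()
    for name in config.get("administrator", ()):
        if name in groups:
            roles |= ADMINISTRATOR_ROLES
    for name in config.get("operator", ()):
        if name in groups:
            roles |= OPERATOR_ROLES
    for name, custom_roles in config.get("custom", ()):
        if name in groups:
            roles |= set(custom_roles)
    return roles


def simulate_login(config, directory, username):
    """Try the user domains in configured order; return (identity used, privileges).

    'directory' maps the identity the XSCF would authenticate as to the group names
    that identity belongs to. Returns (None, set()) when no domain yields a match."""
    for template in config.get("userdomain", ()):
        identity = expand_userdomain(template, username)
        if identity in directory:
            return identity, resolve_privileges(config, directory[identity])
    return None, set()


# Configuration reusing the examples in this section; defaultrole is left unset so
# that privileges come from group membership (case 2).
CONFIG = {
    "userdomain": [
        "@davidc.example.aCompany.com",
        "CN=<USERNAME>,CN=Users,DC=davidc,DC=example,DC=aCompany,DC=com",
    ],
    "defaultrole": [],
    "administrator": ["CN=SpSuperAdmin,OU=Groups,DC=davidc,DC=example,DC=aCompany,DC=com"],
    "operator": ["CN=OpGroup1,OU=SCFTEST,DC=aplle,DC=local"],
    "custom": [("CN=CtmGroup1,OU=SCFTEST,DC=aplle,DC=local", ["platadm", "platop"])],
}

# Constructed directory contents (not from the manual): identity -> group names.
DIRECTORY = {
    "yoshi@davidc.example.aCompany.com": [
        "CN=SpSuperAdmin,OU=Groups,DC=davidc,DC=example,DC=aCompany,DC=com",
    ],
    "CN=davidc,CN=Users,DC=davidc,DC=example,DC=aCompany,DC=com": [
        "CN=OpGroup1,OU=SCFTEST,DC=aplle,DC=local",
        "CN=CtmGroup1,OU=SCFTEST,DC=aplle,DC=local",
    ],
    "guest@davidc.example.aCompany.com": ["CN=Everyone,DC=aplle,DC=local"],
}

if __name__ == "__main__":
    for user in ("yoshi", "davidc", "guest", "nobody"):
        identity, roles = simulate_login(CONFIG, DIRECTORY, user)
        print(f"{user}: identity={identity} privileges={sorted(roles)}")
```

Note how "guest" authenticates (domain 1 matches) but ends up with no privileges because none of its groups is mapped on the XSCF, whereas setting defaultrole would give that same user the default privileges instead; that is the trade-off between the two cases.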
Setting a Timeout
  1. Execute the showldapssl command to display the timeout value.
XSCF> showldapssl
usermapmode: enabled
state: enabled
strictcertmode: enabled
timeout: 4
logdetail: none
  2. Execute the setldapssl command to set the timeout value.
    In the following example, the timeout is set to 10 seconds.
XSCF> setldapssl timeout 10
  3. Execute the showldapssl command, and confirm the timeout value.
XSCF> showldapssl
usermapmode: enabled
state: enabled
strictcertmode: enabled
timeout: 10
logdetail: none
Enabling or Disabling the Logs of LDAP over SSL Authentication and Authorization Diagnosis Messages
  1. Execute the showldapssl command to display the log detail level.
XSCF> showldapssl
usermapmode: enabled
state: enabled
strictcertmode: enabled
timeout: 10
logdetail: none
  2. Execute the setldapssl command to set the log detail level.
    In the following example, the log is enabled and the log detail level is set to trace.
XSCF> setldapssl logdetail trace
    In the following example, the log is disabled.
XSCF> setldapssl logdetail none
  3. Execute the showldapssl command, and confirm the log detail level.
    In the following example, the log detail level is set to trace.
XSCF> showldapssl
usermapmode: enabled
state: enabled
strictcertmode: enabled
timeout: 10
logdetail: trace
Displaying the Log of Diagnosis Messages and Clearing the Log File
  1. Execute the showldapssl command to display the log detail level.
XSCF> showldapssl
usermapmode: enabled
state: enabled
strictcertmode: enabled
timeout: 10
logdetail: trace
  2. Execute the showldapssl command to display the diagnosis messages.
    In the following example, the diagnosis messages are displayed in real time. The auth-ERROR line is what a failed LDAP over SSL authentication attempt looks like in this log.
XSCF> showldapssl log -f
Mon Nov 16 14:47:53 2009 (LdapSSL): module loaded, OPL
Mon Nov 16 14:47:53 2009 (LdapSSL): --error-- authentication status:
auth-ERROR
Mon Nov 16 14:48:18 2009 (LdapSSL): module loaded, OPL
:
  3. Execute the setldapssl command to clear the log file of diagnosis messages.
XSCF> setldapssl log clear
Warning: About to clear log file.
Continue? [y|n]: y
Resetting the LDAP over SSL Settings to Their Defaults
  1. Execute the showldapssl command to display the status of the LDAP over SSL settings.
XSCF> showldapssl
usermapmode: enabled
state: enabled
strictcertmode: enabled
timeout: 10
logdetail: trace
  2. Execute the setldapssl command to reset the LDAP over SSL settings to their defaults.
XSCF> setldapssl default -y
Warning: About to reset settings to default.
Continue? [y|n]: y
  3. Execute the showldapssl command, and confirm that the LDAP over SSL settings have been reset to their defaults.
XSCF> showldapssl
usermapmode: disabled
state: disabled
strictcertmode: disabled
timeout: 4
logdetail: none
Logging In With the LDAP over SSL User Account
After completing the settings, confirm that you can log in to the XSCF with an LDAP over SSL user account. Keep an existing local XSCF session open while doing so, so that a misconfiguration (for example, a timeout that is too short, or a user domain that matches no entry) does not lock you out.