Brocade Network OS Administrator's Guide v4.1.1, page 295: Server authorization, FIPS compliance, Configuring LDAP, Importing an LDAP CA certificate

Server authorization
The Active Directory (AD) server is used only for authentication. Command authorization of AD users is not performed by the AD server; instead, access control for AD users is enforced locally by role-based access control (RBAC) on the switch.
A user on the AD server must be assigned a nonprimary group, and that group name must either match the name of an existing role on the switch (a "matched" group) or be explicitly mapped to one of those roles (a "mapped" group); otherwise, authentication fails. After successful authentication, the switch retrieves the user's nonprimary group from the AD server and looks up the corresponding role among the matched and mapped groups. Groups whose names match existing switch roles take priority over groups that are mapped to switch roles. The role obtained from the AD server in this way (or the default role) is then used for RBAC.
If the switch cannot obtain the group from the AD server, or the LDAP user is not a member of any matched or mapped AD group, authentication of that user fails.
If multiple nonprimary groups are associated with the AD user, only one of them should be matched or mapped to a switch role. If more than one of the user's AD groups is matched or mapped to switch roles, the user authenticates successfully, but there is no guarantee which of those roles the user receives. Because the role determines which commands the user can run, audit AD group membership so that every switch user resolves to exactly one role.
A maximum of 16 AD groups can be mapped to switch roles.
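The resolution rules above (matched group beats mapped group, no usable group means a failed login, several usable groups mean an unpredictable role, at most 16 mappings) are easy to get wrong when AD group membership is managed by a different team than the switch. The following is an added example, not Brocade code and not the switch's own implementation: a small Python model of those rules that an operator can run against an export of AD group membership to find users who would be denied or, worse, could land in an unintended role. The role names, group names, and users are constructed for the example.

```python
"""Audit how a switch would resolve an AD user's role from group membership.

Added example (not Brocade code): a model of the rules stated in the guide,
used to audit AD group membership before users log in. All names below are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

MAX_MAPPED_GROUPS = 16  # "A maximum of 16 AD groups can be mapped to switch roles"


@dataclass
class SwitchLdapConfig:
    """Roles defined on the switch plus the AD-group-to-role mapping."""
    roles: Set[str]
    group_to_role: Dict[str, str] = field(default_factory=dict)

    def map_group(self, ad_group: str, role: str) -> None:
        """Map an AD group to an existing switch role, enforcing the 16-group limit."""
        if role not in self.roles:
            raise ValueError(f"role {role!r} does not exist on the switch")
        is_new = ad_group not in self.group_to_role
        if is_new and len(self.group_to_role) >= MAX_MAPPED_GROUPS:
            raise ValueError(f"at most {MAX_MAPPED_GROUPS} AD groups can be mapped")
        self.group_to_role[ad_group] = role


@dataclass
class Resolution:
    authenticated: bool      # False: the switch rejects the login
    candidates: List[str]    # roles the user could receive (sorted, deduplicated)
    source: str              # "matched", "mapped", or the failure reason

    @property
    def deterministic(self) -> bool:
        """True when exactly one role can result from the user's groups."""
        return self.authenticated and len(self.candidates) == 1


def resolve_role(cfg: SwitchLdapConfig, nonprimary_groups: Iterable[str]) -> Resolution:
    """Apply the switch's resolution order to the nonprimary groups AD returned."""
    groups = list(nonprimary_groups)
    if not groups:
        return Resolution(False, [], "no nonprimary group returned by AD")
    # Tier 1 ("matched"): group name identical to a switch role name. This tier
    # has priority, so a matched group hides any mapped group the user also has.
    matched = sorted({g for g in groups if g in cfg.roles})
    if matched:
        return Resolution(True, matched, "matched")
    # Tier 2 ("mapped"): group explicitly mapped to a switch role.
    mapped = sorted({cfg.group_to_role[g] for g in groups if g in cfg.group_to_role})
    if mapped:
        return Resolution(True, mapped, "mapped")
    return Resolution(False, [], "not a member of any matched or mapped group")


def audit(cfg: SwitchLdapConfig, membership: Dict[str, List[str]]) -> Dict[str, Resolution]:
    """Resolve every user in a {user: [nonprimary groups]} table."""
    return {user: resolve_role(cfg, groups) for user, groups in membership.items()}


def ambiguous_users(cfg: SwitchLdapConfig, membership: Dict[str, List[str]]) -> List[str]:
    """Users who would authenticate but could end up in more than one role."""
    return sorted(u for u, r in audit(cfg, membership).items()
                  if r.authenticated and not r.deterministic)


# Constructed sample: two switch roles, two mapped AD groups, six users.
EXAMPLE_CONFIG = SwitchLdapConfig(roles={"admin", "user"})
EXAMPLE_CONFIG.map_group("NetOps", "user")
EXAMPLE_CONFIG.map_group("StorageAdmins", "admin")

EXAMPLE_MEMBERSHIP: Dict[str, List[str]] = {
    "alice": ["admin"],                    # matched: group name equals a role
    "bob":   ["NetOps"],                   # mapped: NetOps -> user
    "carol": ["admin", "NetOps"],          # matched wins over mapped -> admin
    "dave":  ["NetOps", "StorageAdmins"],  # two mapped roles: nondeterministic
    "erin":  ["HR"],                       # no usable group: login fails
    "frank": [],                           # AD returned no nonprimary group
}

if __name__ == "__main__":
    for user, res in audit(EXAMPLE_CONFIG, EXAMPLE_MEMBERSHIP).items():
        state = "OK" if res.deterministic else ("AMBIGUOUS" if res.authenticated else "DENIED")
        print(f"{user:6} {state:9} {res.candidates} ({res.source})")
    print("fix membership for:", ambiguous_users(EXAMPLE_CONFIG, EXAMPLE_MEMBERSHIP))
```

Run it against a real membership export and treat every AMBIGUOUS user as a finding: the switch may grant that user either role, so the membership (or the mapping) has to be reduced to a single matched or mapped group per user before the account is relied on for privileged access.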
FIPS compliance
To support FIPS compliance, the CA certificate that issued the AD server's certificate must be installed on the switch, and FIPS-compliant TLS cipher suites must be used for LDAP. The switch uses the installed CA certificate to validate the AD server's certificate when it establishes the TLS connection; without it, the server's identity cannot be verified.
Configuring LDAP
Configuring support for LDAP requires configuring both the client and the server. This section presents the following major tasks, sorted by client-side and server-side activities:
Client-side tasks:
• Configuring an Active Directory server on the client side
• Configuring Active Directory groups on the client side on page 300
• Clearing sessions on the client side on page 301
Server-side tasks:
• Configuring an Active Directory server on the client side
Importing an LDAP CA certificate
The following example imports the LDAP CA certificate from a remote server to a Brocade switch using
secure copy (SCP).
Network OS Administrator's Guide 53-1003225-04