Switch configuration, Supported ldap options – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual
Page 149

Switch configuration
By default, the remote authentication services are disabled, so AAA services default to the switch’s local
database.
To enable remote authentication, it is strongly recommended that you access the CLI through an SSH
connection so that the shared secret is protected. Multiple login sessions can change the configuration
simultaneously; the last change applied is the one that takes effect. After a configuration is applied,
it persists across a reboot or an HA failover.
To enable the secure LDAP service, you must install a certificate from the Microsoft Active Directory
server or the OpenLDAP server. By default, the LDAP service does not require certificates.
The configuration applies to all switches. On a Backbone, the configuration replicates itself on a standby
CP blade if one is present. It is saved in a configuration upload and applied in a configuration download.
Brocade recommends configuring at least two authentication servers, so that if one fails, the other will
assume service. Up to five servers are supported.
You can set the configuration with any one of the supported authentication services and local
authentication enabled, so that if the authentication servers do not respond because of a power failure
or network problems, the switch uses local authentication.
Consider the effects of the use of a remote authentication service on other Fabric OS features. For
example, when a remote authentication service is enabled, all account passwords must be managed on
the authentication server. The Fabric OS mechanisms for changing switch passwords remain functional;
however, such changes affect only the involved switches locally. They do not propagate to the
authentication server, nor do they affect any account on the authentication server. Authentication
servers also support notifying users of expiring passwords.
When RADIUS, LDAP, or TACACS+ is set up for a fabric that contains a mix of switches with and
without RADIUS, LDAP, and TACACS+ support, the way a switch authenticates users depends on
whether a RADIUS, LDAP, or TACACS+ server is set up for that switch. For a switch with remote
authentication support and configuration, authentication bypasses the local password database. For a
switch without remote authentication support or configuration, authentication uses the switch’s local
account names and passwords.
Supported LDAP options
The following table summarizes the various LDAP options and Brocade support for each.
TABLE 23 LDAP options

| Protocol | Description | Channel type | Default port | URL | Brocade supported? |
| --- | --- | --- | --- | --- | --- |
| LDAPv3 | LDAP over TCP | Unsecured | 389 | ldap:// | No |
| LDAPv3 with TLS extension | LDAPv3 over TLS | Secured | 389 | ldap:// | Yes |
| LDAPv3 with TLS and Certificate | LDAPv3 over TLS channel and authenticated using a certificate | Secured | 389 | ldap:// | Yes |
| LDAPv2 with SSL (5) | LDAPv2 over SSL. Port 636 is used for SSL. Port 389 is for connecting to LDAP. | Secured | 636 and 389 | ldaps:// | No |

(5) This protocol was deprecated in 2003 when LDAPv3 was standardized.
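Both supported rows of the table run over port 389 and rely on the LDAPv3 StartTLS extended operation rather than a separate ldaps:// port. As an added example that is not part of the guide, the following Python script checks an LDAP server for exactly that behaviour before it is configured as the switch's authentication server: it sends the StartTLS extended request on the plaintext port, reads the result code, and completes a certificate-verified TLS handshake. It assumes the caller supplies the server host and port (hypothetical values) and that the server certificate chains to a CA trusted by the host running the script.

```python
# Added example (not from the Brocade guide): probe whether an LDAP server accepts the
# LDAPv3 StartTLS extended operation on its plaintext port, the option Brocade supports.
# Assumptions: host/port come from the caller; server_hostname for TLS is that host.
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV (short-form length below 128 bytes, else 2-byte long form)."""
    n = len(payload)
    length = bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = ber(0x77, ber(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23, constructed
    return ber(0x30, ber(0x02, bytes([message_id])) + ext_req)

def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_extended_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x78:  # APPLICATION 24 = ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(op, 0)   # resultCode ENUMERATED
    _, _dn, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)   # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def starttls_probe(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Send StartTLS on the plaintext port; on success complete a verified TLS handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:  # e.g. 2 = protocolError, 53 = unwillingToPerform
            return {"starttls": False, "result_code": code, "diagnostic": diag}
        # create_default_context() verifies the server chain against the system CA store
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return {"starttls": True, "tls_version": tls.version(), "subject": subject}
```

A non-zero result code means the server refused StartTLS; an ssl.SSLCertVerificationError means the probing host does not trust the server certificate, which is the same certificate the switch needs installed before the secured options work.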
53-1003130-01