
OpenLDAP server configuration overview, Enabling group membership – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0)


Configuring Security Policies

on page 209. When using OpenLDAP in non-FIPS mode, you must use the Common-Name for OpenLDAP authentication. User-Principal-Name is not supported in OpenLDAP. OpenLDAP 2.4.23 is supported.

When a user is authenticated, the role of the user is obtained from the memberOf attribute, which
determines group membership. This feature is supported in OpenLDAP through the memberOf overlay.
You must use this overlay on the OpenLDAP server to assign membership information.

For OpenLDAP servers, you can use the ldapCfg --maprole command to map LDAP server permissions to one of the default roles available on a switch. For more information on RBAC roles, see Role-Based Access Control on page 134.

OpenLDAP server configuration overview

For complete details about how to install and configure an OpenLDAP server, refer to the OpenLDAP
user documentation at http://www.openldap.org/doc/. A few key steps for the Brocade environment are
outlined here.

1. If your OpenLDAP server needs to be verified by the LDAP client (that is, the Brocade switch), you must install a Certificate Authority (CA) certificate on the OpenLDAP server, and the server certificate that slapd presents (TLSCertificateFile in slapd.conf) must be issued by a CA that the switch trusts; otherwise the switch cannot complete verification. Follow the OpenLDAP instructions for generating and installing CA certificates on an OpenLDAP server.
2. Enable group membership through the memberOf mechanism by including the memberOf overlay in the slapd.conf file.
3. Create entries (users) in the OpenLDAP directory.
4. Assign users to groups by using the member attribute of a groupOfNames entry.
5. Use the ldapCfg --maprole ldap_role_name switch_role command to map an LDAP server role (the group the user belongs to) to one of the default roles available on the switch.
6. Add the user's Admin Domains or Virtual Fabrics to the user entry:
   a) Add the brcdAdVfData attribute to the existing OpenLDAP schema.
   b) Add the brcdAdVfData attribute to the user entry in the LDAP directory, with a value that identifies the Administrative Domains or Virtual Fabrics with which to associate the user.

Enabling group membership

Group membership in OpenLDAP is exposed to the switch through an overlay called memberOf. Overlays customize the back-end behavior without requiring changes to the back-end code. The memberOf overlay updates the memberOf attribute of the member entries whenever the member attribute of an entry of the groupOfNames objectClass changes. By default it acts only on that objectClass and that attribute, and it maintains memberOf only for group changes applied through slapd after the overlay is active, so groups created before it was enabled must be re-added for their members to receive the attribute. To include this overlay, add "overlay memberof" to the slapd.conf file inside the database section that holds the users and groups (after the database and directory directives, since an overlay attaches to the database definition it follows), as shown in the following example. If slapd was built with dynamic modules, the overlay must also be loaded with a moduleload memberof.la directive.

overlay memberof

Example file:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/local.schema
###############################################
TLSCACertificateFile /root/sachin/ldapcert/cacert.pem
TLSCertificateFile /root/sachin/ldapcert/serverCert.pem
TLSCertificateKeyFile /root/sachin/ldapcert/serverKey.pem
TLSVerifyClient never
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

database bdb
suffix "dc=mybrocade,dc=com"
rootdn "cn=Manager,dc=mybrocade,dc=com"
rootpw {SSHA}HL8uT5hPaWyIdcP6yAheMT8n0GoWubr3
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
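The following added example is not Brocade or OpenLDAP code. It emulates offline what steps 2 to 5 of the procedure and the memberOf overlay produce: a minimal LDIF parser, a re-implementation of the overlay's default behaviour (a memberOf value on each user for every groupOfNames entry whose member attribute names that user), the lookup a switch would perform against a table like the one ldapCfg --maprole builds, and a check of a slapd.conf fragment for the overlay-placement and rootpw points. All DNs, the group names sanadmins, sanoperators and legacy, and the role mappings are constructed for illustration; the page does not say how Fabric OS chooses when a user belongs to several mapped groups, so the resolver returns every match rather than picking one.

```python
"""Added example, not Brocade or OpenLDAP code. Emulates offline what the
procedure above produces: parse_ldif/compute_memberof re-implement what the
memberOf overlay maintains by default, resolve_switch_roles applies a stand-in
for the table ldapCfg --maprole builds on the switch, and check_slapd_conf
flags the overlay-placement and rootpw points. All DNs, group names and role
mappings are constructed samples."""
from __future__ import annotations

# Constructed sample directory content (loaded with ldapadd on a real server).
SAMPLE_LDIF = """\
dn: cn=sanadmins,ou=groups,dc=mybrocade,dc=com
objectClass: groupOfNames
cn: sanadmins
member: uid=alice,ou=people,dc=mybrocade,dc=com

dn: cn=sanoperators,ou=groups,dc=mybrocade,dc=com
objectClass: groupOfNames
cn: sanoperators
member: uid=bob,ou=people,dc=mybrocade,dc=com
member: uid=alice,ou=people,dc=mybrocade,dc=com

dn: cn=legacy,ou=groups,dc=mybrocade,dc=com
objectClass: groupOfUniqueNames
cn: legacy
uniqueMember: uid=carol,ou=people,dc=mybrocade,dc=com
"""

# Constructed stand-in for the switch-side table built with
#   ldapCfg --maprole <ldap_role_name> <switch_role>
# keyed by group cn; values are Fabric OS default role names.
MAPROLE = {"sanadmins": "admin", "sanoperators": "operator"}


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF parser (no base64 or line folding) -> {dn: {attr: [values]}}.
    Attribute names are lower-cased; LDAP compares them case-insensitively."""
    entries: dict[str, dict[str, list[str]]] = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def compute_memberof(entries, group_oc="groupOfNames", member_ad="member"):
    """{member_dn: [group_dn, ...]} as the overlay maintains it. Defaults mirror
    memberof-group-oc groupOfNames / memberof-member-ad member: a group of another
    objectClass or membership attribute contributes nothing, so its members get
    no memberOf value and therefore no switch role."""
    memberof: dict[str, list[str]] = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if group_oc.lower() not in classes:
            continue
        for member_dn in attrs.get(member_ad.lower(), []):
            memberof.setdefault(member_dn, []).append(dn)
    return memberof


def resolve_switch_roles(memberof_dns, maprole=MAPROLE) -> list[str]:
    """Switch roles the user's memberOf DNs map to, in memberOf order, keyed by
    the leading cn= RDN. Empty means no mapped group: the login gets no role."""
    table = {k.lower(): v for k, v in maprole.items()}
    roles = []
    for dn in memberof_dns:
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == "cn" and value.strip().lower() in table:
            roles.append(table[value.strip().lower()])
    return roles


def check_slapd_conf(text: str) -> list[str]:
    """Flag: 'overlay memberof' before any 'database' directive (overlays attach
    to the database section they follow), a missing overlay, cleartext rootpw."""
    findings, seen_database, seen_overlay = [], False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, arg = line.partition(" ")
        directive, arg = directive.lower(), arg.strip()
        if directive == "database":
            seen_database = True
        elif directive == "overlay" and arg.lower() == "memberof":
            seen_overlay = True
            if not seen_database:
                findings.append("overlay memberof precedes any database directive")
        elif directive == "rootpw" and not arg.startswith("{"):
            findings.append("rootpw is cleartext; use a slappasswd hash")
    if not seen_overlay:
        findings.append("overlay memberof is missing; memberOf will not be populated")
    return findings
```

On a live server the equivalent verification is an ldapsearch that asks for the user's memberOf attribute by name, for example ldapsearch -x -LLL -H ldaps://ldap.example.com -D "cn=Manager,dc=mybrocade,dc=com" -W -b "uid=alice,ou=people,dc=mybrocade,dc=com" memberOf (host and bind DN are placeholders). An empty result after the overlay was enabled usually means the groups predate it and must be re-added, or that they are not groupOfNames entries using the member attribute.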

Fabric OS Administrators Guide
163
53-1003130-01