beautypg.com

Dell POWEREDGE M1000E User Manual

Page 163

background image

Fabric OS Administrator’s Guide

163

53-1002745-02

Remote authentication

5

LDAP authentication is used on the local switch only and not for the entire fabric.

You can use the User-Principal-Name and not the Common-Name for AD LDAP authentication.
To provide backward compatibility, authentication based on the Common Name is still
supported for Active Directory LDAP 2000 and 2003. Common Name based-authentication is
not recommended for new installations.

A user can belong to multiple groups as long as one of the groups is the primary group. The
primary group in the AD server should not be set to the group corresponding to the switch role.
You can choose any other group.

A user can be part of any Organizational Unit (OU).

Active Directory LDAP 2000, 2003, and 2008 are supported.

When authentication is performed by User-Principal-Name, in Fabric OS 7.1.0 and later releases,
the suffix part of the name (the @domain-name part) can be omitted when the user logs in. If the
suffix part of the User-Principal-Name name is omitted, the domain name configured for the LDAP
server (in the aaaConfig --add server -d domain command) is added and used for authentication
purposes.

Roles for Brocade-specific users can be added through the Microsoft Management Console.
Groups created in Active Directory must correspond directly to the RBAC user roles on the switch.
Role assignments can be achieved by including the user in the respective group. A user can be
assigned to multiple groups like Switch Admin and Security Admin. For LDAP servers, you can use
the ldapCfg

-–

maprole ldap_role_name switch_role command to map an LDAP server permissions

to one of the default roles available on a switch. For more information on RBAC roles, see

“Role-Based Access Control”

on page 134.

NOTE

All instructions involving Microsoft Active Directory can be obtained from

www.microsoft.com

or your

Microsoft documentation. Confer with your system or network administrator prior to configuration
for any special needs your network environment may have.

Configuring Microsoft Active Directory LDAP service

The following is an overview of the process used to set up LDAP.

1. If your Windows Active Directory server for LDAP needs to be verified by the LDAP client (that is,

the Brocade switch), then you must install a Certificate Authority (CA) certificate on the
Windows Active Directory server for LDAP.

Follow Microsoft instructions for generating and installing CA certificates on a Windows server.

2. Create a user in Microsoft Active Directory server.

For instructions on how to create a user, refer to www.microsoft.com or Microsoft
documentation to create a user in your Active Directory.

3. Create a group name that uses the switch’s role name so that the Active Directory group’s

name is the same as the switch’s role name.

or

Use the ldapCfg -–maprole ldap_role_name switch_role command to map an LDAP server role

to one of the default roles available on the switch.