Ldap – H3C Technologies H3C S12500-X Series Switches User Manual
Page 21
9
9.
The user enters the password.
10.
After receiving the login password, the HWTACACS client sends the HWTACACS server a
continue-authentication packet that includes the login password.
11.
If the authentication succeeds, the HWTACACS server sends back an authentication response to
indicate that the user has passed authentication.
12.
The HWTACACS client sends a user authorization request packet to the HWTACACS server.
13.
If the authorization succeeds, the HWTACACS server sends back an authorization response,
indicating that the user is now authorized.
14.
Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and
permits the user to log in.
15.
The HWTACACS client sends a start-accounting request to the HWTACACS server.
16.
The HWTACACS server sends back an accounting response, indicating that it has received the
start-accounting request.
17.
The user logs off.
18.
The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19.
The HWTACACS server sends back a stop-accounting response, indicating that the
stop-accounting request has been received.
157B
LDAP
The Lightweight Directory Access Protocol (LDAP) provides standard multi-platform directory service.
LDAP was developed on the basis of the X.500 protocol, and improves the read/write interactive access,
browse, and search functions of X.500. It is suitable for storing data that does not often change.
LDAP is typically used to store user information. For example, LDAP server software Active Directory
Server is used in Microsoft Windows operating systems to store the user information and user group
information for user login authentication and authorization.
344B
LDAP directory service
LDAP uses directories to maintain the organization information, personnel information, and resource
information. The directories are organized in a tree structure and include entries. An entry is a set of
attributes with distinguished names (DNs). The attributes are used to store information such as usernames,
passwords, emails, computer names, and phone numbers.
LDAP uses a client/server model, and all directory information is stored in the LDAP server. Commonly
used LDAP server products include Microsoft Active Directory Server, IBM Tivoli Directory Server, and Sun
ONE Directory Server.
345B
LDAP authentication and authorization
AAA can use LDAP to provide user authentication and authorization services. LDAP defines a set of
operations to implement its functions. The main operations for authentication and authorization are the
bind operation and search operation:
•
The bind operation allows an LDAP client to establish a connection with the LDAP server, obtain the
access rights to the LDAP server, and check the validity of user information.
•
The search operation constructs search conditions and obtains the directory resource information of
the LDAP server.
The basic LDAP authentication process is as follows:
- H3C S5560 Series Switches H3C WX6000 Series Access Controllers H3C WX5000 Series Access Controllers H3C WX3000 Series Unified Switches H3C LSWM1WCM10 Access Controller Module H3C LSWM1WCM20 Access Controller Module H3C LSQM1WCMB0 Access Controller Module H3C LSRM1WCM2A1 Access Controller Module H3C LSBM1WCM2A0 Access Controller Module H3C S9800 Series Switches H3C S5130 Series Switches H3C S5120 Series Switches