
AMX NX-1200 User Manual

145 pages
Appendix A: LDAP Implementation Details
NX-Series Controllers - WebConsole & Programming Guide
Overview
The process of verifying credentials and obtaining user authorization is designed to support most organizations' requirements for 'least privilege'. The account used to search LDAP to provide user objects for authentication never needs access to user information. Authorization lookups are performed as the authenticated user, so no elevated permission is required.
Changes to LDAP Implementation (v1.4.x)
There are numerous changes to LDAP configuration when you upgrade your Master’s firmware to version 1.4.x or higher.
Upgrading from version 1.3.x to 1.4.x may require you to make changes to the configuration on your LDAP server.
When a remote directory service is enabled, the Master maps a user's group memberships in the LDAP database to a locally-defined Role. A Role is a set of privileges or permissions assigned to one or more users. See the Security - Roles section on page 47 for more information.
The common name of the LDAP group on the LDAP server must match the name of the Role assigned to the user on the Master.
ICSP permission is granted for Device-type users, and only when the user is granted the Firmware/Software Update permission. See the Role Permissions section on page 48 for more information.
Device authentication is no longer checked against the remote LDAP server. All device authentication is performed locally.
Several changes were made to Active Directory and OpenLDAP configurations. See the Active Directory/OpenLDAP Setup section below for more details.
Active Directory/OpenLDAP Setup
Unix Identity Module on Active Directory or OpenLDAP must use posixAccount for user and group memberships. For
OpenLDAP, you can add posixAccount to each entry that requires SSH/SFTP authentication. inetOrgPerson will continue
to work for FTP/HTTP/HTTPS/Program Port authentication.
When adding posixAccount to an existing entry, you may be asked for a uidNumber or gidNumber. These numbers must be unique for each user (uidNumber) or group (gidNumber); however, the actual values do not matter to the NX-controller. When creating the attributes, consider the following rules:
uidNumber must be unique for each user (often enforced by the server).
gidNumber must be unique for each group.
homeDirectory can be anything (typically it is /home/<cn>, but you can also use /bin/false or /opt/amx/user).
NOTE: If you have already installed Identity Management for Unix (IDMU) on your Windows Server, you can assign these attributes
using the tools for IDMU. However, if you do not have IDMU installed, you must enter the attributes manually.
Perform these steps to manually set the attributes:
1. In Windows, select Start | Control Panel | Administrative Tools. Select Active Directory Users and Computers.
2. In the Active Directory Users and Computers dialog, select Advanced Features from the View menu.
3. Create a new user or select an existing user.
4. Right-click the user to view the user's properties.
5. Click the Attribute tab.
6. Select gidNumber and click Edit.
7. Enter a gidNumber.
8. Select uidNumber and click Edit.
9. Enter a uidNumber.
10. Click OK to accept the changes, and click OK to close the user properties dialog.
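
The following is an added example, not part of the AMX manual: a check that can be run over an LDIF export of the directory after the attributes are set, flagging duplicate or missing uidNumber/gidNumber values, entries without posixAccount, and groups whose common name matches no Role. The Role names, the sample export, exact-case name matching, and the use of the posixGroup object class to recognize group entries are assumptions.

```python
ROLES = {"Operators", "Administrators"}  # hypothetical Role names defined on the Master
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uidNumber: 10001

dn: cn=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uidNumber: 10001

dn: cn=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=Operators,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: Operators
gidNumber: 5001

dn: cn=Guests,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: Guests
gidNumber: 5001
"""  # constructed export, trimmed to the attributes the audit reads

def parse_ldif(text):
    """Minimal reader: blank-line separated entries, no line folding or base64."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for key, _, value in (ln.partition(": ") for ln in block.splitlines()):
            entry.setdefault(key.lower(), []).append(value)
        yield entry

def audit(entries, roles):
    """Yield (dn, problem) pairs; groups are assumed to be posixGroup entries."""
    seen = {}  # (attribute, number) -> DN of the first entry that used it
    for e in entries:
        dn, classes = e["dn"][0], {c.lower() for c in e.get("objectclass", [])}
        attr = "gidNumber" if "posixgroup" in classes else "uidNumber"
        if attr == "gidNumber" and not set(e.get("cn", [])) & roles:  # exact match assumed
            yield dn, "group cn matches no Role on the Master"
        if not classes & {"posixgroup", "posixaccount"}:
            yield dn, "no posixAccount: SSH/SFTP authentication needs it"
            continue
        number = e.get(attr.lower(), [None])[0]
        first = seen.setdefault((attr, number), dn)
        if number is None or first != dn:
            yield dn, (f"{attr} {number} also on {first}" if number else f"missing {attr}")

if __name__ == "__main__":
    print(*audit(parse_ldif(SAMPLE_LDIF), ROLES), sep="\n")
```

An entry reported as lacking posixAccount can still authenticate over FTP/HTTP/HTTPS/Program Port if it is an inetOrgPerson, as described above.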
