Tripp Lite 93-2879 User Manual

Page 121

LDAP

The Lightweight Directory Access Protocol (LDAP) is based on the X.500 standard, but is significantly simpler and more readily adapted to meet custom needs. The core LDAP specifications are all defined in RFCs. LDAP is a protocol used to access information stored in an LDAP server. Further information on configuring remote LDAP servers can be found at the following sites:

http://www.ldapman.org/articles/intro_to_ldap.html

http://www.ldapman.org/servers.html

http://www.linuxplanet.com/linuxplanet/tutorials/5050/1/

http://www.linuxplanet.com/linuxplanet/tutorials/5074/4/

9.1.5 RADIUS/TACACS user configuration

Users may be added to the local Console Server appliance. If a user who has not been added locally logs in via remote AAA, a user account is created for them automatically. This user will not show up in the configurators unless they are specifically added, at which point they are transformed into a completely local user. An automatically added user must authenticate via the remote AAA server, and will have no access if that server is down.

If a local user logs in, they may be authenticated/authorized by the remote AAA server, depending on the chosen priority of the remote AAA. A local user's authorization is the union of local and remote privileges.

Example 1:

User A is locally added, and has access to ports 1 and 2. He is also defined on a remote TACACS
server, which says he has access to ports 3 and 4. The user may log in with either his local or
TACACS password, and will have access to ports 1 through 4. If TACACS is down, he will need to
use his local password, and will only be able to access ports 1 and 2.

Example 2:

User B is only defined on the TACACS server, which says he has access to ports 5 and 6. When he
attempts to log in, a new user will be created for him, and he will be able to access ports 5 and
6. If the TACACS server is down, he will not have any access.

Example 3:

User C is defined on a RADIUS server only. He has access to all serial ports and network hosts.

Example 4:

User D is locally defined on an appliance using RADIUS for AAA. Even if the user is also defined
on the RADIUS server, he will only have access to those serial ports and network hosts he has
been authorized to use on the appliance.

If the "no local AAA" option is selected, root will still be authenticated locally.

Remote users may be added to the admin group via either RADIUS or TACACS. Users may have a set of authorizations configured on the remote TACACS server. Users automatically added by RADIUS have authorization for all resources, whereas those added locally still need their authorizations specified.

LDAP support is unchanged and still requires locally defined users.
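The rules above (union of local and remote privileges, fallback to the local password when the remote server is down, RADIUS-only users getting every resource, locally defined RADIUS users keeping only their local grants, and LDAP requiring a local account) are easy to misapply when planning access on a console server. The following is an added example, not code from the Tripp Lite appliance, that encodes Examples 1 through 4 as a single decision function so the outcome of a login can be tabulated before touching the device. The resource universe, the record layout, the `remote_up` flag and the treatment of LDAP as authentication-only with local authorization are assumptions made for illustration.

```python
"""Model of the effective-authorization rules described in section 9.1.5.

Added example, not firmware code from the console server.  Resource names,
record layout and the server-reachability flag are assumptions.
"""
from typing import FrozenSet, Optional

# Constructed resource universe for the examples (assumption: small appliance).
ALL_RESOURCES: FrozenSet[str] = frozenset(
    {f"port{n}" for n in range(1, 9)} | {"hostA", "hostB"}
)


def effective_access(
    username: str,
    local_perms: Optional[FrozenSet[str]],   # None = user not defined locally
    remote_proto: str,                        # "tacacs", "radius" or "ldap"
    remote_perms: Optional[FrozenSet[str]],   # None = not defined on remote server
    remote_up: bool,                          # assumption: reachability is known
    local_aaa: bool = True,                   # False models the "no local AAA" option
) -> Optional[FrozenSet[str]]:
    """Return the resources the login may use, or None if the login is denied."""
    remote_proto = remote_proto.lower()
    local_defined = local_perms is not None
    remote_defined = remote_perms is not None

    # root is always authenticated locally, even with "no local AAA" selected.
    if username == "root":
        return local_perms if local_defined else None

    # LDAP does not create users: a local record is mandatory and
    # authorization comes from that record (assumed: remote must answer).
    if remote_proto == "ldap":
        if not (local_defined and remote_defined and remote_up):
            return None
        return local_perms

    # RADIUS carries no per-resource authorization.  A RADIUS-only user is
    # auto-created with access to everything; a locally defined user keeps
    # only what the appliance granted (Example 4).
    if remote_proto == "radius":
        remote_grant = ALL_RESOURCES if (remote_defined and not local_defined) else frozenset()
    elif remote_proto == "tacacs":
        remote_grant = remote_perms if remote_defined else frozenset()
    else:
        raise ValueError(f"unknown AAA protocol {remote_proto!r}")

    if remote_up and remote_defined:
        # Authenticated by the remote server: union of local and remote privileges.
        return frozenset(local_perms or ()) | remote_grant
    if local_defined and local_aaa:
        # Remote server down or user unknown there: fall back to the local password.
        return local_perms
    # Remote-only user with the server unreachable, or local AAA disabled.
    return None


def ports(*numbers: int) -> FrozenSet[str]:
    """Build a constructed set of serial-port resource names."""
    return frozenset(f"port{n}" for n in numbers)


def manual_examples() -> dict:
    """Run the manual's Examples 1 to 4 through the model with constructed data."""
    return {
        "A_tacacs_up":   effective_access("userA", ports(1, 2), "tacacs", ports(3, 4), True),
        "A_tacacs_down": effective_access("userA", ports(1, 2), "tacacs", ports(3, 4), False),
        "B_tacacs_up":   effective_access("userB", None, "tacacs", ports(5, 6), True),
        "B_tacacs_down": effective_access("userB", None, "tacacs", ports(5, 6), False),
        "C_radius_up":   effective_access("userC", None, "radius", frozenset(), True),
        "D_radius_up":   effective_access("userD", ports(7), "radius", frozenset(), True),
    }


if __name__ == "__main__":
    for case, granted in manual_examples().items():
        print(f"{case:15s} -> {'DENIED' if granted is None else sorted(granted)}")
```

The value of the model is in the fallback rows: a locally defined TACACS user silently drops from ports 1 through 4 to ports 1 and 2 when the server is unreachable, and a RADIUS-only user is locked out entirely, so any break-glass plan for the console server should rely on a locally defined account (or root) rather than on remote-only users.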
