Ldap configuration and microsoft active directory – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual


d) When selecting items from the Add Return List Attribute, select Brocade-Auth-Role and type the string Admin. The string you type equals the role on the switch.

e) Add the Brocade profile.

f) In RSA Authentication Manager, edit the user records that will be authenticated using RSA SecurID.

LDAP configuration and Microsoft Active Directory

LDAP provides user authentication and authorization using the Microsoft Active Directory service or using OpenLDAP in conjunction with LDAP on the switch. This section discusses authentication and authorization using Microsoft Active Directory. For information about authentication and authorization using OpenLDAP, refer to LDAP configuration and OpenLDAP on page 162.

Two operational modes exist in LDAP authentication, FIPS mode and non-FIPS mode. This section discusses LDAP authentication in non-FIPS mode. For more information on LDAP in FIPS mode, refer to Configuring Security Policies on page 209. The following are restrictions when using LDAP in non-FIPS mode:

• There is no password change through Active Directory.
• There is no automatic migration of newly created users from the local switch database to Active Directory. This is a manual process explained later.
• Only IPv4 is supported for LDAP on Windows 2000 and LDAP on Windows Server 2003. For LDAP on Windows Server 2008, both IPv4 and IPv6 are supported.
• LDAP authentication is used on the local switch only and not for the entire fabric.
• You can use the User-Principal-Name and not the Common-Name for AD LDAP authentication. To provide backward compatibility, authentication based on the Common Name is still supported for Active Directory LDAP 2000 and 2003. Common Name-based authentication is not recommended for new installations.
• A user can belong to multiple groups as long as one of the groups is the primary group. The primary group in the AD server should not be set to the group corresponding to the switch role. You can choose any other group.
• A user can be part of any Organizational Unit (OU).
• Active Directory LDAP 2000, 2003, and 2008 are supported.

When authentication is performed by User-Principal-Name, in Fabric OS 7.1.0 and later releases, the suffix part of the name (the @domain-name part) can be omitted when the user logs in. If the suffix part of the User-Principal-Name is omitted, the domain name configured for the LDAP server (in the aaaConfig --add command) is appended and the resulting name is used for authentication.

Roles for Brocade-specific users can be added through the Microsoft Management Console. Groups created in Active Directory must correspond directly to the RBAC user roles on the switch. Role assignments can be achieved by including the user in the respective group. A user can be assigned to multiple groups such as Switch Admin and Security Admin. For LDAP servers, you can use the ldapCfg --maprole command to map LDAP server permissions to one of the default roles available on a switch. For more information on RBAC roles, refer to Role-Based Access Control on page 134.
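The following is an added illustration, not Brocade code, of the two behaviours this section describes: completing a User-Principal-Name whose @domain suffix was omitted with the domain configured for the LDAP server, and deriving switch roles from Active Directory group membership, together with a check for the primary-group restriction listed above. The group DNs, the role identifiers and all function names are assumptions.

```python
"""Model of UPN completion and AD-group-to-role mapping (illustration only)."""
from dataclasses import dataclass, field

# Constructed example mapping: AD group DN -> switch role identifier.
# The page requires AD groups to correspond to RBAC roles on the switch
# (or be mapped with ldapCfg --maprole); the identifiers here are assumed.
GROUP_TO_ROLE = {
    "CN=Switch Admin,OU=Fabric,DC=example,DC=com": "switchadmin",
    "CN=Security Admin,OU=Fabric,DC=example,DC=com": "securityadmin",
}


@dataclass
class ADUser:
    user_principal_name: str              # e.g. "alice@example.com"
    primary_group: str                    # DN of the AD primary group
    member_of: list = field(default_factory=list)   # DNs of other groups


def complete_upn(login: str, configured_domain: str) -> str:
    """Return the User-Principal-Name used for authentication.

    Fabric OS 7.1.0 and later let the user omit the "@domain" suffix; the
    domain given to aaaConfig --add is appended in that case.
    """
    if "@" in login:
        return login
    return f"{login}@{configured_domain}"


def resolve_roles(user: ADUser, group_to_role: dict = GROUP_TO_ROLE) -> list:
    """Map group membership to switch roles (sorted, duplicates removed)."""
    roles = {group_to_role[g] for g in user.member_of if g in group_to_role}
    return sorted(roles)


def check_user_record(user: ADUser, group_to_role: dict = GROUP_TO_ROLE) -> list:
    """Return warnings for record layouts the page says will not work.

    The AD primary group must not be the group corresponding to the switch
    role; role membership has to come from an additional group.
    """
    warnings = []
    if user.primary_group in group_to_role:
        warnings.append(f"primary group {user.primary_group!r} is a switch-role "
                        "group; choose a different primary group")
    if not resolve_roles(user, group_to_role):
        warnings.append("user is not a member of any group mapped to a switch role")
    return warnings
```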

NOTE
All instructions involving Microsoft Active Directory can be obtained from www.microsoft.com or your Microsoft documentation. Confer with your system or network administrator prior to configuration for any special needs your network environment may have.

Configuring Microsoft Active Directory LDAP service

The following is an overview of the process used to set up LDAP.

LDAP configuration and Microsoft Active Directory

160

Fabric OS Administrators Guide

53-1003130-01
