How to configure LDAP authentication on Crossbeam X-Series

Article ID: 168017

Products

XOS

Issue/Introduction

How to configure LDAP authentication on Crossbeam X-Series.

Cause

This solution applies to any customer who wants to use LDAP authentication with the Crossbeam X-Series.
It describes all the required steps.

Resolution

Network Diagram

Crossbeam X series CPM ---- network --- LDAP Server

In our test network, the CPM and LDAP server are attached to the same IP subnet, so no particular route entry is needed. A customer with a different network configuration may need to set up CPM routing differently.


Technical Overview

LDAP is a directory service protocol. The directory it exposes can hold different kinds of elements: user entries, accounts, groups, profile information and even X.509 certificate data. The LDAP architecture is based on a directory server listening on port 389; a secured LDAP protocol exists on port 689, but the Crossbeam X-Series Platform does not support it at this time.

LDAP identifies a given user account by a Distinguished Name (DN), which serves as a unique reference to that account. A distinguished name has the form: cn=usera,ou=lab,dc=acme,dc=com


Specific Notes

Microsoft Active Directory is Microsoft's LDAP implementation. However, because of the current Microsoft AD schemas, using LDAP authentication against this implementation is not recommended; RADIUS authentication should be used instead.

An LDAP server may serve many Organisational Units (OUs), that is, different departments within the same company. Access to the Crossbeam machine can be restricted to LDAP accounts within one specific OU.
If the DN is configured as DN:"ou=lab,dc=crossbeamsystems,dc=com", only users within the "lab" OU will be matched. Any other user, even one that exists in the LDAP directory under a different OU and has been configured on the Crossbeam, will be refused.

To ensure authentication works irrespective of the OU, the network administrator may instead bind the Crossbeam's root DN to the following: DN:"dc=crossbeamsystems,dc=com"

If the network administrator makes that choice, security is then enforced at the Crossbeam level, based on whether each user has been granted the right to access the Crossbeam system (simply configure the user, or do not).


Configuration Steps

1) On the LDAP server, identify the DN for the user to be authenticated on the Crossbeam chassis.

For example: dn=ou=lab,dc=crossbeamsystems,dc=com

2) Configure a user on the LDAP server and note the username.
3) Configure a user on the X-Series chassis that will be authenticated by the LDAP server:

    configure username ldaptest max-days 65535 privilege <0-15>

Key in any password (this becomes the fallback password for this user).

4) On the Crossbeam chassis, configure the LDAP server and the specific distinguished name (DN):

    configure ldap-server 192.168.128.1
    configure ldap-parameter version 3 distinguished-name 'ou=lab,dc=crossbeamsystems,dc=com'


5) Try to log on to the Crossbeam over an SSH or console connection, using the password stored in the LDAP directory.


Configuration Summary

username radius privilege 15 gui-level guest maxdays 65535
username admin privilege 15 gui-level administrator maxdays 65535
username ldaptest privilege 15 gui-level guest maxdays 65535
username corpldap privilege 15 gui-level guest maxdays 65535


ldap-server 192.168.128.1
ldap-parameter version 3 distinguished-name 'ou=lab,dc=crossbeamsystems,dc=com'



Troubleshooting

You can troubleshoot LDAP authentication from the LDAP server side; with OpenLDAP, use its standard logging.


Working Result

Dec 24 17:38:54 simba slapd[16733]: conn=78 fd=15 ACCEPT from IP=192.168.128.201:32865 (IP=0.0.0.0:389)
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=0 BIND dn="" method=128
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=0 RESULT tag=97 err=0 text=
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=1 SRCH base="ou=lab,dc=crossbeamsystems,dc=com" scope=2 deref=0 filter="(uid=ldaptest)"
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=2 BIND dn="cn=ldap test,ou=lab,dc=crossbeamsystems,dc=com" method=128
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=2 BIND dn="cn=ldap test,ou=lab,dc=crossbeamsystems,dc=com" mech=SIMPLE ssf=0
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=2 RESULT tag=97 err=0 text=
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=3 BIND anonymous mech=implicit ssf=0
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=3 BIND dn="" method=128
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=3 RESULT tag=97 err=0 text=

---


Non-existent user, or user not under the DN root:

Dec 24 17:39:09 simba slapd[16733]: conn=79 op=0 BIND dn="" method=128
Dec 24 17:39:09 simba slapd[16733]: conn=79 op=0 RESULT tag=97 err=0 text=
Dec 24 17:39:09 simba slapd[16733]: conn=79 fd=20 ACCEPT from IP=192.168.128.201:32866 (IP=0.0.0.0:389)
Dec 24 17:39:09 simba slapd[16733]: conn=79 op=1 SRCH base="ou=lab,dc=crossbeamsystems,dc=com" scope=2 deref=0 filter="(uid=nouser)"
Dec 24 17:39:09 simba slapd[16733]: conn=79 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
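The slapd lines above show the two-step flow the chassis performs (anonymous search of the base DN for the uid, then a simple bind as the DN that was found), and the Specific Notes section explains how the base DN scopes which users can match. The following added example (not part of the original article or of XOS) replays that flow from a constructed log sample to tell apart "user not under the base DN" from "wrong password", and includes an is_under_base helper that applies the OU-scoping rule to a DN; it assumes the (uid=...) filter format shown in the article.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the article's slapd output (not a real capture); conn=80 adds a wrong-password case.
SAMPLE_LOG = """\
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=1 SRCH base="ou=lab,dc=crossbeamsystems,dc=com" scope=2 deref=0 filter="(uid=ldaptest)"
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=2 BIND dn="cn=ldap test,ou=lab,dc=crossbeamsystems,dc=com" method=128
Dec 24 17:38:54 simba slapd[16733]: conn=78 op=2 RESULT tag=97 err=0 text=
Dec 24 17:39:09 simba slapd[16733]: conn=79 op=1 SRCH base="ou=lab,dc=crossbeamsystems,dc=com" scope=2 deref=0 filter="(uid=nouser)"
Dec 24 17:39:09 simba slapd[16733]: conn=79 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 24 17:39:30 simba slapd[16733]: conn=80 op=1 SRCH base="ou=lab,dc=crossbeamsystems,dc=com" scope=2 deref=0 filter="(uid=ldaptest)"
Dec 24 17:39:30 simba slapd[16733]: conn=80 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 24 17:39:30 simba slapd[16733]: conn=80 op=2 BIND dn="cn=ldap test,ou=lab,dc=crossbeamsystems,dc=com" method=128
Dec 24 17:39:30 simba slapd[16733]: conn=80 op=2 RESULT tag=97 err=49 text=
"""
LINE_RE = re.compile(r'conn=(\d+) op=(\d+) (.*)$')

def is_under_base(dn, base):
    """True if dn equals base or lies below it: the OU-scoping rule from Specific Notes."""
    d = [p.strip().lower() for p in dn.split(',')]
    b = [p.strip().lower() for p in base.split(',')]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def classify(c):
    """Map one connection's parsed fields to a human-readable outcome."""
    if c.get('nentries', 0) == 0:
        return 'user not found under base DN ' + c['base']
    if 'bind_err' not in c:
        return 'user found, no credential bind seen'
    if c['bind_err'] != 0:
        return 'bind failed, LDAP result code %d' % c['bind_err']  # 49 = invalidCredentials
    return 'authenticated as ' + c['bind_dn']

def analyse(log_text):
    """Group slapd lines per connection, replay search-then-bind, classify each login by conn id."""
    conns = defaultdict(dict)
    for line in log_text.splitlines():
        if not (m := LINE_RE.search(line)):
            continue  # ACCEPT lines and anything without an op number
        conn, op, rest = m.groups()
        c = conns[conn]
        if rest.startswith('SRCH '):  # step 1: anonymous search of the base DN for the uid
            c['base'], c['uid'] = re.search(r'base="([^"]*)".*filter="\(uid=([^)]*)\)"', rest).groups()
        elif rest.startswith('SEARCH RESULT'):
            c['nentries'] = int(re.search(r'nentries=(\d+)', rest).group(1))
        elif rest.startswith('BIND dn="') and 'dn=""' not in rest:  # step 2: bind as the DN found (skip anonymous binds)
            c['bind_dn'], c['bind_op'] = re.search(r'dn="([^"]*)"', rest).group(1), op
        elif rest.startswith('RESULT') and c.get('bind_op') == op:
            c['bind_err'] = int(re.search(r'err=(\d+)', rest).group(1))
    return {conn: classify(c) for conn, c in conns.items() if 'uid' in c}
```

Feed real slapd output to analyse() to get one verdict per connection; nentries=0 means the account is outside the configured base DN (or does not exist), while a non-zero bind result code means the account was found but the credentials were rejected.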

Workaround

N/A