Configuring LDAP authentication

LDAP is disabled by default and must be explicitly enabled. To use LDAP authentication on the router, configure one or more LDAP servers on the network.

TLS certificates and clients must also be configured. For more information about configuring TLS, see TLS.

Use the following CLI commands to configure LDAP.

CLI syntax:

config>system>security>ldap
   [no] public-key-authentication
   [no] retry
   [no] server
   [no] shutdown
   [no] timeout
   [no] use-default-template

config>system>security>password
  authentication-order [method] exit-on-reject

config>system>security>ldap
  public-key-authentication
  server server-index create
    address ip-address port port
    bind-authentication root-dn [password password] [hash | hash2 | custom]
    ldap-server server-name
    search base-dn
    tls-profile tls-profile-name
    no shutdown
  exit
  no shutdown

The following displays an LDAP authentication configuration example:

A:SwSim14>config>system>security>ldap#
----------------------------------------------
    [no] public-key-authentication
    [no] retry
    [no] server
    [no] shutdown
    [no] timeout
    [no] use-default-template
----------------------------------------------
*A:SwSim14>config>system>security>password#
----------------------------------------------
    authentication-order [local | radius | tacplus | ldap] exit-on-reject
----------------------------------------------
*A:SwSim14>config>system>security>ldap# info
----------------------------------------------
    public-key-authentication
    server 1 create
        address 10.1.1.1
        bind-authentication "cn=administrator,cn=users,dc=nacblr2,dc=example,dc=com" password
        ldap-server "active-server"
        search "dc=sns,dc=example,dc=com"
        tls-profile "server-1-profile"
        no shutdown
    exit
    no shutdown
----------------------------------------------
*A:SwSim8>config>system>security>tls# info
----------------------------------------------
    client-tls-profile "server-1-profile" create
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
        no shutdown
    exit
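As an added check that is not part of Nokia's documentation or software, the script below parses an `info` dump in the indentation-based block format shown above and reports settings that leave LDAP authentication disabled or send the bind DN and password without TLS: `ldap` still shut down, no server, `ldap` absent from `authentication-order`, a server without a `tls-profile`, a profile that is not defined under `tls`, or a profile with no `trust-anchor-profile` (so the server certificate cannot be validated). The keywords it looks for are the ones in the CLI syntax on this page; the sample input is constructed, with server 2 deliberately left without a `tls-profile` so there is something to flag.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample modelled on the info output above; server 2 is
# deliberately left without a tls-profile so the check has something to flag.
SAMPLE = """\
password
    authentication-order ldap local exit-on-reject
exit
ldap
    server 1 create
        address 10.1.1.1
        bind-authentication "cn=administrator,cn=users,dc=example,dc=com" password "REDACTED" hash2
        search "dc=sns,dc=example,dc=com"
        tls-profile "server-1-profile"
        no shutdown
    exit
    server 2 create
        address 10.1.1.2
        search "dc=sns,dc=example,dc=com"
        no shutdown
    exit
    no shutdown
exit
tls
    client-tls-profile "server-1-profile" create
        trust-anchor-profile "server-1-ca"
        no shutdown
    exit
exit
"""

@dataclass
class Node:
    words: list                       # tokens of one configuration line
    children: list = field(default_factory=list)

    def find(self, *prefix):
        """Children whose leading words equal prefix, e.g. find('no', 'shutdown')."""
        n = len(prefix)
        return [c for c in self.children if tuple(c.words[:n]) == prefix]

def parse(text):
    """Build the tree from indentation alone; 'exit' lines add nothing."""
    root = Node([])
    stack = [(-1, root)]              # (indent, node) of each open context
    for raw in text.splitlines():
        if not raw.strip():
            continue
        words = shlex.split(raw)      # quoted DNs and names stay one token
        if words == ["exit"]:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        node = Node(words)
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root

def lint(text):
    """Return findings that leave LDAP authentication unusable or unprotected."""
    root, out = parse(text), []
    order = [w for pw in root.find("password")
             for ao in pw.find("authentication-order") for w in ao.words[1:]]
    if "ldap" not in order:
        out.append("password: authentication-order does not include ldap")
    ctx = root.find("ldap")
    if not ctx:
        return out + ["ldap: context missing (LDAP is disabled by default)"]
    ldap = ctx[0]
    if not ldap.find("no", "shutdown"):
        out.append("ldap: context is shut down; add 'no shutdown'")
    profiles = {p.words[1]: p for t in root.find("tls")
                for p in t.find("client-tls-profile") if len(p.words) > 1}
    servers = ldap.find("server")
    if not servers:
        out.append("ldap: no server configured")
    for srv in servers:
        tag = f"server {srv.words[1]}"
        if not srv.find("no", "shutdown"):
            out.append(f"{tag}: shut down")
        ref = srv.find("tls-profile")
        if not ref:
            out.append(f"{tag}: no tls-profile, bind DN and password would cross "
                       "the network in cleartext")
            continue
        name = ref[0].words[1]
        prof = profiles.get(name)
        if prof is None:
            out.append(f"{tag}: tls-profile {name!r} is not defined under tls")
        elif not prof.find("trust-anchor-profile"):
            out.append(f"{tag}: tls-profile {name!r} has no trust-anchor-profile, "
                       "so the server certificate cannot be validated")
        elif not prof.find("no", "shutdown"):
            out.append(f"{tag}: tls-profile {name!r} is shut down")
    return out
```

Run `lint(SAMPLE)` on the constructed dump and it reports only server 2; feed it the output of `info` from the `ldap`, `password` and `tls` contexts of a real router to compare the intended configuration against what is actually committed. The parser relies only on indentation, which is why the `exit` lines can be ignored.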