Brocade Communications Systems 53-1001763-02 사용자 설명서
Fabric OS Administrator’s Guide
111
53-1001763-02
The authentication model using RADIUS and LDAP
5
d. Add the Brocade profile.
e. In RSA Authentication Manager, edit the user records that will be authenticating using RSA
SecurID.
LDAP configuration and Microsoft Active Directory
LDAP provides user authentication and authorization using the Microsoft Active Directory service in
conjunction with LDAP on the switch. There are two modes of operation in LDAP authentication,
FIPS mode and non-FIPS mode. This section discusses LDAP authentication in non-FIPS mode. For
more information on LDAP in FIPS mode, refer to
conjunction with LDAP on the switch. There are two modes of operation in LDAP authentication,
FIPS mode and non-FIPS mode. This section discusses LDAP authentication in non-FIPS mode. For
more information on LDAP in FIPS mode, refer to
. The
following are restrictions when using LDAP in non-FIPS mode:
•
There is no password change through Active Directory.
•
There is no automatic migration of newly created users from the local switch database to
Active Directory. This is a manual process explained later.
Active Directory. This is a manual process explained later.
•
Only IPv4 is supported for LDAP.
•
LDAP authentication is used on the local switch only and not for the entire fabric.
•
You can use the User-Principal-Name and not the Common-Name for AD LDAP authentication.
To provide backward compatibility, authentication based on the Common Name is still
supported for Active Directory LDAP 2000 and 2003. Common Name based-authentication is
not recommended for new installations.
To provide backward compatibility, authentication based on the Common Name is still
supported for Active Directory LDAP 2000 and 2003. Common Name based-authentication is
not recommended for new installations.
•
A user can belong to multiple groups as long as one of the groups has the same name as the
Brocade role name. Among those groups, one group name must match with either the Brocade
role or be mapped to a switch role in the Brocade switch.
Brocade role name. Among those groups, one group name must match with either the Brocade
role or be mapped to a switch role in the Brocade switch.
•
A user can be part of any Organizational Unit (OU).
•
Active Directory LDAP 2000, 2003, and 2003 is supported.
Roles for Brocade-specific users can be added through the Microsoft Management Console.
Groups created in Active Directory must correspond directly to the RBAC user roles on the switch.
Role assignments can be achieved by including the user in the respective group. A user can be
assigned to multiple groups like Switch Admin and Security Admin. For LDAP servers, you can use
the ldapCfg
Groups created in Active Directory must correspond directly to the RBAC user roles on the switch.
Role assignments can be achieved by including the user in the respective group. A user can be
assigned to multiple groups like Switch Admin and Security Admin. For LDAP servers, you can use
the ldapCfg
-–
maprole ldap_role name switch_role command to map an LDAP server role to one of
the default roles available on a switch. For more information on RBAC roles, see
NOTE
All instructions involving Microsoft Active Directory can be obtained from www.microsoft.com or your
Microsoft documentation. Confer with your system or network administrator prior to configuration
for any special needs your network environment may have.
Microsoft documentation. Confer with your system or network administrator prior to configuration
for any special needs your network environment may have.
Following is the overview of the process used to set up LDAP:
1. Install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP.
Follow Microsoft instructions for generating and installing CA certificates on a Windows server.
2. Create a user in Microsoft Active Directory server.
For instructions on how to create a user, refer to www.microsoft.com or Microsoft
documentation to create a user in your Active Directory.
documentation to create a user in your Active Directory.