Cisco Cisco Expressway Maintenance Manual
Configuring remote account authentication using
LDAP
LDAP
The
LDAP configuration
page (
Users > LDAP configuration
) is used to configure an LDAP connection to
a remote directory service for administrator account authentication.
The configurable options are:
Field
Description
Usage tips
Remote account authentication
: this section allows you to enable or disable the use of LDAP for remote account
authentication.
Administrator
authentication
source
authentication
source
Defines where administrator login credentials are
authenticated.
authenticated.
Local only: credentials are verified against a local
database stored on the system.
database stored on the system.
Remote only: credentials are verified against an
external credentials directory.
external credentials directory.
Both: credentials are verified first against a local
database stored on the system, and then if no
matching account is found the external credentials
directory is used instead.
database stored on the system, and then if no
matching account is found the external credentials
directory is used instead.
The default is Local only.
Both allows you to continue to use
locally-defined accounts. This is useful
while troubleshooting any connection or
authorization issues with the LDAP
server.
locally-defined accounts. This is useful
while troubleshooting any connection or
authorization issues with the LDAP
server.
You cannot log in using a locally-
configured administrator account,
including the default admin account, if
Remote only authentication is in use.
Note: do not use Remote only if
Expressway is managed by Cisco TMS.
configured administrator account,
including the default admin account, if
Remote only authentication is in use.
Note: do not use Remote only if
Expressway is managed by Cisco TMS.
LDAP server configuration
: this section specifies the connection details to the LDAP server.
FQDN
address
resolution
address
resolution
Defines how the LDAP server address is resolved.
SRV record: DNS SRV record lookup.
Address record: DNS A or AAAA record lookup.
IP address: entered directly as an IP address.
The default is Address record.
Note: if you use SRV records, ensure that the
records use the standard ports for LDAP. _ldap._
tcp.<domain>
records use the standard ports for LDAP. _ldap._
tcp.<domain>
must use 389 and _ldaps._
tcp.<domain>
must use 636. The Expressway
does not support other port numbers for LDAP.
The SRV lookup is for either _ldap._tcp
or _ldaps._tcp records, depending on
whether Encryption is enabled. If
multiple servers are returned, the priority
and weight of each SRV record
determines the order in which the
servers are used.
or _ldaps._tcp records, depending on
whether Encryption is enabled. If
multiple servers are returned, the priority
and weight of each SRV record
determines the order in which the
servers are used.
Host name
and Domain
and Domain
or
Server
address
address
The way in which the server address is specified
depends on the FQDN address resolution setting:
depends on the FQDN address resolution setting:
SRV record: only the Domain portion of the server
address is required.
address is required.
Address record: enter the Host name and Domain.
These are then combined to provide the full server
address for the DNS address record lookup.
These are then combined to provide the full server
address for the DNS address record lookup.
IP address: the Server address is entered directly
as an IP address.
as an IP address.
If using TLS, the address entered here
must match the CN (common name)
contained within the certificate
presented by the LDAP server.
must match the CN (common name)
contained within the certificate
presented by the LDAP server.
Port
The IP port to use on the LDAP server.
Non-secure connections use 389 and
secure connections use 636.
secure connections use 636.
Cisco Expressway Administrator Guide (X8.5)
Page 202 of 394
User accounts
Configuring remote account authentication using LDAP