LDAP

Introduction

LDAP (Lightweight Directory Access Protocol) is a directory service for centralizing management of users, groups, hostnames and other resources (called objects). This service on the appliance acts as an LDAP client so that:

LDAP users can login to FTP and HTTP/WebDAV.
LDAP user names (instead of numerical ids) can be used to configure root directory ACLs on a share.
LDAP users can be granted privileges for appliance administration. The appliance supplements LDAP information with its own privilege settings.

Properties

Consult your LDAP server administrator for the appropriate settings for your environment.

Property	Description
Protect LDAP traffic with SSL/TLS	Use TLS (Transport Layer Security, the descendant of SSL) to establish secure connections to the LDAP server
Base search DN	Distinguished name of the base object, the starting point for directory searches.
Search scope	Which objects in the LDAP directory are searched, relative to the base object. Search results can be limited only to objects directly beneath the base search object (one-level) or they can include any object beneath the base search object (subtree). The default is one-level.
Authentication method	Method used to authenticate the appliance to the LDAP server. The appliance supports Simple (RFC 4513), SASL/DIGEST-MD5, and SASL/GSSAPI authentication. If the Simple authentication method is used, SSL/TLS should be enabled so that the user's DN and password are not sent in plaintext. When using the SASL/GSSAPI authentication method, only the self bind credential level is available.
Bind credential level	Credentials used to authenticate the appliance to the LDAP server. "Anonymous" gives the appliance access only to data that is available to everyone. "Proxy" directs the service to bind via a specified account. "Self" authenticates the appliance using local authentication. Self authentication can only be used with the SASL/GSSAPI authentication method.
Proxy DN	Distinguished name of account used for proxy authentication.
Proxy Password	Password for account used for proxy authentication.
Schema definition	Schema used by the appliance. This property allows administrators to override the default search descriptor, attribute mappings, and object class mappings for users and groups. See "Custom Mappings" below.
Servers	List of LDAP servers to use. If only one server is specified, the appliance will only use that one server and LDAP services will be unavailable if that server fails. If multiple servers are specified, any functioning server may be used at any time without preference. If any server fails, another server in the list will be used. LDAP services will remain available unless all specified servers fail.

Changing services properties is documented in the BUI and CLI sections of Services.

Custom Mappings

To lookup users and groups in the LDAP directory, the appliance uses a search descriptor and must know which object classes correspond to users and groups and which attributes correspond to the properties needed. By default, the appliance uses object classes specified by RFC 2307 (posixAccount and posixGroup) and the default search descriptors shown below, but this can be customized for different environments. The base search DN used in the examples below is dc=example,dc=com:

Search descriptor	Default value	Example
users	ou=people,base search DN	ou=people,dc=example,dc=com
groups	ou=group,base search DN	ou=group,dc=example,dc=com

The search descriptor, object classes, and attributes used can be customized using the Schema definition property. To override the default search descriptor, enter the entire DN you wish to use. The appliance will use this value unmodified, and will ignore the values of the Base search DN and Search scope properties. To override user and group attributes and objects, choose the appropriate tab ("Users" or "Groups") and specify mappings using the default = new syntax, where default is the default value and new is the value you want to use. For examples:

To use unixaccount instead of posixAccount as the user object class, enter posixAccount = unixaccount in Object class mappings on the Users tab.
To use employeenumber instead of uid as the attribute for user objects, enter uid = employeenumber in Attribute mappings on the Users tab.
To use unixgroup instead of posixGroup as the group object class, type posixGroup = unixgroup in Object class mappings on the Groups tab.
To use groupaccount instead of cn as the attribute for group objects, enter cn = groupaccount in Attribute mappings on the Groups tab.

Logs

Log	Description
appliance-kit-nsswitch:default	Log of the appliance name service, through which LDAP queries are made

To view service logs, refer to the Logs section from Services.

Tasks

The following are example tasks. See the BUI and CLI sections for how these tasks apply to each interface method.

LDAP Tasks

Adding an appliance administrator from LDAP

If you have an existing user in LDAP who would like to login using their LDAP credentials and administer the appliance:

Go to Configuration->Services->LDAP
Set the LDAP service properties.
Apply/commit the configuration.
Go to Configuration->Users
Add user with type "directory"
Set username to their LDAP username
Continue with the instructions in Users for adding authorizations to this user.

Skip Navigation Links
Exit Print View
	Sun ZFS Storage 7000 System Administration Guide