2.4.1.6 LDAP CLI Authentication Configuration

This section describes how to configure LDAP authentication for CLI users on the DSR system using the ldapCliAuthentication.sh script. The script allows users to connect to an LDAP server by providing the necessary configurations. Additionally, LDAP authentication can be extended to GUI users by configuring the LDAP server in the DSR GUI.

Assumptions

  • LDAP Authentication will be applicable only to newly created users. Default users such as admusr and root remain unaffected by LDAP Authentication.
  • Access to sudo and other administrative commands for an LDAP user depends on the user's group permissions. DSR provides a mechanism to add LDAP users to system groups.
  • To support both CLI and GUI Authentication for LDAP users, DSR assumes that the same LDAP server is configured on both CLI and GUI.
  • If only CLI Authentication is required, configure LDAP for CLI by running the ./ldapCliAuthentication script as described in the steps below.
  • If the system is not using a DNS server or IP address for the LDAP server, the LDAP server must be added to the /etc/hosts file. See Configuring /etc/hosts section to update /etc/hosts using a script.
  • In case of multiple LDAP servers, the base DN must be identical across all the LDAP servers.
  • In case of multiple LDAP servers, the first available server in the configuration is used to perform the authentication. Secondary servers are only used if the first server is unreachable.
  • LDAP user IDs must not conflict with existing user IDs present in the DSR system.
  • Users created in the LDAP server must have a UID between 5 and 32 characters long. There is no restriction on username length at the DSR CLI level; however, this limit should be followed to remain consistent with the username length in the DSR GUI.
  • The default login attribute for LDAP users is UID and default filter is objectClass=posixAccount. These settings are not currently changeable.

    Table 2-51 LDAP Authentication

    LDAP Authentication                             Configuration
    LDAP authentication for DSR GUI                 LDAP authentication for DSR GUI
    LDAP Authentication on DSR GUI as well as CLI   LDAP Authentication on DSR GUI as well as CLI
    LDAP Authentication on DSR CLI                  LDAP Authentication on DSR CLI
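
A pre-flight check for the assumptions listed above (UID length of 5 to 32 characters, no clash with existing local users, entries matched by objectClass=posixAccount), as an added example that is not part of the DSR tooling. It assumes the LDAP entries were exported to an LDIF file and compares them with a passwd-format file; the function names, file names and sample entries are constructed, and treating "user ID" as both the login name and the numeric uidNumber is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not part of the DSR tooling): check LDAP accounts against the
# assumptions listed above before enabling LDAP CLI authentication.
# Usage: check_ldap_users LDIF_FILE PASSWD_FILE
# Prints "FAIL <uid>: <reason>" per violation and returns 1 if any was found.
# Simplification: folded and base64 ("uid:: ...") LDIF values are not handled.
check_ldap_users() {
  awk '
    function report(who, why) { print "FAIL " who ": " why; bad = 1 }
    function flush(   n) {              # evaluate the LDIF entry just read
      if (posix) {                      # default filter: objectClass=posixAccount
        n = length(uid)                 # default login attribute: uid
        if (n < 5 || n > 32) report(uid, "uid length " n " is outside 5-32")
        if (uid in names)    report(uid, "login name already exists locally")
        if (num != "" && (num in nums))
          report(uid, "uidNumber " num " belongs to local user " nums[num])
      }
      uid = num = ""; posix = 0
    }
    src == "passwd" { names[$1] = 1; nums[$3] = $1; next }
    /^$/            { flush(); next }   # a blank line ends an LDIF entry
    tolower($1) == "objectclass" && tolower($2) == "posixaccount" { posix = 1 }
    tolower($1) == "uid"       { uid = $2 }
    tolower($1) == "uidnumber" { num = $2 }
    END { flush(); exit bad + 0 }
  ' FS=: src=passwd "$2" FS=": " src=ldif "$1"
}

# Constructed sample data: a local passwd extract and five LDAP entries.
write_samples() {   # $1 = directory that receives passwd.sample and users.ldif
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'admusr:x:1000:1000::/home/admusr:/bin/bash' > "$1/passwd.sample"
  printf '%s\n' 'dn: uid=alice.ops,ou=people,dc=example,dc=com' \
    'objectClass: posixAccount' 'uid: alice.ops' 'uidNumber: 20001' '' \
    'dn: uid=bob,ou=people,dc=example,dc=com' \
    'objectClass: posixAccount' 'uid: bob' 'uidNumber: 20002' '' \
    'dn: uid=admusr,ou=people,dc=example,dc=com' \
    'objectClass: posixAccount' 'uid: admusr' 'uidNumber: 20003' '' \
    'dn: uid=carol.noc,ou=people,dc=example,dc=com' \
    'objectClass: posixAccount' 'uid: carol.noc' 'uidNumber: 1000' '' \
    'dn: uid=tmp,ou=people,dc=example,dc=com' \
    'objectClass: inetOrgPerson' 'uid: tmp' > "$1/users.ldif"
}

d=$(mktemp -d) && write_samples "$d"
check_ldap_users "$d/users.ldif" "$d/passwd.sample" || echo "resolve the FAIL lines first"
```

The last sample entry is not a posixAccount, so the default filter would not match it and the check ignores its short uid.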

LDAP Authentication for DSR GUI

Perform the following steps to enable LDAP authentication for DSR GUI:

  1. For configuring LDAP server on GUI, see LDAP Authentication Fields.
  2. For configuring LDAP user on the GUI, see Viewing User Account Information.

    Note:

    • These steps are identical to those used in previous DSR releases.
    • GUI Authentication is only supported for A and B-level servers.

LDAP Authentication on DSR CLI

Perform the following steps to enable LDAP Authentication on DSR CLI:

  1. Configure /etc/hosts following the Configuring /etc/hosts section if required (Optional).
  2. Configure LDAP for CLI by running the ldapCliAuthentication script as given in the Configuring LDAP Authentication for CLI section.

    Note:

    CLI Authentication is supported for all the servers of the topology.

LDAP Authentication on DSR GUI as well as CLI

Perform the following steps to enable LDAP Authentication on DSR GUI as well as CLI:

  1. Configure /etc/hosts following the section Configuring /etc/hosts (Optional).
  2. Configure LDAP for CLI by running the ldapCliAuthentication script as mentioned in the following section Configuring LDAP Authentication for CLI.
  3. For configuring LDAP server on GUI, see LDAP Authentication Fields.
  4. For configuring LDAP user on the GUI, see Viewing User Account Information.

    Note:

    This enables GUI authentication using LDAP on the A-level and B-level servers, and LDAP CLI Authentication on all the servers (A-level/B-level/C-level) of the topology.