LDAP Properties

For the appropriate settings for your environment, consult with your LDAP server administrator.

The tables in this section describe LDAP schema properties, security properties, and server properties.

Table 3-19 LDAP Schema Properties

Each entry below gives the BUI property, the corresponding CLI property in parentheses, and the description.

Base search DN (CLI: base_dn)

  The Distinguished Name of the base object, which is the starting point for directory searches.

  A default subtree specification is automatically prepended to this base search DN: ou=people for user searches, ou=group for group searches, and ou=netgroup for netgroup searches. To override this default behavior, use the search descriptor properties listed below and described in LDAP Custom Mappings.

Search scope (CLI: search_scope)

  • One-level (non-recursive) (CLI value: one)

  • Subtree (recursive) (CLI value: sub)

  Which objects in the LDAP directory are searched, relative to the base object.

  With One-level (one), results are limited to objects directly beneath the base search object. This is the default, so users, groups, or netgroups placed in an OU nested below the default subtree are not found unless you change the scope or point the search descriptor at that OU.

  With Subtree (sub), results can include any object beneath the base search object, at any depth.

Schema definition for Users, Groups, and Netgroups

  • Search descriptor (CLI: user_search, group_search, netgroup_search)

  • Attribute mappings (CLI: user_mapattr, group_mapattr, netgroup_mapattr)

  • Object class mappings (CLI: user_mapobjclass, group_mapobjclass, netgroup_mapobjclass)

  The schema used by the appliance. Use these properties to override the default search descriptor (base DN plus a default subtree specification), attribute mappings, and object class mappings for users, groups, and netgroups. For more information, see LDAP Custom Mappings.
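The following is an added example, not appliance code, that applies the base DN, default subtree, search descriptor and search scope rules above to a constructed in-memory directory. It assumes a base_dn of dc=example,dc=com and the sample DNs defined in the block, and shows which entries the default One-level scope returns compared with Subtree:

```python
"""Effective search base and scope for the appliance's LDAP lookups.

Added example; it is not appliance code. It applies the rules the table
states (default subtree ou=people / ou=group / ou=netgroup prepended to
base_dn, overridable by a search descriptor; scope one vs sub) to a
constructed in-memory directory so the effect of the default One-level
scope on nested OUs is visible.
"""

# Default subtree the appliance prepends to base_dn for each lookup kind.
DEFAULT_SUBTREE = {"user": "ou=people", "group": "ou=group", "netgroup": "ou=netgroup"}


def split_dn(dn):
    """Split a DN into a list of RDNs, normalised (trimmed, lower-cased) for comparison.

    Honours backslash-escaped commas (RFC 4514) but not the full DN grammar;
    enough for the constructed sample below.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip().lower())
    return [r for r in rdns if r]


def search_base(base_dn, kind, search_descriptor=None):
    """Effective search base: the search descriptor if set (user_search etc.),
    otherwise the default subtree for `kind` prepended to base_dn."""
    if search_descriptor:
        return search_descriptor
    return f"{DEFAULT_SUBTREE[kind]},{base_dn}"


def in_scope(entry_dn, base, scope):
    """True if a search rooted at `base` with `scope` ('one' or 'sub') returns entry_dn.

    'one' returns only entries directly beneath base (the appliance default);
    'sub' returns entries at any depth beneath base. The base entry itself is
    never returned here: an OU is not a user, group, or netgroup.
    """
    if scope not in ("one", "sub"):
        raise ValueError(f"unknown search_scope {scope!r}")
    entry, root = split_dn(entry_dn), split_dn(base)
    if len(entry) <= len(root) or entry[-len(root):] != root:
        return False
    depth = len(entry) - len(root)
    return depth == 1 if scope == "one" else True


def find(directory, base, scope):
    """DNs in `directory` (an iterable of DN strings) that the search would return."""
    return sorted(dn for dn in directory if in_scope(dn, base, scope))


# Constructed sample directory: two users directly under ou=people, one user in a
# nested OU, a group, and a service account outside the default user subtree.
SAMPLE_DIRECTORY = [
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
    "uid=carol,ou=contractors,ou=people,dc=example,dc=com",
    "cn=admins,ou=group,dc=example,dc=com",
    "uid=svc-backup,ou=service,dc=example,dc=com",
]


def demo(base_dn="dc=example,dc=com"):
    """User lookups against the sample with the default and the recursive scope."""
    base = search_base(base_dn, "user")          # ou=people,dc=example,dc=com
    return {
        "base": base,
        "one": find(SAMPLE_DIRECTORY, base, "one"),   # alice and bob only
        "sub": find(SAMPLE_DIRECTORY, base, "sub"),   # alice, bob and carol
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the default One-level scope, carol in ou=contractors,ou=people is invisible to the appliance; switching search_scope to sub, or setting user_search to the nested OU, is what makes that account resolvable.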


Table 3-20 LDAP Security Properties

Each entry below gives the BUI property, the corresponding CLI property in parentheses, and the description.

Authenticate as (CLI: cred_level)

  • Anonymous (CLI value: anonymous)

  • Self (CLI value: self)

  • Proxy (Specific User) (CLI value: proxy)

  Credentials used to authenticate the appliance to the LDAP server. See LDAP Security Settings for descriptions of these choices.

Enable SSL/TLS (CLI: use_tls)

  Toggles TLS (Transport Layer Security, the successor to SSL) for connections to the LDAP server. If authenticating as Self, this option is not available because Self uses Kerberos, which encrypts the session itself.

  If you specify port 636 when an LDAP server is added, the system configures LDAP over raw TLS (often called LDAPS): a separate, dedicated port carries the connection, and the TLS handshake completes before any LDAP message is exchanged. If you specify any other port (typically 389), the system configures StartTLS: the connection opens as plain LDAP on that port and is upgraded to TLS by the StartTLS extended operation before the bind, so the server needs no dedicated port. For Anonymous and Proxy, leaving this option off means binds and lookups cross the network in the clear.

Authentication Method (CLI: auth_method)

  • Simple (RFC 4513) (CLI value: simple)

  • SASL/DIGEST-MD5 (CLI value: sasl/DIGEST-MD5)

  • CLI only: sasl/GSSAPI

  • CLI only: none

  Method used to authenticate the appliance to the LDAP server.

  If authenticating as Proxy, select the Simple or SASL/DIGEST-MD5 authentication method and set the DN and password. A simple bind sends the proxy password in the clear on every bind, so combine it with Enable SSL/TLS. SASL/DIGEST-MD5 keeps the password off the wire but depends on MD5 and is obsolete (RFC 6331); prefer Simple over TLS where the server supports it.

  In the CLI, set auth_method to sasl/GSSAPI if authenticating as Self, and to none if authenticating as Anonymous.

DN (CLI: proxy_dn)

  The distinguished name of the account used for proxy authentication.

Password (CLI: proxy_password)

  The password for the proxy DN account.
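As an added example, not appliance code, the following validator encodes the cred_level, auth_method, use_tls and port rules from this table and reports the transport you actually get. The function names, the example proxy DN, and the warnings about cleartext simple binds and obsolete DIGEST-MD5 are this example's own; the openssl s_client probe it builds assumes OpenSSL 1.1.1 or later, which understands -starttls ldap:

```python
"""Resolve the appliance's LDAP security properties into an effective transport
and bind, and flag weak combinations.

Added example; it is not appliance code. It encodes the rules the table
states (port 636 -> LDAP over raw TLS, any other port -> StartTLS when
use_tls is on; cred_level self -> sasl/GSSAPI with use_tls unavailable,
anonymous -> none, proxy -> simple or sasl/DIGEST-MD5 with proxy_dn and
proxy_password). The warnings and the openssl probe are this example's own
hardening advice, not appliance behaviour.
"""

PROXY_METHODS = ("simple", "sasl/DIGEST-MD5")


def resolve_ldap_security(cred_level, auth_method, port=389, use_tls=False,
                          proxy_dn=None, proxy_password=None):
    """Validate the combination and return {'transport', 'bind', 'port', 'warnings'}.

    Raises ValueError for combinations the properties do not allow.
    """
    if cred_level == "self":
        if auth_method != "sasl/GSSAPI":
            raise ValueError("cred_level self requires auth_method sasl/GSSAPI")
        if use_tls:
            raise ValueError("use_tls is not available with cred_level self (Kerberos encrypts the session)")
    elif cred_level == "anonymous":
        if auth_method != "none":
            raise ValueError("cred_level anonymous requires auth_method none")
    elif cred_level == "proxy":
        if auth_method not in PROXY_METHODS:
            raise ValueError(f"cred_level proxy requires auth_method in {PROXY_METHODS}")
        if not proxy_dn or not proxy_password:
            raise ValueError("cred_level proxy requires proxy_dn and proxy_password")
    else:
        raise ValueError(f"unknown cred_level {cred_level!r}")

    # Transport follows the port rule from the table: 636 is raw TLS (LDAPS),
    # anything else is StartTLS on the plain LDAP port. Self rides on Kerberos.
    if cred_level == "self":
        transport = "gssapi"
    elif use_tls:
        transport = "ldaps" if port == 636 else "starttls"
    else:
        transport = "plaintext"

    warnings = []   # hardening advice added by this example, not appliance checks
    if auth_method == "simple" and transport == "plaintext":
        warnings.append("simple bind without TLS sends proxy_password in cleartext on every bind")
    if auth_method == "sasl/DIGEST-MD5":
        warnings.append("DIGEST-MD5 is obsolete (RFC 6331); prefer simple over TLS or sasl/GSSAPI")
    if transport == "plaintext":
        warnings.append("user, group and netgroup lookups cross the network unencrypted")
    return {"transport": transport, "bind": auth_method, "port": port, "warnings": warnings}


def tls_probe_argv(host, port, transport):
    """openssl s_client command that confirms the server speaks the expected TLS mode.

    Assumes OpenSSL 1.1.1 or later for -starttls ldap. Returns None when the
    resolved transport has no TLS to probe. Add -CAfile with the server's
    issuer certificate to check trust as well as reachability.
    """
    argv = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if transport == "ldaps":
        return argv
    if transport == "starttls":
        return argv + ["-starttls", "ldap"]
    return None


if __name__ == "__main__":
    # Constructed settings: a proxy account bound with a simple bind over StartTLS.
    cfg = resolve_ldap_security("proxy", "simple", port=389, use_tls=True,
                                proxy_dn="cn=zfs-proxy,ou=service,dc=example,dc=com",
                                proxy_password="example-only")
    print(cfg)
    print(" ".join(tls_probe_argv("ldap.example.com", cfg["port"], cfg["transport"])))
```

Run the printed openssl command from a host on the same network as the appliance: a completed handshake with the expected server certificate confirms the port and mode the appliance will use, and a failed -starttls ldap against port 389 tells you the server does not offer StartTLS there, in which case use_tls on that port gives you no encryption.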


Table 3-21 LDAP Server Properties

Each entry below gives the BUI property, the corresponding CLI property in parentheses, and the description.

Server order (CLI: use_server_order)

  • Use server order (CLI value: true)

  • Ignore server order (CLI value: false)

  See the description of the Server property for the effect of the server order setting on a list of servers.

Server (CLI: servers)

  The list of LDAP servers to use.

  • If only one server is specified, the appliance uses only that server. If that server fails, LDAP services are unavailable.

  • If multiple servers are specified and Ignore server order is selected in the BUI (use_server_order is false in the CLI), any functioning server on the list can be used at any time, without preference. If a server fails, another server on the list is used. LDAP services remain available unless all specified servers fail.

  • If multiple servers are specified and Use server order is selected in the BUI (use_server_order is true in the CLI), the appliance uses the first available server on the list: the first server is selected, and if it fails the next server on the list is selected, and so on down the list. LDAP services remain available unless all specified servers fail.
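The following is an added example, not appliance code, that implements the selection behaviour described for the two server order settings so the difference can be exercised against a constructed server list. The server names are placeholders, and the probe function (a TCP connect with a timeout by default, replaceable by a test double) is this example's own definition of "functioning":

```python
"""Server selection under use_server_order.

Added example; it is not appliance code. It implements the behaviour the
table describes: with use_server_order true the first available server on
the list wins; with it false any functioning server may be chosen, without
preference. `probe` decides what "functioning" means; the default is a TCP
connect with a timeout, which a test or a dry run can replace.
"""
import random
import socket


def tcp_probe(server, port=389, timeout=2.0):
    """True if a TCP connection to server:port succeeds within timeout.

    Only reachability is checked; a listening port that rejects binds still
    counts as up here, so treat this as a first-pass health check.
    """
    try:
        with socket.create_connection((server, port), timeout=timeout):
            return True
    except OSError:
        return False


def candidate_order(servers, use_server_order, rng=random):
    """Order in which servers are tried: list order when use_server_order is true,
    otherwise a random permutation, so no server is preferred over another."""
    order = list(servers)
    if not use_server_order:
        rng.shuffle(order)
    return order


def select_server(servers, use_server_order, probe=tcp_probe, rng=random):
    """First server that probe() reports functioning, or None when every server
    fails (the case in which the table says LDAP services become unavailable)."""
    for server in candidate_order(servers, use_server_order, rng):
        if probe(server):
            return server
    return None


if __name__ == "__main__":
    # Constructed list; these hosts are placeholders and are not reachable
    # offline, so both calls print None.
    servers = ["ldap1.example.com", "ldap2.example.com", "ldap3.example.com"]
    print("ordered:", select_server(servers, True))
    print("unordered:", select_server(servers, False))
```

With Use server order the first server carries all traffic until it fails, which makes it the one to size and monitor; with Ignore server order the load spreads across every server that answers, so all of them need the same schema, the same proxy account and the same certificate trust, or lookups will succeed or fail depending on which server happened to be chosen.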
