LDAP is a standards-based, cross-platform, extensible protocol that runs directly on top of TCP/IP. It is used to access specialized databases called directories.
To avoid maintaining multiple user credentials, you can use the company LDAP server to authenticate user IDs and passwords.
As a prerequisite, the LDAP server must contain user groups that correspond to the required user roles. For more information, see Understanding user roles.
1. Click on the upper-right corner of the page.
2. Click LDAP, and then select Enable LDAP for authentication.
3. In the LDAP server hostname field, type the IP address or the host name of the LDAP server where the authentication occurs.
   Note: If you want to use encrypted communication between the MVE server and the LDAP server, then use the fully qualified domain name (FQDN).
4. Specify the server port number according to the encryption protocol selected.
5. Select the encryption protocol.
   - None
   - TLS—A security protocol that uses data encryption and certificate authentication to protect the communication between a server and a client.
   - SSL/TLS—A security protocol that uses public-key cryptography to authenticate the communication between a server and a client.
6. Select the binding type.
   - Anonymous—This option is selected by default. The MVE server does not present its identity or credentials to the LDAP server when using the LDAP server lookup facility.
   - Simple—The MVE server presents the specified credentials to the LDAP server to use the LDAP server lookup facility.
     a. Type the bind user name.
     b. Type the bind password, and then confirm the password.
   - Kerberos—To configure the settings, do the following:
     a. Type the bind user name.
     b. Type the bind password, and then confirm the password.
     c. Click Choose File, and then browse to the krb5.conf file.
   - SPNEGO—To configure the settings, do the following:
     a. Type the service principal name.
     b. Click Choose File, and then browse to the krb5.conf file.
     c. Click Choose File, and then browse to the Kerberos keytab file.
7. From the Advanced Options section, configure the following:
   - Search Base—The base distinguished name (DN) of the root node. In the LDAP community server hierarchy, this node must be the ancestor of both the user node and the group node. For example,
     Note: When specifying the root DN, make sure that only and are part of the root DN. If or is the ancestor of the user and group nodes, then use or in the user and group search bases.
   - User search base—The node in the LDAP community server where the user object exists. This node is under the root DN, and all the user nodes are listed beneath it. For example,
   - User search filter—The parameter for locating a user object in the LDAP community server. For example,

     Log in using | In the “User search filter” field, type
     ---|---
     Common name |
     Login name |
     User principal name |
     Telephone number |
     Login name or common name |

     Note: The only valid pattern is , which means that MVE searches for the MVE user login name.
   - Allow nested user search—The system searches all the nodes under the user search base.
   - Group search base—The node in the LDAP community server containing the user groups that correspond to the MVE roles. This node is under the root DN, and all the group nodes are listed beneath it. For example,
   - Group search filter—The parameter for locating a user within a group that corresponds to a role in MVE.
     Note: Only the and patterns can be used. If is used, then MVE searches for the LDAP user DN. If is used, then MVE searches for the MVE user login name.
   - Group role attribute—The attribute that contains the full name of the group. For example,
   - Allow nested group search—The system searches all the nodes under the group search base.
8. From the LDAP Groups to MVE Role Mapping section, enter the names of the LDAP groups that correspond to the MVE roles.
   Notes:
9. Click Save Changes.
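The search bases, search filters and group-to-role mapping configured in the procedure above, worked through as an added example that is not part of this page or of MVE: it escapes the login name per RFC 4515 before substituting it into the user and group search filters, joins a relative search base to the root DN, and maps the group names returned by the group search to roles. The tokens {login} and {userdn}, the relative search bases, the role names and all sample values are assumptions of this example, not product values.

```python
# Added example (not MVE's code). Assumptions: the tokens {login} and {userdn}
# stand in for the product's own login-name and user-DN placeholders, and the
# user and group search bases are relative to the root DN.

# RFC 4515 section 3: these characters are filter syntax, so a login name
# such as  *)(objectClass=*  must be escaped before it is substituted.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def full_base(search_base: str, relative_base: str) -> str:
    """Join a relative user/group search base to the root DN."""
    return f"{relative_base},{search_base}" if relative_base else search_base


def render_filter(template: str, login: str = "", user_dn: str = "") -> str:
    """Substitute escaped values for the placeholder tokens in a filter."""
    if "{login}" not in template and "{userdn}" not in template:
        raise ValueError("filter template contains no placeholder token")
    rendered = template.replace("{login}", escape_filter_value(login))
    return rendered.replace("{userdn}", escape_filter_value(user_dn))


def resolve_roles(group_names, role_mapping):
    """Return the roles whose mapped LDAP groups include any returned group."""
    found = {g.lower() for g in group_names}
    return sorted(role for role, groups in role_mapping.items()
                  if found & {g.lower() for g in groups})


if __name__ == "__main__":
    root = "dc=example,dc=com"  # constructed root DN
    print(full_base(root, "ou=People"))
    print(render_filter("(cn={login})", login="jdoe"))
    # The hostile login name is neutralised: the filter now matches only a literal cn.
    print(render_filter("(cn={login})", login="*)(objectClass=*"))
    print(render_filter("(member={userdn})", user_dn=f"cn=jdoe,ou=People,{root}"))
    # Constructed group-role-attribute values returned by the group search,
    # and a constructed group-to-role mapping (role names are illustrative).
    groups = ["MVE-Admins", "Printer-Users"]
    mapping = {"Admin": ["MVE-Admins"], "User": ["MVE-Users"]}
    print(resolve_roles(groups, mapping))  # ['Admin']
```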