Fabric OS Administrator’s Guide 111
53-1001763-02
The authentication model using RADIUS and LDAP 5
d. Add the Brocade profile.
e. In RSA Authentication Manager, edit the user records that will be authenticating using RSA
SecurID.

LDAP configuration and Microsoft Active Directory

LDAP provides user authentication and authorization using the Microsoft Active Directory service in
conjunction with LDAP on the switch. There are two modes of operation in LDAP authentication,
FIPS mode and non-FIPS mode. This section discusses LDAP authentication in non-FIPS mode. For
more information on LDAP in FIPS mode, refer to Chapter 7, “Configuring Security Policies”. The
following are restrictions when using LDAP in non-FIPS mode:
There is no password change through Active Directory.
There is no automatic migration of newly created users from the local switch database to
Active Directory. This is a manual process explained later.
Only IPv4 is supported for LDAP.
LDAP authentication is used on the local switch only and not for the entire fabric.
You can use the User-Principal-Name and not the Common-Name for AD LDAP authentication.
To provide backward compatibility, authentication based on the Common Name is still
supported for Active Directory LDAP 2000 and 2003. Common Name based-authentication is
not recommended for new installations.
A user can belong to multiple groups as long as one of the groups has the same name as the
Brocade role name. Among those groups, one group name must match with either the Brocade
role or be mapped to a switch role in the Brocade switch.
A user can be part of any Organizational Unit (OU).
Active Directory LDAP 2000, 2003, and 2003 is supported.
Roles for Brocade-specific users can be added through the Microsoft Management Console.
Groups created in Active Directory must correspond directly to the RBAC user roles on the switch.
Role assignments can be achieved by including the user in the respective group. A user can be
assigned to multiple groups like Switch Admin and Security Admin. For LDAP servers, you can use
the ldapCfg -–maprole ldap_role name switch_role command to map an LDAP server role to one of
the default roles available on a switch. For more information on RBAC roles, see “Role-Based
Access Control (RBAC)” on page 84.
NOTE
All instructions involving Microsoft Active Directory can be obtained from www.microsoft.com or your
Microsoft documentation. Confer with your system or network administrator prior to configuration
for any special needs your network environment may have.
Following is the overview of the process used to set up LDAP:
1. Install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP.
Follow Microsoft instructions for generating and installing CA certificates on a Windows server.
2. Create a user in Microsoft Active Directory server.
For instructions on how to create a user, refer to www.microsoft.com or Microsoft
documentation to create a user in your Active Directory.